The Cisco® NAC Profiler works with the Cisco NAC Appliance to provide accelerated deployment of a Network Admission Control (NAC) solution. The profiler simplifies the discovery and profiling of all endpoint devices, regardless of whether they are associated with a specific user. It also improves the management of endpoints by tracking their identity and location, and by handling adds, moves, and changes to these devices after deployment.
Endpoint Profiling
Quickly profiling and managing all devices, or endpoints, is one of the core tenets of NAC. While many endpoints are desktops and laptops that are associated with users, many other endpoints, such as IP phones and printers, exist on the network independently of specific users. These are often called nonresponsive hosts or nonassociated devices.
The Cisco NAC Profiler profiles all network endpoints and accurately portrays the state of the network edge leading up to, and following, the deployment of strong authentication. It combines numerous optional sources of information, including:
• Results from monitoring network traffic at aggregation points
• Behavior of end stations
• NetFlow data ingestion
• Continuous port state (location) monitoring
• Active profiling
Since 20 to 40 percent of devices on a network may be nonresponsive hosts, this information is increasingly important for an effective NAC solution.
Accelerating NAC Rollout
The Cisco NAC Appliance initiates the admission procedure either through a standard Web browser or through a lightweight, read-only client that resides on the endpoint. Users enter their credentials, then the NAC Appliance determines access rights and policy requirements. For devices that cannot support such user interaction, the Cisco NAC Appliance admits them through an exception list (the "filters list") in its Clean Access Manager, which lists the MAC addresses of these nonresponsive hosts. When a device on the filters list attempts to access the network, the NAC Appliance can route it appropriately using role-based VLAN assignment.
The filters list is populated either through a bulk import of MAC addresses or by entering MAC addresses manually. It must be compiled and populated for a comprehensive NAC rollout. Furthermore, administrators must keep the list of nonresponsive hosts updated as changes occur. For example, adding a new network printer would require adding its MAC address to the filters list before it can connect. Similarly, as devices are moved around or permanently removed from the network, administrators would need to reprovision or delete their MAC addresses.
To simplify this process, the Cisco NAC Profiler generates an automated inventory of all endpoints, populating not only the MAC address but also the device type descriptor (printer, IP phone, uninterruptible power supply, etc.) and the appropriate access type value that determines the appropriate level of access. It can then automatically populate the filters list in the Clean Access Manager and manage that list on an ongoing basis so that the list of devices granted network access remains relevant and accurate.
Greater Control over Nonresponsive Hosts
From a management perspective, the Cisco NAC Profiler dynamically detects changes in the endpoint environment as devices are added to and removed from the network. Administrators no longer need to update the filters list manually. More importantly, because a MAC address on the filters list is admitted without user authentication, that address could otherwise be spoofed to gain access; the profiler reduces this exposure by continuing to check that the device behaves like its profiled type, as described in the next paragraph.
In addition, the Cisco NAC Profiler can detect changes in endpoint behavior that indicate a change in device type. When an event occurs that is inconsistent with the profile of the device, such as a printer that begins to surf the Internet with Internet Explorer, the Cisco NAC Profiler can notify the Clean Access Manager to remove the suspect endpoint from the filters list, or reprovision the role to accommodate the change in device function.
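The two mechanisms described above (a MAC-keyed exception list, and removal of an entry whose observed behavior no longer matches its profile) can be modelled in a few dozen lines. The following is an added illustrative example, not Cisco NAC Profiler or Clean Access Manager code: the inventory, the flow records, the per-device-type expected outbound ports and the threshold are all constructed for this example, and the functions are hypothetical names, not a Cisco API. It also normalizes the MAC address notations that typically arrive in a bulk import (colon, hyphen and Cisco dotted forms), which is a common source of silent mismatches when populating such a list.

```python
"""Illustrative model of a MAC-based exception ("filters") list with a
behaviour check. Added example; not Cisco NAC Profiler or Clean Access
Manager code. Port sets, inventory and flow records are constructed."""
import re
from collections import defaultdict

# Expected client-side (outbound) destination ports per device type.
# Assumption for this example, not a Cisco profile definition.
EXPECTED_OUTBOUND = {
    "printer":  {53, 123, 514, 25},          # DNS, NTP, syslog, SMTP alerts
    "ip_phone": {53, 69, 123, 2000, 5060},   # DNS, TFTP, NTP, SCCP, SIP
    "ups":      {53, 123, 161, 162, 25},     # DNS, NTP, SNMP, traps, SMTP
}

# Constructed profiler inventory: MAC -> (device type, role). The MACs use
# mixed notations, as they would in a bulk import.
INVENTORY = {
    "00:1B:44:11:3A:B7": ("printer", "printer_vlan"),
    "001b.4411.3ab8":    ("ip_phone", "voice_vlan"),
    "00-1B-44-11-3A-B9": ("ups", "facilities_vlan"),
}

# Constructed flow records: (source MAC, destination port, packet count).
FLOWS = [
    ("00:1b:44:11:3a:b7", 53, 4),
    ("00:1b:44:11:3a:b7", 443, 310),   # "printer" opening many HTTPS sessions
    ("00:1b:44:11:3a:b7", 80, 95),
    ("00:1b:44:11:3a:b8", 5060, 40),
    ("00:1b:44:11:3a:b8", 2000, 12),
    ("00:1b:44:11:3a:b9", 161, 8),
]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen and Cisco dotted forms; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_filters_list(inventory):
    """Filters-list entries keyed by normalized MAC: device type and role."""
    return {normalize_mac(m): {"type": t, "role": r}
            for m, (t, r) in inventory.items()}


def check_behaviour(filters, flows, min_packets=50):
    """Flag filters-list entries whose outbound flows do not fit their type.
    Returns {mac: sorted list of unexpected destination ports}."""
    counts = defaultdict(lambda: defaultdict(int))
    for mac, port, pkts in flows:
        counts[normalize_mac(mac)][port] += pkts
    suspects = {}
    for mac, ports in counts.items():
        entry = filters.get(mac)
        if entry is None:
            continue  # not on the list: goes through normal user admission
        allowed = EXPECTED_OUTBOUND[entry["type"]]
        bad = sorted(p for p, n in ports.items()
                     if p not in allowed and n >= min_packets)
        if bad:
            suspects[mac] = bad
    return suspects


def apply_actions(filters, suspects):
    """Drop suspect entries so those MACs fall back to interactive admission.
    Returns the updated list and a human-readable action log."""
    updated = {m: e for m, e in filters.items() if m not in suspects}
    actions = [f"remove {m} ({filters[m]['type']}): unexpected outbound ports {p}"
               for m, p in suspects.items()]
    return updated, actions


if __name__ == "__main__":
    fl = build_filters_list(INVENTORY)
    fl, acts = apply_actions(fl, check_behaviour(fl, FLOWS))
    print("\n".join(acts))
```

With the constructed data the printer entry is removed because a device claiming that MAC sustains outbound HTTP and HTTPS traffic, which a printer profile does not include; the phone and UPS entries stay. The packet threshold keeps a single stray connection from evicting a legitimate device, and the port sets are the part a deployment would tune per profile.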
Fully Integrated User Interface
Data from the Cisco NAC Profiler is displayed within the Clean Access Manager Web-based interface, providing deeper insight into the state of the NAC system through one location. NAC administrators can see, at a glance, the current state of endpoints on the filters list, which reduces the management burden and simplifies troubleshooting.
Summary
Endpoint profiling is an increasingly important component for deploying a NAC solution. The Cisco NAC Profiler greatly reduces deployment time; simplifies ongoing maintenance, particularly of nonresponsive hosts; and enhances security through behavior-based surveillance. Together, the Cisco NAC Profiler and Cisco NAC Appliance offer a complete solution for providing trusted access for all enterprise assets.
Solution Benefits
The Cisco NAC Profiler yields three primary benefits for NAC administrators:
• Automated endpoint profiling greatly reduces the initial Cisco NAC deployment effort and timeframe. Administrators can devote more time to policy and configuration issues rather than data entry and physical inventories.
• Detection of device additions and subtractions from the network reduces the maintenance duties for NAC administrators.
• Surveillance of endpoint behavior adds a further layer of security, reducing the opportunity to use nonresponsive hosts, or their MAC addresses, to subvert the NAC mechanism.