The Beacon system from Great Bay Software integrates with the Cisco® NAC Appliance to provide accelerated deployment of a Network Admission Control (NAC) solution. Working together, the Beacon system and the Cisco NAC Appliance simplify discovery and profiling of all endpoint devices, regardless of whether they are associated with a specific user. Beacon also improves endpoint management by tracking the identity and location of these devices, as well as the adds, moves, and changes that occur after deployment.
Cisco NAC Appliance Overview
The Cisco NAC Appliance uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. With the Cisco NAC Appliance, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. The appliance identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with an organization's security policies, and repairs any vulnerability before permitting access to the network. The Cisco NAC Appliance management console is known as the Cisco Clean Access Manager.
Endpoint Profiling
Quickly profiling and managing all devices, or endpoints, is one of the core tenets of NAC. While many endpoints are desktops and laptops associated with users, many other endpoints, such as IP phones and printers, exist on the network independently of specific users. These are often called "non-responsive hosts" or "non-associated devices."
Beacon profiles all network endpoints and accurately portrays the state of the network edge leading up to, and following, the deployment of strong authentication. It combines numerous optional sources of information, including:
• Results from monitoring network traffic at aggregation points
• Behavior of end stations
• NetFlow data ingestion
• Continuous port state (location) monitoring
• Active profiling
Since 20 to 40 percent of devices on a network may be non-responsive hosts, this information is increasingly important for an effective NAC solution.
Accelerating NAC Rollout
The Cisco NAC Appliance initiates the admission procedure either through a standard Web browser or through a lightweight, read-only client that resides on the endpoint. Users enter their credentials, which then determine access rights and policy requirements. The Cisco NAC Appliance admits devices that cannot support such user interaction through an Exception List (also called a Filters List) in the Clean Access Manager, which lists the MAC addresses of these non-responsive hosts. When a device on the Filters List attempts to access the network, the NAC Appliance can route it appropriately via role-based VLAN assignment.
The Filters List is populated either through a bulk import of MAC addresses or by entering MAC addresses manually. It must be compiled and populated for a comprehensive NAC rollout, and administrators must then keep the list of non-responsive hosts current as changes occur. For example, adding a new network printer requires adding its MAC address to the Filters List before it can connect. Similarly, as devices are permanently removed from the network, administrators need to delete their MAC addresses.
To simplify this process, Beacon generates an automated inventory of all endpoints, populating not only the MAC address but also the device type descriptor (printer, IP phone, uninterruptible power supply, etc.) and the access type value that determines the appropriate level of access. Beacon can automatically populate the Filters List in the Clean Access Manager, and then manages that list on an ongoing basis so that the list of devices granted network access remains relevant and accurate.
Greater Control over Non-Responsive Hosts
From a management perspective, Beacon dynamically detects changes in the endpoint environment as devices are added to and removed from the network. Administrators no longer need to update the Filters List manually; more importantly, this feature eliminates the possibility of MAC address spoofing.
In addition, the combined Beacon and Cisco NAC Appliance solution can detect changes in endpoint behavior that indicate a change in device type. When an event occurs that is inconsistent with the profile of the device, such as a printer that begins to surf the Internet with Internet Explorer, Beacon can notify the Clean Access Manager to remove the suspect endpoint from the Filters List, or re-provision the role to accommodate the change in device function.
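As an added illustration of the behavior check described above (this is example code, not Great Bay Software or Cisco code), the script below evaluates constructed Filters List entries and NetFlow-style records against constructed per-device-type profiles; a printer that begins browsing the Internet with a browser User-Agent is flagged for removal from the Filters List, while lesser deviations are routed to a role review. The Filters List structure, profiles, flow fields and action names are all assumptions; the real Clean Access Manager import format and API are not modelled.

```python
"""Profile-consistency check for Filters List (non-responsive host) entries.
Added example, not Great Bay Software or Cisco code: the Filters List, the
device-type profiles and the flow records are constructed, and the real Clean
Access Manager import format and API are not modelled. A browser User-Agent
from a printer or phone points to a different device behind that MAC, so the
entry is pulled; other deviations are sent for a role review."""
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed Filters List: MAC -> (device type descriptor, access role).
FILTERS_LIST = {
    "00:11:22:aa:bb:01": ("printer", "printer_role"),
    "00:11:22:aa:bb:02": ("ip_phone", "voice_role"),
}
# Constructed profiles: destination ports each device type is expected to
# initiate, and whether it should ever reach addresses outside INTERNAL_NETS.
PROFILES = {
    "printer":  {"ports": {53, 123, 514}, "internet": False},
    "ip_phone": {"ports": {53, 69, 123, 2000, 5060, 5061}, "internet": False},
}
# Constructed NetFlow-style records; "ua" is an HTTP User-Agent seen by the
# aggregation-point traffic monitor, or None when no HTTP was observed.
FLOWS = [
    {"mac": "00:11:22:aa:bb:01", "dst": "10.0.0.53", "dport": 53, "ua": None},
    {"mac": "00:11:22:aa:bb:01", "dst": "203.0.113.10", "dport": 443,
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0)"},
    {"mac": "00:11:22:aa:bb:02", "dst": "10.0.5.1", "dport": 5060, "ua": None},
    {"mac": "00:11:22:dd:ee:ff", "dst": "198.51.100.7", "dport": 80, "ua": None},
]

def check_flows(filters_list, profiles, flows):
    """Return one finding per Filters List MAC whose traffic contradicts its
    profile. MACs not on the list are skipped: they take the user login path."""
    deviations = {}
    for f in flows:
        entry = filters_list.get(f["mac"])
        if entry is None:
            continue
        prof, reasons = profiles[entry[0]], set()
        if f["dport"] not in prof["ports"]:
            reasons.add(f"unexpected destination port {f['dport']}")
        if not prof["internet"] and not any(ip_address(f["dst"]) in n for n in INTERNAL_NETS):
            reasons.add(f"external destination {f['dst']}")
        if f["ua"]:
            reasons.add(f"browser traffic ({f['ua']})")
        if reasons:
            deviations.setdefault(f["mac"], set()).update(reasons)
    return [{"mac": m, "device_type": filters_list[m][0], "role": filters_list[m][1],
             "reasons": sorted(r), "action": "remove_from_filters_list"
             if any(x.startswith("browser") for x in r) else "re-provision_role"}
            for m, r in deviations.items()]
```

Running `check_flows(FILTERS_LIST, PROFILES, FLOWS)` yields a single finding for the printer MAC with three reasons and the action `remove_from_filters_list`; the IP phone's SIP traffic matches its profile and the unlisted MAC is ignored.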
Fully Integrated User Interface
Data from Beacon is displayed within the Cisco Clean Access Manager Web-based interface, providing deeper insight into the state of the NAC system from one location. NAC administrators can see, at a glance, the current state of endpoints on the Filters List, which reduces the management burden and makes troubleshooting easier.
Summary
Endpoint profiling is an increasingly important component for deploying a NAC solution. The Beacon solution from Great Bay Software greatly reduces deployment time; simplifies ongoing maintenance, particularly of non-responsive hosts; and enhances security through behavior-based surveillance. Together, Beacon and the Cisco NAC Appliance offer a complete solution for providing trusted access for all enterprise assets.
Solution Benefits
A combined Beacon and Cisco NAC Appliance solution yields three primary benefits for NAC administrators:
• Automated endpoint profiling greatly reduces the initial Cisco NAC Appliance deployment effort and timeframe. Administrators can devote more time to policy and configuration issues rather than data entry and physical inventories.
• Detection of devices being added to and removed from the network reduces the maintenance duties for NAC administrators.
• Surveillance of endpoint behavior adds a further layer of security, removing non-responsive hosts as an avenue for subverting the NAC mechanism.