Cisco® NAC Profiler enables network administrators to keep a real-time, contextual inventory of all devices in a network. It greatly facilitates the deployment and management of Cisco Network Admission Control (NAC) systems by discovering and tracking the location and type of all LAN-attached endpoints, including those that are not capable of authenticating. It also uses the information about the device to determine the correct policies for NAC to apply.
Cisco NAC Profiler simplifies the deployment of Cisco NAC and eases several administrative tasks in a Cisco NAC-enabled network, including adds, moves, and changes; location of non-compliant devices; discovery of unmanaged endpoints; and quick location of endpoints in situations such as helpdesk calls, security events, policy violations, and asset tracking.
Cisco NAC Profiler works by aggregating information from several sources, including:
• Inference-based discovery
• Network traffic analysis
• Network topology comprehension
• Network infrastructure communication
• NetFlow data analysis
Each network-attached device type is identified, then correlated with the location of the device to provide a complete picture of endpoints. And because Cisco NAC Profiler is aware of the authentication process, it can also give visibility into the machines and people that have authenticated to the network, including their location and their history of network usage.
With this contextual information about endpoints, Cisco NAC Profiler also helps administrators monitor and manage anomalies related to authentication, such as port swapping, MAC address spoofing, and profile changes.
Features and Benefits
Organizations with Cisco NAC Profiler as part of a Cisco NAC deployment can enjoy the following benefits:
• Complete access control and confidentiality. Can be deployed with other Cisco TrustSec™ components - including policy components, infrastructure enforcement components, endpoint components, and professional services - for a comprehensive access control and confidentiality solution.
• Save deployment and management costs. Cisco NAC Profiler eliminates the months of work typically required to discover the type and location of all network-attached endpoints, as well as the time and effort to input device information into the system.
• Reduce deployment risk. Automating a previously manual process increases the chance of a successful, effective deployment by reducing the risk of human error.
• Enjoy greater change control. When network endpoints are added, moved, or changed, Cisco NAC Profiler enables real-time discovery and classification of these endpoints, greatly reducing the amount of intervention required.
• Secure all company-owned endpoints. A typical enterprise network contains hundreds - or thousands - of network devices unaffiliated with a user. Cisco NAC Profiler permits administrators to secure all company-owned assets.
Device Inventory and Classification
Cisco NAC Profiler generates an automated inventory of all endpoints, including those known to be non-responsive hosts, and automatically populates them into the Filters List of Cisco NAC Appliance Manager. In addition to the endpoints' MAC addresses, Cisco NAC Profiler also indicates the device type (such as a network printer, IP phone, UPS, HVAC sensor, wireless access point, etc.), which in turn defines the appropriate level of access for that endpoint.
Continuous, Real-Time Endpoint Monitoring
Cisco NAC Profiler performs its function continually, thus maintaining both a real-time and historical database of information about the endpoints in the environment. History is maintained on each endpoint such that the system provides a summary view listing which device types have been recorded for an endpoint, the addresses the endpoint has used, and where it has been connected to the network.
Automated Reprovisioning of Devices
With Cisco NAC Profiler in a Cisco NAC deployment, changes in the endpoint environment are dynamically detected and changes are made to the Filters List automatically. For example, if a network printer is moved and connected to a new port, the Filters List will be dynamically updated. This feature also enhances security; for example, if a device is doing something on the network that is inconsistent with its profiled device type, Cisco NAC Profiler will notify the Cisco NAC Appliance to remove the suspect endpoint from the Filters List or reprovision a more appropriate role for that endpoint.
Tight Integration with Cisco NAC Appliance Manager
Cisco NAC Profiler directly presents its data to the Cisco NAC Appliance Manager through the Appliance Manager API. This data can include an endpoint's address, location, behavior, history, and more, giving NAC administrators significantly more insight into the current state of endpoints while substantially reducing the management burden.
Cisco NAC Profiler has two components: the NAC Profiler Server and the NAC Profiler Collector application. The Profiler Server houses the database, provides access to the administrator's user interface, and liaises with the Cisco NAC Appliance Manager. The NAC Profiler Collector application resides on each NAC Appliance Server.
The NAC Profiler Collector application comprises the following modules:
• NetWatch: NetWatch is the "sniffer" component of the Cisco NAC Profiler system. It aims to collect as much "profilable" information as possible to feed the modeling engine.
• NetMap: NetMap consults with every network device through Simple Network Management Protocol (SNMP) to determine network topology information. As part of the Profiler Collector, NetMap uses the Cisco NAC Appliance Server's host address to communicate with the network devices.
• NetInquiry: NetInquiry is the active profiling component, used to communicate directly with network endpoints to learn information about the end system.
• NetTrap: NetTrap is the component of the Cisco NAC Profiler system that collects link-state and new MAC traps from the network access devices to unlock a real-time understanding of endpoints joining and leaving the network.
Figure 1 is a logical diagram of how the Cisco NAC Profiler Server and NAC Profiler Collector application work in a Cisco NAC Appliance deployment.
Figure 1. Cisco NAC Profiler in a Cisco NAC Appliance Deployment
1. The Profiler Collector application collects the relevant data and consolidates the information to send to the Profiler Server.
2. The Profiler Server aggregates all of the information from the Profiler Collectors and maintains a database of all network-attached endpoints (such as phones, printers, badge readers, modalities, etc.).
3. The Profiler Server continuously maintains the Filters List using the NAC API and provisions the appropriate access decisions (allow, deny, check, "role," or ignore).
4. The Profiler Collector application continuously monitors behavior of profiled devices (to prevent spoofing) and updates the Profiler Server.
Table 1 lists the specifications for the Cisco NAC Profiler Server.
Table 1. Cisco NAC Profiler Server Hardware Specifications
Quad-core Intel Xeon (Nehalem)
2 x 300-GB SAS RAID HDD
Ethernet network interface cards (NICs)
4 x 10/100/1000 LAN ports [2 integrated NICs; 2 Gigabit NICs (PCI-E)]
10BASE-T cable support
Cat 3, 4, or 5 UTP up to 328 ft (100m)
10/100/1000BASE-TX cable support
Cat 5 UTP up to 328 ft (100m)
USB 2.0 ports
4 (one front, one internal, two rear)
External SCSI ports
Rack-mount 1 RU
35 lb (15.87 kg) fully configured
1.70 x 16.78 x 27.75 in. (4.32 x 42.62 x 70.49 cm)
Dual 675W (redundant)
2661 BTUs per hour (at 120 VAC)
Service and Support
Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, see Cisco Technical Support Services or Cisco Advanced Services. Warranty information is available at http://www.cisco.com/en/US/products/prod_warranties_item09186a00805f005b.html.