The Need for Policy Enforcement

Perimeter defense alone and traditional independent point-solution security products are no longer sufficient to protect an organization's network.

Today's threats demand more comprehensive, pervasive, and tightly integrated information security solutions that include policy enforcement, or admissions control, mechanisms that meet these new challenges. These mechanisms should allow organizations to enforce their security policies on all devices (managed and unmanaged) as users enter the network, regardless of their access methods, ownership, device types, application configurations, and remediation models.

Admissions control mechanisms should include the following functions:

  • Evaluation and Verification: Collect relevant endpoint security information before the device gains network access, and use the collected information to verify the endpoint's compliance with security policy requirements. The mechanism must also provide user-authentication support.
  • Policy Enforcement: Reliably deny, permit, redirect, or quarantine network access, depending on the level of policy compliance.
  • Remediation: Help bring noncompliant devices into compliance. Ideally, remediation should be done without user intervention and should provide ongoing compliance assistance by automatically updating compliant computers so that they keep up with changes in security policy requirements.

Beyond the basic requirements for network admission control, other functions vastly improve user experience and administrator manageability:

  • Basic Levels of Endpoint Security: Verify that applications such as antivirus, personal firewalls, and OS patches and updates exist, and that they are configured and enabled properly.
  • Integration: Prevent bypass attempts through integration with capabilities such as vulnerability scanning, malware detection, customizable client scripts, effective data reporting, and other security features.
  • Compatibility and Interoperability: Integrate with other applications and remain interoperable with security products that organizations may consider in the near future.
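The three core functions (evaluate and verify, enforce, remediate) and the basic endpoint checks listed above, as an added example rather than code from the original article: a small posture evaluator that takes a constructed endpoint report, verifies it against an assumed policy (antivirus present, enabled and with signatures no older than seven days; personal firewall on; no missing critical patches), and maps the result to permit, quarantine (redirect to a remediation-only network) or deny, together with the remediation steps to push. The `Posture` fields, thresholds and message strings are all assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

class Decision(Enum):
    PERMIT = "permit"
    QUARANTINE = "quarantine"  # redirect to a remediation-only network
    DENY = "deny"

@dataclass
class Posture:
    """Endpoint facts collected before access is granted (constructed agent report)."""
    user_authenticated: bool
    av_installed: bool
    av_enabled: bool
    av_signature_date: Optional[date]
    firewall_enabled: bool
    missing_critical_patches: int

@dataclass
class Verdict:
    decision: Decision
    failures: list = field(default_factory=list)     # which policy checks failed
    remediation: list = field(default_factory=list)  # what to push to fix them

def evaluate(p: Posture, today: date, max_signature_age_days: int = 7) -> Verdict:
    """Verify the posture against policy and map the result to an enforcement action.
    The thresholds (7-day signature age, zero missing critical patches) are assumed."""
    if not p.user_authenticated:
        return Verdict(Decision.DENY, ["user not authenticated"])  # no identity, no evaluation
    problems = []  # (policy failure, remediation step) pairs
    if not p.av_installed:
        problems.append(("antivirus not installed", "install antivirus client"))
    elif not p.av_enabled:
        problems.append(("antivirus disabled", "enable real-time antivirus"))
    elif p.av_signature_date is None or (today - p.av_signature_date).days > max_signature_age_days:
        problems.append(("antivirus signatures stale", "push signature update"))
    if not p.firewall_enabled:
        problems.append(("personal firewall disabled", "enable host firewall"))
    if p.missing_critical_patches > 0:
        problems.append((f"{p.missing_critical_patches} critical patch(es) missing", "apply critical OS patches"))
    if not problems:
        return Verdict(Decision.PERMIT)
    failures, fixes = (list(col) for col in zip(*problems))
    # Quarantine: the endpoint reaches only remediation servers until the fixes are applied.
    return Verdict(Decision.QUARANTINE, failures, fixes)
```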

Deployment Considerations

Ask the following questions when planning deployment of a network admission control mechanism:

Which security risks are you trying to address?

Identifying security risks that the NAC mechanism can address will establish your project scope. Typical security risks include mobile endpoint devices (because their security profile is often out of date) and wireless connections.

Do you already have business and security policies that would support admission control?

You need clear security policies in place to establish that users and their devices must reach compliance before they are allowed network access. In addition, you need to publish precise security standards so that users understand the actual technical specifications for compliance requirements.

Is your user population ready for a new security environment?

Without thorough and persistent communication efforts, some users (especially those accustomed to unconditional network access) might not be ready for the change. Are users prepared to adjust their expectation levels because they understand the business values and benefits of admission control?

What kind of architecture should you have?

For instance, if mobile users are your major concern, it makes sense to deploy admission controls for the remote-access segment first. If you worry about the protection level at branch offices due to the lack of onsite IT and security staff, consider deploying admission control in remote sites first. Starting with a few small environments, you can gain knowledge and experience, and then follow up with a more substantial deployment.

What subsequent technical decisions are necessary?

Once you've chosen your high-level directions, you need to make a series of detailed technical decisions. You'll need to consider your specific environment and requirements to design a plan that fits your business needs. For example:

  • How will you integrate the admission control component with your existing infrastructure?
  • How do you handle security software usage if you prefer not to give licensed software to visitors or contractors?
  • Strategically, where should you deploy enforcement and management equipment?
  • Where should you store collected data?
  • How will you handle monitoring and reporting?