White Paper

Cisco NAC
The Development of the Self-Defending Network

Executive Overview

Cisco Network Admission Control (NAC) leverages the network infrastructure to limit damage from viruses and worms.

Using Cisco NAC, organizations can provide network access to endpoint devices, such as PCs, PDAs, and servers that fully comply with established security policy. Cisco NAC allows noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources.

Cisco NAC is the first step of the multiphased Cisco Self-Defending Network initiative to identify, prevent, and adapt to security threats.

Introduction—Responding to Threat Evolution

Viruses and worms continue to disrupt business, causing system downtime, lost productivity, and continual patching. The self-propagating nature of the latest attacks makes them especially virulent and damaging. Existing anti-virus solutions, which rely on recognizing attack signatures, are unable to detect and contain "day-zero" viruses and the denial-of-service (DoS) attacks that they spawn.

Servers and desktops that are not compliant with corporate security policy are common, and they are difficult to detect, contain, and cleanse. Locating and isolating these systems is time- and resource-intensive, resulting in infections that appear to be removed from the corporate network, but that reappear at a later time. The problem is compounded by the complexity of today's networked environment, which contains:

Multiple types of end users—employees, vendors, and contractors

Multiple types of endpoints—company desktop, home, and server

Multiple types of access—wired, wireless, virtual private network (VPN), and dial

Cisco NAC counters evolved threats to the network, addressing the environmental complexity, and providing a real advance over point security technologies that have focused on the host, rather than global network availability and overall enterprise resiliency.

An Overview of Cisco NAC

The damage caused by worms and viruses has graphically demonstrated the inadequacy of existing safeguards. Cisco NAC provides a new, comprehensive solution that allows organizations to enforce host patch policies, and to relegate noncompliant and potentially vulnerable systems to quarantined environments with limited or no network access. By combining information about endpoint security status with network admission enforcement, Cisco NAC enables organizations to dramatically improve the security of their computing infrastructures.

Cisco NAC allows network access to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example), and restricts the access of noncompliant devices. The access decision can be based on information such as the endpoint's anti-virus state and operating system patch level.

Figure 1  Cisco NAC

Cisco NAC has the following components:

Cisco Trust Agent—Software that resides on an endpoint system. The trust agent collects security state information from multiple security software clients, such as anti-virus clients, and then communicates this information to Cisco network access devices, which enforce admission control. Cisco has licensed trust agent technology to its anti-virus co-sponsors so that it can be integrated with their security software client products. The trust agent will also be integrated with the Cisco Security Agent to enforce access privileges based on an endpoint's operating system patch level. Cisco Security Agent, a day-zero host protection software solution, will assess the operating system version, patch, and hot fix information and will communicate this information to the Cisco Trust Agent. Hosts that are not running the proper patches may be given limited access or denied network access.

Network access devices—Network devices that enforce admission control policy include routers, switches, wireless access points, and security appliances. These devices demand host security "credentials" and relay this information to policy servers, where network admission control decisions are made. Based on customer-defined policy, the network will enforce the appropriate admission control decision—permit, deny, quarantine, or restrict.

Policy server—Evaluates the endpoint security information relayed from network access devices and determines the appropriate access policy for them to apply. The Cisco Secure Access Control Server (ACS), an authentication, authorization, and accounting (AAA) RADIUS server, is the foundation of the policy server system. It works in concert with Cisco NAC co-sponsor application servers that provide deeper credential validation capabilities, such as anti-virus policy servers.

Management System—CiscoWorks VPN/Security Management Solution (VMS) provisions Cisco NAC elements, while CiscoWorks Security Information Manager Solution (SIMS) provides monitoring and reporting tools. Cisco NAC co-sponsors provide management solutions for their endpoint security software.

Crucially, Cisco NAC leverages existing investments in network infrastructure and host security technology by linking the two together to provide a network admission control facility. For example, organizations can ensure that the use of anti-virus software is enforced by the Cisco network—routers, switches, wireless, and security appliances. In this way, Cisco NAC complements, rather than replaces, classic security technologies already widely used—gateway firewall, intrusion protection systems, user authentication, and communications security.

Cisco NAC in Action

Cisco NAC is a flexible and ubiquitous solution, capable of providing protection to all connected computing systems. Cisco NAC operates across all access methods that hosts use to connect to the network, including campus switching, wired and wireless, router WAN and LAN links, IP Security (IPSec) connections, remote access, and dialup links.

Cisco NAC deployment examples include:

Branch office compliance—Cisco NAC helps to ensure the compliance of hosts in remote or home offices trying to connect to centralized corporate resources, either over a private WAN or through a secure channel across the Internet. This includes performing compliance checks at the Cisco branch or main office router.

Remote-access security—Cisco NAC helps to ensure that remote and mobile worker desktops have the latest anti-virus and operating system patches before allowing them to access company resources through dial, IPSec, and other VPN connections.

Wireless campus protection—Cisco NAC checks hosts connecting to the network via wireless to ensure they are properly patched. The 802.1x protocol is used in combination with device and user authentication to perform this validation.

Campus access and data center protection—Cisco NAC monitors desktops and servers within the office, helping to ensure that these devices comply with corporate anti-virus and operating system patch policies before granting them LAN access. This reduces the risk of virus and worm infections spreading within an organization by expanding admission control to Layer 2 switches.

Extranet compliance—Cisco NAC can be used to check the compliance of every system trying to obtain network access, not just those managed by IT. Managed and unmanaged hosts, including contractor and partner systems, may be checked for compliance with anti-virus and operating system policy. If the Cisco Trust Agent is not present on the interrogated host, a default access policy can be enforced.

Benefits of Cisco NAC

Dramatically improved security—Cisco NAC helps to ensure that all hosts comply with the latest corporate anti-virus and operating system patch policies prior to obtaining normal network access. Vulnerable and noncompliant hosts may be isolated and given reduced access until they are patched and secured, preventing them from being the targets of or the sources for worm and virus infections.

Use of network and anti-virus investment—Cisco NAC integrates and increases the value of investments in the Cisco network infrastructure, Cisco endpoint security, and anti-virus technology.

Deployment scalability—Cisco NAC provides comprehensive access control across all access methods that hosts use to connect to the network. It also supports heterogeneous vendor scenarios. For example, if an employee has an anti-virus solution with a Cisco Trust Agent, and a contractor is using a different anti-virus solution with a Cisco Trust Agent, it is possible to check compliance of both and grant differentiated policies based on user identity and endpoint security status. Finally, Cisco NAC can set differentiated access policy for responsive hosts (those running the Cisco Trust Agent) and nonresponsive hosts.

Increased resilience and availability—By taking information about endpoint security status and combining it with network admission enforcement, Cisco NAC enables customers to dramatically improve the security of their computing infrastructures.

Availability and Use

Cisco NAC will be available in the first half of 2004, at which point Cisco routers will communicate with the Cisco Trust Agent to provide network admission control. Router access control lists (ACLs) will restrict the communications between noncompliant hosts and other systems in the network—for example, only allowing communications to an anti-virus server in order to download a new pattern file. Initially, Cisco NAC will support endpoints running Microsoft Windows NT, XP, and 2000 operating systems.

"Recent worm and virus infections have elevated the issue of keeping insecure nodes from infecting the network and made this a top priority for enterprises today," said Mark Bouchard, senior program director, META Group. "Many organizations were successful at stopping recent worm attacks at their Internet boundaries, yet still fell victim to the exploits when mobile or guest users connected their infected PCs directly to internal, local area networks. Eliminating this type of threat will require a combination of strengthened policies and network admission control technology."

This first release of Cisco NAC addresses the two most pressing compliance tests required—anti-virus software state and operating system information. This includes anti-virus vendor software version, engine level, and signature file levels, as well as operating system type, patch, and hot fix. Cisco NAC is likely to first be used in monitoring mode, where host compliance will be assessed without any attempt to restrict network access. During this time, noncompliant systems may be updated as needed in order to reach desired compliance levels.
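The admission logic described in this paper (posture credentials evaluated against customer-defined policy, a default policy for hosts without a trust agent, and a monitoring mode that assesses without restricting) can be modelled as follows. This is an added illustration, not Cisco code or any Cisco API; the class and field names, the threshold values, and the choice to quarantine remediable gaps and deny operating systems outside the policy are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    QUARANTINE = "quarantine"
    RESTRICT = "restrict"

@dataclass(frozen=True)
class Posture:  # credentials relayed by the access device; field names are hypothetical
    av_engine: int
    av_signature: int
    os_type: str
    os_patch: int

@dataclass
class Policy:  # customer-defined policy; thresholds below are constructed values
    min_av_engine: int = 5
    min_av_signature: int = 4300
    min_os_patch: Dict[str, int] = field(default_factory=lambda: {"XP": 1, "2000": 4, "NT": 6})
    nonresponsive: Decision = Decision.RESTRICT  # default for hosts without a trust agent
    monitor_only: bool = False  # assess and report, but do not restrict access

def assess(posture: Optional[Posture], policy: Policy) -> Tuple[Decision, List[str]]:
    """Return the decision the policy calls for and the reasons behind it."""
    if posture is None:
        return policy.nonresponsive, ["no trust agent response"]
    if posture.os_type not in policy.min_os_patch:
        return Decision.DENY, ["operating system not covered by policy"]
    reasons = []
    if posture.av_engine < policy.min_av_engine:
        reasons.append("anti-virus engine below required level")
    if posture.av_signature < policy.min_av_signature:
        reasons.append("anti-virus signature file out of date")
    if posture.os_patch < policy.min_os_patch[posture.os_type]:
        reasons.append("operating system patch level too low")
    # Assumption: remediable gaps lead to quarantine rather than outright denial.
    return (Decision.QUARANTINE if reasons else Decision.PERMIT), reasons

def admit(posture: Optional[Posture], policy: Policy) -> Tuple[Decision, Decision, List[str]]:
    """Return (enforced, assessed, reasons); monitoring mode enforces PERMIT."""
    assessed, reasons = assess(posture, policy)
    enforced = Decision.PERMIT if policy.monitor_only else assessed
    return enforced, assessed, reasons

if __name__ == "__main__":
    stale = Posture(av_engine=5, av_signature=4100, os_type="XP", os_patch=1)  # constructed host
    print(admit(stale, Policy()))
    print(admit(stale, Policy(monitor_only=True)))
    print(admit(None, Policy()))
```

Keeping the assessed decision separate from the enforced one lets a monitoring-mode rollout report which hosts would be quarantined before any restriction is switched on.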

In subsequent Cisco NAC releases, Cisco switches and wireless access points will be able to assign noncompliant hosts to quarantine VLAN segments on which only remediation servers reside. Subsequent releases will also expand Cisco NAC support into Cisco security appliances, such as VPN concentrators and firewalls.

Future Cisco NAC phases will provide dynamic infection containment. This will enable compliant endpoints or other system elements to report misuse emanating from rogue or infected systems during an attack. This intelligence will be used to dynamically quarantine infected systems from the rest of the network and significantly reduce virus, worm, and blended threat propagation.

Conclusion—The Cisco Self-Defending Network

Cisco NAC is a crucial phase in the development of the Cisco Self-Defending Network, an innovative, multiphased security initiative that dramatically improves the ability of networks to identify, prevent, and adapt to security threats. The Cisco Self-Defending Network Initiative significantly advances Cisco's strategy of integrating security services throughout IP networks by delivering new system-level network threat defense.

For More Information

For more information, visit:


Posted: Mon Jun 7 12:57:04 PDT 2004
All contents are Copyright © 1992-2004 Cisco Systems, Inc. All rights reserved.