With today's security challenges and threats growing more sophisticated, perimeter defense alone is no longer sufficient. Few organizations are closed entities with well-defined security perimeters, which has led to the creation of perimeterless networks with ubiquitous access. Organizations need internal security systems that are more comprehensive, pervasive, and tightly integrated than in the past. Cisco NAC Appliance allows you to enforce host security policies on all hosts, managed and unmanaged, as they enter the interior of the network, regardless of their access method, ownership, device type, application set, or operating system.
Published (Last): 10 May 2005
Topics include: With comprehensive security features, In-Band or Out-of-Band deployment options, user authentication tools, and bandwidth and traffic filtering controls, Cisco NAC Appliance is a complete solution for controlling and securing networks.
As the central access management point for your network, Cisco NAC Appliance lets you implement security, access, and compliance policies in one place instead of having to propagate the policies throughout the network on many devices. The security features in Cisco NAC Appliance include user authentication, policy-based traffic filtering, and client posture assessment and remediation.
Cisco NAC Appliance stops viruses and worms at the edge of the network. With remote or local system checking, Cisco NAC Appliance lets you block user devices from accessing your network unless they meet the requirements you establish. You can deploy the Cisco NAC Appliance in the configuration that best meets the needs of your network. The Clean Access Server (CAS) can be deployed as the first-hop gateway for your edge devices, providing simple routing functionality, advanced DHCP services, and other services.
Alternatively, if elements in your network already provide these services, the CAS can work alongside those elements without requiring changes to your existing network by being deployed as a "bump-in-the-wire." Cisco NAC Appliance checks client systems, enforces network requirements, distributes patches and antivirus software, and quarantines vulnerable or infected clients for remediation before clients access the network.
High encryption is also required for client browsers for web login and Agent authentication. The CAS enforces the policies you have defined in the CAM web admin console, including network access privileges, authentication requirements, bandwidth restrictions, and Cisco NAC Appliance system requirements.
You can install Cisco NAC series appliances in your company headquarters core, for example, to handle thousands of users, and simultaneously install one or more Cisco NAC network modules in ISR platforms to accommodate smaller groups of users at a satellite office. The Cisco NAC Appliance Agent checks applications, files, services, or registry keys to ensure that client machines meet your specified network and software requirements prior to gaining access to the network.
Note: There is no client firewall restriction with client posture assessment via the Agent. The Agent can check the client registry, services, and applications even if a personal firewall is installed and running. The Clean Access Manager (CAM) provides built-in support for antivirus (AV) and anti-spyware (AS) vendors. You can use it to manage up to 20 Clean Access Servers. See Admin Console Summary for a brief introduction to the modules of the web console.
When enabled for your Cisco NAC Appliance deployment, the Agent can ensure that computers accessing your network meet the system requirements you specify. The Agent is a read-only, easy-to-use, small-footprint program that resides on Windows user machines. When a user attempts to access the network, the Agent checks the client system for the software you require, and helps users acquire any missing updates or software. Agent users who fail the system checks you have configured are assigned to the Agent Temporary role.
This role gives users limited network access so they can reach the resources needed to comply with the Agent requirements. Once a client system meets the requirements, it is considered "clean" and allowed network access. Agent users see the web login page and the Agent download page the first time they perform web login, in order to download and install the Agent setup installation file. After installation, Agent users should log in through the Agent dialog, which pops up automatically when "Popup Login Window" is selected from the system tray icon menu (the default setting).
Cisco NAC Agent users can also bring up the login dialog by right-clicking the Agent system tray icon and selecting "Login." The Logout option is not needed for these deployments, since the machine always attempts to log back in immediately. Agent users will not see Quarantine role pages or popup scan vulnerability reports, as the Agent dialogs perform the communication. You can also configure a Network Policy page (Acceptable Use Page) that Agent users must accept after login and before accessing the network.
If you configure the Clean Access Manager to use a RADIUS server to validate remote users, the end-user Agent login session may feature extra authentication challenge-response dialogs not available in other dialog sessions—beyond the standard user ID and password. For example, the RADIUS server profile configuration may feature an additional authentication challenge like verifying a token-generated PIN or other user-specific credentials in addition to the standard user ID and password.
In this case, one or more additional login dialog screens may appear as part of the login session. Choose a user role from the dropdown menu, which shows all roles in the system. Configure Agent Login settings for each role for which the Agent will be required. See Adding a New User Role for how to create new user roles.
ALL settings apply by default to all client operating systems if no OS-specific settings are specified. Check this option to enable OOB Logoff. See Configure Out-of-Band Logoff for more details. Users will be prompted to download, install, and use the Agent to log into the network. If you choose to enable both options, both choices appear to users when they are directed to the Login Page. Users can also take advantage of "restricted" network access to gain limited network access when the client machine fails remediation and the user must implement updates to meet network access requirements before they can log in using their assigned user role.
You can change the text in this box to show users who can log in to the Cisco NAC Appliance system a "customized" button in the Agent login dialog process. Click this checkbox if you want to display a link in the Agent login session to a Network Policy (Acceptable Use Policy) web page for Agent users.
You can use this option to provide a policies or information page that users must accept before they access the network. This page can be hosted on an external web server or on the Clean Access Manager itself. Note: The Network Policy page is only shown to the first user that logs in with the device. This helps to identify the authenticating user who accepted the Network Policy Page. Clearing the device from the Certified Devices List will force the user to accept the Network Policy again at the next login.
This removes the user from the Online Users list. For SSO, the next user to use that client will be logged in with the credentials of the previous user. Refresh Windows domain group policy after login (Windows only). Click this checkbox to automatically refresh the Windows domain group policy (perform a GPO update) after the user login, for Windows only. Setting the time to 0 seconds prevents display of the Agent Login success screen.
Valid range is seconds. Automatically close logout success screen after  secs (Windows only). Click this checkbox and set the time to configure the Logout success dialog to close automatically when the user manually logs out (otherwise the user has to click the OK button). Setting the time to 0 seconds prevents display of the logout success screen.
Web login users see the login and logout pages, quarantine role or blocked access pages and Nessus scan vulnerability reports, if enabled. You can also configure a User Agreement Page that appears to web login users before accessing the network. The dropdown list shows all roles in the system. Choose the client OS for the specified user role.
By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified. Click this checkbox to present the User Agreement Page "Virus Protection Information" after web login and network scanning. The page displays the content you configure in the User Agreement configuration form.
Users must click the Accept button to access the network. Note: The User Agreement page is only shown to the first user that logs in with the device. This helps to identify the authenticating user who accepted the UAP. If choosing this option, be sure to configure the page as described in Customize the User Agreement Page. Enable pop-up scan vulnerability reports from User Agreement Page. Click this checkbox to enable web login users to see the results of their network scan in a popup browser window.
If popup windows are blocked on the client computer, the user can view the report by clicking the Scan Report link on the Logout page.
Exempt certified devices from web login requirement by adding to MAC filters. This allows devices to bypass authentication and posture assessment the next time they access the network. If quarantined, the user must correct the problem with their system and go through network scanning again until no vulnerabilities are found in order to access the network. Note: The role session expiration time appears in parentheses next to the quarantine role name. This session time also appears on the User Agreement Page, if display of the page is enabled for a quarantined user.
It lets you present a User Agreement Page specific to the quarantine role chosen for users who fail scanning. Alternatively, Cisco NAC Appliance can present the page associated with the user's normal login role, or no page. See Customize the User Agreement Page for further information. Cisco NAC Appliance compliance policies reduce the threat of computer viruses, worms, and other malicious code on your network.
Cisco NAC Appliance is a powerful tool that enables you to enforce network access requirements, detect security threats and vulnerabilities on clients, and distribute patches, antivirus and anti-spyware software.
It lets you block access or quarantine users who do not comply with your security requirements, thereby stopping viruses and worms at the edge of the network, before they can do harm. Cisco NAC Appliance evaluates a client system when a user tries to access the network.
Almost all aspects of Cisco NAC Appliance are configured and applied by user role and operating system. This allows you to customize Cisco NAC Appliance as appropriate for the types of users and devices that will be accessing your network.
Cisco NAC Appliance provides three different methods for finding vulnerabilities on client systems and allowing users to fix vulnerabilities or install required packages: The general summary of steps to configure client posture assessment in Cisco NAC Appliance is as follows:
Retrieve general updates for the Agent(s) and other deployment elements. Require use of the Agent for a role, enable network scanning web pages for web login users, and block or quarantine users with vulnerabilities.
See Client Login Overview. Traffic policies for the quarantine role allow access to the User Agreement Page and web resources for quarantined users who failed network scanning. Traffic policies for the Agent Temporary role allow access to the resources from which the user can download required software packages. Plan and define your requirements per user role.
Configure AV Rules or create custom rules from checks. Map requirements to each user role. Load Nessus plugins to the Clean Access Manager repository. To enable network scanning, select the Nessus plugins to participate in scanning, then configure scan result vulnerabilities for the user roles and operating systems.
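The steps above chain checks into rules, rules into requirements, and requirements onto user roles and operating systems; a failed requirement lands the session in the Agent Temporary role. The following is an added example written for this page, not Cisco's code or API: a small model of that decision, with constructed sample data. The check kinds and the layout of the client's posture dict are assumptions made here; only the role names "Agent Temporary" and "ALL" come from the text.

```python
# Added example for this page (not Cisco's code or API): how Agent checks,
# rules and requirements decide the role a login session is assigned. Check
# kinds and the client posture dict layout are assumptions made here.
from dataclasses import dataclass

TEMPORARY_ROLE = "Agent Temporary"   # limited access so the user can remediate

@dataclass(frozen=True)
class Rule:
    checks: tuple        # (kind, target) pairs: registry key, service, or file
    mode: str = "all"    # "all": every check must pass; "any": one suffices

@dataclass(frozen=True)
class Requirement:
    name: str
    rule: Rule
    roles: frozenset     # user roles the requirement is mapped to
    os: str = "ALL"      # "ALL" applies when no OS-specific setting exists

def run_check(kind: str, target: str, posture: dict) -> bool:
    """Evaluate one Agent-style check against the client's reported posture."""
    if kind == "registry":
        return target in posture.get("registry_keys", ())
    if kind == "service":
        return posture.get("services", {}).get(target) == "running"
    if kind == "file":
        return target in posture.get("files", ())
    raise ValueError(f"unknown check kind {kind!r}")

def rule_passes(rule: Rule, posture: dict) -> bool:
    results = [run_check(k, t, posture) for k, t in rule.checks]
    return all(results) if rule.mode == "all" else any(results)

def assess(login_role: str, posture: dict, requirements) -> tuple:
    """Return (role assigned to the session, names of failed requirements)."""
    failed = [r.name for r in requirements
              if login_role in r.roles
              and r.os in ("ALL", posture["os"])
              and not rule_passes(r.rule, posture)]
    return (TEMPORARY_ROLE if failed else login_role), failed

# Constructed sample policy: AV for every mapped role on any OS; hotfix marker
# file only for Windows hosts in the Employee role.
REQUIREMENTS = (
    Requirement("AV installed and running",
                Rule((("registry", r"HKLM\SOFTWARE\ExampleAV"), ("service", "ExampleAVService"))),
                frozenset({"Employee", "Contractor"})),
    Requirement("Hotfix present",
                Rule((("file", r"C:\Windows\hotfix_marker.txt"),)),
                frozenset({"Employee"}), os="Windows"),
)
```

A role with no mapped requirement passes straight through, which is why the text recommends planning requirements per user role before mapping them.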
Cisco NAC Appliance: Enforcing Host Security with Clean Access
With Cisco NAC Appliance (formerly Cisco Clean Access), you can use your organization's network infrastructure to enforce security policy compliance on all devices that attempt to gain access. Your network administrators can use the Cisco NAC Appliance to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users before they can access the network. You can deploy this system as an overlay solution for accounts requiring network authentication, role-based access control, and posture assessment. It also supports posture assessment for guest users. Cisco's Services can help you increase operational efficiency, lower support costs, and improve availability and risk management.