Cisco NAC Appliance
Encyclopedia
Cisco NAC Appliance, formerly Cisco Clean Access (CCA), is a network admission control (NAC) system developed by Cisco Systems
designed to produce a secure and clean network environment -- the NAC appliance is however still referred to as Cisco Clean Access by some in the industry or Universities such as University of Alabama in Huntsville and Cleveland Clinic
. Originally developed by Perfigo
and marketed under the name of Perfigo SmartEnforcer, this network admission control
device analyzes systems attempting to access the network and prevents vulnerable computers from joining the network. The system usually installs an application known as the Clean Access Agent on computers that will be connected to the network. This application, in conjunction with both a Clean Access server and a Clean Access Manager, has become common in many universities and corporate environments today. It is capable of managing wired
or wireless networks in an in-band
or out-of-band
configuration mode, and Virtual Private networks (VPN
) in an in-band only configuration mode.
, Windows Me
, Windows 2000
, Windows XP
, Windows XP Media Center Edition
, Windows Vista
, Windows 7 and Mac OS X
); most network administrators allow clients with non-Windows operating systems (such as Mac OS 9
, Linux
, and FreeBSD
) to access the network without any security checks (authentication is still required and is usually handled via a Web interface).
based clients to download and install the Clean Access Agent application (at this time, non-Windows based clients need only authenticate via the web interface and agree to any network terms of service). Once installed, the Agent software will require the user to re-authenticate. Once re-authenticated, the Agent software will typically check the client computer for known vulnerabilities to the Windows
operating system being used, as well as for updated anti-virus software and definitions. The checks are maintained as a series of "rules" on the Clean Access Manager side. The Clean Access Manager (CAM) can be configured to check, install, or update anything on the user's system. Once the Agent application checks the system, the Agent will inform the user of the result - either with a success message, or a failed message. Failed messages inform the user of what category(s) the system failed (Windows updates, antivirus, etc.), and instruct the user on how to proceed.
Any system failing the checks will be denied general access to the network and will probably be placed in a quarantined role (how exactly a failed system is handled depends entirely on how the Clean Access Manager is configured, and may vary from network to network. For example: a failed system may simply be denied all network access afterward). Quarantined systems are then typically given a 60-minute window where the user can try to resolve the reason(s) for quarantine. In such a case, the user is only allowed connectivity to the Windows Update
website and a number of antivirus providers (Symantec
, McAfee
, Trend Micro
, etc.), or the user may be redirected to a Guest Server for remediation. All other traffic is typically blocked. Once the 60-minute window expires, all network traffic is blocked. The user has the option of re-authenticating with Clean Access again, and continuing the process as needed.
Systems passing the checks are granted access to the network as defined by the assigned role on the Clean Access Manager. Clean Access configurations vary from site to site. The network services available will also vary based on Clean Access configuration and the assigned user role.
Systems usually need to re-authenticate a minimum of once per week, regardless of their status; however, this option can be changed by the network administrator. Also, if a system is disconnected from the network for a set amount of time (usually ten minutes), the user will have to re-authenticate when they reconnect to the network.
's Xbox
and Xbox 360
, Sony
's PlayStation 2
, PlayStation 3
and PlayStation Portable
, and Nintendo
's GameCube
, Wii
and the DS
, as well as the TiVo
digital video recorder, to access their networks. While web browsers are being introduced to some of those platforms, some are still lacking the necessary web-based means to authenticate into a NAC server and therefore such devices are often exempted from authentication via Clean Access.
Many universities allow a gaming device to be registered via its MAC address
, and any device with that MAC address will be allowed to access the network without authentication or review. Several possible security holes open up as a result:
In response to this, the Clean Access Server can typically automatically detect if a device on the network is a gaming device (accomplished by looking up the manufacturer of the network interface by MAC address, in conjunction with a port scan
).
string after authentication. If a Windows system is detected, then the server will ask the user to download the Clean Access Agent; on all other operating system
s, login is complete. To combat attempts to spoof the OS in use on the client, newer versions of the Server and Agent (3.6.0 and up) also probe the host via TCP/IP stack fingerprinting
and JavaScript
to verify the machine's operating system:
. With online games, the disruptions created by Cisco NAC Appliance cause the player to be logged off the gaming server. Numerous individuals who have experienced this rather blunt manner of security have openly expressed frustration with this software in forums as well as on Facebook with groups and posts.
Cisco Systems
Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, United States, that designs and sells consumer electronics, networking, voice, and communications technology and services. Cisco has more than 70,000 employees and annual revenue of US$...
designed to produce a secure and clean network environment -- the NAC appliance is however still referred to as Cisco Clean Access by some in the industry or Universities such as University of Alabama in Huntsville and Cleveland Clinic
Cleveland Clinic
The Cleveland Clinic is a multispecialty academic medical center located in Cleveland, Ohio, United States. The Cleveland Clinic is currently regarded as one of the top 4 hospitals in the United States as rated by U.S. News & World Report...
. Originally developed by Perfigo
Perfigo
Perfigo is a computer networking company based in the United States. It was acquired by Cisco Systems on October 21, 2004....
and marketed under the name of Perfigo SmartEnforcer, this network admission control
Network Admission Control
Network Admission Control refers to Cisco's version of Network Access Control, which restricts access to the network based on identity or security posture. When a network device is configured for NAC, it can force user or machine authentication prior to granting access to the network...
device analyzes systems attempting to access the network and prevents vulnerable computers from joining the network. The system usually installs an application known as the Clean Access Agent on computers that will be connected to the network. This application, in conjunction with both a Clean Access server and a Clean Access Manager, has become common in many universities and corporate environments today. It is capable of managing wired
Ethernet
Ethernet is a family of computer networking technologies for local area networks commercially introduced in 1980. Standardized in IEEE 802.3, Ethernet has largely replaced competing wired LAN technologies....
or wireless networks in an in-band
In-band signaling
In telecommunications, in-band signaling is the sending of metadata and control information in the same band or channel used for data.-Telephone:...
or out-of-band
Out-of-band
The term out-of-band has different uses in communications and telecommunication. In case of out-of-band control signaling, signaling bits are sent in special order in a dedicated signaling frame...
configuration mode, and Virtual Private networks (VPN
Virtual private network
A virtual private network is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network....
) in an in-band only configuration mode.
Clean Access Agent
The Clean Access Agent (abbreviation: CCAA, "Cisco Clean Access Agent") resides on the client's machine, authenticates the user, and scans for the required patches and software. Currently the Clean Access Agent application is only available for some Windows and Mac OS X operating systems (Windows 98Windows 98
Windows 98 is a graphical operating system by Microsoft. It is the second major release in the Windows 9x line of operating systems. It was released to manufacturing on 15 May 1998 and to retail on 25 June 1998. Windows 98 is the successor to Windows 95. Like its predecessor, it is a hybrid...
, Windows Me
Windows Me
Windows Millennium Edition, or Windows Me , is a graphical operating system released on September 14, 2000 by Microsoft, and was the last operating system released in the Windows 9x series. Support for Windows Me ended on July 11, 2006....
, Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
, Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
, Windows XP Media Center Edition
Windows XP Media Center Edition
Windows XP Media Center Edition is a version of the Windows XP operating system designed to serve as a home-entertainment hub. The last version, Windows XP Media Center Edition 2005, was released in October 2004.-Versions:...
, Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
, Windows 7 and Mac OS X
Mac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
); most network administrators allow clients with non-Windows operating systems (such as Mac OS 9
Mac OS 9
Mac OS 9 is the final major release of Apple's Mac OS before the launch of Mac OS X. Introduced on October 23, 1999, Apple positioned it as "The Best Internet Operating System Ever," highlighting Sherlock 2's Internet search capabilities, integration with Apple's free online services known as...
, Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
, and FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
) to access the network without any security checks (authentication is still required and is usually handled via a Web interface).
Authentication
After successfully authenticating via a web interface, the Clean Access Server will direct new WindowsMicrosoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
based clients to download and install the Clean Access Agent application (at this time, non-Windows based clients need only authenticate via the web interface and agree to any network terms of service). Once installed, the Agent software will require the user to re-authenticate. Once re-authenticated, the Agent software will typically check the client computer for known vulnerabilities to the Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
operating system being used, as well as for updated anti-virus software and definitions. The checks are maintained as a series of "rules" on the Clean Access Manager side. The Clean Access Manager (CAM) can be configured to check, install, or update anything on the user's system. Once the Agent application checks the system, the Agent will inform the user of the result - either with a success message, or a failed message. Failed messages inform the user of what category(s) the system failed (Windows updates, antivirus, etc.), and instruct the user on how to proceed.
Any system failing the checks will be denied general access to the network and will probably be placed in a quarantined role (how exactly a failed system is handled depends entirely on how the Clean Access Manager is configured, and may vary from network to network. For example: a failed system may simply be denied all network access afterward). Quarantined systems are then typically given a 60-minute window where the user can try to resolve the reason(s) for quarantine. In such a case, the user is only allowed connectivity to the Windows Update
Windows Update
Windows Update is a service provided by Microsoft that provides updates for the Microsoft Windows operating system and its installed components, including Internet Explorer...
website and a number of antivirus providers (Symantec
Symantec
Symantec Corporation is the largest maker of security software for computers. The company is headquartered in Mountain View, California, and is a Fortune 500 company and a member of the S&P 500 stock market index.-History:...
, McAfee
McAfee
McAfee, Inc. is a computer security company headquartered in Santa Clara, California, USA. It markets software and services to home users, businesses and the public sector. On August 19, 2010, electronics company Intel agreed to purchase McAfee for $7.68 billion...
, Trend Micro
Trend Micro
Trend Micro Inc. is a computer security company. It is headquartered in Tokyo, Japan and markets Trend Micro Internet Security, Trend Micro Worry-Free Business Security, OfficeScan, and other related security products and services...
, etc.), or the user may be redirected to a Guest Server for remediation. All other traffic is typically blocked. Once the 60-minute window expires, all network traffic is blocked. The user has the option of re-authenticating with Clean Access again, and continuing the process as needed.
Systems passing the checks are granted access to the network as defined by the assigned role on the Clean Access Manager. Clean Access configurations vary from site to site. The network services available will also vary based on Clean Access configuration and the assigned user role.
Systems usually need to re-authenticate a minimum of once per week, regardless of their status; however, this option can be changed by the network administrator. Also, if a system is disconnected from the network for a set amount of time (usually ten minutes), the user will have to re-authenticate when they reconnect to the network.
Windows Updates
Clean Access normally checks a Windows system for required updates by checking the system's registry. A corrupted registry may keep a user from being able to access the network.Gaming consoles and MAC spoofing
Several universities allow game consoles, such as MicrosoftMicrosoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
's Xbox
Xbox
The Xbox is a sixth-generation video game console manufactured by Microsoft. It was released on November 15, 2001 in North America, February 22, 2002 in Japan, and March 14, 2002 in Australia and Europe and is the predecessor to the Xbox 360. It was Microsoft's first foray into the gaming console...
and Xbox 360
Xbox 360
The Xbox 360 is the second video game console produced by Microsoft and the successor to the Xbox. The Xbox 360 competes with Sony's PlayStation 3 and Nintendo's Wii as part of the seventh generation of video game consoles...
, Sony
Sony
, commonly referred to as Sony, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan and the world's fifth largest media conglomerate measured by revenues....
's PlayStation 2
PlayStation 2
The PlayStation 2 is a sixth-generation video game console manufactured by Sony as part of the PlayStation series. Its development was announced in March 1999 and it was first released on March 4, 2000, in Japan...
, PlayStation 3
PlayStation 3
The is the third home video game console produced by Sony Computer Entertainment and the successor to the PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes with Microsoft's Xbox 360 and Nintendo's Wii as part of the seventh generation of video game consoles...
and PlayStation Portable
PlayStation Portable
The is a handheld game console manufactured and marketed by Sony Corporation Development of the console was announced during E3 2003, and it was unveiled on , 2004, at a Sony press conference before E3 2004...
, and Nintendo
Nintendo
is a multinational corporation located in Kyoto, Japan. Founded on September 23, 1889 by Fusajiro Yamauchi, it produced handmade hanafuda cards. By 1963, the company had tried several small niche businesses, such as a cab company and a love hotel....
's GameCube
Nintendo GameCube
The , officially abbreviated to NGC in Japan and GCN in other regions, is a sixth generation video game console released by Nintendo on September 15, 2001 in Japan, November 18, 2001 in North America, May 3, 2002 in Europe, and May 17, 2002 in Australia...
, Wii
Wii
The Wii is a home video game console released by Nintendo on November 19, 2006. As a seventh-generation console, the Wii primarily competes with Microsoft's Xbox 360 and Sony's PlayStation 3. Nintendo states that its console targets a broader demographic than that of the two others...
and the DS
Nintendo DS
The is a portable game console produced by Nintendo, first released on November 21, 2004. A distinctive feature of the system is the presence of two separate LCD screens, the lower of which is a touchscreen, encompassed within a clamshell design, similar to the Game Boy Advance SP...
, as well as the TiVo
TiVo
TiVo is a digital video recorder developed and marketed by TiVo, Inc. and introduced in 1999. TiVo provides an on-screen guide of scheduled broadcast programming television programs, whose features include "Season Pass" schedules which record every new episode of a series, and "WishList"...
digital video recorder, to access their networks. While web browsers are being introduced to some of those platforms, some are still lacking the necessary web-based means to authenticate into a NAC server and therefore such devices are often exempted from authentication via Clean Access.
Many universities allow a gaming device to be registered via its MAC address
MAC address
A Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet...
, and any device with that MAC address will be allowed to access the network without authentication or review. Several possible security holes open up as a result:
- The MAC address belongs to a computer, not a gaming console; this is likely done by people who don't want to install Clean Access, or be subjected to the annoyances of authentication and a check by the Agent application.
- The MAC address was provided incorrectly, and will thus grant an unknown device immediate full access. (However, with the billions of possible MAC addresses, this is a very unlikely occurrence).
- A user could change the MAC address of their own computer to match the gaming device's (a classic MAC spoof attack).
In response to this, the Clean Access Server can typically automatically detect if a device on the network is a gaming device (accomplished by looking up the manufacturer of the network interface by MAC address, in conjunction with a port scan
Port scanner
A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it.A port scan or portscan is "An attack...
).
User Agent Spoofing
The Clean Access Server (CAS) determines the client's operating system by reading the browser's user agentUser agent
In computing, a user agent is a client application implementing a network protocol used in communications within a client–server distributed computing system...
string after authentication. If a Windows system is detected, then the server will ask the user to download the Clean Access Agent; on all other operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s, login is complete. To combat attempts to spoof the OS in use on the client, newer versions of the Server and Agent (3.6.0 and up) also probe the host via TCP/IP stack fingerprinting
TCP/IP stack fingerprinting
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications...
and JavaScript
JavaScript
JavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....
to verify the machine's operating system:
By default, the system uses the User-AgentUser agentIn computing, a user agent is a client application implementing a network protocol used in communications within a client–server distributed computing system...
string from the HTTPHypertext Transfer ProtocolThe Hypertext Transfer Protocol is a networking protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web....
header to determine the client OS. Release 3.6.0 provides additional detection options to include using the platform information from JavaScriptJavaScriptJavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....
or OS fingerprinting from the TCP/IPInternet protocol suiteThe Internet protocol suite is the set of communications protocols used for the Internet and other similar networks. It is commonly known as TCP/IP from its most important protocols: Transmission Control Protocol and Internet Protocol , which were the first networking protocols defined in this...
handshake to determine the client OS. This feature is intended to prevent users from changing identification of their client operating systems through manipulating HTTPHypertext Transfer ProtocolThe Hypertext Transfer Protocol is a networking protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web....
information. Note that this is a "passive" detection technique that only inspects the TCP handshake and is not impacted by the presence of a firewallFirewall (computing)A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
.
Microsoft Windows Scripting
The Clean Access Agent makes extensive use of the Windows Script Engine, version 5.6. It was demonstrated that removal or disabling of the scripting engine in MS Windows will bypass and break posture interrogation by the Clean Access Agent, which will "fail open" and allow devices to connect to a network upon proper authentication.Device Segregation
While MAC address spoofing may be accomplished in a wireless environment by means of using a sniffer to detect and clone the MAC address of a client who has already been authorized or placed in a "clean" user role, it is not easy to do so in a wired environment, unless the Clean Access Server has been misconfigured. In a correct architecture and configuration, the Clean Access Server would hand out IP subnets and addresses via DHCP on its untrusted interface using a 30 bit network address and 2 bits for hosts, therefore only one host could be placed in each DHCP scope/subnet at any given time. This segregates unauthorized users from each other and from the rest of the network, and makes wired-sniffing irrelevant and spoofing or cloning of authorized MAC addresses nearly impossible. Proper and similar implementation in a wireless environment would in fact contribute to a more secure instance of Clean Access.Certified-Device Timers
In addition, MAC-spoofing could further be combated with the use of timers for certified devices. Timers allow administrators to clear the list of certified MAC addresses on a regular basis and force a re-authorization of devices and users to the Clean Access Server. Timers allow an administrator to clear certified devices based on user roles, time and date, and age of certification; a staggered method is also available that allows one to avoid clearing all devices at once.Complaints
Cisco NAC Appliance is notorious for creating disruptions in the Internet connections of users, considering a continuous connection between a computer and a server or another computer as suspicious activity. This is problematic for individuals using Skype or any webcam activity as well as online games such as World of WarcraftWorld of Warcraft
World of Warcraft is a massively multiplayer online role-playing game by Blizzard Entertainment. It is the fourth released game set in the fantasy Warcraft universe, which was first introduced by Warcraft: Orcs & Humans in 1994...
. With online games, the disruptions created by Cisco NAC Appliance cause the player to be logged off the gaming server. Numerous individuals who have experienced this rather blunt manner of security have openly expressed frustration with this software in forums as well as on Facebook with groups and posts.
External links
- Cisco Product Page
- Clean Access Administrators Mailing List - Archives hosted by Miami UniversityMiami UniversityMiami University is a coeducational public research university located in Oxford, Ohio, United States. Founded in 1809, it is the 10th oldest public university in the United States and the second oldest university in Ohio, founded four years after Ohio University. In its 2012 edition, U.S...
- Cisco Security Response - Cisco's Response to the latest NAC Agent Installation Bypass vulnerability
- CCA Workaround/Hack/Exploit Details