Network Admission Control
Encyclopedia
Network Admission Control (NAC) refers to Cisco's version of Network Access Control
, which restricts access to the network based on identity or security posture. When a network device (switch
, router, wireless access point
, DHCP server, etc.) is configured for NAC, it can force user or machine authentication prior to granting access to the network. In addition, guest access can be granted to a quarantine area for remediation of any problems that may have caused authentication failure. This is enforced through an inline custom network device, changes to an existing switch or router, or a restricted DHCP class. A typical (non-free) WiFi
connection is a form of NAC. The user must present some sort of credentials (or a credit card) before being granted access to the network.
In its initial phase, the Cisco Network Admission Control (NAC) functionality enables Cisco routers to enforce access privileges when an endpoint attempts to connect to a network. This access decision can be on the basis of information about the endpoint device, such as its current antivirus state. The antivirus state includes information such as version of antivirus software, virus definitions, and version of scan engine.
Network admission control systems allow noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, thus keeping insecure nodes from infecting the network.
The key component of the Cisco Network Admission Control program is the Cisco Trust Agent, which resides on an endpoint system and communicates with Cisco routers on the network. The Cisco Trust Agent collects security state information, such as what antivirus software is being used, and communicates this information to Cisco routers. The information is then relayed to a Cisco Secure Access Control Server (ACS) where access control decisions are made. The ACS directs the Cisco router to perform enforcement against the endpoint.
settings or the presence of security agents such as anti-virus or personal firewall
. NAC products differ in their checking mechanisms:
Network Access Control
Network Access Control is an approach to computer network security that attempts to unify endpoint security technology , user or system authentication and network security enforcement.-Background:Network Access Control is a computer networking solution that uses a set of protocols to define and...
, which restricts access to the network based on identity or security posture. When a network device (switch
Network switch
A network switch or switching hub is a computer networking device that connects network segments.The term commonly refers to a multi-port network bridge that processes and routes data at the data link layer of the OSI model...
, router, wireless access point
Wireless access point
In computer networking, a wireless access point is a device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards...
, DHCP server, etc.) is configured for NAC, it can force user or machine authentication prior to granting access to the network. In addition, guest access can be granted to a quarantine area for remediation of any problems that may have caused authentication failure. This is enforced through an inline custom network device, changes to an existing switch or router, or a restricted DHCP class. A typical (non-free) WiFi
WIFI
WIFI is a radio station broadcasting a brokered format. Licensed to Florence, New Jersey, USA, the station is currently operated by Florence Broadcasting Partners, LLC.This station was previously owned by Real Life Broadcasting...
connection is a form of NAC. The user must present some sort of credentials (or a credit card) before being granted access to the network.
In its initial phase, the Cisco Network Admission Control (NAC) functionality enables Cisco routers to enforce access privileges when an endpoint attempts to connect to a network. This access decision can be on the basis of information about the endpoint device, such as its current antivirus state. The antivirus state includes information such as version of antivirus software, virus definitions, and version of scan engine.
Network admission control systems allow noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, thus keeping insecure nodes from infecting the network.
The key component of the Cisco Network Admission Control program is the Cisco Trust Agent, which resides on an endpoint system and communicates with Cisco routers on the network. The Cisco Trust Agent collects security state information, such as what antivirus software is being used, and communicates this information to Cisco routers. The information is then relayed to a Cisco Secure Access Control Server (ACS) where access control decisions are made. The ACS directs the Cisco router to perform enforcement against the endpoint.
Posture assessment
Besides user authentication, authorization in NAC can be based upon compliance checking. This posture assessment is the evaluation of system security based on the applications and settings that a particular system is using. These might include Windows registryWindows registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
settings or the presence of security agents such as anti-virus or personal firewall
Personal firewall
A personal firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy. Typically it works as an application layer firewall....
. NAC products differ in their checking mechanisms:
- 802.1x Extensibile Authentication ProtocolExtensible Authentication ProtocolExtensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and Point-to-Point connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and was updated by RFC 5247....
- Microsoft WindowsMicrosoft WindowsMicrosoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
AD domain authentication - login credentials - Cisco NAC ApplianceCisco NAC ApplianceCisco NAC Appliance, formerly Cisco Clean Access , is a network admission control system developed by Cisco Systems designed to produce a secure and clean network environment -- the NAC appliance is however still referred to as Cisco Clean Access by some in the industry or Universities such as...
L2 switch or L3 authentication - Pre-installed security agent
- Web-based security agent
- Network packet signatures or anomalies
- External network vulnerability scannerVulnerability scannerA vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. There are a number of types of vulnerability scanners available today, distinguished from one another by a focus on particular targets...
- External database of known systems
See also
- Access ControlAccess controlAccess control refers to exerting control over who can interact with a resource. Often but not always, this involves an authority, who does the controlling. The resource can be a given building, group of buildings, or computer-based information system...
- Network Access ProtectionNetwork Access ProtectionNetwork Access Protection is a Microsoft technology for controlling network access of a computer host based on the system health of the host, first introduced in Windows Server 2008....
- Cisco NAC ApplianceCisco NAC ApplianceCisco NAC Appliance, formerly Cisco Clean Access , is a network admission control system developed by Cisco Systems designed to produce a secure and clean network environment -- the NAC appliance is however still referred to as Cisco Clean Access by some in the industry or Universities such as...
- Network Access ControlNetwork Access ControlNetwork Access Control is an approach to computer network security that attempts to unify endpoint security technology , user or system authentication and network security enforcement.-Background:Network Access Control is a computer networking solution that uses a set of protocols to define and...
- PacketFencePacketFencePacketFence is an open-source network access control system which provides the following features: registration, detection of abnormal network activities, proactive vulnerability scans, isolation of problematic devices, remediation through a captive portal, 802.1X, wireless integration and...
- The leading Free and Open Source NAC solution
External links
- Network Admission Control - Cisco Systems