The initial release of the Cisco NAC Framework became available in June 2004 and continues to evolve in phases. The functions of the solution architecture remain consistent; however, as each phase is introduced, more capabilities and deeper integration are added to the NAC Framework architecture. To stay up to date with NAC and partner products, refer to the URL www.cisco.com/go/nac. NAC Framework includes the following main components, as shown in Figure 6-1:

Figure 6-1. NAC Framework Components
The next sections describe the main components in more detail.

Endpoint Security Application

An endpoint security application is security software that resides on a host computer. Depending on the application, it can provide host-based intrusion prevention system (HIPS), antivirus scanning, personal firewall, and other host security functions. Cisco Security Agent is a HIPS example. NAC partners provide NAC-enabled security applications that use a posture plug-in that communicates their credentials and state with a posture agent, both residing on the same endpoint. Many endpoint security applications provide antivirus capabilities, and some provide additional identity-based services. For a list of NAC partners, refer to www.cisco.com and search for "Network Admission Control Current Participants."

Posture Agent

A posture agent is middleware or broker software that collects security state information from multiple NAC-enabled endpoint security applications, such as antivirus clients. It communicates the endpoint device's compliance condition. This condition is referred to as the posture of an endpoint. The posture information is sent to Cisco Secure Access Control Server (ACS) by way of the Cisco network access device. The Cisco Trust Agent is Cisco's implementation of the posture agent. Cisco has licensed the trust-agent technology to its NAC partners so that it can be integrated with their security software client products. The trust agent is free and is also integrated with the Cisco Security Agent. Cisco Trust Agent can work at Layer 3 with Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), and Cisco Trust Agent (CTA) version 2 can also work at Layer 2 with Extensible Authentication Protocol over 802.1x (EAPo802.1x) or Extensible Authentication Protocol over LAN (EAPoLAN).

Network Access Devices

Network access devices that enforce admission control policy include Cisco routers, switches, wireless access points, and security appliances.
These devices demand endpoint security credentials and relay this information to policy servers, where network admission control decisions are made. Based on customer-defined policy, the network will enforce the appropriate admission control decision: permit, deny, quarantine, or restrict. Another term for this device is security policy enforcement point (PEP).

Policy Server

A policy server evaluates the endpoint security information relayed from network access devices (NADs) and determines the appropriate admission policy for enforcement. The Cisco Secure ACS, an authentication, authorization, and accounting (AAA) RADIUS server, is the foundation of the policy server system and is a requirement for NAC. Cisco Secure ACS is where the admission security policy is created and evaluated to determine the endpoint device's compliance condition or posture. Optionally, Cisco Secure ACS may work in concert with other policy and audit servers to provide the following additional admission validations:
The optional validation policy servers communicate the user authentication status or compliance status or both to Cisco Secure ACS, which makes the final determination as to the admission policy for the endpoint. Policy decision point is a term used to describe the function Cisco Secure ACS performs.

Management and Reporting Tools

In addition to the required NAC components, a management system is recommended to manage and monitor the various devices. Reporting tools are available to operations personnel to identify which endpoints are compliant and, most importantly, which endpoints are not compliant. Examples include Cisco Security MARS and CiscoWorks Security Information Manager Solution (SIMS).
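As an added illustration (not code from the book or from Cisco), the following Python model walks a posture through the roles described in this section: posture plug-ins report credentials to the posture agent, the network access device relays them, the policy decision point evaluates them, and the enforcement point applies one of the four decisions. The policy rules, version numbers, severity ordering and action strings are constructed assumptions, not Cisco Secure ACS or IOS behaviour.

```python
from dataclasses import dataclass

# Admission decisions the policy decision point (Cisco Secure ACS in the text) can return.
PERMIT, DENY, QUARANTINE, RESTRICT = "permit", "deny", "quarantine", "restrict"

# Constructed ordering: when several rules fire, the most restrictive decision wins.
SEVERITY = {PERMIT: 0, RESTRICT: 1, QUARANTINE: 2, DENY: 3}

# Constructed policy per application: minimum version, decision when absent/not running,
# decision when the application is present but out of date.
POLICY = {
    "antivirus": {"min_version": (8, 2), "if_missing": DENY, "if_stale": QUARANTINE},
    "hips": {"min_version": (4, 0), "if_missing": RESTRICT, "if_stale": RESTRICT},
}

@dataclass(frozen=True)
class PostureCredential:
    """One credential a NAC-enabled application reports through its posture plug-in."""
    application: str  # "antivirus", "hips", ...
    version: tuple    # engine/signature version as a comparable tuple
    running: bool

def collect_posture(plugins):
    """Posture agent role (Cisco Trust Agent in the text): aggregate every plug-in's
    credential into the endpoint's posture, keyed by application type."""
    return {cred.application: cred for cred in plugins}

def evaluate_posture(posture, policy=POLICY):
    """Policy decision point role: compare the relayed posture against the policy."""
    decision = PERMIT
    for app, rule in policy.items():
        cred = posture.get(app)
        if cred is None or not cred.running:
            outcome = rule["if_missing"]
        elif cred.version < rule["min_version"]:
            outcome = rule["if_stale"]
        else:
            continue  # this application satisfies the policy
        if SEVERITY[outcome] > SEVERITY[decision]:
            decision = outcome
    return decision

def enforce(decision):
    """Policy enforcement point role (router, switch, access point, appliance): map the
    decision to a network action. Action strings are illustrative, not device config."""
    return {PERMIT: "forward normally", RESTRICT: "apply restricted access list",
            QUARANTINE: "place in remediation VLAN", DENY: "drop all traffic"}[decision]

def admit(plugins):
    """Whole flow: plug-ins -> posture agent -> NAD relays to ACS -> NAD enforces."""
    decision = evaluate_posture(collect_posture(plugins))
    return decision, enforce(decision)
```

Note that the enforcement point never decides on its own: it only applies what the decision point returns, which is why a missing antivirus credential and a stale one produce different network outcomes.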