Network Admission Control Overview


Worms and viruses continue to be disruptive, even though many businesses have invested significantly in antivirus and traditional security solutions. Not all users stay up to date with the many needed software security patches or antivirus files. Noncompliant endpoints are frequent and the reasons vary; for example:

  • A user might choose to wait and install a new update later because they don't have the time

  • A contractor, partner, or guest needs network access; however, the business may not control the endpoint

  • The endpoints are not managed

  • The business lacks the capability to monitor the endpoints and determine whether they are updated to conform to the business's security policy

When infected endpoints connect to the network, they unknowingly spread their infections to other improperly protected devices. This has caused businesses to examine how they should implement endpoint compliance enforcement, in addition to user authentication, before granting access to their networks.

Cisco Systems provides two network admission control solution choices:

  • NAC Appliance

  • NAC Framework

Chapter 7, "Cisco Clean Access," describes NAC Appliance, which was originally marketed as Cisco Clean Access (CCA). NAC Appliance is a turnkey self-sufficient package that does not rely on third-party products for determining and enforcing software compliance. This chapter focuses on NAC Framework.

NAC Framework is an integrated solution that enables businesses to leverage many of their existing Cisco network products, along with many third-party vendor products such as antivirus, security, and identity-based software. Vendor products must be NAC-enabled in order to communicate with the NAC-enabled network access devices. NAC Framework is extremely flexible because it can enforce more features available from other vendors' products. A comparison of customer preferences for choosing the NAC Appliance and NAC Framework is shown in Table 6-1.

Table 6-1. NAC Customer Profile

| NAC Framework | NAC Appliance |
| --- | --- |
| Uses an integrated framework approach, leveraging existing security solutions from other vendors | Prefers bundled, out-of-the-box functionality with preinstalled support for antivirus and Microsoft updates |
| Complex network environment, leveraging many types of Cisco network access products | Heterogeneous network infrastructure |
| Longer, phased-in deployment model | Rapid deployment model |
| Can integrate with 802.1x | Independent of 802.1x |

Source: Cisco Systems, Inc.1




Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539
Pages: 112
