奇科電腦
Introduction to Cisco NAC

Author: Ben

01 Preface

When I served as a technical manager at Cisco Systems, I observed that Cisco Systems had treated network security as one of the company's key development directions since the early 2000s. On the premise of research and development of a self-defense system, they began to acquire companies with relevant products and mechanisms, of which Cisco NAC is a very important part. In fact, NAC is not one product but an intelligent mechanism composed of various information security products, used to automate the whole defensive maintenance process. With correct authentication and authorization, NAC can reduce the manual intervention caused by misjudgement and resolve problems immediately. As a result, the heterogeneous vendors involved in NAC implementation and application are quite extensive, so product universality (interoperability across vendors) is the primary issue that NAC technology currently has to overcome.

The following figure indicates NAC evolution:

02 Cisco NAC feature

  1. Universality: the best support for Microsoft platforms; uses pre-existing third-party software
  2. Pre-existing network devices: makes full use of Cisco network devices, which can be shared with other vendors' products.
  3. Support for various access modes: wired, wireless, VPN and WAN are all available.
  4. Innovation: Single Sign-On, rulesets, design description, router module, etc.
  5. NAC appliance: plug-and-play, without complicated installation

03 Cisco NAC advantage

  1. Single Sign-On
    Cisco NAC devices support most authentication methods, including Kerberos, Lightweight Directory Access Protocol (LDAP), RADIUS, Active Directory (AD), S/Ident, etc. For client convenience, Cisco NAC also supports VPN. In addition, with Single Sign-On for WLAN clients and the Windows AD domain, the system administrator can issue different permissions to separate different classes of users through a role-based access control mechanism.
  2. Vulnerability evaluation
    Cisco NAC can run vulnerability scans against various operating systems, including Windows, MacOS and Linux-based machines, as well as non-PC network devices such as PDAs, game consoles, printers and IP phones. The scanning approach can be customized for different environments and devices to achieve the required evaluation precision. In addition, a Cisco NAC device can also check, via registry keys, which services, system files and identified applications are configured.
  3. Device isolation
    A Cisco NAC device can isolate a machine that violates policy in order to avoid a greater impact. The isolated machine is then placed in a quarantine area for remediation and restoration, where it is either configured in a /30 subnet or put in a different VLAN.
  4. Automatic Security Policy Updates
    Automatic Security Policy Updates are part of the default policy mechanism offered by the Cisco maintenance pack, which is used to standardize the criteria for general network access. The mechanism automatically checks whether the operating system patches, virus signatures and anti-spyware definitions are out of date, easing the system administrator's burden.
  5. Centralized management
    The web management interface of Cisco NAC allows the system administrator to define which scanning mode applies to which users and to define the remediation packs that system recovery requires; that is, one Cisco NAC manager can manage multiple servers.
  6. Remediation and maintenance
    The isolation policy allows an isolated device to connect to the system remediation server to automatically upgrade the operating system and virus signatures. CSA (Cisco Security Agent) is also installed on the isolated machine to provide a complete security mechanism. The system administrator can also customize a series of automatic remediation actions.
  7. Flexible deployment model
    Cisco NAC offers the most deployment models in the industry and can be applied to any network topology. These models include virtual gateway, real IP gateway, in-band, out-of-band, etc.
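As an added illustration, not Cisco's code or rule format, the following Python sketch models the posture-check loop that items 2, 3, 4 and 6 above describe: a host's reported state is evaluated against a policy (signature age, required services, registry values), and any failed rule maps the host to a quarantine VLAN together with the list of things remediation must fix before it is re-evaluated. The policy thresholds, VLAN numbers and sample endpoints are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
# Constructed sample policy: thresholds and checks are illustrative, not Cisco's rule syntax.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
POLICY = {"max_signature_age_days": 7,
          "required_services": {"windows": {"wuauserv", "MpsSvc"}, "linux": {"clamav-daemon"}},
          "registry_checks": {"windows": {UAC_KEY: "1"}}}   # expected registry values per OS
ACCESS_VLAN, QUARANTINE_VLAN = 10, 99                        # assumed VLAN ids for the two roles

@dataclass
class Endpoint:                       # what the agent or network scan reports about one host
    host: str
    os: str
    av_signature_date: date | None
    running_services: set[str]
    registry: dict[str, str] = field(default_factory=dict)

@dataclass
class Decision:
    host: str
    role: str                         # "access" or "quarantine"
    vlan: int
    findings: list[str]               # what remediation has to fix before re-evaluation

def evaluate(ep: Endpoint, policy: dict, today: date) -> Decision:
    """Posture check: any failed rule sends the host to the quarantine VLAN with the reasons."""
    findings = []
    if ep.os not in policy["required_services"]:
        findings.append(f"no posture policy for OS '{ep.os}'")  # unknown device class: fail closed
    if ep.av_signature_date is None:
        findings.append("no antivirus signature reported")
    elif (age := (today - ep.av_signature_date).days) > policy["max_signature_age_days"]:
        findings.append(f"antivirus signatures {age} days old")
    for svc in sorted(policy["required_services"].get(ep.os, set()) - ep.running_services):
        findings.append(f"required service not running: {svc}")
    for key, expected in policy["registry_checks"].get(ep.os, {}).items():
        if ep.registry.get(key) != expected:
            findings.append(f"registry value {key} is {ep.registry.get(key)!r}, expected {expected!r}")
    role, vlan = ("quarantine", QUARANTINE_VLAN) if findings else ("access", ACCESS_VLAN)
    return Decision(ep.host, role, vlan, findings)
# Constructed sample endpoints and evaluation date.
SAMPLE_TODAY = date(2024, 5, 10)
SAMPLE_GOOD = Endpoint("pc-01", "windows", date(2024, 5, 8), {"wuauserv", "MpsSvc"}, {UAC_KEY: "1"})
SAMPLE_STALE = Endpoint("pc-02", "windows", date(2024, 4, 1), {"wuauserv"})

if __name__ == "__main__":
    for d in (evaluate(ep, POLICY, SAMPLE_TODAY) for ep in (SAMPLE_GOOD, SAMPLE_STALE)):
        print(f"{d.host}: role={d.role} vlan={d.vlan} findings={d.findings}")
```

A device class with no policy entry (a printer, for instance) fails closed into quarantine here; a real deployment would exempt such devices explicitly rather than let them pass unchecked.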

The following figure indicates various NAC deployments:

04 Introduction to Cisco NAC element

05 Cisco NAC certification course and material

Cisco Systems works hard on network security. In addition to acquiring companies with cutting-edge technology, Cisco Systems also keeps improving its certification system and related training materials. For NAC, Cisco Systems introduced the Cisco NAC Specialist certification, which you can earn by passing 642-522 (SND – Securing Cisco Network Devices) and 642-591 (CANAC – Implementing Cisco NAC Appliance). It is a cost-effective shortcut for those who want to acquire NAC skills but do not want to spend much time on the CCSP certification.

06 Cisco NAC official course objective

Cisco NAC Endpoint Security Solutions
Cisco NAC Appliance Common Elements Configuration
Cisco NAC Appliance Implementation
Cisco NAC Appliance Monitoring and Administration

07 Conclusion

Cisco Systems possesses the most complete set of network and host security products in the industry. Of the products I was responsible for at Cisco Systems, CSA, MARS, Cisco Guard/Detector, IPS, ASA/PIX and AVS have all been successfully combined with the NAC mechanism. In the near future, I think Cisco Systems will integrate all of its network security products into one complete Self-Defense System, like the human body.