
NAC Appliance and NAC Framework - ambiguous queries - related to my previous thread

Posted on 2007-03-20
Last Modified: 2010-04-11
Referring to this link
http://www.experts-exchange.com/Security/Misc/Q_22456344.html
That means if we are looking to implement NAC appliances we are looking to have these components (required) within our network:

1- NAC Appliance box (Clean Access Server), function: Security Policy Enforcement

http://sslvpn.breakawaymg.com/nac/ciscoCA.php

2- Clean Access Manager Server (CAM), function: Security Policy Creation, and it also acts as the authentication proxy to the authentication servers that reside on the back end.

Q9- If CAM can act as an authentication server, why do I need to use a 3rd party server for authentication?
For comparison please see the table that is provided in the link above; he says:
<quote>
•  3rd Party Authentication
•   Internal/external update sites
</quote>

Q10- Is the "Cisco Clean Access Agent" that is installed on an endpoint device the same as the "Cisco Security Agent"?
Is Cisco Security Agent the same as:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_white_paper0900aecd8020f438.shtml
or
http://img401.imageshack.us/img401/4246/csaonserverty5.jpg

Q11- If Cisco Clean Access Agent is an optional (not required) component for a NAC appliance implementation, that means we can install it on an endpoint device or not install it. If we have not installed it on an endpoint device, how can the endpoint device communicate with the Clean Access Server (NAC)?
What he says about Cisco Clean Access Agent is this:
<quote>
Cisco Clean Access Agent. This is an optional client-side component of the Cisco Clean Access system. It is a read-only client that delivers device-based registry scans. The agent also can act as a remediation "wizard," automating the otherwise Web-based "click-through" process of cleaning a machine. It is downloadable and provisioned over the Internet.
</quote>
http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>It has a CD-rom drive. Basically they are HP Proliant with Cisco software.<<
Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan, etc.) through a CD disc when it is required, hence we have to have an updated CD as well (I believe it should be downloadable from the Cisco site)? What did you mean by: Basically they are HP Proliant with Cisco software?


Question by: zillah
Accepted Solution by: PowerIT (earned 500 total points)
Zillah, you have so many questions. That's a good thing!
I propose that you take a look at the manuals, that will clear up a lot:
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c3da9.pdf
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c38dd.pdf
http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/upgrade.pdf
This is the release note of the latest update: http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/4rn.pdf
This presentation is a detailed summary (is that a word?): http://www.cisco.com/web/MY/learning/cnsf/files/T1-S2_Snow.pdf
More documentation here: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

To answer your questions: I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so. NAC serves to enforce compliance by checking if the endpoint complies with the policy. E.g. it verifies if the endpoint has an up-to-date antivirus installed.

Also: when working agentless the user is redirected to a login page, where he has to login and his machine is scanned for compliance.

Regarding the hardware: you can buy a separate server which complies with this: http://www.cisco.com/en/US/products/ps6128/products_device_support_table09186a00807600e1.html
Or you can buy a pre-built and installed one from Cisco, which is an HP Proliant server with the software preinstalled. This is the easy way.

J.
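To make the compliance check J. describes concrete (an added illustration, not code from this thread or from Cisco): a small Python model of a posture policy and the admission decision an enforcement point could derive from it, with agent and agentless scans feeding the same check. Product names, VLAN numbers and the hotfix id are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed model of a NAC admission decision (illustration, not Cisco code);
# VLAN numbers, product names and the hotfix id below are placeholders.
@dataclass
class Posture:
    """What the Clean Access Agent, or the agentless web scan, reports."""
    av_product: str | None            # installed antivirus product, if any
    av_defs_date: date | None         # date of the last definition update
    hotfixes: set[str] = field(default_factory=set)

@dataclass
class Policy:
    # Requirements the manager (CAM) pushes to the enforcement server (CAS).
    approved_av: set[str]             # products the policy has checks for
    max_def_age_days: int             # how stale definitions may be
    required_hotfixes: set[str]       # Microsoft updates that must be present

def assess(p: Posture, policy: Policy, today: date) -> list[str]:
    """Return the failed requirements; an empty list means compliant."""
    failures = []
    if p.av_product not in policy.approved_av:
        failures.append("approved antivirus not installed")
    elif p.av_defs_date is None or today - p.av_defs_date > timedelta(days=policy.max_def_age_days):
        failures.append("antivirus definitions out of date")
    missing = policy.required_hotfixes - p.hotfixes
    if missing:
        failures.append("missing hotfixes: " + ", ".join(sorted(missing)))
    return failures

def admit(p: Posture, policy: Policy, today: date) -> dict:
    """Out-of-band style enforcement: map the assessment to a role and VLAN."""
    failures = assess(p, policy, today)
    if not failures:
        return {"role": "access", "vlan": 10, "remediation": []}
    # Non-compliant hosts are parked in an isolated VLAN; the failure list is
    # what the agent's remediation wizard or the web portal walks the user through.
    return {"role": "quarantine", "vlan": 999, "remediation": failures}

# Constructed sample policy and endpoint reports.
POLICY = Policy({"ExampleAV", "OtherAV"}, max_def_age_days=7, required_hotfixes={"KB-PLACEHOLDER"})
SAMPLES = {
    "compliant": Posture("ExampleAV", date(2007, 3, 18), {"KB-PLACEHOLDER"}),
    "stale_defs": Posture("ExampleAV", date(2007, 1, 1), {"KB-PLACEHOLDER"}),
    "no_av_no_patch": Posture(None, None, set()),
}

def demo(today: date = date(2007, 3, 20)) -> dict[str, dict]:
    # Run every sample through the admission decision as of the given day.
    return {name: admit(p, POLICY, today) for name, p in SAMPLES.items()}
```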

Author Comment by: zillah
>>I propose that you take a look at the manuals, that will clear up a lot: <<
Thanks. I will look at them.

>>I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so.<<
No, I am not.

Expert Comment by: PowerIT
Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan, etc.)". Or did you mean for the NAC to recognize new AV etc ...

J.

Author Comment by: zillah
Thanks J
>>"Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan, etc.)". Or did you mean for the NAC to recognize new AV etc ...<<
Yes, I meant this: "Or did you mean for the NAC to recognize new AV etc ...". Since the NAC appliance is out-of-the-box functionality with preinstalled support for antivirus and Microsoft updates, how can we update antivirus and Microsoft patches? Therefore I have asked in my previous thread:
((Q3- How does the NAC appliance get updated, since it is a standalone box? Do we have to connect it to the net to get the necessary updates?))

Author Comment by: zillah
>>Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan, etc.)". Or did you mean for the NAC to recognize new AV etc ...<<
Sorry J, for more clarification, what I meant in the above quote is below (I have been told that):

((The NAC Appliance gets updated as per the configured schedule, in our case once an hour, via CCO, and it can do this via a proxy too, for preconfigured checks for over 200 products. The actual update and most of the configuration is done on the Manager Appliance, which controls one or more NAC appliances.))

Author Comment by: zillah
http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>Q6: In band = physically between the monitored device and the rest of the network. Inline in the above quote is just the normal English meaning: the device is always in sync or in control. Out of band = logical separation using other means to block network access than physically denying access. E.g. redirecting to an isolated VLAN, assigning a special subnet ...<<

Just to share with you (you have already explained it) what I have found recently, see the quote below:
http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1228704,00.html
[quote]
NAC appliances may operate out-of-band (consulted only during admission) , or in-line (passing traffic as a bridge or router after admission).
[/quote]

Expert Comment by: PowerIT
Zillah, I just returned from a holiday.
Do you have any questions left?

J.