NAC Appliance and NAC Framework - ambiguous queries - related to my previous thread

Posted on 2007-03-20
Last Modified: 2010-04-11
Referring to this link
http://www.experts-exchange.com/Security/Misc/Q_22456344.html


That means if we are looking to implement NAC appliances, we are looking to have these components (required) within our network:

1- NAC Appliance box (Clean Access Server) - function: Security Policy Enforcement

http://sslvpn.breakawaymg.com/nac/ciscoCA.php

2- Clean Access Manager Server (CAM) - function: Security Policy Creation. It also acts as the authentication proxy to the authentication servers that reside on the back end.


Q9- If CAM can act as an authentication server, why do I need to use a 3rd-party server for authentication?
For comparison please see the table that is provided in the link above; he says:
<quote>
•  3rd Party Authentication
•   Internal/external update sites
</quote>

Q10- Is the "Cisco Clean Access Agent" that is installed on an endpoint device the same as the "Cisco Security Agent"?
Is Cisco Security Agent the same as:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_white_paper0900aecd8020f438.shtml
or
http://img401.imageshack.us/img401/4246/csaonserverty5.jpg

Q11- If Cisco Clean Access Agent is an optional (not required) component for a NAC appliance implementation, that means we can install it on an endpoint device or we can leave it uninstalled. If we have not installed it on an endpoint device, how can the endpoint device communicate with the Clean Access Server (NAC)?
What he says about Cisco Clean Access Agent is this:
<quote>
Cisco Clean Access Agent. This is an optional client-side component of the Cisco Clean Access system. It is a read-only client that delivers device-based registry scans. The agent also can act as a remediation "wizard," automating the otherwise Web-based "click-through" process of cleaning a machine. It is downloadable and provisioned over the Internet.
</quote>


http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>It has a CD-rom drive. Basically they are HP Proliant with Cisco software.<<
Does that mean we have to update our NAC appliance box (antivirus software, spyware software, anti-trojan, etc.) through a CD disc when required, hence we have to have an updated CD as well (I believe it should be downloadable from the Cisco site)? What did you mean by: "Basically they are HP Proliant with Cisco software"?


Question by: zillah

Accepted Solution by: PowerIT (earned 500 total points)
ID: 18755841
Zillah, you have so many questions. That's a good thing!
I propose that you take a look at the manuals, that will clear up a lot:
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c3da9.pdf
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c38dd.pdf
http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/upgrade.pdf
This is the release note of the latest update: http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/4rn.pdf
This presentation is a detailed summary (is that a word?): http://www.cisco.com/web/MY/learning/cnsf/files/T1-S2_Snow.pdf
More documentation here: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

To answer your questions: I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so. NAC serves to enforce compliance by checking if the endpoint complies with the policy. E.g. it verifies if the endpoint has an up to date antivirus installed.

Also: when working agentless the user is redirected to a login page, where he has to login and his machine is scanned for compliance.

Regarding the hardware: you can buy a separate server which complies with this: http://www.cisco.com/en/US/products/ps6128/products_device_support_table09186a00807600e1.html
Or you can buy a pre-built and installed one from Cisco, which is a HP Proliant server with the software preinstalled. This is the easy way.

J.
Author Comment by: zillah
ID: 18756493
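To make concrete what the accepted answer describes (the NAC appliance does not itself act as AV or firewall; it checks whether the endpoint complies with a policy such as "up-to-date antivirus installed", and a non-compliant host is kept away from the production network, for example by placing it in an isolated VLAN), here is an added illustration in Python. It is not Cisco Clean Access code and not something from this thread: the policy fields, the posture-report format, the product names, the hotfix IDs and the VLAN numbers are all constructed for the example.

```python
"""Toy NAC admission check: evaluate an endpoint's self-reported posture
against an admission policy and decide where the host may go.

Added illustration only; the policy schema, report fields and VLAN numbers
below are assumptions made for this example, not Cisco's data model.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Constructed admission policy (assumed shape, not a Clean Access Manager schema).
POLICY = {
    "allowed_av_products": {"ExampleAV", "OtherAV"},          # constructed names
    "max_signature_age_days": 7,                               # assumed threshold
    "required_hotfixes": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, # placeholder IDs
    "access_vlan": 100,       # assumed: normal production VLAN
    "quarantine_vlan": 999,   # assumed: isolated remediation VLAN
}


@dataclass
class PostureReport:
    """What the agent (or an agentless scan) reports about the endpoint."""
    av_product: Optional[str]
    av_signature_date: Optional[date]
    installed_hotfixes: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    compliant: bool
    vlan: int
    failures: List[str]   # remediation items, empty when compliant


def evaluate_posture(report: PostureReport, policy: dict, today: date) -> Decision:
    """Compare a posture report with the policy; any failure means quarantine."""
    failures: List[str] = []

    # 1. An approved antivirus product must be present.
    if report.av_product is None:
        failures.append("no antivirus installed")
    elif report.av_product not in policy["allowed_av_products"]:
        failures.append(f"antivirus {report.av_product!r} is not an approved product")

    # 2. Its signatures must be recent; an unknown date counts as stale.
    if report.av_signature_date is None:
        failures.append("antivirus signature date unknown")
    else:
        age_days = (today - report.av_signature_date).days
        if age_days > policy["max_signature_age_days"]:
            failures.append(
                f"antivirus signatures are {age_days} days old "
                f"(max {policy['max_signature_age_days']})"
            )

    # 3. Every required OS hotfix must be installed.
    for hotfix in sorted(policy["required_hotfixes"] - report.installed_hotfixes):
        failures.append(f"missing required hotfix {hotfix}")

    if failures:
        # Out-of-band style enforcement: park the host on the remediation VLAN.
        return Decision(False, policy["quarantine_vlan"], failures)
    return Decision(True, policy["access_vlan"], [])


if __name__ == "__main__":
    today = date(2007, 3, 20)   # constructed "now", matching the thread's date
    # Constructed reports: one healthy host, one with stale signatures and a missing patch.
    healthy = PostureReport("ExampleAV", date(2007, 3, 18), {"KB-EXAMPLE-001", "KB-EXAMPLE-002"})
    stale = PostureReport("ExampleAV", date(2007, 3, 1), {"KB-EXAMPLE-001"})
    for name, rep in (("healthy", healthy), ("stale", stale)):
        d = evaluate_posture(rep, POLICY, today)
        print(f"{name}: compliant={d.compliant} vlan={d.vlan} failures={d.failures}")
```

The point of the structure is that the appliance only ever needs the policy and the list of checks (which Cisco's update feed keeps current, as discussed later in the thread); it does not need the antivirus engine itself. The remediation list returned with the quarantine decision is what a "click-through" or agent-driven remediation page would present to the user.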
>>I propose that you take a look at the manuals, that will clear up a lot: <<
Thanks. I will look at them.

>>I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so.<<
No, I am not.

Expert Comment by: PowerIT
ID: 18756883
Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...

J.
Author Comment by: zillah
ID: 18758356
Thanks J
>>"Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...<<
Yes, I meant this: "Or did you mean for the NAC to recognize new AV etc ...". Since the NAC appliance is out-of-the-box functionality with preinstalled support for antivirus and Microsoft updates, how can we update antivirus and Microsoft patches? Therefore I asked in my previous thread:
((Q3- How does NAC appliance get updated ? since it is standalone box ? do we have to connect it to net to get the necessary updates ?))
Author Comment by: zillah
ID: 18777237
>>Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...<<
Sorry J, for more clarification of what I meant in the above quote, see below (I have been told that):

(( The NAC Appliance gets updated as per configured schedule, in our case, once an hour, via CCO and it can
do this via a Proxy too for preconfigured checks for over 200 products. The actual update and most of the configuration is done on the Manager Appliance, which controls one or more NAC appliances ))
Author Comment by: zillah
ID: 18841360
http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>Q6: In band = physically between the monitored device and the rest of the network. Inline in the above quote is just the normal English meaning: the device is always in sync or in control. Out of band = logical separation using other means to block network access than physically denying access. E.g. redirecting to an isolated VLAN, assigning a special subnet ...<<

Just to share with you (you have already explained it) what I have found recently, it is the quote below:
http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1228704,00.html
[quote]
NAC appliances may operate out-of-band (consulted only during admission) , or in-line (passing traffic as a bridge or router after admission).
[/quote]
Expert Comment by: PowerIT
ID: 18869001
Zillah, I just returned from a holiday.
Do you have any questions left?

J.