NAC Appliance and NAC Framework - ambiguous queries - related to my previous thread

Referring to this link
http://www.experts-exchange.com/Security/Misc/Q_22456344.html


That means if we are looking to implement NAC appliances we are looking to have these components (required) within our network:

1- NAC Appliance box (Clean Access Server), function: Security Policy Enforcement

http://sslvpn.breakawaymg.com/nac/ciscoCA.php

2- Clean Access Manager Server (CAM), function: Security Policy Creation; it also acts as the authentication proxy to the authentication servers that reside on the back end.


Q9- If CAM can act as an authentication server, why do I need to use a 3rd party server for authentication?
For comparison please see the table that is provided in the link above; he says:
<quote>
•  3rd Party Authentication
•   Internal/external update sites
</quote>

Q10- Is "Cisco Clean Access Agent", which is installed on an endpoint device, the same as "Cisco Security Agent"?
Is Cisco Security Agent the same as:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_white_paper0900aecd8020f438.shtml
or
http://img401.imageshack.us/img401/4246/csaonserverty5.jpg

Q11- If Cisco Clean Access Agent is an optional (not required) component for a NAC appliance implementation, that means we can install it on an endpoint device or not install it. If we have not installed it on an endpoint device, how can the endpoint device communicate with the Clean Access Server (NAC)?
What he says about Cisco Clean Access Agent is this:
<quote>
Cisco Clean Access Agent. This is an optional client-side component of the Cisco Clean Access system. It is a read-only client that delivers device-based registry scans. The agent also can act as a remediation "wizard," automating the otherwise Web-based "click-through" process of cleaning a machine. It is downloadable and provisioned over the Internet.
</quote>


http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>It has a CD-rom drive. Basically they are HP Proliant with Cisco software.<<
Does that mean we have to update our NAC appliance box (antivirus software, spyware software, anti-Trojan, etc.) through a CD disc when it is required, hence we have to have an updated CD as well (I believe it should be downloadable from the Cisco site)? What did you mean by: Basically they are HP Proliant with Cisco software?


Asked by zillah

PowerIT commented:
Zillah, you have so many questions. That's a good thing!
I propose that you take a look at the manuals, that will clear up a lot:
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c3da9.pdf
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c38dd.pdf
http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/upgrade.pdf
This is the release note of the latest update: http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/4rn.pdf
This presentation is a detailed summary (is that a word?): http://www.cisco.com/web/MY/learning/cnsf/files/T1-S2_Snow.pdf
More documentation here: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

To answer your questions: I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so. NAC serves to enforce compliance by checking if the endpoint complies with the policy. E.g. it verifies if the endpoint has an up-to-date antivirus installed.

Also: when working agentless, the user is redirected to a login page, where he has to log in and his machine is scanned for compliance.

Regarding the hardware: you can buy a separate server which complies with this: http://www.cisco.com/en/US/products/ps6128/products_device_support_table09186a00807600e1.html
Or you can buy a pre-built and installed one from Cisco, which is an HP Proliant server with the software preinstalled. This is the easy way.

J.
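To make the "enforce compliance by checking the endpoint" point concrete, here is a small posture-assessment model written for this thread (added example, not Cisco code and not something any poster supplied). It takes a per-endpoint posture report, applies a policy (antivirus present with signatures no older than a threshold, a set of required patches), and returns an admission decision that either grants the normal access VLAN or parks the host in a remediation VLAN with the failed checks listed, which is the out-of-band enforcement style discussed later in the thread. The policy values, VLAN ids, patch ids and sample hosts are all constructed assumptions; a signature date in the future is treated as a failure rather than as "fresh", since that usually indicates a clock problem on the endpoint.

```python
"""Toy NAC posture check: evaluate endpoint compliance, then admit or quarantine.
Added illustration for this thread; all policy values below are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Constructed policy (assumed values, not Cisco defaults).
MAX_SIGNATURE_AGE_DAYS = 7
REQUIRED_HOTFIXES = {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}  # placeholder ids
ACCESS_VLAN = 100        # assumed production VLAN
QUARANTINE_VLAN = 900    # assumed remediation VLAN


@dataclass
class Posture:
    """What an agent scan (or an agentless web scan) reports about one host."""
    host: str
    av_installed: bool
    av_signature_date: Optional[date]
    installed_hotfixes: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    host: str
    admitted: bool
    vlan: int
    failed_checks: List[str]


def evaluate(posture: Posture, today: date) -> Decision:
    """Apply the policy; any failed check sends the host to quarantine."""
    failed: List[str] = []
    if not posture.av_installed:
        failed.append("antivirus not installed")
    elif posture.av_signature_date is None:
        failed.append("antivirus signature date unknown")
    else:
        age = (today - posture.av_signature_date).days
        if age < 0:
            # Future-dated signatures are not "fresh"; the endpoint clock is suspect.
            failed.append("antivirus signature date is in the future (clock skew?)")
        elif age > MAX_SIGNATURE_AGE_DAYS:
            failed.append(f"antivirus signatures are {age} days old (limit {MAX_SIGNATURE_AGE_DAYS})")
    for kb in sorted(REQUIRED_HOTFIXES - posture.installed_hotfixes):
        failed.append(f"missing patch {kb}")
    admitted = not failed
    return Decision(posture.host, admitted, ACCESS_VLAN if admitted else QUARANTINE_VLAN, failed)


def remediation_steps(decision: Decision) -> List[str]:
    """Turn failed checks into the actions a remediation 'wizard' would walk through."""
    steps: List[str] = []
    for check in decision.failed_checks:
        if check.startswith("antivirus"):
            steps.append("update or install antivirus and refresh signatures")
        elif check.startswith("missing patch"):
            steps.append("install " + check.split()[-1])
    return steps


# Constructed sample scan results and reference date.
TODAY = date(2007, 4, 1)
SAMPLE_POSTURES = [
    Posture("laptop-01", True, date(2007, 3, 30), {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    Posture("laptop-02", True, date(2007, 3, 1), {"KB-EXAMPLE-001"}),
    Posture("kiosk-03", False, None, set()),
    Posture("laptop-04", True, date(2007, 4, 9), {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
]


def run_sample() -> dict:
    """Evaluate every sample host; returns {hostname: Decision}."""
    return {p.host: evaluate(p, TODAY) for p in SAMPLE_POSTURES}


if __name__ == "__main__":
    for d in run_sample().values():
        state = "ADMIT" if d.admitted else "QUARANTINE"
        print(f"{d.host}: {state} vlan={d.vlan} {d.failed_checks} -> {remediation_steps(d)}")
```

The same `evaluate` function works whether the posture came from the agent or from an agentless web scan; what differs in practice is how much the scan can see, which is why the agent (with its registry access) is the more reliable source for the checks the policy relies on.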
zillah (Author) commented:
>>I propose that you take a look at the manuals, that will clear up a lot: <<
Thanks. I will look at them.

>>I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so.<<
No. I am not.
PowerIT commented:
Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...

J.
zillah (Author) commented:
Thanks J
>>"Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...<<
Yes, I meant this: "Or did you mean for the NAC to recognize new AV etc ...". Since the NAC appliance is out-of-the-box functionality with preinstalled support for antivirus and Microsoft updates, how can we update antivirus and Microsoft patches? Therefore I asked in my previous thread:
((Q3- How does NAC appliance get updated ? since it is standalone box ? do we have to connect it to net to get the necessary updates ?))
zillah (Author) commented:
>>Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...<<
Sorry J, for more clarification of what I meant in the above quote, see below (I have been told that):

(( The NAC Appliance gets updated as per configured schedule, in our case, once an hour, via CCO and it can
do this via a Proxy too for preconfigured checks for over 200 products. The actual update and most of the configuration is done on the Manager Appliance, which controls one or more NAC appliances ))
zillah (Author) commented:
http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>Q6: In band = physically between the monitored device and the rest of the network. Inline in the above quote is just the normal English meaning: the device is always in sync or in control. Out of band = logical separation using other means to block network access than physically denying access. E.g. redirecting to an isolated VLAN, assigning a special subnet ...<<

Just to share with you (you have already explained it) what I have found recently, the quote below:
http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1228704,00.html
[quote]
NAC appliances may operate out-of-band (consulted only during admission) , or in-line (passing traffic as a bridge or router after admission).
[/quote]
PowerIT commented:
Zillah, I just returned from a holiday.
Do you have any questions left?

J.