Solved

NAC Appliance and NAC Framework - ambiguous queries - related to my previous thread

Posted on 2007-03-20
Last Modified: 2010-04-11
Referring to this link
http://www.experts-exchange.com/Security/Misc/Q_22456344.html


That means if we are looking to implement NAC appliances, we are looking to have these components (required) within our network:

1- NAC Appliance box (Clean Access Server): function: Security Policy Enforcement

http://sslvpn.breakawaymg.com/nac/ciscoCA.php

2- Clean Access Manager Server (CAM): function: Security Policy Creation; it also acts as the authentication proxy to the authentication servers that reside on the back end.


Q9- If CAM can act as an authentication server, why do I need to use a 3rd party server for authentication?
For comparison please see the table that is provided in the link above; he says:
<quote>
•  3rd Party Authentication
•   Internal/external update sites
</quote>

Q10- Is the “Cisco Clean Access Agent” that is installed on an endpoint device the same as the “Cisco Security Agent”?
Is Cisco Security Agent the same as:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_white_paper0900aecd8020f438.shtml
or
http://img401.imageshack.us/img401/4246/csaonserverty5.jpg

Q11- If Cisco Clean Access Agent is an optional (not required) component for a NAC appliance implementation, that means we can install it on an endpoint device or we can leave it uninstalled. If we have not installed it on an endpoint device, how can the endpoint device communicate with the Clean Access Server (NAC)?
What he says about Cisco Clean Access Agent is this:
<quote>
Cisco Clean Access Agent. This is an optional client-side component of the Cisco Clean Access system. It is a read-only client that delivers device-based registry scans. The agent also can act as a remediation "wizard," automating the otherwise Web-based "click-through" process of cleaning a machine. It is downloadable and provisioned over the Internet.
</quote>

http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>It has a CD-rom drive. Basically they are HP Proliant with Cisco software.<<
Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan, etc.) through a CD disc when it is required, hence we have to have an updated CD as well (I believe it should be downloadable from the Cisco site)? What did you mean by: "Basically they are HP Proliant with Cisco software"?


Question by: zillah
7 Comments

Accepted Solution by PowerIT (LVL 18, earned 2000 total points), ID: 18755841
Zillah, you have so many questions. That's a good thing!
I propose that you take a look at the manuals, that will clear up a lot:
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c3da9.pdf
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c38dd.pdf
http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/upgrade.pdf
This is the release note of the latest update: http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/4rn.pdf
This presentation is a detailed summary (is that a word?): http://www.cisco.com/web/MY/learning/cnsf/files/T1-S2_Snow.pdf
More documentation here: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

To answer your questions: I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so. NAC serves to enforce compliance by checking if the endpoint complies with the policy. E.g. it verifies if the endpoint has an up to date antivirus installed.

Also: when working agentless the user is redirected to a login page, where he has to login and his machine is scanned for compliance.

Regarding the hardware: you can buy a separate server which complies with this: http://www.cisco.com/en/US/products/ps6128/products_device_support_table09186a00807600e1.html
Or you can buy a pre-built and installed one from Cisco, which is an HP Proliant server with the software preinstalled. This is the easy way.

J.
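The accepted answer above makes the key point: the NAC appliance is not a UTM that cleans the endpoint, it checks whether the endpoint complies with a policy and decides what the endpoint is allowed to do. The following is an added, constructed example (not Cisco code and not part of this thread) that models that check as a small posture evaluator: a policy (approved antivirus product, maximum signature age, required hotfixes), endpoint attribute sets as the agent or an agentless scan might report them, and a decision that returns a role plus the remediation list. The attribute names ("av_product", "signature_date", "hotfixes"), the product and hotfix names, and the host names are assumptions made for the model, not Cisco check names.

```python
"""Posture-check model for a NAC-style admission decision.

Added, constructed example for this thread; it is not Cisco code and not the
thread's own. The NAC side does not clean or update the endpoint: it checks
whether the endpoint complies with a policy and hands back a role plus the
remediation list. Attribute names such as "av_product" and "signature_date",
and the product/hotfix names, are assumptions made for the model.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    approved_av: frozenset           # product names the organisation accepts
    max_signature_age: timedelta     # how stale AV signatures may be
    required_hotfixes: frozenset     # OS patches that must be present


@dataclass
class PostureResult:
    role: str                        # "access" or "quarantine"
    failures: List[str] = field(default_factory=list)


def evaluate_posture(endpoint: dict, policy: Policy, today: date) -> PostureResult:
    """Decide the role for one endpoint and list why it failed, if it did.

    `endpoint` is the attribute set gathered from the device. With the agent
    it comes from a registry/file scan; agentless (web login) it is whatever
    the network scan could see, so keys may be missing. A missing attribute
    counts as a failure: an unknown state is not evidence of compliance.
    """
    failures: List[str] = []

    av = endpoint.get("av_product")
    if av not in policy.approved_av:
        failures.append(f"antivirus: '{av}' is not an approved product")
    else:
        sig: Optional[date] = endpoint.get("signature_date")
        if sig is None or today - sig > policy.max_signature_age:
            failures.append("antivirus: signatures missing or older than "
                            f"{policy.max_signature_age.days} days")

    missing = sorted(policy.required_hotfixes - set(endpoint.get("hotfixes", ())))
    if missing:
        failures.append("hotfixes missing: " + ", ".join(missing))

    return PostureResult("access" if not failures else "quarantine", failures)


# --- constructed sample data (not real products, hosts or patches) -----------
TODAY = date(2007, 3, 20)            # fixed so the example is reproducible
POLICY = Policy(
    approved_av=frozenset({"ExampleAV"}),
    max_signature_age=timedelta(days=7),
    required_hotfixes=frozenset({"HOTFIX-A", "HOTFIX-B"}),
)
ENDPOINTS = {
    # agent-reported, fully patched, signatures two days old
    "pc-ok": {"av_product": "ExampleAV",
              "signature_date": TODAY - timedelta(days=2),
              "hotfixes": ["HOTFIX-A", "HOTFIX-B", "HOTFIX-C"]},
    # agent-reported, approved AV but signatures a month old
    "pc-stale": {"av_product": "ExampleAV",
                 "signature_date": TODAY - timedelta(days=30),
                 "hotfixes": ["HOTFIX-A", "HOTFIX-B"]},
    # agentless: the network scan saw no AV and no patch list at all
    "pc-unknown": {},
}


def evaluate_all(endpoints=ENDPOINTS, policy=POLICY, today=TODAY):
    """Run the check over every sample endpoint; returns name -> PostureResult."""
    return {name: evaluate_posture(attrs, policy, today)
            for name, attrs in endpoints.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result.role}")
        for reason in result.failures:
            print(f"    - {reason}")
```

The design choice worth noting is the handling of missing attributes: the agentless host "pc-unknown" is quarantined because nothing proved it compliant, not because something proved it non-compliant. That is what makes the agent useful even though it is optional; without it the check can only act on what a network scan can observe.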

Author Comment by zillah, ID: 18756493
>>I propose that you take a look at the manuals, that will clear up a lot: <<
Thanks. I will look at them.

>>I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so.<<
No, I am not.

Expert Comment by PowerIT, ID: 18756883
Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...

J.

Author Comment by zillah, ID: 18758356
Thanks J
>>"Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...<<
Yes, I meant this: "Or did you mean for the NAC to recognize new AV etc ...". Since the NAC appliance is out-of-the-box functionality with preinstalled support for antivirus and Microsoft updates, how can we update antivirus and Microsoft patches? Therefore I asked in my previous thread:
((Q3- How does NAC appliance get updated ? since it is standalone box ? do we have to connect it to net to get the necessary updates ?))

Author Comment by zillah, ID: 18777237
>>Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...<<
Sorry J, for more clarification, what I meant in the above quote is below (I have been told that):

(( The NAC Appliance gets updated as per configured schedule, in our case, once an hour, via CCO and it can do this via a Proxy too for preconfigured checks for over 200 products. The actual update and most of the configuration is done on the Manager Appliance, which controls one or more NAC appliances ))

Author Comment by zillah, ID: 18841360
http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>Q6: In band = physically between the monitored device and the rest of the network. Inline in the above quote is just the normal English meaning: the device is always in sync or in control. Out of band = logical separation using other means to block network access than physically denying access. E.g. redirecting to an isolated VLAN, assigning a special subnet ...<<

Just to share with you (you have already explained it) what I have found recently, is the quote below:
http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1228704,00.html
[quote]
NAC appliances may operate out-of-band (consulted only during admission) , or in-line (passing traffic as a bridge or router after admission).
[/quote]
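The in-band vs. out-of-band distinction in the two quotes above (consulted only during admission vs. passing traffic as a bridge or router after admission) is easiest to see as a small simulation. The following is an added, constructed example (not Cisco code and not part of this thread): an out-of-band device decides at admission and hands the switch a VLAN, after which it is no longer in the data path; an in-band device stays inline and is asked about every packet. Host names, VLAN numbers, the service names and the role-to-reachable-service table are assumptions made for the model.

```python
"""In-band vs. out-of-band NAC enforcement, as a small simulation.

Added, constructed example for this thread; it is not Cisco code and not the
thread's own. An out-of-band device is consulted only at admission and then
steps out of the data path (here, by having the switch move the host's port to
a VLAN); an in-band device stays inline and is consulted for every packet.
Host names, VLAN numbers and the role -> reachable-service table are
assumptions made for the model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed policy: which services each role may reach after admission.
ROLE_ALLOWED = {
    "access": {"intranet", "internet", "remediation"},
    "quarantine": {"remediation"},
}
# Constructed VLAN plan used by the out-of-band mode.
ROLE_VLAN = {"access": 100, "quarantine": 900}
VLAN_ALLOWED = {vlan: ROLE_ALLOWED[role] for role, vlan in ROLE_VLAN.items()}


@dataclass(frozen=True)
class Packet:
    src: str          # host name
    dst_service: str  # what it is trying to reach


@dataclass
class NacDevice:
    mode: str                                   # "inband" or "oob"
    roles: Dict[str, str] = field(default_factory=dict)
    consulted: int = 0                          # how often the device had to decide

    def admit(self, host: str, role: str) -> Optional[int]:
        """Admission-time decision (after login and posture check).

        Out-of-band: return the VLAN the switch should put the port in; the
        device is then out of the path. In-band: remember the role and keep
        filtering inline, so no VLAN is handed back.
        """
        self.consulted += 1
        self.roles[host] = role
        return ROLE_VLAN[role] if self.mode == "oob" else None

    def inspect(self, pkt: Packet) -> bool:
        """In-band data path: every packet is matched against the host's role."""
        self.consulted += 1
        role = self.roles.get(pkt.src)
        return role is not None and pkt.dst_service in ROLE_ALLOWED[role]


@dataclass
class Switch:
    port_vlan: Dict[str, int] = field(default_factory=dict)

    def forward(self, pkt: Packet, nac: NacDevice) -> bool:
        if nac.mode == "inband":
            return nac.inspect(pkt)          # traffic passes through the NAC box
        vlan = self.port_vlan.get(pkt.src)   # OOB: only the VLAN assignment applies
        if vlan is None:
            return False                     # not admitted yet, port still isolated
        return pkt.dst_service in VLAN_ALLOWED[vlan]


def simulate(mode: str) -> Tuple[List[bool], int]:
    """Admit two hosts, push four packets, return (verdicts, NAC consultations)."""
    nac, sw = NacDevice(mode), Switch()
    for host, role in (("pc-ok", "access"), ("pc-stale", "quarantine")):
        vlan = nac.admit(host, role)
        if vlan is not None:
            sw.port_vlan[host] = vlan
    # Constructed traffic: the compliant host reaches services, the
    # quarantined host may only reach remediation.
    traffic = [Packet("pc-ok", "intranet"), Packet("pc-ok", "internet"),
               Packet("pc-stale", "intranet"), Packet("pc-stale", "remediation")]
    return [sw.forward(p, nac) for p in traffic], nac.consulted


if __name__ == "__main__":
    for mode in ("oob", "inband"):
        verdicts, consulted = simulate(mode)
        print(f"{mode}: forwarded={verdicts}, NAC consulted {consulted} times")
```

Both modes forward the same packets, but in the out-of-band run the NAC device is consulted twice (once per admission) and never sees the traffic, while in-band it is consulted for each of the four packets on top of the two admissions. That is the practical trade-off: out-of-band keeps the box out of the forwarding path, but anything it wants to change after admission has to go through the switch (a new VLAN assignment), whereas in-band can change a host's treatment on the very next packet.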
Expert Comment by PowerIT, ID: 18869001
Zillah, I just returned from a holiday.
Do you have any questions left?

J.