NAC Appliance and NAC Framework - ambiguous queries - related to my previous thread

Referring to this link
http://www.experts-exchange.com/Security/Misc/Q_22456344.html


That means if we are looking to implement NAC appliances we are looking to have these components (required) within our network:

1- NAC Appliance box (Clean Access Server): function: Security Policy Enforcement

http://sslvpn.breakawaymg.com/nac/ciscoCA.php

2- Clean Access Manager Server (CAM): function: Security Policy Creation, and it also acts as the authentication proxy to the authentication servers that reside on the back end.


Q9- If CAM can act as an authentication server, why do I need to use a 3rd-party server for authentication?
For comparison please see the table that is provided in the link above; he says:
<quote>
•  3rd Party Authentication
•   Internal/external update sites
</quote>

Q10- Is the "Cisco Clean Access Agent" that is installed on an endpoint device the same as "Cisco Security Agent"?
Is Cisco Security Agent the same as:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_white_paper0900aecd8020f438.shtml
or
http://img401.imageshack.us/img401/4246/csaonserverty5.jpg

Q11- If Cisco Clean Access Agent is an optional (not required) component for a NAC appliance implementation, that means we can install it on an endpoint device or not install it. If we have not installed it on an endpoint device, how can the endpoint device communicate with the Clean Access Server (NAC)?
What he says about Cisco Clean Access Agent is this:
<quote>
Cisco Clean Access Agent. This is an optional client-side component of the Cisco Clean Access system. It is a read-only client that delivers device-based registry scans. The agent also can act as a remediation "wizard," automating the otherwise Web-based "click-through" process of cleaning a machine. It is downloadable and provisioned over the Internet.
</quote>


http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>It has a CD-rom drive. Basically they are HP Proliant with Cisco software.<<
Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti-Trojan, etc.) through a CD disc when it is required, hence we have to have an updated CD as well (I believe it should be downloadable from the Cisco site)? What did you mean by: "Basically they are HP Proliant with Cisco software"?


zillah asked:

PowerIT commented:
Zillah, you have so many questions. That's a good thing!
I propose that you take a look at the manuals, that will clear up a lot:
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c3da9.pdf
http://www.cisco.com/application/pdf/en/us/guest/products/ps7091/c1626/ccmigration_09186a00806c38dd.pdf
http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/upgrade.pdf
This is the release note of the latest update: http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/4rn.pdf
This presentation is a detailed summary (is that a word?): http://www.cisco.com/web/MY/learning/cnsf/files/T1-S2_Snow.pdf
More documentation here: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

To answer your questions: I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so. NAC serves to enforce compliance by checking if the endpoint complies with the policy. E.g. it verifies if the endpoint has an up to date antivirus installed.

Also: when working agentless the user is redirected to a login page, where he has to log in and his machine is scanned for compliance.

Regarding the hardware: you can buy a separate server which complies with this: http://www.cisco.com/en/US/products/ps6128/products_device_support_table09186a00807600e1.html
Or you can buy a pre-built and installed one from Cisco, which is an HP Proliant server with the software preinstalled. This is the easy way.

J.
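To make the compliance check described in the answer above concrete, here is an added example of what a posture policy evaluation looks like in code. It is not from this thread and not Cisco's code; the attribute names (patch level, antivirus product, signature date), the policy thresholds and the sample endpoints are all constructed assumptions. It shows the admission decision (allow or quarantine) together with the remediation steps that an agent "wizard" or a web-based click-through would present for a failing machine.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Posture:
    """What an endpoint reports during admission (hypothetical attribute set)."""
    host: str
    os_patch_level: int            # constructed cumulative patch number
    av_product: Optional[str]      # None when no antivirus is installed
    av_sig_date: Optional[date]    # date of the antivirus signature file
    av_running: bool = False


@dataclass
class Policy:
    """Compliance rules the NAC enforces (constructed thresholds)."""
    min_patch_level: int
    approved_av: Set[str]
    max_sig_age_days: int


@dataclass
class Decision:
    verdict: str                          # "allow" or "quarantine"
    failures: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


def evaluate(p: Posture, policy: Policy, today: date) -> Decision:
    """Check one endpoint against the policy; any failure means quarantine."""
    failures: List[str] = []
    remediation: List[str] = []

    if p.os_patch_level < policy.min_patch_level:
        failures.append(f"patch level {p.os_patch_level} below required {policy.min_patch_level}")
        remediation.append("install pending OS updates from the internal update site")

    if p.av_product is None:
        failures.append("no antivirus installed")
        remediation.append("install an approved antivirus product")
    else:
        if p.av_product not in policy.approved_av:
            failures.append(f"antivirus {p.av_product!r} is not on the approved list")
            remediation.append("replace antivirus with an approved product")
        if not p.av_running:
            failures.append("antivirus service is not running")
            remediation.append("start the antivirus service")
        if p.av_sig_date is None:
            failures.append("antivirus signature date unknown")
            remediation.append("run an antivirus signature update")
        else:
            age = (today - p.av_sig_date).days
            if age > policy.max_sig_age_days:
                failures.append(f"antivirus signatures are {age} days old (max {policy.max_sig_age_days})")
                remediation.append("run an antivirus signature update")

    verdict = "allow" if not failures else "quarantine"
    return Decision(verdict, failures, remediation)


def assess_all(endpoints: List[Posture], policy: Policy, today: date) -> Dict[str, Decision]:
    """Evaluate every endpoint and key the decisions by host name."""
    return {p.host: evaluate(p, policy, today) for p in endpoints}


# Constructed policy and sample endpoints; "ExampleAV" is a placeholder vendor name.
POLICY = Policy(min_patch_level=4200, approved_av={"ExampleAV", "OtherAV"}, max_sig_age_days=7)
TODAY = date(2007, 4, 10)
SAMPLE_ENDPOINTS = [
    Posture("pc-01", 4300, "ExampleAV", date(2007, 4, 9), av_running=True),   # compliant
    Posture("pc-02", 4300, "ExampleAV", date(2007, 3, 1), av_running=True),   # stale signatures
    Posture("pc-03", 4000, None, None),                                       # unpatched, no AV
]


if __name__ == "__main__":
    for host, d in assess_all(SAMPLE_ENDPOINTS, POLICY, TODAY).items():
        print(f"{host}: {d.verdict}")
        for f, r in zip(d.failures, d.remediation):
            print(f"  - {f} -> {r}")
```

The decision is deliberately all-or-nothing: any single failed check sends the host to quarantine, which is what a policy enforcement point should do; the remediation list is what turns that into a usable experience for the user rather than a bare denial.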

zillah (Author) commented:
>>I propose that you take a look at the manuals, that will clear up a lot: <<
Thanks. I will look at them.

>>I'm under the impression that you think that the NAC appliance is a UTM (firewall, AV, proxy ...). This is not so.<<
No, I am not.
PowerIT commented:
Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...

J.

zillah (Author) commented:
Thanks J
>>"Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...<<
Yes, I meant this: "Or did you mean for the NAC to recognize new AV etc ...". Since the NAC appliance is out-of-the-box functionality with preinstalled support for antivirus and Microsoft updates, how can we update antivirus and Microsoft patches? Therefore I asked in my previous thread:
((Q3- How does the NAC appliance get updated, since it is a standalone box? Do we have to connect it to the net to get the necessary updates?))
zillah (Author) commented:
>>Why this then: "Does that mean we have to update our NAC appliance box (Antivirus Software, Spyware Software, Anti Trojan,,,etc) ". Or did you mean for the NAC to recognize new AV etc ...<<
Sorry J, for more clarification, what I meant in the above quote is below (I have been told that):

(( The NAC Appliance gets updated as per configured schedule, in our case, once an hour, via CCO and it can do this via a Proxy too for preconfigured checks for over 200 products. The actual update and most of the configuration is done on the Manager Appliance, which controls one or more NAC appliances ))
zillah (Author) commented:
http://www.experts-exchange.com/Security/Misc/Q_22456344.html
>>Q6: In band = physically between the monitored device and the rest of the network. Inline in the above quote is just the normal English meaning: the device is always in sync or in control. Out of band = logical separation using other means to block network access than physically denying access. E.g. redirecting to an isolated VLAN, assigning a special subnet ...<<

Just to share with you (you have already explained it) what I have found recently, which is the quote below:
http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1228704,00.html
[quote]
NAC appliances may operate out-of-band (consulted only during admission) , or in-line (passing traffic as a bridge or router after admission).
[/quote]
PowerIT commented:
Zillah, I just returned from a holiday.
Do you have any questions left?

J.