Network Admission Control (NAC) refers to Cisco's version of Network Access Control, which restricts access to the network based on identity or security posture. When a network device (switch, router, wireless access point, DHCP server, etc.) is configured for NAC, it can force user or machine authentication prior to granting access to the network. In addition, guest access can be granted to a quarantine area for remediation of any problems that may have caused authentication failure. This is enforced through an inline custom network device, changes to an existing switch or router, or a restricted DHCP class. A typical (non-free) WiFi connection is a form of NAC. The user must present some sort of credentials (or a credit card) before being granted access to the network.
In its initial phase, the Cisco Network Admission Control (NAC) functionality enables Cisco routers to enforce access privileges when an endpoint attempts to connect to a network. This access decision can be on the basis of information about the endpoint device, such as its current antivirus state. The antivirus state includes information such as version of antivirus software, virus definitions, and version of scan engine.
Network admission control systems allow noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, thus keeping insecure nodes from infecting the network.
The key component of the Cisco Network Admission Control program is the Cisco Trust Agent, which resides on an endpoint system and communicates with Cisco routers on the network. The Cisco Trust Agent collects security state information, such as what antivirus software is being used, and communicates this information to Cisco routers. The information is then relayed to a Cisco Secure Access Control Server (ACS) where access control decisions are made. The ACS directs the Cisco router to perform enforcement against the endpoint.
This Cisco product has been marked End of Life since November 30, 2011, which is Cisco's terminology for a product that is no longer developed or supported.
Posture assessment
Besides user authentication, authorization in NAC can be based upon compliance checking. This posture assessment is the evaluation of system security based on the applications and settings that a particular system is using. These might include Windows registry settings or the presence of security agents such as anti-virus or personal firewall. NAC products differ in their checking mechanisms:
* 802.1x Extensible Authentication Protocol
* Microsoft Windows AD domain authentication - login credentials
* Cisco NAC Appliance L2 switch or L3 authentication
* Pre-installed security agent
* Web-based security agent
* Network packet signatures or anomalies
* External network vulnerability scanner
* External database of known systems
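The decision flow described above (an agent reports antivirus version, virus definitions, scan engine, firewall and registry state, and a policy server decides between full access, quarantine for remediation, or restricted access) as an added illustration; this is not Cisco's code, and the thresholds, the `AutoUpdate` registry key and the sample endpoints are constructed assumptions:

```python
# Added example (not Cisco's code): a toy posture-assessment policy mapping an
# endpoint's reported security state to the article's three outcomes: full,
# quarantine for remediation, restricted. Thresholds and samples are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

FULL, QUARANTINE, RESTRICTED = "full", "quarantine", "restricted"

@dataclass
class Posture:                      # what a trust-agent style client reports
    agent_present: bool
    av_product: str = ""
    av_version: tuple = ()          # antivirus software version, e.g. (12, 1)
    av_definitions: Optional[date] = None   # date of the virus definitions
    scan_engine: tuple = ()         # scan engine version
    firewall_enabled: bool = False
    registry: dict = field(default_factory=dict)  # hypothetical registry values

POLICY = {                          # constructed policy thresholds
    "today": date(2011, 6, 1), "min_av": (10, 0), "max_def_age_days": 7,
    "min_engine": (5, 0), "registry": {"AutoUpdate": 1},
}

def assess(p, policy=POLICY):
    """Return (decision, reasons); reasons lists every failed check."""
    if not p.agent_present:         # posture unknown: restricted (guest) access only
        return RESTRICTED, ["no agent: posture unknown"]
    reasons = []
    if not p.av_product:
        reasons.append("no antivirus reported")
    else:
        if p.av_version < policy["min_av"]:
            reasons.append("antivirus version below minimum")
        if p.av_definitions is None or \
                (policy["today"] - p.av_definitions).days > policy["max_def_age_days"]:
            reasons.append("virus definitions out of date")
        if p.scan_engine < policy["min_engine"]:
            reasons.append("scan engine below minimum")
    if not p.firewall_enabled:
        reasons.append("personal firewall disabled")
    for key, want in policy["registry"].items():
        if p.registry.get(key) != want:
            reasons.append(f"registry {key} is not {want!r}")
    return (QUARANTINE if reasons else FULL), reasons

def run_samples():                  # three constructed endpoints
    ok = Posture(True, "ExampleAV", (12, 1), date(2011, 5, 30), (5, 2), True, {"AutoUpdate": 1})
    stale = Posture(True, "ExampleAV", (12, 1), date(2011, 4, 1), (5, 2), True, {"AutoUpdate": 1})
    return {"healthy": assess(ok), "stale": assess(stale), "guest": assess(Posture(False))}
```

The "stale" endpoint is the remediation case: it is quarantined with the failed check listed, while the agent-less endpoint is not quarantined but only given restricted access because nothing is known about it.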
Agent-less posture assessment
Most NAC vendors require the 802.1x supplicant (client or agent) to be installed. Some, including Hexis' NetBeat NAC, Trustwave, and Enterasys, offer agent-less posture checking. This is designed to handle the "Bring Your Own Device" or "BYOD" scenario to:
* Detect and fingerprint all network attached devices, whether wired or wireless
* Determine if these devices have common vulnerabilities and exposures (aka "CVEs")
* Quarantine rogue devices as well as those infected with new malware
The agent-less approach works heterogeneously across almost all network environments and with all network device types.
See also
* Access control
* Network Access Protection
* Cisco NAC Appliance
* Network Access Control
* PacketFence
External links
* Network Admission Control - Cisco Systems
* Agent-less Network Admission Control - NetClarity, Inc.
* FastNAC
* Next-generation NAC