
Network Admission Control (NAC) refers to Cisco's version of network access control, which restricts access to the network based on identity or security posture. When a network device (switch, router, wireless access point, DHCP server, etc.) is configured for NAC, it can force user or machine authentication prior to granting access to the network. In addition, guest access can be granted to a quarantine area for remediation of any problems that may have caused authentication failure. This is enforced through an inline custom network device, changes to an existing switch or router, or a restricted DHCP class. A typical (non-free) Wi-Fi connection is a form of NAC: the user must present some sort of credentials (or a credit card) before being granted access to the network.

In its initial phase, the Cisco Network Admission Control (NAC) functionality enables Cisco routers to enforce access privileges when an endpoint attempts to connect to a network. This access decision can be made on the basis of information about the endpoint device, such as its current antivirus state. The antivirus state includes information such as the version of the antivirus software, the virus definitions, and the version of the scan engine. Network admission control systems allow noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, thus keeping insecure nodes from infecting the network. The key component of the Cisco Network Admission Control program is the Cisco Trust Agent, which resides on an endpoint system and communicates with Cisco routers on the network. The Cisco Trust Agent collects security state information, such as what antivirus software is being used, and communicates this information to Cisco routers. The information is then relayed to a Cisco Secure Access Control Server (ACS), where access control decisions are made. The ACS directs the Cisco router to perform enforcement against the endpoint. This Cisco product has been marked End of Life since November 30, 2011, which is Cisco's terminology for a product that is no longer developed or supported.


Posture assessment

Besides user authentication, authorization in NAC can be based upon compliance checking. This posture assessment is the evaluation of system security based on the applications and settings that a particular system is using. These might include Windows registry settings or the presence of security agents such as anti-virus or a personal firewall. NAC products differ in their checking mechanisms:

* 802.1X Extensible Authentication Protocol
* Microsoft Windows AD domain authentication (login credentials)
* Cisco NAC Appliance L2 switch or L3 authentication
* Pre-installed security agent
* Web-based security agent
* Network packet signatures or anomalies
* External network vulnerability scanner
* External database of known systems
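The decision flow described above (an endpoint agent reports its security state, a policy server evaluates it against the organisation's compliance rules, and the network device enforces the result by granting full, restricted or quarantine access) can be illustrated with a small posture evaluator. This is an added example written for this page, not Cisco's or any vendor's code: the posture fields, the policy thresholds, the VLAN numbers and the sample endpoints are all constructed for illustration.

```python
"""Posture assessment: evaluate an endpoint's reported security state against a
compliance policy and return the access decision a NAC enforcement point would
apply.  Added example; all field names, thresholds and VLAN ids are constructed."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"            # compliant: full access
    RESTRICTED = "restricted"  # minor findings: limited access, stays on the network
    QUARANTINE = "quarantine"  # remediation / guest area only


# Ordering used when several findings apply: the worst one decides.
RANK = {Decision.ALLOW: 0, Decision.RESTRICTED: 1, Decision.QUARANTINE: 2}

# Constructed enforcement table: which VLAN the switch port is moved to.
VLAN_FOR = {Decision.ALLOW: 10, Decision.RESTRICTED: 20, Decision.QUARANTINE: 99}


@dataclass
class Posture:
    """Security state reported by the endpoint agent (constructed schema)."""
    hostname: str
    authenticated: bool                 # outcome of 802.1X / domain login
    av_installed: bool
    av_engine_version: str = ""         # dotted scan-engine version, e.g. "4.2.1"
    av_definitions: Optional[date] = None   # date of the installed virus definitions
    firewall_enabled: bool = False


@dataclass
class Policy:
    """Compliance thresholds (constructed values)."""
    min_engine: Tuple[int, ...] = (4, 0, 0)
    max_definition_age_days: int = 7
    require_firewall: bool = True
    today: date = date(2011, 11, 30)    # pinned so the results are reproducible


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'4.2.1' -> (4, 2, 1); None when the agent sent something unparsable."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def assess(p: Posture, policy: Policy) -> Tuple[Decision, int, List[str]]:
    """Return (decision, vlan, reasons).  Every finding is recorded so the
    quarantine area can tell the user what to remediate; the worst finding
    determines the decision."""
    reasons: List[str] = []
    decision = Decision.ALLOW

    def worsen(to: Decision, why: str) -> None:
        nonlocal decision
        reasons.append(why)
        if RANK[to] > RANK[decision]:
            decision = to

    if not p.authenticated:
        # Guest access to the quarantine area, per the behaviour described above.
        worsen(Decision.QUARANTINE, "authentication failed")

    if not p.av_installed:
        worsen(Decision.QUARANTINE, "no antivirus agent present")
    else:
        version = parse_version(p.av_engine_version)
        if version is None or version < policy.min_engine:
            wanted = ".".join(map(str, policy.min_engine))
            worsen(Decision.RESTRICTED,
                   f"scan engine {p.av_engine_version!r} below required {wanted}")
        if (p.av_definitions is None or
                (policy.today - p.av_definitions).days > policy.max_definition_age_days):
            worsen(Decision.RESTRICTED,
                   f"virus definitions older than {policy.max_definition_age_days} days")

    if policy.require_firewall and not p.firewall_enabled:
        worsen(Decision.RESTRICTED, "personal firewall disabled")

    return decision, VLAN_FOR[decision], reasons


# Constructed sample endpoints covering compliant, stale, agent-less and
# unauthenticated cases.
SAMPLE_ENDPOINTS = [
    Posture("laptop-01", True, True, "4.2.1", date(2011, 11, 28), True),
    Posture("laptop-02", True, True, "3.9", date(2011, 10, 1), True),
    Posture("kiosk-07", True, False),
    Posture("visitor-pc", False, True, "4.2.1", date(2011, 11, 29), False),
]


def run_all(policy: Policy = Policy()) -> dict:
    """Assess every sample endpoint; keyed by hostname."""
    return {p.hostname: assess(p, policy) for p in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for host, (dec, vlan, why) in run_all().items():
        print(f"{host:12} -> {dec.value:10} VLAN {vlan:3}  {'; '.join(why) or 'compliant'}")
```

Two design points matter for a real deployment: findings are accumulated rather than short-circuited, so the remediation portal can show the user everything that must be fixed in one visit, and an unparsable version string from the agent is treated as non-compliant rather than ignored, since a malformed report is exactly the case an evaluator must not fail open on.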


Agent-less posture assessment

Most NAC vendors require the 802.1X supplicant (client or agent) to be installed. Some, including Hexis' NetBeat NAC, Trustwave, and Enterasys (Trustwave datasheet), offer agent-less posture checking. This is designed to handle the "Bring Your Own Device" (BYOD) scenario, in order to:

* Detect and fingerprint all network-attached devices, whether wired or wireless
* Determine if these devices have common vulnerabilities and exposures (CVEs)
* Quarantine rogue devices as well as those infected with new malware

The agent-less approach works heterogeneously across almost all network environments and with all network device types.


See also

* Access control
* Network Access Protection
* Cisco NAC Appliance
* PacketFence




External links


* Network Admission Control - Cisco Systems
* Agent-less Network Admission Control - NetClarity, Inc.
* FastNAC
* Next-generation NAC