Cisco WS-C6506 Software Manual page 1087

Catalyst 6500 series switch
Chapter 44
Configuring Network Admission Control
Virus Infections and Their Effect on Networks
Virus infections are the single largest cause of serious security breaches for networks. Sources of virus
infections are insecure end points (for example, PCs, laptops, and servers). Although the end points may
have antivirus software installed, the software is often disabled. Even if the software is enabled, the end
points may not have the latest virus definitions and scan engines. A larger security risk is from devices
that do not have any antivirus software installed.
How Network Admission Control Works
End-point systems, or clients, are hosts on the network, such as PCs, laptops, workstations, and servers.
The end-point systems are a potential source of virus infections, and their antivirus states need to be
validated before they are granted network access. When an end point attempts an IP connection to a
network through an upstream Cisco network access device (Cisco switch or router), the network access
device challenges the end point for its antivirus state. The end-point systems run a client called
Cisco Trust Agent, which collects antivirus state information from the end device and transports the
information to the network access device. This information is then communicated to a Cisco Secure ACS
where the antivirus state of the end point is validated and access control decisions are made and returned
to network access devices. The network devices either permit, deny, or quarantine the end device. The
Cisco Secure ACS may use back-end antivirus vendor-specific servers for evaluating the antivirus state
of the end point.
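The admission flow above, as an added model (not Cisco code and not the Cisco Secure ACS policy language): the Cisco Trust Agent reports the antivirus state, the ACS validates it and returns permit, deny, or quarantine, and before that decision the NAD's input-interface ACL lets through only EAPoUDP and traffic to the ACS. The posture fields, the numeric version scheme, and the policy thresholds are assumptions chosen to mirror the three risk conditions named in the text.

```python
"""Model of the Cisco NAC admission decision described in this chapter (added example)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    QUARANTINE = "quarantine"
    DENY = "deny"


@dataclass(frozen=True)
class Posture:
    """Antivirus state as the Cisco Trust Agent would report it (field names are assumed)."""
    av_installed: bool
    av_enabled: bool
    definitions_version: int  # constructed: a monotonically increasing release number
    engine_version: int       # constructed: scan engine release number


@dataclass(frozen=True)
class Policy:
    """Minimum versions the ACS (or its vendor back-end server) requires; values are assumed."""
    min_definitions: int
    min_engine: int


def validate_posture(posture: Posture, policy: Policy) -> Decision:
    """Return the access-control decision the ACS hands back to the network access device.

    Follows the risk ranking in the text: no antivirus at all is the largest risk
    and is denied; antivirus that is disabled or behind on definitions or scan
    engine is quarantined for remediation; current, running antivirus is permitted.
    """
    if not posture.av_installed:
        return Decision.DENY
    if not posture.av_enabled:
        return Decision.QUARANTINE
    if (posture.definitions_version < policy.min_definitions
            or posture.engine_version < policy.min_engine):
        return Decision.QUARANTINE
    return Decision.PERMIT


def pre_admission_allowed(proto: str, dst_ip: str, acs_ip: str) -> bool:
    """Input-interface ACL applied before validation: only EAPoUDP and ACS traffic pass.

    Any other user traffic from an unvalidated end point is blocked until the
    ACS decision replaces this default-deny policy.
    """
    return proto == "eapoudp" or dst_ip == acs_ip
```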
Figure 44-1 shows how Cisco NAC works.

Figure 44-1 Cisco IOS Network Admission Control System
[Figure: users connect through interface E2/1 of a Cisco switch or Cisco IOS router (the network access device) toward the ISP and Internet; admission control on the input interface applies an ACL that blocks all user traffic except EAPoUDP and traffic to the Cisco ACS.]

Network Access Device
A network access device (NAD) is a Cisco switch or router (a Layer 3 Extensible Authentication
Protocol over UDP [EAPoUDP] access point) that provides connectivity to external networks, such as
the Internet or remote enterprise networks.

Configuring Network Admission Control with LAN Port IP
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, OL-8978-04, page 44-3
