Network Access Control; Cisco Network Admission Control - HP BladeSystem bc2000 - Blade PC Manual

For thin clients and cci

Network Access Control

Advancements in computer networking have significantly changed the way people and organizations
communicate and access information. Networks have become critical resources in many
organizations, providing real-time communications and access, through both the Internet and
enterprise intranets. Much of the data available on internal business networks needs to be protected,
either to follow data privacy regulations or to protect valuable information assets. As such, the need to
provide reliable and secure network access has become a key challenge facing today's Information
Technology (IT) organizations.

As organizations take advantage of the benefits of making information available, they also need to
consider the security implications. They must protect valuable proprietary information. They also might
be responsible for complying with government regulations related to data privacy. This leads to two
business objectives that many IT organizations are striving to maximize: data availability and data
security. While addressing each of these objectives individually can be straightforward, the methods
used to address one often conflict with the other. Therefore, it is important for organizations to
address these objectives together.

Meeting these needs adequately requires a layered security approach, often defined as Defense in
Depth. NAC is one component of such an approach, and should not be considered in isolation. The
high-level role of NAC is to protect the network and its resources from harmful users and devices or
systems. It does this by restricting network access based on certain criteria and business policies. The
policies may be quite simple, such as allowing access to a set of known users or devices while
denying all others. Or, in order to model more intricate business policies, the policies may be much
more complex.

NAC works together with other network security layers such as firewalls, Intrusion Detection and
Prevention Systems (IDPS), endpoint security, and so forth to build a defensive posture in your
environment. NAC should be used to minimize the risk associated with unauthorized, infected, or
improperly configured devices trying to connect to your network.

In its most basic form, NAC allows a network administrator to restrict network access to authorized
users and/or devices. However, many organizations have the need to provide, or can benefit from
providing, different levels of access depending on the role of the user. For example, employees have
access to internal network resources and the Internet while guest users are only provided access to the
external Internet.

There is also a need for protection from malicious software, which is accomplished by evaluating the
security posture of devices connecting to the network. The security posture required is defined by
organizational policies and is based on checking for things such as operating system versions and
patches, security software (antivirus, anti-spam, firewalls, etc.), security settings on common software,
and other required or prohibited software.

There are many aspects to a complete network security implementation. This white paper addresses
use of the Cisco Clean Access Network Admission Control (NAC) appliances and software as
applied to HP thin clients and blade PCs to control their access to a production network and the
information available on that network. Note that the NAC acronym for Cisco products
denotes "Network Admission Control," which in this paper is synonymous with "Network Access
Control."
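
The role-based access levels and posture checks described above can be sketched as a single admission decision. This is an added example, not code from the white paper or from Cisco Clean Access; the role names, the patch-level threshold, the software names and the choice to deny non-compliant devices outright are assumptions made for illustration.

```python
# Added illustration: policy names, fields and thresholds are assumptions,
# not Cisco Clean Access configuration.
from dataclasses import dataclass, field

# Role -> network zones the role may reach (employee/guest split from the text).
ROLE_ACCESS = {
    "employee": {"intranet", "internet"},
    "guest": {"internet"},
}

# Constructed posture policy: minimum patch level, required and prohibited software.
MIN_PATCH_LEVEL = 5
REQUIRED_SOFTWARE = {"antivirus", "firewall"}
PROHIBITED_SOFTWARE = {"p2p-client"}


@dataclass
class Device:
    user: str
    patch_level: int
    software: set = field(default_factory=set)


def posture_failures(device):
    """Return the posture checks the device fails (empty list means compliant)."""
    failures = []
    if device.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {device.patch_level} < {MIN_PATCH_LEVEL}")
    for name in sorted(REQUIRED_SOFTWARE - device.software):
        failures.append(f"missing required software: {name}")
    for name in sorted(PROHIBITED_SOFTWARE & device.software):
        failures.append(f"prohibited software present: {name}")
    return failures


def admit(device, user_roles):
    """Return (allowed zones, reasons): identity first, then posture, then role."""
    role = user_roles.get(device.user)
    if role is None:
        return set(), ["unknown user"]  # default deny for users not on the list
    failures = posture_failures(device)
    if failures:
        return set(), failures  # non-compliant device gets no access
    return set(ROLE_ACCESS.get(role, set())), []


if __name__ == "__main__":
    roles = {"alice": "employee", "bob": "guest"}  # constructed sample users
    print(admit(Device("bob", 6, {"antivirus", "firewall"}), roles))
```

The reasons list is what an administrator or end user would need in order to remediate a device that was refused.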

Cisco Network Admission Control

Cisco Clean Access NAC appliances provide an easily managed way to implement Network Access
Control on any network. The NAC Appliance is made up of three components: the Clean Access
Manager (CAM), the Clean Access Server (CAS), and the Clean Access Agents (CAA). The CAM
serves a Web console allowing configuration of the CAS and CAA components. The CAS actively
protects and enforces policy on the network.