Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Dramatically improve network security

While most organizations use identity management and authentication,
authorization, and accounting (AAA) to authenticate users and authorize network
privileges, there has been virtually no way to authenticate the security profile of a
user's endpoint device. Without an accurate way to assess the health of a device,
even the most trustworthy user can inadvertently expose everyone else in the
network to significant risks posed by either an infected device or by one that is
not properly protected against infection.
NAC is a set of technologies and solutions built on an industry initiative led by
Cisco Systems. NAC uses the network infrastructure to enforce security policy
compliance on all devices seeking to access network computing resources,
thereby limiting damage from emerging security threats such as viruses, worms,
and spyware. Customers implementing NAC are able to restrict network access
to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example)
and can control the access of noncompliant or unmanaged devices.
NAC is unique because it is designed to be integrated into the network
infrastructure. So why should a policy compliance and verification strategy be
implemented in the network instead of somewhere else?
- Virtually every bit of data that an organization is interested in or is concerned
  about touches the network.
- Virtually any device that an organization is interested in or concerned about is
  attached to that same network.
- Implementing admission control in the network gives an organization the
  ability to deploy the broadest possible security solution covering the largest
  number of networked devices.
- This strategy uses an organization's existing infrastructure, security, and
  management deployments, so it has the smallest IT overhead footprint
  possible.
With NAC in place, whenever an endpoint device attempts to make a network
connection, the network access device (LAN, WAN, wireless, or remote access)
automatically requests a security profile of the endpoint device, which is provided
either through an installed client or through assessment tools. This profile is
then compared with the network security policy, and the endpoint's degree of
compliance with that policy determines how the network handles the admission
request. The network can simply permit or deny access, or it can restrict
access by redirecting the device to a network segment that limits exposure to
potential vulnerabilities. It can also quarantine a noncompliant device by
redirecting it to a remediation server, where it may be updated with components
that will bring it into policy compliance.
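The admission decision described above, as an added illustration that is not code from the manual or from Cisco NAC: a toy policy engine that takes the posture profile an endpoint client reports (the field names and thresholds are assumptions) and returns one of the four outcomes the text names, with an unmanaged device (no client, so no profile) restricted to a limited segment and a noncompliant one sent to the remediation segment.

```python
"""Toy NAC admission decision engine (added example, not from the IBM/Cisco manual)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Posture:
    """Security profile reported by the endpoint client (hypothetical fields)."""
    av_running: bool = False
    av_signature_age_days: Optional[int] = None   # None = no signature data reported
    missing_critical_patches: int = 0
    infected: bool = False


@dataclass
class Policy:
    """Compliance thresholds an administrator would configure (assumed values)."""
    max_signature_age_days: int = 7
    max_missing_critical: int = 0


@dataclass
class Decision:
    action: str    # "permit" | "deny" | "restrict" | "quarantine"
    segment: str   # network segment / VLAN the access device places the endpoint in
    reason: str


def evaluate(posture: Optional[Posture], policy: Policy) -> Decision:
    """Map a posture profile to the admission outcome the text describes."""
    # Unmanaged device: no client, nothing to assess -> restricted guest segment.
    if posture is None:
        return Decision("restrict", "guest-segment", "no posture client; unmanaged device")
    # An endpoint reporting an active infection is simply denied.
    if posture.infected:
        return Decision("deny", "none", "endpoint reports active infection")
    problems = []
    if not posture.av_running:
        problems.append("antivirus not running")
    if posture.av_signature_age_days is None or \
            posture.av_signature_age_days > policy.max_signature_age_days:
        problems.append("antivirus signatures stale or unknown")
    if posture.missing_critical_patches > policy.max_missing_critical:
        problems.append(f"{posture.missing_critical_patches} critical patches missing")
    # Noncompliant but not infected: quarantine on the segment holding the remediation server.
    if problems:
        return Decision("quarantine", "remediation-segment", "; ".join(problems))
    return Decision("permit", "corporate-segment", "compliant")
```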
Appendix B. Network Admission Control
473