CS-MARS

matt.austin
Level 1

Will there be in the near future, or has there been already, any type of Q&A on CS-MARS? I have a number of questions in relation to the product, and would like to find out what I can as soon as possible.

7 Replies

pcomeaux
Cisco Employee

I don't think there is one planned at the moment. I believe the next one after Cisco Clean Access is Network Admission Control.

Should I suggest one for CS-MARS to the NetPro team?

In the meantime, please feel free to ask and I'll make sure someone takes a look to help answer your questions if we can't.

thanks

peter

I think that would be a great idea. I am unable to find any type of information, other than the basic configuration aspects of the appliance, and seminars on what it is supposed to be able to support.

When is the Cisco Clean Access supposed to become available, in the discussion arena?

I have a bunch of questions regarding all of the technologies, including NAC.

Now is Cisco Clean Access "client-less", whereas the CSA has the client installed?

Now with NAC, you utilize the Cisco Trust Agent, which is free for standalone, or built into the CSA Client, but with how the communications are performed (I know that the Trust Agent uses EAPoUDP), but when the CSA interacts with VMS, how much chatter are we going to see on the network, with comms going to the ACS and VMS machines? Also, in theory, how many clients can a VMS station manage? Does the CS-MARS then in turn manage all of the VMS machines? I am trying to think in terms of deployment in a very large network.

Any direction is appreciated, and if you could direct me to maybe another online support discussion that took place regarding CSA and VMS, that would be great too...

Sorry for the bombardment, but thanks in advance!

Any documentation that you could provide on any of the following is greatly appreciated.

Ok - glad to help.

There's a Cisco Clean Access "Ask the Expert" session ongoing right now.

I likely can answer most of your NAC questions.

Q1 - Now is Cisco Clean Access "client-less"

CCA can either be clientless (performs vulnerability scan of host and watches traffic from host for vulnerabilities) or can have a client (performs AV check, HF/SP checks, Spyware removal program checks). The client (which is a small applet) gives you more flexibility on what to trust. I believe that some OS's don't have a client solution yet (maybe MACs) and clientless is the only approach that can be taken for those machines.

Q2 - whereas the CSA has the client installed?

I believe you may have been referring to NAC. To become trusted in a NAC environment, an end-pc needs to either have CTA with the right ACS server certificate, or an exemption on the Network Access Device (which would be the case for OS's that Cisco doesn't offer a CTA client for - printers, MACs, Linux, IP Phones).

Q3 - how much chatter are we going to see on the network, with comms going to the ACS and VMS machines?

I don't recall the exact packet size off-hand, but the communication is relatively small. I'd only be concerned on very low BW WAN connections.

Here's an overview of the comms:

NAC Related Comms

1 - Router to CTA

2 - Router to ACS for Policy Validation

3 - ACS Server to Router Downloading ACLs

CSA Related Comms

1 - CSA to CSA Mgmt Server polling

2 - CSA Mgmt Server policy download

3 - CSA to CSA Mgmt Server event uploads

Your SE or I could help you dig deeper into determining the packet sizes, but I recall them being very minimal size packets.

Q4 - Also, in theory, how many clients can a VMS station manage?

A VMS Mgmt Server can manage up to 10,000 CSA Agents. This is the supported number. Some customers have more than 10k agents on a single server, with special tweaks of the configuration.

Q5 - Does the CS-MARS then in turn manage all of the VMS machines?

CS-MARS is used to collect all the Netflow data from Cisco Switches and Routers, along with IDS/IPS events, firewall syslog events, Windows Server Security Logs, and a variety of other security device logs.

Once CS-MARS collects all this data, it turns all these separate events and flows into a set of meaningful Incidents. It adds intelligence to all of these logs and begins the Analysis steps for you.

For instance, if your IDS fires on a MSBLASTER signature, CS-MARS will receive that signature event, look for the flow of the traffic through the routers and switches (thanks to Netflow) and provide a graphical representation of the Incident to you. CS-MARS could also perform a vulnerability assessment of the attacked host to see if it is vulnerable. If the host is vulnerable, CS-MARS will provide you options and configurations immediately on how to mitigate the attack.

Hope this is a good start. I'll post some documentation links for you later on today.

thanks

peter

Now for question 2, I was referring to Cisco Secure Agent (too many acronyms). I am trying to make a comparison between the 2 products, whereas CSA and VMS work together, Cisco Clean can either have, or not have, a client side, like you covered in question 1. It seems to me that the Cisco Secure Agent has many more options, since it is acting like a host ids solution in a way, and the reporting mechanisms are a little different, depending on how you configure it. Now with NAC, aren't the requirements totally independent regardless of what you're using, whether it be CSA or Cisco Clean? NAC needs IOS 12.3(8)T, AAA Server with 3.3 and CTA (Cisco Trust Agent) with a cert from an AAA Server, right? Please correct me where I am wrong.

Now when you mention CS-MARS, I would want it to coordinate multiple VMS Servers, with thousands of clients connecting, as well as netflow data, etc... will this work?

Also, when you mention 10K agents on one VMS machine, what type of hardware is in place to support this?

Thanks Again!

Hi Matt -

CSA - provides 2 benefits

1st - host based IPS

2nd - Security Policy enforcement on Hosts

NAC - provides Trust of endpoints

Required Components (as you mentioned)

- NAD - Network Access Device
  - IOS Router - 12.3(8)T or later
  - VPN Concentrator - 4.7
- Policy Server
  - Cisco Secure ACS 3.3
- Trust Agent
  - CTA with Policy Server's cert

Optional Components

- Antivirus with Posture Plugin
  - Trend Micro, Symantec, McAfee
- CSA with Posture Plugin

Cisco Clean Access today is completely independent of NAC.

CS-MARS is used for Monitoring of the Security environment. These events could include netflow from switches and routers, IDS/IPS events from sensors, IPS events from hosts running CSA, firewall syslog entries, and Windows security events from servers.

CS-MARS really doesn't coordinate multiple VMS Servers. What it can do is consolidate multiple VMS servers that are running the monitoring software like Security Monitor (a component of VMS).

As far as 10k agents on a machine, I have heard of these deployments using the latest quad processor in the machines with 4 gigs of memory, along with some nice disk space.

I hope these answers help. Let us know what other questions you might have.

thanks

peter

Sure does help in making some clarifications on what the products specifically do and what they are intended for.

One more thing. When you mentioned NAC, you said the VPN Concentrator v4.7, that isn't a "need" is it?

Thanks...

Hi Matt -

NAC requires a Network Device that checks for Trust and enforces the policies for access through the network.

Currently, a router can be that device if it is running 12.3(8)T Security Feature set or later, or the VPN Concentrator can be that device for VPN users if you are using the new 4.7 version of the concentrator software.

thanks

peter