Network Access Control (NAC) solutions deliver a comprehensive approach to identifying, controlling, and securing access to critical network communications. A well-architected NAC solution proactively manages whether a trusted user, a guest, or a device can connect to the network and what it is authorized to do once connected, based on policy criteria such as device and user identity, business role, time of day, location, and the health of the end system. Comprehensive NAC solutions combine agent-based and agent-less assessment technologies with proactive (pre-connect) and reactive (post-connect) policy enforcement to secure end systems both before and after they join the network.
NAC stands for Network Access Control; it is sometimes also referred to as Network Admission Control. NAC is a common term within IT organizations today, but there is much discussion about what NAC does and does not involve. Some view NAC as simple registration and authorization of network-connected end systems. Some view NAC as a way to protect the network from viruses and worms. Some view NAC as a gatekeeper that controls how end systems and guest systems that do not comply with corporate computing guidelines may access the network. A well-architected NAC solution is actually all of these things: the integration of several technologies into one solution that proactively and reactively controls end-system communication on the network. A comprehensive NAC solution is made up of the following individual functions.
• Detect - Detection and identification of new devices connecting to the network
• Authenticate - Authentication of users and/or devices
• Assess - Assessment of end systems regarding their compliance and/or vulnerabilities
• Authorize - Authorization to use the network based on the results of the authentication and the assessment
• Monitor - Monitoring users and devices once they are connected to the network
• Contain - Quarantine problem end systems and/or users to prevent them from negatively impacting the overall network environment
• Remediate - Remediation of problems with the end system and/or user

A well-architected solution should integrate highly advanced, policy-enabled network infrastructure with advanced security applications and centralized management to deliver all of the required functions for pre- and post-connect secure network access.
Phase-wise Implementation

A phased approach is the preferred method for implementing a NAC solution, because each phase adds enforcement only after the data it depends on has been collected and validated. In general, a NAC implementation can be separated into the following phases:
Phase 1: End-System Detection and Tracking
Phase 2: End-System Authorization
Phase 3: End-System Authorization with Assessment
Phase 4: End-System Authorization with Assessment and Remediation
Phase 1: Collects information about all end systems without altering any existing network access. This is essentially an inventory of the end systems attached to the network (for example, MAC address, switch, and port), and it can be done with or without authentication.
Phase 2: Applies pre-defined rules and restrictions to network access. This typically requires authentication of the user and/or device so that a unique network access policy can be enforced for each end system and user.
Phase 3: Adds assessment of all end systems. Assessment data can be collected from an external management system (for example, the software distribution system), from an agent on the end system, or from a network scanner. Typical data includes the operating system, known vulnerabilities, and open ports. In this phase the results are gathered and reported but not yet used to restrict access.
Phase 4: Enforces further network access policy rules on individual end systems using the assessment results. The user should be informed of the assessment outcome and given the opportunity to remediate if the end system does not comply with the applicable security policies.
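The following is an added example, not code from the original page or from any NAC vendor, that ties together the NAC functions listed earlier (detect, authenticate, assess, authorize, contain, remediate) and the four implementation phases just described. It is a small policy engine that walks one end system through detection, authentication, assessment, and authorization, and enforces only what the configured phase permits: Phase 1 leaves access unchanged, Phase 2 decides on identity and role, Phase 3 collects posture findings without acting on them, and Phase 4 quarantines non-compliant end systems and returns the remediation list the user should be shown. The user store, VLAN names, business hours, patch-level threshold, port list, and scan results are all constructed sample data and hypothetical policy values; a real deployment would take identity from RADIUS/802.1X and posture from an agent or scanner.

```python
"""Minimal NAC policy engine walking an end system through the four phases.
Added example with constructed data; the policy values below are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy constants (assumptions, not from the page).
VLAN_CORP, VLAN_GUEST, VLAN_QUARANTINE, VLAN_DENY = "corp", "guest", "quarantine", None
BUSINESS_HOURS = (7, 19)          # employees get corp access from 07:00 to 18:59
REQUIRED_PATCH_LEVEL = 3          # constructed minimum posture value
FORBIDDEN_OPEN_PORTS = {23, 445}  # telnet / SMB listening on an endpoint

# Constructed identity store standing in for RADIUS/AD: user -> (password, role)
USERS = {"alice": ("s3cret", "employee"), "contractor": ("pw", "guest")}

# Constructed assessment results standing in for agent/scanner output.
SCAN_NONCOMPLIANT = {"patch_level": 1, "open_ports": [23, 80], "av_running": True}
SCAN_COMPLIANT = {"patch_level": 3, "open_ports": [80], "av_running": True}


@dataclass
class EndSystem:
    mac: str
    switch: str
    port: int
    user: Optional[str] = None      # bound by authenticate()
    role: Optional[str] = None
    patch_level: int = 0            # filled in by assess()
    open_ports: set = field(default_factory=set)
    av_running: bool = False


@dataclass
class Decision:
    phase: int
    vlan: Optional[str]             # None means access denied
    reason: str
    remediation: list = field(default_factory=list)


def sample_endsystem() -> EndSystem:
    """A fresh, constructed end system for the examples below."""
    return EndSystem(mac="00:11:22:33:44:55", switch="sw1", port=7)


def detect(inventory: dict, es: EndSystem) -> EndSystem:
    """Phase 1: record the end system keyed by MAC without changing its access."""
    inventory[es.mac] = es
    return es


def authenticate(es: EndSystem, user: str, password: str) -> bool:
    """Phase 2: bind a user identity and role to the end system."""
    rec = USERS.get(user)
    if rec is None or rec[0] != password:
        return False
    es.user, es.role = user, rec[1]
    return True


def assess(es: EndSystem, scan: dict) -> list:
    """Phase 3: apply scan/agent results and return a list of compliance findings."""
    es.patch_level = scan.get("patch_level", 0)
    es.open_ports = set(scan.get("open_ports", ()))
    es.av_running = scan.get("av_running", False)
    findings = []
    if es.patch_level < REQUIRED_PATCH_LEVEL:
        findings.append(f"patch level {es.patch_level} below required {REQUIRED_PATCH_LEVEL}")
    exposed = sorted(es.open_ports & FORBIDDEN_OPEN_PORTS)
    if exposed:
        findings.append(f"forbidden open ports: {exposed}")
    if not es.av_running:
        findings.append("endpoint protection not running")
    return findings


def authorize(es: EndSystem, phase: int, findings: list, now_hour: int) -> Decision:
    """Map identity, role, time of day and assessment to a VLAN, enforcing only
    what the current phase allows."""
    if phase == 1:
        return Decision(1, "unchanged", "phase 1: inventory only, no enforcement")
    if es.user is None:
        return Decision(phase, VLAN_DENY, "authentication failed or absent")
    if phase >= 4 and findings:
        # Contain + remediate: isolate and tell the user what to fix.
        return Decision(4, VLAN_QUARANTINE, "non-compliant end system", list(findings))
    if es.role == "guest":
        return Decision(phase, VLAN_GUEST, "guest role")
    if not (BUSINESS_HOURS[0] <= now_hour < BUSINESS_HOURS[1]):
        return Decision(phase, VLAN_GUEST, "employee outside business hours")
    return Decision(phase, VLAN_CORP, "authenticated employee"
                    + (", assessed" if phase >= 3 else ""))


def run_pipeline(phase: int, es: EndSystem, creds: tuple, scan: dict, now_hour: int) -> Decision:
    """Walk one end system through detect -> authenticate -> assess -> authorize."""
    inventory: dict = {}
    detect(inventory, es)
    if phase >= 2:
        authenticate(es, *creds)
    findings = assess(es, scan) if phase >= 3 else []   # Phase 3 collects, Phase 4 enforces
    return authorize(es, phase, findings, now_hour)


if __name__ == "__main__":
    for phase in (1, 2, 3, 4):
        d = run_pipeline(phase, sample_endsystem(), ("alice", "s3cret"), SCAN_NONCOMPLIANT, 10)
        print(phase, d.vlan, d.reason, d.remediation)
```

Running the block shows the same non-compliant employee laptop moving from "unchanged" in Phase 1, to the corp VLAN in Phases 2 and 3 (findings are collected in Phase 3 but not acted on), to the quarantine VLAN with two remediation items in Phase 4. The ordering inside authorize() is itself policy: here a failed posture check is isolated before role or time-of-day rules are consulted, so a non-compliant guest is quarantined rather than dropped on the guest VLAN.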