Cisco NAC Appliance Executive Overview
Transcript of the Cisco NAC Appliance Executive Overview slide deck
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco NAC Appliance Executive Overview
Contents
1 The “Business Case” For Network Admission Control
2 Cisco NAC Appliance Product Overview
3 Common NAC Posture Assessments
4 Deployment Considerations
5 Additional Resources
The Vulnerability of Networks
Every bit of user data touches the network
Every device that employees, consultants and guests have is attached to the network
In this environment, EVERYTHING is a potential target AND a potential threat
>> Threat vectors have changed: your “trusted users” can be the weakest link in your network’s security
The Evolution of Threats
Mitigating threats via policy compliance
Balancing productivity and security in a “connected” world
Changing threats from data-in-transit to data-in-storage
>> Business vectors have changed: you are accountable for your “policies” that are not enforced
Common Ways to Combat Threats
1. Require users to abide by “responsible computing” guidelines
   BUT: No direct pain, no responsibility
2. Register user computers; require authentication
   BUT: Authentication not enough
3. Pass out anti-X software, OS updates through patch management systems
   BUT: Compliance is still voluntary and unenforceable
4. Use IDS/IPS/endpoint monitoring solutions to find bad computers
   BUT: Does not stop vulnerabilities and fails to fix problem
Make Access Contingent on Compliance
First, establish ACCESS POLICIES. Then:
Authenticate & Authorize: Enforces authorization policies and privileges; supports multiple user roles
Scan & Evaluate: Agent scan for required versions of hotfixes, AV, etc.; network scan for virus and worm infections and port vulnerabilities
Quarantine & Enforce: Isolate non-compliant devices from rest of network; MAC and IP-based quarantine effective at a per-user level
Update & Remediate: Network-based tools for vulnerability and threat remediation; help-desk integration
NO COMPLIANCE = NO NETWORK ACCESS
2 Cisco NAC Appliance Product Overview
NAC Means Better Criteria for Security
Who Owns It? Company, Employee, Contractor, Guest, Unknown
What System Is It? Windows, Mac or Linux; Laptop or Desktop or PDA; Printer or Other Corporate Asset
Where Is It Coming From? VPN, LAN, WLAN, WAN
What’s On It? Is It Running? Anti-Virus, Anti-Spyware, Personal Firewall, Patching Tools
What’s The Preferred Way To Check/Fix It? Pre-Configured Checks, Customized Checks, Self-Remediation or Auto-Remediation, Third-Party Software
Four Key Capabilities of Cisco NAC
Securely Identify Device and User
  What It Means: Associate Users to Devices
  Why It Is Important: Associating Users with Devices Enables Granular Enforcement of Policies by Role or Group
Enforce Consistent Policy
  What It Means: Assess Devices; Enforce Policies
  Why It Is Important: Enforcement at the Network Reduces Reliance on the Integrity of the Endpoint
Quarantine and Remediate
  What It Means: Isolate and Fix Non-compliant Devices
  Why It Is Important: Quarantine Critical to Halt Spread of Vulnerabilities; Remediation Addresses Root Cost Drivers
Configure and Manage
  What It Means: Create and Manage Policies Easily
  Why It Is Important: Policies That Are Easy to Create and Maintain Lead to Better System Operations and Adherence
A Comprehensive NAC Solution Must Have All Four Capabilities: The Absence of Any One Weakens the Solution
Top Customer Pain Points*
Pain point: Guests and unmanaged users. Cisco NAC authenticates and controls guest and unmanaged assets
Pain point: Enforce endpoint policy requirements. Cisco NAC assesses, quarantines, and remediates noncompliant endpoints
Pain point: Role-based access control. Cisco NAC applies access and posture policies based on roles
Use cases: Secured Remote Access, Secured Wireless Access, Secured LAN Access
* Source: Current Analysis, July 2006
Cisco NAC Is Widely Deployed Today
Cisco NAC Appliance has 1200+ customers
Mid-market and large enterprises: Financial services, Healthcare, Public sector, Manufacturing
All use cases: Remote access, Guest users, Wireless, LAN/VoIP
Cisco NAC Appliance Advantage
1. One Product for All Use Cases: Managed LAN/VoIP Users, Unmanaged/Guest LAN Users, Wireless LAN Users, VPN/Remote/WAN Users
2. Number 1: Most amount of experience brings the most relevant features
3. Easy to own: Most deployments ready under five days
4. Scalable: Installations from 100 users to 100,000+ users, from single site to 150+ locations
5. Flexible: Does not require an infrastructure upgrade
NAC Appliance Components
Cisco Clean Access Manager: Centralizes management for administrators, support personnel, and operators
Cisco Clean Access Server: Serves as enforcement point for network access control
Cisco Clean Access Agent: Optional lightweight client for device-based registry scans in unmanaged environments
Rule-set Updates: Scheduled automatic updates for anti-virus, critical hot-fixes and other applications
NAC Appliance Sizing
Manager Lite manages up to 3 Branch Office or SMB Servers (100, 250 or 500 users each)
Standard Manager manages up to 20 Enterprise and Branch Servers (1500 users each)
Super Manager manages up to 40 Enterprise and Branch Servers (2500 users each)
Users = online, concurrent
NAC Appliance Use Cases
Endpoint Compliance: Network access only for compliant devices
Guest Compliance: Restricted internet access only for guest users
Wireless Compliance: Secured network access only for compliant wireless devices
VPN User Compliance: Intranet access only for compliant remote access users
Intranet Access Compliance: Ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.
(Diagram labels: INTERNET; IPSec; 802.1Q; CAMPUS BUILDING 1; WIRELESS BUILDING 2; CONFERENCE ROOM IN BUILDING 3)
Cisco NAC Appliance Overview
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until wired or wireless end user provides login information.
2. User is redirected to a login page. Clean Access validates username and password, also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine Role: Device is noncompliant or login is incorrect. User is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean”: Machine gets on “certified devices list” and is granted access to network.
(Diagram: THE GOAL is the Intranet/Network; components shown are the Cisco Clean Access Server, Cisco Clean Access Manager and Authentication Server)
End User Experience: Web-based
Login Screen
Scan is performed (types of checks depend on user role/OS)
Click-through remediation
End User Experience: with Agent
Login Screen
Scan is performed (types of checks depend on user role)
Scan fails
Remediate
Cisco NAC Appliance Partnerships
Cisco NAC is committed to protecting customer’s investments in partner applications
NAC Appliance Supports Policies for 250+ Applications, Including These Vendors:
Complementary Cisco Products
Switches and Routers: All switches and routers (In Band); Catalyst 2900, 2940/50/60, 3500, 3550/60, 3750, 4000/4500, 6500 (Out of Band)
Cisco Security Agent for day-zero endpoint security
Cisco MARS for security correlation
VPN products: VPN 3000 Concentrator, ASA/PIX 7.0, ISR/IOS WebVPN
Wireless: APs, WLSM (Aironet), Wireless Controllers (Airespace)
3 Common NAC Posture Assessments
Corporate/Employee Posture Assessment
Corporate Asset Tag:
  Unique registries inserted into corporate devices
  Corporate PKI certificates installed in corporate devices
Microsoft Hotfixes:
  Critical hot-fixes checks (provided via Cisco automated updates)
  SUS/WUS running or AU Options (can force setting)
  SMS or Patch Management SW running (can launch qualified .exe)
Security Applications:
  HIDS (CSA) or Personal Firewall installed and running
  AV installed, running and latest DAT (can launch AV)
  Anti-Spyware installed and running
  Encryption software installed and running
NAC Decision Tree for Employee
Check Corp Asset Tag; if missing: No access, call HelpDesk
Check SUS/SMS/CSA; if not running: No access, start service
Check Hotfixes; if missing: Quarantine, Internet only, SUS/SMS runs
Check AV/AS Up to Date; if out of date: Quarantine, Internet only, launch AV
All checks pass: Access
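The admission flow from the “Cisco NAC Appliance Overview” slide and the employee decision tree above, modelled as an added example (this is illustrative code, not Cisco’s, and not part of the deck). The Clean Access Server is reduced to a class that blocks an unknown device, redirects it to login, validates credentials, runs the posture checks in decision-tree order and puts compliant devices on the certified devices list. Everything concrete here is an assumption: the hotfix IDs are placeholders, the 7-day signature-age limit is a chosen threshold, a dictionary stands in for the authentication server, and the certified list is keyed by MAC address.

```python
"""Constructed model of the NAC admission flow and the employee decision tree.

Not Cisco code. A device is blocked until the user logs in and the posture
checks pass; the first failing check in the decision tree decides the outcome.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from datetime import date

# Assumed policy values: placeholder hotfix IDs and a 7-day signature-age limit.
REQUIRED_HOTFIXES = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}
MAX_DAT_AGE_DAYS = 7


@dataclass
class Posture:
    """What the agent or network scan reports about one device."""
    corp_asset_tag: bool          # corporate registry marker or PKI certificate present
    patch_agent_running: bool     # SUS/SMS or CSA service running
    installed_hotfixes: set[str]  # hotfix IDs found on the device
    av_dat_date: date             # date of the AV/anti-spyware signature set


@dataclass
class Decision:
    role: str         # "access", "quarantine" or "no_access"
    reason: str
    remediation: str


def evaluate_employee_posture(p: Posture, today: date,
                              required: set[str] = REQUIRED_HOTFIXES,
                              max_dat_age_days: int = MAX_DAT_AGE_DAYS) -> Decision:
    """Walk the decision tree top to bottom; the first failing check decides."""
    if not p.corp_asset_tag:
        return Decision("no_access", "no corporate asset tag", "call HelpDesk")
    if not p.patch_agent_running:
        return Decision("no_access", "SUS/SMS/CSA not running", "start service")
    missing = sorted(required - p.installed_hotfixes)
    if missing:
        return Decision("quarantine", "missing hotfixes: " + ", ".join(missing),
                        "Internet only, SUS/SMS runs")
    if (today - p.av_dat_date).days > max_dat_age_days:
        return Decision("quarantine", "AV/AS signatures out of date",
                        "Internet only, launch AV")
    return Decision("access", "all checks passed", "none")


class CleanAccessServer:
    """Enforcement point; devices are identified by MAC address (an assumption)."""

    def __init__(self, credentials: dict[str, str], required: set[str] = REQUIRED_HOTFIXES):
        self._credentials = credentials   # constructed stand-in for the authentication server
        self.required = required
        self.certified: set[str] = set()  # the "certified devices list"

    def handle_request(self, mac: str, user: str | None = None, password: str = "",
                       posture: Posture | None = None, today: date | None = None) -> dict:
        # A device already on the certified list is let through without a new scan.
        if mac in self.certified:
            return {"action": "allow", "role": "access"}
        # Step 1: no login yet, so the web request is redirected to the login page.
        if user is None:
            return {"action": "redirect_to_login"}
        # Step 2: validate username and password (constant-time comparison).
        stored = self._credentials.get(user, "")
        if not stored or not hmac.compare_digest(stored, password):
            return {"action": "deny", "role": "quarantine", "reason": "login incorrect",
                    "remediation": "retry login"}
        if posture is None:
            return {"action": "deny", "role": "quarantine", "reason": "no posture report",
                    "remediation": "run agent or web scan"}
        # Step 3: the scan result feeds the decision tree; 3a quarantine, 3b certified.
        decision = evaluate_employee_posture(posture, today or date.today(), self.required)
        if decision.role == "access":
            self.certified.add(mac)
            return {"action": "allow", "role": "access"}
        return {"action": "deny", "role": decision.role,
                "reason": decision.reason, "remediation": decision.remediation}


def demo() -> dict[str, str]:
    """Run one constructed device through the flow and collect the outcomes."""
    cas = CleanAccessServer({"alice": "correct-horse"})   # constructed credentials
    today = date(2006, 7, 15)
    mac = "00:11:22:33:44:55"                              # constructed MAC
    clean = Posture(True, True, set(REQUIRED_HOTFIXES), date(2006, 7, 12))
    stale_av = Posture(True, True, set(REQUIRED_HOTFIXES), date(2006, 6, 1))
    no_tag = Posture(False, True, set(), date(2006, 7, 12))
    no_agent = Posture(True, False, set(REQUIRED_HOTFIXES), date(2006, 7, 12))
    unpatched = Posture(True, True, set(), date(2006, 7, 12))
    return {
        "first_hit": cas.handle_request(mac)["action"],
        "bad_password": cas.handle_request(mac, "alice", "wrong", clean, today)["role"],
        "stale_av": cas.handle_request(mac, "alice", "correct-horse", stale_av, today)["remediation"],
        "clean": cas.handle_request(mac, "alice", "correct-horse", clean, today)["action"],
        "certified_revisit": cas.handle_request(mac)["action"],
        "no_tag": evaluate_employee_posture(no_tag, today).remediation,
        "no_agent": evaluate_employee_posture(no_agent, today).remediation,
        "unpatched": evaluate_employee_posture(unpatched, today).reason,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: a device without the corporate asset tag is refused before any patch state is examined, which is why the tree puts ownership first and signature freshness last. The certified list is the cache that lets a clean device reconnect without a fresh scan; in a real deployment that entry would expire or be cleared on policy change rather than live forever.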
4 Deployment Considerations
Cisco Clean Access for Corporate LAN
BENEFITS: Enables central deployment mode; End user devices can be several hops away; Extends enforcement to campus buildings
FEATURES: Supports 802.1q trunking; Supports both L3 multi-hop and L2; Supports L2TPv3 tunneling; Supports both inband and out-of-band
(Diagram: Central Site with CCA; Campus Building Corporate Users via L2TPv3 and 802.1q; Campus Building Guest Users; Campus Building Corporate Users via Multi-Hop IP)
Cisco Clean Access for Remote Users
BENEFITS: Extends policy enforcement and compliance to remote access and VPN users; Extends enforcement to site-to-site VPN partners; Leverages VPN sign-on for single-sign-on
FEATURES: Supports IPSec and SSL Tunnel VPNs; Supports site-to-site VPNs; Supports VPN user sign-on
(Diagram: Central Site with CCA; Branch Office Corporate Users via IPSec VPN; Home Office Unmanaged Desktop and Account Manager Mobile User via SSL Tunnel VPN; Supply Partner Extranet via IPSec VPN and Multi-Hop IP to a CCA)
Cisco Clean Access for Wireless Users
BENEFITS: Enables central deployment mode; End user devices can be several hops away; Extends enforcement to any wireless networks; Leverages EAP sign-on for single-sign-on
FEATURES: Supports 802.1q trunking; Supports L2TPv3 or GRE tunneling; Supports thin or thick wireless 802.11 APs; Supports Wireless user sign-on
(Diagram: Central Site with CCA; Wireless Network LWAPP Users via LWAPP; Wireless Network WLSM Guest Users via 802.1q and GRE; Campus Building Wireless Users via 802.1q)
5 Additional Resources
ADDITIONAL RESOURCES
Product information at: www.cisco.com/go/nac/appliance
Specific questions to: [email protected]