Network Admission Control
|This article needs additional citations for verification. (April 2012)|
Network Admission Control (NAC) refers to Cisco's version of Network Access Control, which restricts access to the network based on identity or security posture. When a network device (switch, router, wireless access point, DHCP server, etc.) is configured for NAC, it can force user or machine authentication prior to granting access to the network. In addition, guest access can be granted to a quarantine area for remediation of any problems that may have caused authentication failure. This is enforced through an inline custom network device, changes to an existing switch or router, or a restricted DHCP class. A typical (non-free) WiFi connection is a form of NAC. The user must present some sort of credentials (or a credit card) before being granted access to the network.
In its initial phase, the Cisco Network Admission Control (NAC) functionality enables Cisco routers to enforce access privileges when an endpoint attempts to connect to a network. This access decision can be on the basis of information about the endpoint device, such as its current antivirus state. The antivirus state includes information such as version of antivirus software, virus definitions, and version of scan engine.
Network admission control systems allow noncompliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, thus keeping insecure nodes from infecting the network.
The key component of the Cisco Network Admission Control program is the Cisco Trust Agent, which resides on an endpoint system and communicates with Cisco routers on the network. The Cisco Trust Agent collects security state information, such as what antivirus software is being used, and communicates this information to Cisco routers. The information is then relayed to a Cisco Secure Access Control Server (ACS) where access control decisions are made. The ACS directs the Cisco router to perform enforcement against the endpoint.
Besides user authentication, authorization in NAC can be based upon compliance checking. This posture assessment is the evaluation of system security based on the applications and settings that a particular system is using. These might include Windows registry settings or the presence of security agents such as anti-virus or personal firewall. NAC products differ in their checking mechanisms:
- 802.1x Extensibile Authentication Protocol
- Microsoft Windows AD domain authentication - login credentials
- Cisco NAC Appliance L2 switch or L3 authentication
- Pre-installed security agent
- Web-based security agent
- Network packet signatures or anomalies
- External network vulnerability scanner
- External database of known systems
Agent-less posture assessment
Most NAC vendors require the 802.1x supplicant (client or agent) to be installed. Some, including Hexis' NetBeat NAC, Trustwave, and Enterasys  offer an agent-less posture checking. This is designed to handle the "Bring Your Own Device" or "BYOD" scenario to:
- Detect and fingerprint all network attached devices, whether wired or wireless
- Determine if these devices have common vulnerabilities and exposures (aka "CVEs")
- Quarantine rogue devices as well as those infected with new malware
The agent-less approach works heterogenously across almost all network environments and with all network device types.