NAC Appliance hits on basic enforcement

Cisco's NAC Appliance 4.1 (formerly called Cisco Clean Access) provides basic network-access-control functionality, such as antivirus and patch-status checks, but remains behind many of the other vendors in this space because of the inability to perform assessment checks beyond initial connection.

We reviewed CCA 3.4 in 2005, and beyond increased coverage of the AV market and new support for Windows Update services, we can't point to any significant enhancements in the endpoint assessment or reporting areas between the two versions. Cisco's biggest changes occurred in the authorisation/authentication arena, with the addition of single sign-on with Active Directory and integration with its Cisco VPN Concentrator product. From an enforcement perspective, Cisco now includes the ability to launch a remediation program if an endpoint fails its integrity check. The product has two main components plus agent software.

The Clean Access Manager provides centralised management features, while the Clean Access Server (CAS) provides the distributed enforcement capabilities. Users can have multiple CASs deployed across the network, all managed through the single platform, which is a fairly typical scalability standard across the field of NAC products we've reviewed. For testing, we placed the appliance running CAS in-line between the access and distribution layers of the network, which is typical of the in-line products tested.

Many other LAN-deployment options are available, such as placing it in an 802.1X-based network or running it out-of-band, where it controls an access switch. Cisco NAC Appliance can also tap into Cisco's VPN Concentrator to provide posture assessments and enforcement for remote-access users, which provides single sign-on for users. We verified this integration with IPSec only. Cisco also claims SSL VPN integration.

Authentication check
Guest access is provided through a captive portal Web-logon process. After a user successfully authenticates as a guest, they are placed into the role defined for guests, which dictates what access they should have on the network.

Authentication is available through Active Directory, Lightweight Directory Access Protocol, Radius, 802.1X or a local repository residing within the Cisco product itself. For testing, we configured integration with Active Directory. This setup was complex, and we had to make changes to our Active Directory environment to enable DES encryption in place of AD's standard RC4 encryption.

As with most NAC products, if authentication is unsuccessful a "failed" message appears; when it is successful, an endpoint assessment ensues.

Endpoints running Cisco's Clean Access persistent agent software receive a pop-up window requiring them to provide authentication credentials. If the single sign-on feature is enabled, the user is not prompted to provide credentials. For guests, a captive portal is used for logging in and distributing Cisco's dissolvable agent. The overall user experience is on par with the other NAC products we've tested.

Cisco NAC Appliance supports an extensive list of antivirus products, ranging from Ahn Lab to Zone Labs, as well as Windows security patches. Integrated system vulnerability assessments are provided via Nessus. Custom checks are available and are easy to define, but difficult to use: Cisco displays all available checks in one long list, which is time consuming to scroll through in order to find the specific one you want to apply.

Posture assessment is performed only when the client initially connects to the network. The Cisco Clean Access persistent agent is pre-deployed to endpoint systems by standard enterprise tools, while the dissolvable one is pushed out automatically upon authentication. The agent software gathers minimal information about each endpoint: user name, role, and IP and MAC addresses. We did notice system-performance degradation when the persistent agent was doing its posture assessment. With just a single agent configured, CPU use spiked to greater than 90 per cent for a brief period.

Enforcement and remediation are provided by limiting or blocking access via firewall rules, changing a port's VLAN in an out-of-band deployment or actively changing the VLAN tag on packets in an in-line deployment, launching a program (limited to local systems only), providing a URL link, and integrating with Windows Server Update Services to fetch missing Windows patches.

When a system failed the posture assessment in our testing, the Clean Access Agent displayed an alert with the message configured in our applicable policy rule. In that message the user clicked a button to open a link to download the missing software, Sophos AV in this instance. This overall process is very typical of the rest of the products tested.

Policy flexibility
Policies are created via a multistep process using a Web-based management interface. While this process allows for some flexibility, which would be necessary in an enterprise network - such as the ability to create different policy combinations for different endpoint populations - it's one that takes a while to understand and leaves a lot of room for error. Individual checks are defined by an administrator for a specific item, such as Sophos AV running the latest version. Checks are then combined into rules, which are mapped to requirements, such as "AV software must be running". Users can assign requirements to a role, such as ensuring that all "guest" systems are running an AV program with current signatures without caring which one.
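The check/rule/requirement/role layering described above, and the failure message with a download link from the Sophos test earlier, modelled as an added example (not Cisco's code or data format). Endpoint attribute names, the two roles, the vendors and the remediation URL are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Endpoint = Dict[str, object]  # posture attributes an agent might report (constructed layout)

@dataclass
class Check:
    # One administrator-defined test, e.g. "Sophos AV running with current signatures"
    name: str
    test: Callable[[Endpoint], bool]

@dataclass
class Rule:
    # Checks combined into a rule; any_of=True passes if one check passes, else all must
    name: str
    checks: List[Check]
    any_of: bool = False

    def passes(self, ep: Endpoint) -> bool:
        results = [c.test(ep) for c in self.checks]
        return any(results) if self.any_of else all(results)

@dataclass
class Requirement:
    # A rule mapped to the message (and download link) the agent shows on failure
    name: str
    rule: Rule
    message: str

def av_current(vendor: str) -> Check:
    # Hypothetical attribute layout: ep["av"] = {"vendor": str, "sigs_current": bool}
    return Check(f"{vendor} AV current",
                 lambda ep: ep.get("av", {}).get("vendor") == vendor
                 and bool(ep["av"].get("sigs_current")))

WIN_PATCHED = Check("Windows patches applied", lambda ep: ep.get("missing_patches", 1) == 0)

# Guest role: any supported AV with current signatures, vendor does not matter
ANY_AV = Rule("any AV current", [av_current("Sophos"), av_current("McAfee")], any_of=True)
# Employee role: the corporate AV specifically, plus all Windows patches
CORP_AV = Rule("Sophos current and patched", [av_current("Sophos"), WIN_PATCHED])

ROLES: Dict[str, List[Requirement]] = {
    "Guest": [Requirement("AV software must be running", ANY_AV,
                          "Install an antivirus product: http://remediation.example/av")],
    "Employee": [Requirement("Corporate AV and patches", CORP_AV,
                             "Update Sophos and run Windows Update before connecting")],
}

def assess(role: str, ep: Endpoint) -> List[str]:
    """Return the failure messages for every unmet requirement (empty list = compliant)."""
    return [r.message for r in ROLES[role] if not r.rule.passes(ep)]
```

Because assessment here runs once per call, a deployment that only evaluates at connect time (as the article notes for this product) would never see a later change in `sigs_current` until the endpoint reconnects.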

The management GUI, while better than some in terms of overall design and presentation, is not intuitive. Multiple layers of tabs make it difficult to pinpoint exactly where configuration items are. The documentation - both hard copy and online - is very good, though, and helps answer questions quickly. For status reporting, users can tap into syslog to check the status of currently connected devices. Cisco also offers a text table summarising the current number of online users assigned to each role (for example, Quarantine, Employee or Contractor).

Historical reporting is almost nonexistent. Users cannot report on posture-assessment results directly from the product. Posture-assessment details are provided as events, and Cisco makes available an API that can be tapped in order to pull the data from the Cisco NAC system into a separate analysis tool. Users can run queries against the data, looking for bulk details about users, operating systems, IP addresses and antivirus software, but results can't be exported for use in any type of graphical reports.

Cisco provides basic NAC functionality, but has not yet moved into post-connection assessment. Most of the other products we tested in this space provide regular posture assessments after the initial network connection.