NAC appliance - Virus scan

Is it possible to force a virus scan prior to giving access to the network using NAC appliance (with or without CCA)?

Also, is there any way to know when the machine was last fully virus scanned?

Thx

8 Replies

Jagdeep Gambhir
Level 10

Hi Charles,

Yes, that is possible with NAC. Please check this NAC demo presentation:

http://www.cisco.com/cdc_content_elements/flash/nac/demo.htm

If the user's system is infected, NAC will put that user in the isolated network.

Also check the NAC FAQs.

Regards,

~JG

Using the CAM GUI, where do you go to configure this? All I can see is rules for AV installation/service/definition. Maybe by the network scanner?

Thx

Yes,

Device manager ---> Clean Access ---> Network scanner.

Kindly see the attachment.

Pls rate if helps

Regards,

~JG

Looks like I must manually choose all the viruses I wanna scan a PC for? Is there a plugin like "scan hard drive for any virus"?

Charles,

Yes, that is correct; you need to define it.

Go into Rules ---> New AV Rule and select ANY for the antivirus vendor.

Device management ---> Clean Access ---> Network Scanner ---> Plugin Updates

NAC is not for the purpose of scanning the whole system. AV is used for that purpose. It checks and makes sure that AV and MS updates are up to date.

Regards,

~JG

So I cannot be sure that a user's PC isn't infected before allowing network access?

NAC FAQs

Q. Does the Cisco NAC Appliance actually clean, or does it just make sure programs are installed and updated so that machines remain clean?

A. In the case of a failed Windows hotfix, the Cisco NAC Appliance can automatically launch the Windows AutoUpdate tool. If the Cisco NAC Appliance detects an infection or vulnerability, it can push a fix tool to the user (Symantec's MyDoom Fix Tool, for example) and require that user to use it before accessing the network. In addition, any registry setting that is detected can trigger the download of software or scripts that secure the user's device to meet established security policies.

Q. How does the Cisco NAC Appliance work?

A. When a device attempts to log onto the network, the Cisco NAC Appliance requests authentication credentials and identifies what kind of device it is. Depending on the role of the user, a posture assessment is performed based on the requirements of the network. If the device is found to be noncompliant, the Cisco NAC Appliance redirects the machine to a quarantine area where the user can perform the necessary downloads to update the machine. The machine is then rescanned and, if compliant, is granted access to the network.

Q. What kind of scans does the Cisco NAC Appliance perform?

A. The Cisco NAC Appliance performs network- and agent-based scans. Network-based scans look for network vulnerabilities such as remote-procedure call (RPC) buffer overflows or messenger buffer overflows. Agent-based scans check a user's system registry, file system, and system memory for specific services and applications.

Hope that helps

~Jg

Thx, that's all clear now!
