NAC with security rtr

Answered Question
Oct 7th, 2008

Hello,

We want to implement a NAC solution for people dialing in from home to the HO and then going out to the Internet via our Internet router.

This router has the security feature set and is NAC enabled (we can see this from the web interface).

However, one Cisco partner suggests using Clean Access Server and not the security router.

Is there any advantage to using Clean Access Servers, or any limitation of the security router?

Note: we only need to check for Windows updates and antivirus updates when computers access the Internet.

Correct Answer by ovt@redcenter.ru about 8 years 4 months ago

Well, both NAC Framework (NAC on your router) and NAC Appliance (Clean Access Server) will work. You can dial in via PSTN/ISDN or via VPN using the Cisco VPN Client. Also, you can purchase an NME-NAC-K9 module for your router and it will work like a Clean Access Server.

To use NAC Framework you'll also need Cisco Secure Access Control Server (CS ACS) 4.0+ (4.1). This is a commercial RADIUS server and isn't cheap.

Also, to check for antivirus updates your antivirus product must be supported by either NAC Framework or Appliance. For a list of supported products take a look at:

http://www.cisco.com/go/nac

http://www.cisco.com/web/partners/pr46/nac/partners.html (NAC Framework)

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/416/416rn.html (NAC Appliance)

For NAC Framework you'll need to integrate vendor .dlls into the Cisco Trust Agent (for all of your antivirus vendors!), then distribute CTA to all user PCs using some out-of-band mechanism (not an easy task). CTA is a must for NAC Framework.

NAC Appliance automates this. It is a self-contained product (no .dlls). The Clean Access Agent can check supported antivirus products by itself. It can be installed on PCs via some out-of-band mechanism or downloaded from the Web Login page. Also, a Java / ActiveX agent is supported and can check your PC for compliance as well.

Checking for the Service Pack number isn't difficult in either product. However, to check for Windows hotfixes you'll have to create complex rules in NAC Framework. When a new hotfix is released by Microsoft you'll have to change your rules manually (not easy). NAC Appliance automates this. It can download rules from the Cisco website, but you'll have to buy tech support for this.

In general, configuring and maintaining NAC Framework is not an easy task. However, you can buy additional products, integrate them into the Framework, and they will automate many things for you. This is neither cheap nor easy. NAC Appliance is self-contained. You won't need anything else.

HTH
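The answer above describes posture rules for Service Pack level, required hotfixes and antivirus definition freshness, and the maintenance cost of hand-edited hotfix rules. The following is an added illustration written for this page, not code from Cisco, NAC Framework or NAC Appliance: a small posture-rule evaluator that models those three checks and shows what happens to a previously compliant host the moment a new hotfix is added to the rule. The OS name, the hotfix identifiers (`KB-EXAMPLE-*`), the antivirus product name and the age thresholds are all constructed placeholders, not real Microsoft KB numbers or supported products; the decision model (fail closed on any unknown OS or unsupported antivirus product) is the author's choice for the example, not a description of either Cisco product.

```python
"""Minimal posture-rule evaluator (added example, not Cisco code).

Models the three checks discussed in the thread: minimum Service Pack,
required hotfixes, and antivirus definition age.  All identifiers below
are constructed placeholders.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class HostPosture:
    """What an endpoint agent reports about one PC (constructed sample data)."""
    os_name: str
    service_pack: int
    installed_hotfixes: frozenset
    av_product: str
    av_definition_date: date


@dataclass(frozen=True)
class PolicyRule:
    """One posture rule for one OS.  required_hotfixes is the list an
    administrator must extend by hand whenever a new hotfix is mandated."""
    os_name: str
    min_service_pack: int
    required_hotfixes: frozenset
    supported_av: dict  # product name -> maximum definition age in days


# Constructed sample policy; KB-EXAMPLE-* are placeholders, not real KB numbers.
XP_RULE = PolicyRule(
    os_name="Windows XP",
    min_service_pack=2,
    required_hotfixes=frozenset({"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    supported_av={"ExampleAV": 7},
)


def evaluate(host, rule, today):
    """Return ("allow" | "quarantine", [reasons]).

    Fails closed: an OS without a rule or an antivirus product the policy
    does not recognise is quarantined rather than waved through.
    """
    if host.os_name != rule.os_name:
        return "quarantine", ["no posture rule for %s" % host.os_name]
    reasons = []
    if host.service_pack < rule.min_service_pack:
        reasons.append("service pack %d < required %d"
                       % (host.service_pack, rule.min_service_pack))
    missing = sorted(rule.required_hotfixes - host.installed_hotfixes)
    if missing:
        reasons.append("missing hotfixes: " + ", ".join(missing))
    max_age = rule.supported_av.get(host.av_product)
    if max_age is None:
        reasons.append("unsupported antivirus product: %s" % host.av_product)
    else:
        age = (today - host.av_definition_date).days
        if age > max_age:
            reasons.append("antivirus definitions are %d days old (limit %d)"
                           % (age, max_age))
    return ("allow" if not reasons else "quarantine"), reasons


def require_hotfix(rule, hotfix_id):
    """The manual maintenance step the thread warns about: a newly mandated
    hotfix produces a new rule version, and every host is re-judged against it."""
    return replace(rule, required_hotfixes=rule.required_hotfixes | {hotfix_id})


# Constructed sample hosts, dated to the thread for readability.
TODAY = date(2008, 10, 7)
COMPLIANT = HostPosture("Windows XP", 3,
                        frozenset({"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
                        "ExampleAV", TODAY - timedelta(days=2))
STALE = HostPosture("Windows XP", 1, frozenset({"KB-EXAMPLE-001"}),
                    "ExampleAV", TODAY - timedelta(days=30))
UNKNOWN_AV = HostPosture("Windows XP", 3,
                         frozenset({"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
                         "OtherAV", TODAY)


if __name__ == "__main__":
    for name, host in (("compliant", COMPLIANT), ("stale", STALE),
                       ("unknown_av", UNKNOWN_AV)):
        print(name, evaluate(host, XP_RULE, TODAY))
    # A new hotfix is mandated: the rule is edited, and the compliant host
    # is quarantined until the agent reports the new hotfix as installed.
    NEWER_RULE = require_hotfix(XP_RULE, "KB-EXAMPLE-003")
    print("compliant, after new hotfix", evaluate(COMPLIANT, NEWER_RULE, TODAY))
```

The point of `require_hotfix` is the operational one made in the answer: with a static rule set, every Microsoft release means editing the policy and re-evaluating every host, which is the work NAC Appliance's downloadable rule updates take off the administrator. Returning a fresh rule object instead of mutating the old one also keeps the previous policy version around for audit.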
