question about cisco nac agent

Unanswered Question
Mar 5th, 2009

When I deploy the Cisco NAC appliance, what is the main difference between using the Cisco NAC appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If the Cisco NAC appliance is used without the agent, will the Cisco NAC server scan the device and remediate? Is that right?

Please answer me soon. Thank you for your answer.

mylove142 Fri, 03/06/2009 - 18:38

Dear Michael, thank you for your answer. Because I see the agent is optional, if I don't want to use the agent, I think that the NAC server can scan and remediate. If the NAC server can't scan and remediate, the NAC agent is required.

That is my idea. Does anyone have another idea?

I'm looking for your answer.

Thank you very much.


Daniel Laden (Cisco Employee) Fri, 03/06/2009 - 19:04

The NAC Agent will allow you to access the computer from inside the host firewall; you can also review using the network scanner to assess the computer from outside the firewall.

The agent is optional, and its absence will limit your capabilities to scan and remediate.


Check out the NAC Chalk Talks.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html


Thank You,

Dan Laden


Sorry, I believe daldden is correct; without the agent you can still scan using the built-in Nessus scanner.

We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory, though, so anyone who actively uses the scanner may be able to give more up-to-date or complete info:


1) You have to decide which vulnerabilities you want to scan for.

2) The more plug-ins you enable, the longer (obviously) the scan takes.

3) There are configuration steps for many of the plug-ins.

4) Your users will still need to go to a login page in order to be scanned.

5) You have to configure the remediation information (URL, steps, etc.) for each plug-in you enable.


From our viewpoint, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).

It was much easier for us to use the agent to scan their system and make sure that the MS critical hotfixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hotfix is installed.

Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system is scanned, and then the applet is unloaded.

Of course, the agent is only for Microsoft (with some Mac options), so if you have Linux systems, the Nessus scanner would be your only option.
