Welcome to the Cisco Networking Professionals Ask the Expert conversation for small and medium business. For a one-week period, small and medium business and technology leaders and Cisco engineers are available to continue discussing issues and ideas from scheduled live web broadcasts.
This is an opportunity to discuss with experts Chris Jackson and Robb Boyd how you can safeguard your network from today's most common threat: insider abuse. Chris is a consulting systems engineer at Cisco, focused on developing security practices within the partner community. Over his 15-year career in internetworking, Chris has built secure networks that map to a strong security policy for organizations including UPS, GE, and Sprint. Robb, a security marketing manager who functions most visibly as the Cisco Security Expert on Cisco's Techwise TV, has gained a detailed understanding of customers' security challenges through his role as a security field-sales specialist during his five years at Cisco.
Remember to use the rating system to let Chris and Robb know if you have received an adequate response.
They might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 15, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
If my company has one AV standard and a guest user is attempting access to the network but uses a different AV vendor... how am I supposed to provide updates to them so we can let them on the network?
Bill, great question. This is actually part of the standard service updates you would be using from Cisco with NAC Appliance. Over 27 AV vendors can be supported automatically, so that with one policy rule, "must have updated AV", you can control access to your network regardless of the AV vendor that user subscribes to.
The AV detection techniques require the agent to be present on the desktop. So for a guest user that you do not have administrative control over (client is not loaded), you would be able to check for policy violations with the built-in host scanning engine. You could check for things like running an SMTP server or peer-to-peer file sharing applications, but you would not be able to see into the registry or check AV definition dates.
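A simplified model of the two-tier posture check the answer describes, added here as an example that is not Cisco's code or NAC Appliance's rule syntax: one vendor-neutral "must have updated AV" rule that can only be evaluated when the agent reports, plus network-observable host-scan checks that apply to agentless guests as well. The 3-day definition-age threshold, the prohibited port and process lists, and the report format are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed policy parameters (assumptions, not NAC Appliance's own values).
MAX_DEFINITION_AGE = timedelta(days=3)          # assumed meaning of "updated AV"
PROHIBITED_PORTS = {25}                          # a client host running an SMTP server
PROHIBITED_PROCESSES = {"p2pshare.exe"}          # hypothetical peer-to-peer client binary

@dataclass
class HostReport:
    agent_present: bool                          # NAC agent installed and reporting
    av_vendor: Optional[str] = None              # any vendor; the rule is vendor-neutral
    av_definition_date: Optional[str] = None     # ISO date as the agent would report it
    listening_ports: set = field(default_factory=set)
    processes: set = field(default_factory=set)

@dataclass
class PostureResult:
    decision: str                                # "allow" or "quarantine"
    violations: list                             # checks that failed
    unverified: list                             # checks that could not be performed

def evaluate_posture(report: HostReport, today: str) -> PostureResult:
    violations, unverified = [], []
    # Host-scan checks: observable from the network, so they apply to guests too.
    for port in sorted(report.listening_ports & PROHIBITED_PORTS):
        violations.append(f"prohibited service listening on tcp/{port}")
    for proc in sorted({p.lower() for p in report.processes} & PROHIBITED_PROCESSES):
        violations.append(f"prohibited application running: {proc}")
    # Agent-only check: definition age lives in the registry, invisible without the agent.
    if report.agent_present:
        if report.av_definition_date is None:
            violations.append("no AV definitions reported")
        else:
            age = date.fromisoformat(today) - date.fromisoformat(report.av_definition_date)
            if age > MAX_DEFINITION_AGE:
                violations.append(f"AV definitions stale ({report.av_vendor})")
    else:
        # A guest without the agent is not failed for this rule, but it stays unverified.
        unverified.append("av_definitions")
    decision = "quarantine" if violations else "allow"
    return PostureResult(decision, violations, unverified)

if __name__ == "__main__":
    # Constructed sample: an agentless guest with an SMTP listener on port 25.
    guest = HostReport(agent_present=False, listening_ports={25, 445})
    print(evaluate_posture(guest, "2006-11-10"))
```

The `unverified` list is the point for guest access: the decision should record which checks were skipped, not silently treat an unverifiable host as compliant.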
NAC Appliance gets updated automatically via a built-in update process. Any time Microsoft comes out with a new patch or an AV or anti-spyware vendor updates their definition files, we send out an update. We also include client file updates in this process as well, to facilitate getting the latest client pushed out to hosts automatically. You will have to update server and manager software patches and new releases manually though (moving from 4.03-4.1 for example). If we add support for new third-party products, that is auto-updated as well.
You need at least one NAC Appliance Manager and one NAC Appliance Server to have a functioning system. I recommend that you work with your local Cisco account team to see if they can conduct a demo for you or a try-and-buy. There are various bundles depending on your user counts, and they would be able to make sure that you had the correct components.
Here is a link that details the switches that we support with the current release.
What would you recommend if I am interested in an approximately 400-user configuration coming in from wireless access, VPN and conference rooms?
For that size install you are looking at needing a NAC Appliance Manager Lite (supports 3 NAC servers) and one 500-user NAC Server. I would also recommend going with a redundant solution that includes standby servers for high availability. We sell these as a bundle and make it easy to deploy in tandem. Wireless and VPN are deployed in an in-band fashion (i.e., the NAC server stays inline during the entire client session), so in order to use the same server for conference rooms you would have to do in-band there as well. As always, check with your local Cisco account team to make sure that you get some assistance with pricing and verifying the design.
I'm reading up on NAC right now and have just a quick question. If I configure my NAC appliance as an OOB Real-IP Gateway, it says that I have to bounce the interface to get a new DHCP address on the access VLAN. It lists this as an advantage of the Gateway, but it sounds like I have to release/renew the interface after authentication. What do they mean here?
The nice thing about bouncing the interface (i.e., shutting it down and bringing it back up on the switch) is that it will cause the operating system to immediately request a new IP address. This prevents the user from having to do a release and renew when the VLAN changes from unauthenticated to whichever VLAN the user is assigned to. We have the option to force an interface reset from NAC Appliance to do this for you.