Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

NAC

Introduction

Network Admission Control.

                                                                                                              or

Network Access Control (NAC) solutions deliver a comprehensive approach to identifying, controlling, and securing access to critical network communications. Well architected NAC solutions proactively manage whether a trusted user, a guest, or a device can connect to a network and what they are authorized to do once connected; this is all based on policy criteria such as device and user identity, business role, time of day, location, and health of the end system. Comprehensive NAC solutions use both agent-based and agent-less assessment technologies, along with proactive and reactive policy enforcement to provide a solid pre-connect and post-connect end system security offering.

NAC.png

NAC is an acronym which stands for Network Access Control. Sometimes it is also referred to as Network Admission Control. NAC is a common term within IT organizations today, but there is much discussion around what NAC involves and what it does not. Some view NAC as simple registration and authorization of network connected end systems. Some view NAC as a solution to protect the network environment from viruses and worms. Some view NAC as a gatekeeper function to control how end systems and guest systems, which are not compliant with corporate computing guidelines, can access the network. A well architected NAC solution is actually all of these things. Network Access Control is the integration of several technologies to provide a solution that proactively and reactively controls end system communication on the network. There are a number of individual functions that make up a comprehensive NAC solution.

NAC 1.png

Detect - Detection and identification of new devices connecting to the network

Authenticate - Authentication of users and/or devices

Assess - Assessment of end systems regarding their compliance and/or vulnerabilities

Authorize - Authorization to use the network based on the results of the authentication and the assessment

Monitor - Monitoring users and devices once they are connected to the network

Contain - Quarantine problem end systems and/or users to prevent them from negatively impacting the overall network environment

Remediate - Remediation of problems with the end system and/or user A well architected solution should integrate highly advanced, policy-enabled   network infrastructure, along with advanced security applications and centralized management to deliver all of the required functions for pre and post-connect secure network access.

Phase Wise Implementation

A phased approach for implementing a NAC solution is the preferred method. In general, a NAC implementation can be separated into the following phases:

Phase 1: End-System Detection and Tracking

Phase 2: End-System Authorization

Phase 3: End-System Authorization with Assessment

Phase 4: End-System Authorization with Assessment and Remediation

Phase 1: Collects information about all end systems without altering any existing network access. This is basically an inventory of end systems attached to the network. This can be done with or without authentication.

Phase 2: Considers pre-defined rules and restrictions related to network access. This typically requires authentication to ensure unique network access policies can be enforced for each end system and user.

Phase 3: Assessment of all end systems. This data can be accessed via an external management system (for software distribution), an agent, or a network scanner. Typical information would be: operating system, vulnerabilities, and open ports.

Phase 4: Further network access policy rules are enforced to individual end systems, using assessment data results. The user should be informed about this assessment and should be given the opportunity to remediate if not in compliance with appropriate security policies.

Version history
Revision #:
1 of 1
Last update:
‎06-09-2009 05:41 AM
Updated by:
 
Labels (1)