Bolting the Back Door with NAC
Part 3: Comparing the alternatives — page two

by Lisa Phifer
VP Core Competence, Inc.
[June 22, 2007]

Cisco Network Admission Control
We'll start with the oldest and most widely-deployed framework: Cisco NAC. As shown below, CNAC was designed for all-Cisco networks that use Cisco and/or third-party posture and audit servers to make endpoint security policy decisions.

[Figure: CNAC components; image not reproduced]

At left is a host attempting network access. Full CNAC functionality is available to hosts that run Cisco's Trust Agent, which uses an API to consult Posture Plug-Ins such as McAfee VirusScan, Symantec Enterprise, or Cisco's own Security Agent. The Cisco Trust Agent is now available for Windows NT, 2000, XP, 2003, and Red Hat Linux. Hosts without the Trust Agent can either be exempted from posture checking by placing them on a MAC exception list, or be scanned by an external Audit Server. Of those two, the MAC exception list is the weaker control: a MAC address is neither authenticated nor hard to change, so any host that presents an exempted address inherits its bypass. Keep that list short, and prefer Audit Server scans for agentless hosts wherever possible.

Host access requests are fielded by CNAC-enabled Network Access Devices (NADs) that relay EAP messages over 802.1X or UDP and enforce access decisions. CNAC can protect networks composed of Cisco NADs: specifically, Cisco routers (IOS 12.3(8)T or later), Catalyst switches (IOS 12.2(25)SED/SG or later), Aironet Access Points (IOS 12.3(7)JA or later), and the Cisco VPN 3000 Concentrator (v4.7).

See Cisco's website for a detailed list of CNAC-enabled products. Your network may also include other/older devices, but only access initiated through recent Cisco gear can be controlled by CNAC.

All CNAC-enabled NADs forward RADIUS Access Requests to a Cisco Access Control Server (ACS). ACS authenticates the user and authorizes access by collaborating with external Directory Servers (e.g., Windows AD), Posture Validation Servers (e.g., TrendMicro OfficeScan), and/or Audit Servers (e.g., QualysGuard). Depending on your network and what you're trying to accomplish, there can be one or many policy servers.

Posture Validation Servers decide whether Cisco Trust Agent hosts are healthy, infected, need a checkup, etc., using information supplied by Posture Plug-Ins. They return results called posture tokens back to ACS over Cisco's Host Credentials Authorization Protocol (HCAP). Alternatively, Audit Servers remotely scan agentless hosts and return their results over Cisco's Generic Authorization Message Exchange (GAME) protocol.

Cisco sells its own Security Agent plug-in and MARS server. But it also runs a NAC partner program with dozens of certified third-party Posture Validation and Audit Server products. Check Cisco's NAC partner list to determine whether your favorite patch management, anti-virus, or other endpoint security product can "speak CNAC."

Stepping through CNAC
How would these components work together to implement our employee laptop quarantine? Let's walk through an example, using CNAC.

[Figure: CNAC quarantine walk-through; image not reproduced]

  1. When the laptop's Ethernet or Wi-Fi connection is first enabled, that traffic triggers a message from a NAD—for example, an 802.1X EAP Identity Request from the closest Switch or AP.

  2. The employee responds to login prompts with access credentials; behind the scenes, posture data may also be solicited from plug-in programs. The Cisco Trust Agent collects those responses and packs them into EAP messages.

  3. When those EAP messages reach the NAD (a RADIUS client), they are encapsulated in RADIUS Access-Request packets and passed along to a Cisco ACS (a RADIUS server).

  4. ACS consults other servers as needed to reach an admission decision.

    a. ACS may relay the user's login/password to a Directory Server to complete 802.1X authentication.

    b. ACS then passes supplied posture data to a Posture Validation Server, like an AV Policy Server.

    c. Because our host has an agent, ACS does not consult an Audit Server.

  5. ACS evaluates all server responses to render a final compliance ruling. In our example, the user must pass authentication in 4a) and the host must be found healthy in 4b) to achieve full compliance.

  6. ACS now determines the endpoint's authorization level—for example, deny access, assign the endpoint to a VLAN, apply a session timer, etc.

  7. ACS returns a RADIUS Access-Accept or Access-Reject (carrying the EAP-Success or EAP-Failure) to the NAD, together with authorization attributes such as a VLAN assignment, ACL, or session timer; the NAD then implements that policy (e.g., unblocks the port, updates ACLs).

  8. That EAP-Success or Failure message finally reaches the Cisco Trust Agent.

    a. A healthy, authenticated laptop can now get an IP address and send traffic. The NAD enforces policy throughout the session (e.g., by tagging or filtering packets).

    b. An authenticated but infected laptop may find itself admitted, but only to a quarantine VLAN, where all traffic is redirected to a remediation server. Once the laptop has been cleaned, it can return to Step 1 and try again.
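To make steps 4 through 7 concrete, here is an added example (written for this page, not Cisco's code or the article's) that models the ACS side of the exchange: it combines the directory authentication result with the posture tokens returned by each plug-in, derives the system posture token, selects an authorization, and encodes that authorization as the RADIUS attributes a NAD would receive in an Access-Accept. The token names are Cisco's NAC posture tokens; the VLAN numbers, ACL name, timeouts, and the policy table that maps tokens to them are assumed values for illustration.

```python
"""Toy model of the ACS admission decision in the CNAC walk-through.
Assumptions: VLAN 10 is production, VLAN 99 is quarantine, and the
'remediation-only' ACL exists on the NAD. Not Cisco's code."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Cisco NAC posture tokens, best to worst. The system posture token (SPT)
# is the worst application posture token (APT) any plug-in reported.
TOKENS = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]

# RADIUS attribute types (RFC 2865, RFC 2868, RFC 3580).
FILTER_ID = 11
SESSION_TIMEOUT = 27
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
TAG = 1  # RFC 2868 tag that groups the three tunnel attributes


@dataclass
class Authorization:
    accept: bool
    vlan: Optional[int] = None
    acl: Optional[str] = None
    session_timeout: Optional[int] = None


# Assumed policy table: SPT -> authorization (step 6).
QUARANTINE = Authorization(True, vlan=99, acl="remediation-only", session_timeout=300)
POLICY = {
    "Healthy": Authorization(True, vlan=10, session_timeout=8 * 3600),
    "Checkup": Authorization(True, vlan=10, session_timeout=3600),
    "Transition": QUARANTINE,
    "Quarantine": QUARANTINE,
    "Infected": QUARANTINE,
    "Unknown": Authorization(False),
}


def system_posture_token(apts: List[str]) -> str:
    """Worst-of rule: one Infected plug-in makes the whole host Infected.
    An empty or unrecognised token report is treated as Unknown."""
    normalised = [t if t in TOKENS else "Unknown" for t in apts] or ["Unknown"]
    return max(normalised, key=TOKENS.index)


def decide(auth_ok: bool, apts: List[str]):
    """Steps 4-6: authentication must pass, then posture picks the policy."""
    if not auth_ok:
        return "Unknown", Authorization(False)  # Access-Reject, port stays closed
    spt = system_posture_token(apts)
    return spt, POLICY[spt]


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; Length covers all three."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def radius_attributes(auth: Authorization) -> bytes:
    """Step 7: attributes ACS would place in the Access-Accept.
    An Access-Reject carries no authorization, so it returns b''."""
    if not auth.accept:
        return b""
    out = b""
    if auth.vlan is not None:  # dynamic VLAN assignment per RFC 3580
        out += _tagged_int(TUNNEL_TYPE, TAG, TUNNEL_TYPE_VLAN)
        out += _tagged_int(TUNNEL_MEDIUM_TYPE, TAG, TUNNEL_MEDIUM_802)
        out += _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(auth.vlan).encode())
    if auth.acl is not None:
        out += _avp(FILTER_ID, auth.acl.encode())
    if auth.session_timeout is not None:
        out += _avp(SESSION_TIMEOUT, struct.pack("!I", auth.session_timeout))
    return out


def parse_attributes(raw: bytes) -> dict:
    """What the NAD does with the reply: walk the TLVs into {type: value}."""
    attrs, i = {}, 0
    while i < len(raw):
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = raw[i + 2:i + length]
        i += length
    return attrs


if __name__ == "__main__":
    # Constructed posture report: patch plug-in says Healthy, AV says Infected.
    spt, auth = decide(True, ["Healthy", "Infected"])
    print(spt, auth)
    print(parse_attributes(radius_attributes(auth)))
```

The sample run lands the laptop in the quarantine VLAN with the remediation-only ACL and a short session timer, which is exactly the step 8b outcome: when the timer expires the host re-authenticates from step 1. A real Access-Accept would also carry the EAP-Message attribute holding EAP-Success; that is omitted here so the block stays focused on the authorization attributes.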

Although component names, protocols, and APIs differ, this overall sequence of events could also be carried out using NAP, TNC, or NEA. However, note the pivotal roles played here by Cisco's Trust Agent and ACS, and reliance on Cisco-defined protocols and APIs. These are what make CNAC a proprietary framework. Eventually, portions of CNAC may find their way into the IETF NEA standard. But today, CNAC only fits into Cisco-based networks that can satisfy NAD/ACS requirements.
