Network Admission Control (NAC) is a solution that allows
network administrators to define and enforce security policies across network
devices. NAC allows only healthy hosts to access your network, but which are
the healthy hosts? As this is not a simple question to answer, the solution can
also be complex. Cisco NAC (CNAC) is
no different. In this article, we will learn about Cisco’s solution to NAC and
see how it stacks up to the competition.
What is Cisco’s NAC solution?
Cisco’s original NAC solution is the NAC Framework. Later,
Cisco bought a company called Perfigo and released the NAC Appliance. Both of
these solutions have merit, and one is not a replacement for the other. So
while these are two valid but distinctly separate choices, Cisco has announced
that they plan to combine these solutions in the future. It’s rumored that
Cisco will call the solution OneNAC, which makes one
wonder if the second revision would be called TwoNAC,
and so on.
Why should I use NAC?
There are a number of benefits to using a NAC system from
any vendor, not just Cisco Systems. As malware, viruses, and spyware just continue
to become greater issues, NAC becomes more important. If your manager asks why
you’re looking into NAC, you can give an informed response:
- Protects your company’s assets: Those assets could be your data (many times, that’s the company’s most valuable asset). NAC enforces the policies that you define to prevent your company’s data from being sent out to Russia or China.
- Protects against business disruption: When a computer connects to your network, an Internet worm on that computer could bring your whole network down.
What is the Cisco NAC Framework?
The Cisco NAC Framework is just a framework, not a complete solution in itself. It is an architecture that Cisco offers to partners and customers. By building on this framework, third-party partners’ products can interoperate with Cisco’s products to create a complete solution. Once the Framework is assembled together with the partners’ products, the result can be a highly automated NAC infrastructure.
One of my initial concerns with the Cisco NAC Framework is that it’s really a framework to which over 75 Cisco security partners subscribe in order to make their products compatible and interoperable. The framework isn’t a solution in itself, nor is it a standalone product. Can the products of 75 different vendors really work together to create a successful solution? And from whom would you buy these products: 75 different vendors? Initially, it doesn’t sound like a solution that’s easy to understand or implement.
However, based on my research, most people report that the products of the various Cisco NAC Framework partners work well with the Cisco NAC policy controller. Still, as with any complex project, you may have to invest heavily in software, hardware, and services to make a Cisco NAC Framework implementation a success.
What is the Cisco NAC Appliance?
Previously called Cisco Clean Access, the Cisco NAC Appliance is the alternative to the Cisco NAC Framework. It offers companies the option to deploy a self-contained endpoint assessment, remediation service, and policy management solution all in one box. The best part is that all of this can be implemented quickly, without the need for modifications.
The downside of the Cisco NAC Appliance is that its capabilities are narrower than those of a full-blown NAC Framework implementation; however, the time and effort needed to implement the NAC Appliance are generally also smaller. Figure A shows what the Cisco NAC Appliance looks like.
Which is right for you?
There’s a lot of talk about the NAC Framework, but Cisco
recommends the NAC Appliance for initial deployments in their FAQ:
Cisco recommends the NAC Appliance to most customers as
their initial deployment method. The NAC Appliance delivers a successful
solution to solve our customers’ real world business problems. We have
established a large and rapidly growing customer install base with worldwide
NAC Appliance deployments.
However, that is only a recommendation for initial deployments. You might not be facing a clean scenario that could be described as an initial deployment; perhaps you’re already using 802.1X, or you have part of a solution installed but not the rest. In such cases, the Cisco NAC Framework can also turn out to be useful, especially when you require extensive integration with third-party NAC-enabled products. When the NAC Appliance isn’t an option for you, the NAC Framework is the one to choose.
While the NAC Appliance is the easiest road for a single network, it doesn’t scale well. And though the NAC Framework might sound like a great all-encompassing alternative, most IT shops that choose it don’t end up deploying a full NAC Framework, simply because of the time, resources, and infrastructure costs involved.
Interoperability of NAC solutions
Cisco’s NAC Framework is what Cisco will point to when it comes to questions of interoperability. However, look at the multitude of NAC parts and pieces and you have to wonder how, or whether, they could all work together. Within the Cisco arena alone, all of these pieces can be part of a NAC solution:
- Cisco Secure Agent (CSA)
- Cisco Security Monitoring, Analysis, and Response System (MARS)
- Cisco Trust Agent (CTA)
- Cisco Secure Access Control Server (ACS)
- Cisco routers with NAC
- Cisco switches with NAC
- Cisco VPN concentrators
- Cisco wireless devices
As those are all Cisco devices, it’s likely that they can all work together to provide a NAC solution; however, the computing environment is not homogeneous. So what about your PCs, laptops, PDAs, and such?
Fortunately, for those of us who use the Windows OS, Microsoft and Cisco announced a deal to make Cisco NAC and Microsoft NAP compatible with each other. This seems like a win/win situation for the consumer: we don’t have to choose, and it lets us protect our investment in NAC/NAP infrastructure. I wish more vendors would follow their lead. Note, however, that this interoperability isn’t functional until you start using Windows Server 2008.
Cisco NAC and the competition
Although Cisco’s NAC and Microsoft’s NAP may be the two most recognizable buzzwords revolving around NAC, that doesn’t mean they’re the only game in town; there’s a lot of competition out there. NAC is still a young technology with lots of innovation going on in the marketplace. Here’s the short list of CNAC competitors:
- Bradford Networks: All Bradford does is NAC.
- ConSentry Networks: Their product line is called LAN Shield and they focus on NAC.
- ForeScout Technologies: Their two products are CounterACT and ActiveScout. ForeScout has had good reviews for their NAC solutions.
- InfoExpress: Offers CyberGatekeeper Dynamic NAC. They claim that you won’t have to make any network changes.
- Juniper Networks: The large firewall and router manufacturer produces Unified Access Control (UAC) and sells the Infranet Controller as their policy controller.
- Lockdown Networks: Produces Real NAC and has had good reviews in tests.
- McAfee: The large software company produces McAfee Policy Enforcer and ePolicy Orchestrator. Together, these are supposed to provide a complete NAC solution, but they still lack some basic NAC features.
- StillSecure: Their NAC product is called Safe Access.
- Symantec: This large software company offers SNAC (Symantec NAC), which won the title of best overall NAC solution in a recent test.
- Vernier Networks: They claim that over 1,000 organizations have deployed their NAC product.
While Cisco’s NAC solution may seem like a safe bet, you might want to take a look at the other vendors: in a recent unbiased test of 13 NAC vendors (including Cisco), Symantec’s solution won (the runners-up were ForeScout, Lockdown, and Juniper). To Cisco fans, it may seem unimaginable for Cisco not to rate in the top four NAC vendors; but, in my opinion, the test results show that Cisco’s solution is more fragmented and immature than the competition.
In summary
Cisco currently offers two NAC solutions: Framework and Appliance. The Framework is an architecture to which many parts of your network (Cisco or non-Cisco) can belong; it is more of a guide to how the various pieces might fit together to create a NAC solution. However, a complete Cisco NAC Framework can be difficult and costly to implement. On the other hand, the Cisco NAC Appliance can be deployed in-band or out-of-band and is used to block or quarantine clients directly.
As the NAC market is still young, Cisco has some tough
competition out there. Although it is just one of many NAC solutions available
today, I feel that the Cisco NAC appliance deserves a review when considering
enterprise NAC solutions.