SolutionBase: Get familiar with Cisco's NAC solution

Shopping around for an enterprise NAC solution? In this article, David Davis shares his research on Cisco's two current NAC solutions and how they stack up to the competition.

Network Admission Control (NAC) is a solution that allows network administrators to define and enforce security policies across network devices. NAC allows only healthy hosts to access your network, but which are the healthy hosts? As this is not a simple question to answer, the solution can also be complex. Cisco NAC (CNAC) is no different. In this article, we will learn about Cisco's solution to NAC and see how it stacks up to the competition.
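To make the "which hosts are healthy?" question concrete, here is an added Python sketch of the policy-evaluation step a NAC policy controller performs when an endpoint connects. It is an illustration written for this article, not Cisco's code or any vendor's API: the posture fields, patch-level numbers, thresholds, VLAN ids and sample hosts are all constructed assumptions, chosen only to show how an administrator-defined policy turns a posture report into an admit, quarantine or deny decision that the network then enforces.

```python
"""Toy NAC posture-policy evaluator (added illustration, not Cisco code).

A NAC policy controller receives a posture report from an agent on the
connecting host, compares it against the administrator's policy, and
returns a decision that a switch or appliance then enforces, typically by
admitting the host, moving it to a quarantine VLAN, or denying it.
All hosts, thresholds and VLAN numbers below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Posture:
    """What the endpoint agent reports about the host (constructed fields)."""
    host: str
    agent_present: bool               # False = no agent, host cannot be assessed
    os_patch_level: int               # hypothetical monotonic patch baseline number
    av_signature_date: Optional[date]  # None = no antivirus signatures reported
    firewall_enabled: bool


@dataclass
class Policy:
    """Administrator-defined meaning of a 'healthy' host."""
    min_patch_level: int
    max_signature_age_days: int
    require_firewall: bool = True


# Enforcement action per decision: VLAN the access port is assigned to.
# 10 = production, 999 = quarantine/remediation network, None = port blocked.
# (Constructed values; real deployments choose their own.)
VLAN_FOR_DECISION: Dict[str, Optional[int]] = {
    "ADMIT": 10,
    "QUARANTINE": 999,
    "DENY": None,
}


def evaluate(posture: Posture, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return (decision, failed checks) for one host.

    DENY       - host cannot be assessed at all (no agent)
    QUARANTINE - assessed, but at least one check failed; needs remediation
    ADMIT      - every check passed
    """
    if not posture.agent_present:
        return "DENY", ["no posture agent present; host cannot be assessed"]

    failures: List[str] = []
    if posture.os_patch_level < policy.min_patch_level:
        failures.append(
            f"patch level {posture.os_patch_level} below required {policy.min_patch_level}"
        )
    if posture.av_signature_date is None:
        failures.append("no antivirus signatures reported")
    else:
        age = (today - posture.av_signature_date).days
        if age > policy.max_signature_age_days:
            failures.append(
                f"antivirus signatures {age} days old, limit {policy.max_signature_age_days}"
            )
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("host firewall disabled")

    return ("QUARANTINE", failures) if failures else ("ADMIT", [])


def assess_network(
    hosts: List[Posture], policy: Policy, today: date
) -> Dict[str, Tuple[str, Optional[int], List[str]]]:
    """Evaluate every host and pair its decision with the enforcement VLAN."""
    result: Dict[str, Tuple[str, Optional[int], List[str]]] = {}
    for h in hosts:
        decision, failures = evaluate(h, policy, today)
        result[h.host] = (decision, VLAN_FOR_DECISION[decision], failures)
    return result


# Constructed sample policy and posture reports, as an agent might deliver them.
SAMPLE_POLICY = Policy(min_patch_level=42, max_signature_age_days=7)
SAMPLE_TODAY = date(2007, 6, 15)
SAMPLE_HOSTS = [
    Posture("laptop-01", True, 45, date(2007, 6, 14), True),    # healthy
    Posture("laptop-02", True, 40, date(2007, 6, 1), True),     # old patches, stale AV
    Posture("desktop-07", True, 45, date(2007, 6, 13), False),  # firewall off
    Posture("guest-pda", False, 0, None, False),                # no agent at all
]

if __name__ == "__main__":
    verdicts = assess_network(SAMPLE_HOSTS, SAMPLE_POLICY, SAMPLE_TODAY)
    for host, (decision, vlan, failures) in verdicts.items():
        print(f"{host:11} {decision:10} vlan={vlan}  {'; '.join(failures)}")
```

The split between QUARANTINE and DENY is the point worth noting: a host that can be assessed and merely fails a check belongs on a remediation network where it can fetch patches and signatures, while a host that presents no agent at all gives the controller nothing to assess and is treated differently. Which of these categories a given product supports, and whether enforcement happens in-band or out-of-band, is exactly the kind of detail that separates the vendors discussed below.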

What is Cisco's NAC solution?

Cisco's original NAC solution is the NAC Framework. Later, Cisco bought a company called Perfigo and released the NAC Appliance. Both of these solutions have merit, and one is not a replacement for the other. So while these are two valid but distinctly separate choices, Cisco has announced that they plan to combine these solutions in the future. It's rumored that Cisco will call the solution OneNAC, which makes one wonder if the second revision would be called TwoNAC, and so on.

Why should I use NAC?

There are a number of benefits to using a NAC system from any vendor, not just Cisco Systems. As malware, viruses, and spyware continue to become greater problems, NAC becomes more important. If your manager asks why you're looking into NAC, you can give an informed response:

  • Protects your company's assets: Those assets could be your data (many times, that's the company's most valuable asset). NAC enforces the policies that you define to prevent your company's data from being sent out to Russia or China.
  • Protects against business disruption: When a computer connects to your network, an Internet worm on that computer could bring your whole network down.

What is the Cisco NAC Framework?

The Cisco NAC Framework is just a framework, not really a solution. The NAC Framework is an architecture that Cisco offers to partners and customers. By using the framework, a third-party partner's products can interoperate with Cisco's products to create a complete solution. Once the Framework is put together with the partners' products, it can create a highly automated NAC infrastructure.

One of my initial concerns with the Cisco NAC Framework is that it's really a framework to which over 75 Cisco security partners subscribe to make their products compatible and interoperable. The framework isn't a solution in itself, nor is it a standalone product. Can the products of 75 different vendors really work together to create a successful solution? And who would you buy these products from: 75 different vendors? Initially, it doesn't sound like a solution that's easy to understand or implement.

However, based on my research, most people say that the products of the multiple Cisco NAC Framework partners work well with the Cisco NAC policy controller. Still, just as with any complex project, you may have to invest heavily in software, hardware, and services to make a Cisco NAC Framework implementation a success.

What is the Cisco NAC Appliance?

Previously called Cisco Clean Access, the Cisco NAC Appliance is the alternative to the Cisco NAC Framework. The Cisco NAC Appliance offers companies an option to deploy a self-contained endpoint assessment, remediation service, and policy management solution all in one box. The best part is that this can all be implemented quickly, without the need for modifications.

The downside of the Cisco NAC Appliance is that its capabilities are narrower when compared to a full-blown NAC Framework implementation; however, the time and effort needed to implement the NAC Appliance are generally also smaller. Figure A shows what the Cisco NAC Appliance looks like.

Figure A

The Cisco NAC Appliance.

Which is right for you?

There's a lot of talk about the NAC Framework, but Cisco recommends the NAC Appliance for initial deployments in their FAQ:

Cisco recommends the NAC Appliance to most customers as their initial deployment method. The NAC Appliance delivers a successful solution to solve our customers' real world business problems. We have established a large and rapidly growing customer install base with worldwide NAC Appliance deployments.

However, that is only a recommendation for initial deployments. You might not be facing a clean scenario that could be described as an initial deployment; perhaps you're using 802.1X, or you have part of a solution installed, but not others. In some cases, the Cisco NAC Framework can also turn out to be useful. This is especially true when you require extensive integration with third-party NAC-enabled products. When the NAC Appliance isn't possible for you, the NAC Framework is the option to choose.

While the NAC Appliance is the easiest road for a single network, it doesn't scale well. And though the NAC Framework might sound like a great all-encompassing alternative, most IT shops don't end up deploying a full NAC framework when they choose that option, simply because of the time, resources, and infrastructure costs involved.

Interoperability of NAC solutions

Cisco's NAC Framework is what Cisco will really point to when it comes to questions of interoperability. However, you have to look at the multitude of NAC parts and pieces and wonder how or if they could all work together. Just in the Cisco arena, all of these pieces can be part of a NAC solution:

  • Cisco Secure Agent (CSA)
  • Cisco Security Monitoring, Analysis, and Response System (MARS)
  • Cisco Trust Agent (CTA)
  • Cisco Secure Access Control Server (ACS)
  • Cisco routers with NAC
  • Cisco switches with NAC
  • Cisco VPN concentrators
  • Cisco wireless devices

As those are all Cisco devices, it's likely that they can all work together to provide a NAC solution; however, the computing environment is not homogeneous. So what about your PCs, laptops, PDAs, and such?

Fortunately, for those of us who use the Windows OS, Microsoft and Cisco announced a deal to make Cisco NAC and Microsoft NAP compatible with each other. This seems like a win/win situation for the consumer: we don't have to choose, and it allows us to protect our investment in our NAC/NAP infrastructure. I wish more vendors would follow their lead. Note, though, that this interoperability isn't functional until you start using Windows Server 2008.

Cisco NAC and the competition

Although Cisco's NAC and Microsoft's NAP may be the two most recognizable buzzwords revolving around NAC, that doesn't mean they're the only game in town; there's a lot of competition out there. NAC is still a young technology with lots of innovation going on in the marketplace. Here's the short list of CNAC competitors:

  1. Bradford Networks: All Bradford does is NAC.
  2. ConSentry Networks: Their product line is called LAN Shield and they focus on NAC.
  3. ForeScout Technologies: Their two products are CounterACT and ActiveScout. ForeScout has had good reviews for their NAC solutions.
  4. InfoExpress: Offers CyberGatekeeper Dynamic NAC. They claim that you won't have to make any network changes.
  5. Juniper Networks: The large firewall & router manufacturer produces Unified Access Control (UAC) and sells the Infranet Controller as their policy controller.
  6. Lockdown Networks: Produces Real NAC and has had good reviews in tests.
  7. McAfee: The large software company produces McAfee Policy Enforcer and ePolicy Orchestrator. Together, these are supposed to provide a complete NAC solution, but they still lack some basic NAC features.
  8. StillSecure: Their NAC product is called Safe Access.
  9. Symantec: This large software company offers SNAC (Symantec NAC), which won the title of best overall NAC solution in a recent test.
  10. Vernier Networks: They claim that over 1,000 organizations have deployed their NAC product.

While Cisco's NAC solution may seem like a safe bet, you might want to take a look at the other vendors: in a recent unbiased test of 13 NAC vendors (including Cisco), Symantec's solution won (the runners-up were ForeScout, Lockdown, and Juniper). To Cisco fans, it may seem unimaginable for Cisco not to rate in the top four NAC vendors; but, in my opinion, the test results show that Cisco's solution is more fragmented and immature than the competition.

In summary

Cisco currently offers two NAC solutions: Framework and Appliance. The Framework is an architecture to which many parts of your network (Cisco or non-Cisco) can belong. The Framework is more of a guide on how various pieces might fit together to create a NAC solution. However, a complete Cisco NAC Framework can be difficult and costly to implement. On the other hand, the Cisco NAC Appliance can be deployed in-band or out-of-band and is used to block or quarantine clients directly.

As the NAC market is still young, Cisco has some tough competition out there. Although it is just one of many NAC solutions available today, I feel that the Cisco NAC appliance deserves a review when considering enterprise NAC solutions.