Although Cisco's NAC Framework isn't as easy to use as the Cisco NAC Appliance, it does offer the benefit of bringing together offerings from various third-party security companies. David Davis explains the different components of the Cisco NAC Framework.
Cisco's NAC Framework is an architectural design for how multiple hardware and software components can work together to protect your network from unhealthy clients. Those clients could be PC's without the latest security patches, the latest anti-virus definitions, or a personal firewall enabled. In this article, I'll attempt to explain the complex NAC Framework as clearly as possible.
What are the components of the Cisco NAC Framework?
Cisco's NAC Framework attempts to solve a complex problem, and is consequently a complex solution. A full-blown implementation of the NAC Framework is not an easy task because the architecture includes lots of different components from Cisco and other vendors. For example, there is a NAC policy manager, multiple network systems, an audit server, a remediation server, and third-party security software posture validation servers. Figure A shows how the framework would work:
It's quite a challenge for both security and network personnel to make sure that above-mentioned components work cohesively. Irrespective of that, the Cisco-led NAC initiative is supported by majority of vendors associated with endpoint security, secure access gateways, and remediation servers.
How does the Cisco NAC Framework work?
So what can the Cisco NAC Framework do for you? Well, a lot. Here's how it works:
- If a PC host is attempting to access the network, it must be authenticated and audited for policy compliance. This attempt triggers a NAC Process.
- The PC host is running the Cisco Trust Agent (CTA).
- The Network Access Device (NAD) is the Ethernet switch attempting to initiate the network access on behalf of the PC host.
- The Extensible Authentication Protocol (EAP) is used and the host credentials are sent to a Cisco Secure Access Control Server (ACS).
- Until the entire process is complete, the PC host (your potentially malicious computer) is only passing credentials through from the Cisco Trust Agent to the network. The PC host cannot really communicate on the network.
- The Cisco Trust Agent passes credentials through a secure tunnel so that the NAD cannot see them.
- The ACS Server can pass the credentials to other servers. For example, much of the time today, these credentials are sent to Windows AD servers who can verify the credentials used. However, the credentials could also go to other servers, like LDAP or one-time-password servers.
- Based on the response of one or more authentication servers, the ACS server can grant, deny, or quarantine the PC host requesting network access. Additionally, the ACS Server can assign different levels of network access.
- To verify security policy compliance of the PC host, Cisco NAC Framework conducts network and agent-based scans.
- The Cisco NAC Framework can implement compliance checks on all types of devices.
- The Cisco NAC Framework notifies users of connection status, and if there's any problem, it automatically corrects problems by updating the machine's patches, firewall, or other settings. Optionally, the host PC can be notified whether his or her credentials allowed them network access with a pop-up window or similar function. For example, the user could get a message: "Your computer is lacking the necessary updates and therefore is not granted access to the network. In order to resume normal network access, please update your computer now at the following location: [URL]."
Figure B helps better explain the process:
You should note that usually the 802.1X network authentication protocol is used to authenticate the devices to the network. The switch that the NAD is connected to must support 802.1X, or the device cannot be truly quarantined until it is authenticated and scanned.
What are the components of Cisco's NAC Framework?
Now that you understand how the framework works, you should learn a little bit about the components of the framework. These are as follows:
- Posture: The posture of a host is a set of credentials and attributes that define the state or health of a user's computer and the applications on that computer.
- Cisco Trusted Agent: Cisco Trusted Agent (CTA) is one of the integral components of Cisco NAC Framework. The CTA is termed a posture agent. Cisco Trusted Agent is basically an installed software client whose main responsibility is to collect state information from security software on the endpoint (the NAD). In addition, it also communicates the "posture" (or what it learns) to the Cisco ACS Policy Server.
It's worth mentioning in this regard that Cisco Trusted Agent only communicates with client applications that are NAC-enabled by Cisco partners. There are around 50 vendors in the market actively participating in the NAC initiative. It includes, leading patch management vendors, client security vendors, and antivirus vendors.
- Network Access Devices (NAD): The NAD is, most commonly, the switch that the PC is connected to. However, it could also be a router, VPN concentrators, or other similar network access device. Many vendors switch manufacturers support the Cisco NAC Framework.
- AAA Policy Server: The AAA policy server is the Cisco Secure Access Control Server (or ACS). The main function of the ACS Server is to act as the policy decision point in NAC deployments. Apart from that, Cisco Secure Access Control Server also evaluates user credentials and calculates the security posture of network endpoints.
Frequently, the Cisco Secure ACS Server sends out per-user authorization to Cisco access devices with the help of downloaded access control lists. If you're running non-Cisco access devices, don't worry: Cisco Secure Access Control Server sends out per user authorization in this scenario as well.
The Cisco ACS Server is a Cisco application that runs on a Windows or Linux Server. ACS Servers can be scaled to very large implementations. Even without NAC, the Cisco ACS system operates as a centralized RADIUS or TACACS+ server. In general, the Cisco Secure Access Control Server manages the authorization, accounting, and authentication of users who access corporate information in a network.
The main advantage of Cisco Secure Access Control Server is that it gives you an authority to control user access to the network. You also get the power to authorize different kinds of network services for users. If you want to keep a record of all network user actions, you can do so easily with Cisco Secure Access Control Server.
- Directory Servers: The Directory Servers offers user IDs, authorization privileges, and group membership information.
- Posture Validation Server: As already mentioned, Cisco Secure Access Control Server has an ability to pass posture data to application-specific posture validation servers, which are normally given by third-party security vendors. Posture Validation Server judges whether endpoint software is up to the mark or not. On the basis of Posture Validation Server evaluation, Cisco Secure Access Control Server allows or disallows user access to networks.
- Remediation Servers: It's the job of remediation servers to bring devices back into compliance. The best part about remediation servers is that they can be as straightforward as a Web server that supports software downloads. Apart from that, remediation servers can automatically evaluate devices and if needed also supply mandatory software updates.
Parts of the greater whole
Cisco's NAC Framework is an architectural design for how multiple hardware and software components can work together to protect your network from unhealthy clients. While the Framework isn't as easy to use as the Cisco NAC Appliance, it does offer the benefit of bringing together offerings from various third-party security companies. At this point, you should understand the different components of the Cisco NAC Framework — posture agent (Cisco Trust Agent), posture validation server (Cisco ACS Server), Network Access Device (NAD) — the Cisco switch, and the remediation server (where users will go to get the firewall, OS, or AV software needed to get the PC host in compliance).