SUMMARY
With today's new security challenges, perimeter defense alone and traditional security products working independently are no longer sufficient. Organizations need more comprehensive, pervasive, and tightly integrated information security solutions.
Cisco® Network Admission Control (NAC) provides a powerful policy enforcement mechanism tailored to meet these new challenges. Cisco NAC allows organizations to enforce their security policies on all endpoint devices (managed and unmanaged) as they enter the network, regardless of their access methods, ownership, device types, application configurations, and remediation models. Cisco NAC provides proactive protection for the infrastructure and greatly improves network resiliency. It allows pervasive and in-depth security defenses throughout an organization's infrastructure.
I. THE CURRENT SECURITY LANDSCAPE
Organizations today face many information security threats and challenges. They include:
Financially motivated attacks and exploits. A clear trend in the latest attacks and exploits is a motivation shift from fame and curiosity to profit and financial gains. The Zotob worm, for example, first appeared in 2005 and attacked major institutions such as CNN. The FBI announced that they had concrete evidence to link this attack to a group of people involved in credit card fraud [Ref. 1].
Rapid threat propagation. Information security threats are growing faster than ever. The time between discovering a vulnerability and the availability of malware to exploit it has decreased from months and weeks to days or even hours. System downtime, recovery, and remediation efforts due to these threats are costly and unpredictable. Organizations are left with little time if they rely on reactive measures only.
New business environments with diminished security boundaries. Several drivers are changing business environments from closed entities to open ones. Mobile users bring their laptops and handheld devices in and out of the office. Remote-access users connect from homes and public locations. Business outsourcing requires direct partner access into the internal network. Onsite visitors, vendors, and contractors may need physical access to the internal network to accomplish their work. Even traditional, "in-the-office" workers are subject to threats coming through Internet access, e-mail use, instant messaging, and peer-to-peer (P2P) activities. Traditional security products designed to protect closed environments with well-defined security perimeters are no longer effective in the new business environment.
Corporate governance and compliance. Information security is not only a technology challenge, but also a corporate governance issue. Organizations must create and adopt their business and security policies. They must also take firm steps to implement effective controls based on these policies. Information security must become an integral part of core business decisions and operations. This is a continuous and incremental improvement process. Over time, organizations will be rewarded for mandating such consistent requirements with improved internal processes and reliable controls.
Limited resources. Many organizations are facing a long list of security initiatives and goals, with only a limited number of qualified IT/security staff and constrained financial resources available. Adding to the challenge are the growing complexity and sophistication of new security threats, diverse user communities, mixed infrastructures, and often, less-than-efficient operations. Given a limited budget and headcount, organizations must aim to streamline work processes, lower operational costs, and reduce security incidents in order to address their high-priority security issues efficiently.
II. A PROVEN WINNING STRATEGY
A comprehensive security strategy, time-tested and well-accepted in the industry, is to use a combination of people, processes, and best available technologies to address today's security challenges.
The people factor includes senior management support on security initiatives and policies (the "top-down" approach), understanding that security is accepted as everyone's responsibility, as well as consistent and lasting user awareness campaigns (the "bottom-up" approach). Together, they form a solid foundation for an organization's security program.
Strong IT and security governance, up-to-date security policies and standards, and streamlined and effective processes are the critical ingredients that allow organizations to be prepared and to execute both in their daily operations and during a crisis.
By applying the best-available technologies and products, implementing a well-designed architecture and infrastructure, and deploying a multilayered security defense, organizations can achieve a robust security posture.
To implement this kind of comprehensive strategy successfully, it is critical to have the ability to enforce necessary security policies and standards on all networked devices. For instance, the best host security software will not be useful if it is not installed and enabled on endpoint devices. Rather, an independent enforcement mechanism, applicable not only to corporate-owned devices but to all devices that seek network access, would effectively ensure that the requirement to enable the required host security software is met. Cisco is the first to provide this solution, with NAC.
III. THE CISCO NAC SOLUTION
The Cisco NAC solution enables the network to enforce security policy compliance on all devices seeking to access the network. Access is permitted only to compliant and trusted endpoint devices, which can include PCs, servers, IP phones, and printers. Cisco NAC can deny access to noncompliant devices or redirect them to a quarantine and remediation area.
Cisco NAC fundamentally changes how security is implemented because it allows comprehensive security policies to be translated into actionable rules and then reliably enforced, resulting in proactive and pervasive security for an organization. Cisco NAC accomplishes this by adopting a scalable architecture with a central policy decision component, a distributed security enforcement component at the network level, and extensive integration with additional security products and technologies.
Cisco NAC is available immediately, delivered in the form of the Cisco NAC Appliance (formerly known as Cisco Clean Access). The Cisco NAC Appliance can be rapidly deployed everywhere in an organization's network, or it can be deployed in focused areas (such as remote access or wireless access networks) to resolve critical security concerns. The Cisco NAC Appliance delivers endpoint compliance assessment, user identity authentication, policy management and enforcement, and remediation services in all types of network environments. It consists of the following components:
Clean Access Manager. The Clean Access Manager provides a Web-based interface for creating security policies and managing online users. It can also act as an authentication proxy to authentication servers. Administrators can use a Clean Access Manager to establish user roles, compliance checks, and remediation requirements. It communicates with, and manages, the Clean Access Server, which is the enforcement component of the NAC solution.
Clean Access Server. This security enforcement device is implemented at the network level and performs device compliance checks as users attempt to access the network. It can be implemented in-band or out-of-band, in Layer 2 or Layer 3, as a virtual gateway or as a real IP gateway, and can be centrally deployed or distributed throughout the network, therefore providing deployment flexibility for virtually any network environment.
Clean Access Agent (optional). This lightweight, read-only agent runs on an endpoint machine. It performs a deep inspection of a local machine's security profile by analyzing registry settings, services, and files. Through this inspection, it can determine whether a device has installed and enabled a required hotfix, the correct antivirus software version, Cisco Security Agents (personal firewall/host intrusion detection/prevention systems) and other host security software. For unmanaged assets, the Clean Access Agent is downloadable in real time.
Cisco also offers the NAC Framework, which integrates an intelligent network infrastructure with solutions from more than 90 leading antivirus, security, and management software manufacturers [Ref. 2]. The Cisco NAC Framework provides the same security policy enforcement as the Cisco NAC Appliance and it represents an embedded approach. It natively integrates security policy enforcement into an organization's intelligent network infrastructure.
The Cisco NAC Framework may be more appropriate in the near term for some customers if one or more of the following conditions apply:
• Deep NAC partner integration is a starting requirement
• Deploying a NAC-compatible 802.1x solution is needed
• Cisco Secure Access Control Server (ACS) is required as the central policy server in the NAC deployment
In the future, Cisco NAC Appliance components will be completely interoperable with the NAC Framework architecture, providing customer investment protection and an integration path.
IV. CISCO NAC BENEFITS
Cisco NAC is comprehensive; it is also easily deployed, integrates tightly with many additional components of a security strategy, and delivers an array of advantages and benefits not available through perimeter or point products.
Securing both corporate and noncorporate assets
Cisco NAC provides a solid foundation for a secure infrastructure, ensuring that configuration standards are applied across all assets, both corporate and noncorporate. Effective asset management and controls result in standardization, lower total cost of ownership of the infrastructure, and lower operational expenses.
Reducing vulnerability-based exploits
Cisco NAC reduces and controls large-scale vulnerability-based exploits and attacks by ensuring that all endpoint devices enter the network with the proper protection installed and enabled (such as antivirus software, security fixes and updates, and personal firewalls). This is particularly useful for organizations in which corporate assets are individually controlled by the users to whom they are assigned. These assets are easy targets for infections, which may substantially disrupt productivity if permitted to spread.
Host-based security software alone does not solve the "unmanaged asset" problem, due to lack of practical delivery mechanisms. Cisco NAC provides an effective solution by making policy compliance an enforceable requirement for all assets, regardless of whether they are managed by the organization. The end result is lower operational spending for repair and damage control, as well as higher employee productivity.
Preventing unauthorized access
Cisco NAC can be deployed in an otherwise open environment so that onsite visitors and guests must meet certain security requirements before they can connect. Cisco NAC can assign different types of network access depending on user credentials, so that, for example, onsite visitors and guests may be provided with general Internet access without exposing the internal network to risk. Cisco NAC can also control connections from a remote site. This is especially useful in dealing with partner connections, in which it is difficult, if not impossible, to determine who is sitting behind a connection at a remote partner site. Having the ability to control access after a user is authenticated provides a highly effective way to maintain security and protect an organization's confidential information.
Ensuring policy compliance and minimizing inside threats
Cisco NAC enhances control by providing security policy compliance enforcement at the network level. Policy compliance allows organizations to mitigate security threats caused by disappearing security boundaries, unauthorized access, and internal attacks. By enforcing security policies, Cisco NAC also assists organizations in adhering to privacy and regulatory compliance requirements, including Sarbanes-Oxley, HIPAA, and GLBA.
Cisco NAC enables users and their devices to achieve policy compliance so that they are proactively protected as they work in different environments. Cisco NAC quarantines noncompliant devices so that they are not compromised and used as a hiding place for malicious users to launch further attacks, and then updates the devices to bring them into compliance. The authentication capabilities of Cisco NAC can track and audit user activities. The log information can be used to assist incident response, forensics, and analysis.
Quantifiable return on investment (ROI)
Cisco NAC can deliver a rapid and quantifiable return on investment. Customers can calculate their annual savings based on the threats and risks that an organization intends to address using NAC. For example, an enterprise customer who recently adopted Cisco NAC calculated that they were handling between 3000 and 4000 incidents annually related to PCs with uncontrolled access to their network. Using their incident-costing model, they estimated that each incident costs between $750 and $1,000. Based on their calculations, their Cisco NAC solution will pay for itself in six to nine months, and provide ongoing multimillion dollar savings annually by dramatically reducing such incidents [Ref. 3].
Integration and collaboration with the Cisco Self-Defending Network
Cisco NAC is a strategic element of the Self-Defending Network. Working together with other Self-Defending Network components such as the Cisco Security Agent and Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS), Cisco NAC helps organizations achieve more accurate threat identification and prevention while increasing patch management efficiency.
In summary, Cisco NAC provides proactive security protection for an organization's infrastructure and greatly improves network resiliency. It allows pervasive and in-depth security defenses throughout an organization's infrastructure. A stable, efficient, and secure environment helps organizations enhance employee productivity, protect confidential information, reduce total cost of ownership, and prepare for new business challenges.