Self-Defending Networks: The Next Generation of Network Security

Protect your network with self-regulating network security solutions that combat both internal and external threats.
* Provides an overview of the security components used to design proactive network security
* Helps network security professionals understand what the latest tools and techniques can do and how they interact
* Presents detailed information on how to use integrated management to increase security
* Includes a design guide with step-by-step implementation instructions
Self-Defending Networks: The Next Generation of Network Security helps networking professionals understand how to deploy an end-to-end, integrated network security solution. It presents a clear view of the various components that can be used throughout the network not only to monitor traffic but to allow the network itself to become more proactive in preventing and mitigating network attacks. This security primer provides insight into the entire range of Cisco security solutions, showing what each element is capable of doing and how all of the pieces work together to form an end-to-end Self-Defending Network.

While other books tend to focus on individual security components, providing in-depth configuration guidelines for various devices and technologies, Self-Defending Networks instead presents a high-level overview of the entire range of technologies and techniques that comprise the latest thinking in proactive network security defenses.

This book arms network security professionals with the latest information on the comprehensive suite of Cisco security tools and techniques. Network Admission Control, Network Infection Containment, Dynamic Attack Mitigation, DDoS Mitigation, Host Intrusion Prevention, and Integrated Security Management are all covered, providing a complete overview of these security systems. The book focuses on leveraging integrated management rather than serving as a device-by-device manual for implementing self-defending networks.
This chapter covers the following topics:
* Network admission control overview
* NAC Framework benefits
* NAC Framework components
* Operational overview
* Deployment models
Network Admission Control (NAC) is a technology initiative led by Cisco Systems in collaboration with many leading security vendors, including antivirus and desktop-management vendors. Its focus is the creation of solutions that limit security threats such as worms and viruses.
This technology provides a framework that uses existing Cisco infrastructure to enforce network admission policies on NAC-enabled endpoint devices, verifying software compliance before network access is granted. If an endpoint is determined to be noncompliant, a variety of admission actions are available, and how those actions are applied is at the discretion of the network administrator. For example, a noncompliant endpoint may be placed in a quarantine area of the network and redirected to a remediation server to load the necessary software or patches, with a notification displayed warning the user that the device is not compliant. In the worst case, the device is denied network access entirely.
This chapter describes the Cisco NAC Framework, identifies benefits, describes the solution components and how they interoperate, and describes common deployment models.
Network Admission Control Overview
Worms and viruses continue to be disruptive, even though many businesses have invested significantly in antivirus and traditional security solutions. Not all users stay up to date with the many required software security patches and antivirus signature files. Noncompliant endpoints are frequent, and the reasons vary; for example:
* A user might choose to wait and install a new update later because they don’t have the time
* A contractor, partner, or guest needs network access; however, the business may not control the endpoint
* The endpoints are not managed
* The business lacks the capability to monitor the endpoints and determine whether they are updated to conform to the business’s security policy
When infected endpoints connect to the network, they unknowingly spread their infections to other improperly protected devices. This has led businesses to examine how to enforce endpoint compliance, in addition to user authentication, before granting access to their networks.
Cisco Systems provides two network admission control solution choices:
* NAC Appliance
* NAC Framework
Chapter 7, “Cisco Clean Access,” describes NAC Appliance, which was originally marketed as Cisco Clean Access (CCA). NAC Appliance is a turnkey self-sufficient package that does not rely on third-party products for determining and enforcing software compliance. This chapter focuses on NAC Framework.
NAC Framework is an integrated solution that enables businesses to leverage many of their existing Cisco network products along with many third-party products, such as antivirus, security, and identity-based software. Vendor products must be NAC-enabled in order to communicate with the NAC-enabled network access devices. NAC Framework is highly flexible because its admission policies can draw on the capabilities of these other vendors' products. Table 6-1 compares the customer profiles for which NAC Framework and NAC Appliance are typically chosen.
Table 6-1. NAC Customer Profile

| NAC Framework | NAC Appliance |
| --- | --- |
| Uses an integrated framework approach, leveraging existing security solutions from other vendors | Prefers bundled, out-of-the-box functionality with preinstalled support for antivirus and Microsoft updates |
| Complex network environment, leveraging many types of Cisco network access products | Heterogeneous network infrastructure |
| Longer, phased-in deployment model | Rapid deployment model |
| Can integrate with 802.1x | Independent of 802.1x |

Source: Cisco Systems, Inc.1
NAC Framework Benefits
Following are some of the benefits realized by businesses that have implemented NAC Framework:
* Protects corporate assets—Enforces the corporate security software compliance policy for endpoints.
* Provides comprehensive span of control—All the access methods that endpoints use to connect to the network are covered, including campus switching, wireless, router WAN links, IP Security (IPSec), and remote access.
* Controls endpoint admission—Validates endpoints regardless of their operating system or of which agents are running, and provides the ability to exempt specified endpoints from authentication or posture checking.
* Offers a multivendor solution—NAC is the result of a collaboration between leading security vendors, including antivirus, desktop-management, and other market leaders. NAC supports multiple security and patch software vendors through APIs.
* Leverages existing technologies and standards—NAC extends the use of existing communications protocols and security technologies, such as Extensible Authentication Protocol (EAP), 802.1x, and RADIUS services.
* Leverages existing network and antivirus investments—NAC combines existing investments in network infrastructure and security technology to provide a secure admission control solution.
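The admission flow described earlier in this chapter (check posture, then quarantine and redirect to remediation, or deny outright) and the exemption capability listed under the benefits above can be modelled as a small policy engine. The following Python block is an added illustration written for this edition; it is not code from the book or from any Cisco or partner product. The posture attributes, thresholds, VLAN numbers, MAC addresses, remediation URL, and the token names Compliant/Quarantine/Deny/Exempt are all constructed for the example; a real NAC policy server would receive these attributes from the endpoint's agent over EAP/RADIUS and return the enforcement action to the network access device.

```python
"""Posture-based admission decision, modelled on the NAC flow in this chapter.

Constructed example: attribute names, thresholds, VLANs, MACs and the
remediation URL are made up for illustration and are not vendor values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Posture:
    """What the endpoint's NAC agent reports (constructed attribute set)."""
    av_signature: int        # antivirus signature version number
    os_patch_level: int      # cumulative OS patch level
    av_realtime_on: bool     # on-access antivirus scanning enabled
    active_infection: bool   # antivirus currently reports malware present


@dataclass(frozen=True)
class Endpoint:
    mac: str
    posture: Optional[Posture]   # None: no agent answered the posture request


@dataclass(frozen=True)
class Decision:
    token: str                   # "Compliant", "Quarantine", "Deny" or "Exempt"
    vlan: Optional[int]          # VLAN the access device should assign; None = no access
    redirect_url: Optional[str]  # remediation server, set only for quarantine
    user_message: str            # notification shown to the user
    reasons: Tuple[str, ...]


@dataclass(frozen=True)
class AdmissionPolicy:
    min_av_signature: int
    min_os_patch_level: int
    production_vlan: int
    quarantine_vlan: int
    remediation_url: str
    exempt_macs: FrozenSet[str]
    # The chapter leaves handling of noncompliant endpoints to the administrator;
    # this knob chooses what happens to a host that has no agent and is not exempt.
    agentless_action: str = "Quarantine"

    def posture_failures(self, p: Posture) -> List[str]:
        """Return every compliance rule the reported posture violates."""
        failures = []
        if p.av_signature < self.min_av_signature:
            failures.append(f"av signature {p.av_signature} < {self.min_av_signature}")
        if p.os_patch_level < self.min_os_patch_level:
            failures.append(f"os patch level {p.os_patch_level} < {self.min_os_patch_level}")
        if not p.av_realtime_on:
            failures.append("antivirus real-time protection disabled")
        return failures

    def quarantine(self, reasons: List[str]) -> Decision:
        # Restricted VLAN plus a redirect to the remediation server.
        return Decision("Quarantine", self.quarantine_vlan, self.remediation_url,
                        "Your device is not compliant and has been redirected to remediation.",
                        tuple(reasons))

    def deny(self, reasons: List[str]) -> Decision:
        return Decision("Deny", None, None, "Network access denied.", tuple(reasons))

    def decide(self, ep: Endpoint) -> Decision:
        """Map one endpoint to an admission token and enforcement action."""
        if ep.mac.lower() in self.exempt_macs:
            # Exempt devices (printers, IP phones) skip the posture check entirely.
            return Decision("Exempt", self.production_vlan, None, "", ("mac exempted",))
        if ep.posture is None:
            reasons = ["no NAC agent responded"]
            return self.deny(reasons) if self.agentless_action == "Deny" else self.quarantine(reasons)
        if ep.posture.active_infection:
            # Worst case from the chapter: an infected host gets no access at all.
            return self.deny(["active infection reported"])
        failures = self.posture_failures(ep.posture)
        if failures:
            return self.quarantine(failures)
        return Decision("Compliant", self.production_vlan, None, "", ())


# Constructed policy and endpoints used for the demonstration.
POLICY = AdmissionPolicy(
    min_av_signature=5400, min_os_patch_level=12,
    production_vlan=10, quarantine_vlan=99,
    remediation_url="http://remediation.example.internal/",
    exempt_macs=frozenset({"00:11:22:33:44:55"}),
)

ENDPOINTS = {
    "laptop-ok":       Endpoint("aa:bb:cc:00:00:01", Posture(5412, 12, True, False)),
    "laptop-stale":    Endpoint("aa:bb:cc:00:00:02", Posture(5380, 11, True, False)),
    "laptop-infected": Endpoint("aa:bb:cc:00:00:03", Posture(5412, 12, True, True)),
    "printer":         Endpoint("00:11:22:33:44:55", None),
    "guest-no-agent":  Endpoint("aa:bb:cc:00:00:04", None),
}


def evaluate_all(policy: AdmissionPolicy = POLICY) -> Dict[str, Decision]:
    """Run every constructed endpoint through the policy."""
    return {name: policy.decide(ep) for name, ep in ENDPOINTS.items()}


if __name__ == "__main__":
    for name, d in evaluate_all().items():
        print(f"{name:16} {d.token:10} vlan={d.vlan} redirect={d.redirect_url} {list(d.reasons)}")
```

The ordering in `decide` matters: exemptions are checked before anything else so that agentless infrastructure devices are never stuck in quarantine, an actively infected host is denied before its other attributes are examined so it does not land in the quarantine segment alongside merely out-of-date machines, and every remaining failure is collected rather than stopping at the first one so the remediation notice can list everything the user must fix.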