What is NAC?
http://en.wikipedia.org/wiki/Network_Access_Control
An approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.
Aim: to control endpoint security by unifying it with network device security and the whole network.
Result: End devices that do not comply with the set security policies are identified and quarantined.
The biggest driver for NAC was the realization that after spending billions on the perimeter, we still were not any more secure. Why? Internal threats
http://www.ashimmy.com/2007/03/nac_bust_or_boo.html
NAC: Goals
http://en.wikipedia.org/wiki/Network_Access_Control
2. Policy enforcement
T. A. Yang
Network Security
Source: http://www.forescout.com/wp-content/media/ForresterVendorSummary_ForeScout_publishable_2011.pdf
Gartner's Magic Quadrant for NAC: published 12/2011
http://www.gartner.com/technology/reprints.do?id=1-18VNF2C&ct=120119&st=sb (local copy)
Cisco's NAC
Source: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps5923/product_data_sheet0900aecd80119868.html
Why NAC?
Endpoints that do not comply with established security policies pose a threat and can introduce a security risk into the network.
Goal of NAC: to prevent vulnerable and noncompliant hosts from obtaining network access.
Q: Why isn't user authentication (like 802.1x) sufficient?
Ans?
Source: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd80417226.pdf
CSA components
CSA endpoints: enforcing security policies received from the management server, sending events, interacting with the user
CSA management server: a repository for the configuration database
CSA management console: an admin web-based user interface and policy configuration tool
Source: http://www.cisco.com/en/US/solutions/ns340/ns394/ns171/ns466/ns617/net_design_guidance0900aecd80417226.pdf (2006)
Source: http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns466/ns617/net_implementation_white_paper0900aecd80217e26.pdf (2005)
Source: http://www.itsecurity.com/whitepaper/pdf/nac-comp-guide_8-07.pdf
(2007), local copy
Comparison criteria:
Product type (s/w, appliance)
Endpoint assessment & compliance?
User authentication?
Remediation?
Preadmission?
Post-Admission?
Price
By JafSec.com
Source: http://jafsec.com/Network-Access-Control/Network-Access-Control-AB.html
More References