
DATA SHEET

CISCO CLEAN ACCESS: A NETWORK ADMISSIONS CONTROL APPLIANCE

Cisco® Clean Access is a self-contained solution that automatically detects, isolates, and cleans infected and/or vulnerable wired and wireless devices that attempt to access a network. The solution identifies whether machines are compliant with security policies and repairs these vulnerabilities before permitting access to the network. As a Network Admissions Control (NAC) appliance, Cisco Clean Access integrates the tasks of authentication, posture assessment, and remediation into one package, making it suitable for organizations that prefer a turnkey solution over an infrastructure-based solution.

PRODUCT OVERVIEW

Cisco Clean Access is an end-to-end network registration and enforcement solution that allows network administrators to authenticate, authorize, evaluate, and remediate wired and wireless users and their machines prior to allowing users onto the network. This advanced, integrated suite of network security tools:

• Recognizes users, their devices, and their role in the network. This first step occurs at the point of authentication, before malicious code can cause damage.
• Evaluates whether machines are compliant with security policies. Security policies can vary by user type, device type, or operating system.
• Enforces security policies by blocking, isolating, and repairing noncompliant machines. The machines are redirected into a quarantine area, where remediation occurs at the discretion of the administrator.

Cisco Clean Access can apply posture assessment and remediation services to LAN-based user devices, wireless users, and remote users connecting through VPN concentrators or dialup servers.

Cisco Clean Access is available in two deployment modes: in-band and out-of-band. With the Cisco Clean Access in-band deployment, the Clean Access Server is always inline with user traffic—before, during, and after authentication, posture assessment, and remediation. The server securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared or per-user, or using time-based sessions and heartbeat controls.

In a Cisco Clean Access out-of-band deployment, the Clean Access Server is in-band only during the processes of authentication, posture assessment, and remediation. Once a user’s device has successfully logged on, its traffic bypasses the Clean Access Server and traverses the switch port directly. In the meantime, the Clean Access Manager provides port- or role-level control by assigning ports to specific VLANs, assigning users to specific roles that map to specific VLANs, and providing a time-based session timeout per role.

All contents are Copyright © 1992–2005 , Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 8

Table 1 outlines the differences between in-band and out-of-band deployment modes.

Table 1. Comparing In-Band and Out-of-Band Modes

Environments
  In-Band: Wireless, shared media
  Out-of-Band: Fast core switching infrastructures; high throughput requirements

NAC Enforcement Point
  In-Band: Cisco Clean Access Server in-band
  Out-of-Band: Cisco Clean Access Server with authentication/quarantine VLAN

Quarantine
  In-Band: Based on access control list (ACL)
  Out-of-Band: Based on VLAN

Switches Supported
  In-Band: Vendor-agnostic
  Out-of-Band: Cisco Catalyst® 2950, 3550, 3560, 3750, 4500, and 6500 switches

Please check with your Cisco sales representative for the latest list of supported switches, or visit: http://www.cisco.com/en/US/partner/products/ps6128/prod_release_notes_list.html

FEATURES AND BENEFITS

Networks with Cisco Clean Access primarily benefit from:

• Minimized network outages caused by viruses and worms
• Enforced security policies by making compliance a condition of access
• Minimized vulnerabilities on user machines through periodic evaluation and remediation
• Significant cost savings by automating the process of repairing and updating user machines

Authentication Integration

Cisco Clean Access serves as an authentication proxy for most forms of authentication, natively integrating with Kerberos, Lightweight Directory Access Protocol (LDAP), RADIUS, Active Directory, S/Ident, and others. Role-based access control is supported as well, enabling administrators to maintain multiple user profiles with varying degrees of access.

Vulnerability Assessment

Cisco Clean Access supports the scanning of all Windows-based operating systems, Mac OS machines, and non-PC networked devices such as Xbox, PlayStation 2, and personal digital assistants. The solution conducts network-based scans or can use custom-built scans as required. In a managed domain, it can also conduct scans of Windows registries without a client.

Device Quarantine

Cisco Clean Access can place noncompliant machines into quarantine, which prevents the spread of infection while maintaining access to remediation resources. Quarantine can be accomplished by using subnets as small as /30, or by using a quarantine VLAN.

Automatic Security Policy Updates

Automatic security policy updates from Cisco Systems provide predefined policies for the most common network access criteria, including policies that check for critical operating system updates and common virus definition updates. This eases the management effort for network administrators, who can rely on the Clean Access system to constantly maintain updated policies.


Centralized Management

The Web-based management console allows administrators to define the types of scans required for each role, as well as the related remediation packages necessary for recovery. One management console can manage several servers.

Remediation and Repair

Quarantining gives devices access to remediation servers that can provide operating system patches and updates, virus definition files, or endpoint security solutions such as Cisco Security Agent. Administrators have the option of automatically installing these fixes using the Cisco Clean Access enforcement agent.

Discretionary Certified Devices List

The Certified Devices List allows administrators to simplify access for devices known to be clean through other means. If the Certified Devices List is empty, all machines are subject to scanning each time they enter the network. The Certified Devices List can be cleared with one mouse click during times of high virus and worm activity.

Adaptable Levels of Enforcement

Network administrators can adapt to the flow of malicious code incidents by adjusting the scans required, the roles subject to scans, the use of the Certified Devices List, and the types of remediation required. They can also limit the bandwidth and protocols used based on user roles.

PRODUCT ARCHITECTURE

Cisco Clean Access is a software solution that is loaded onto standard, off-the-shelf servers provided by the customer. A typical deployment consists of:

• Cisco Clean Access Server—The device that initiates assessment and enforces access privileges based on endpoint compliance. In in-band mode, this server sits inline with all traffic. In out-of-band mode, this server sits in the quarantine VLAN, where all devices not found on the Certified Devices List are redirected upon entry. Users are blocked at the port layer, restricting them from access to the trusted network until they successfully pass inspection.
• Cisco Clean Access Manager—A centralized, Web-based console for establishing roles, checks, rules, and policies.
• Cisco Clean Access Agent (optional)—A thin agent that enhances some vulnerability assessment functions and streamlines remediation.
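The admission flow the data sheet describes (Certified Devices List bypass, posture assessment, then either an ACL-based /30 quarantine in in-band mode or a VLAN move in out-of-band mode) can be modelled in a few dozen lines. The following Python is an added illustrative example, not Cisco's code: the device record, the two posture checks, the role-to-VLAN mapping, the VLAN numbers and the quarantine address pool are all assumptions chosen for the walkthrough.

```python
"""Admission-flow model for the two Clean Access deployment modes.

Added illustrative example, not Cisco's code. Role names, VLAN numbers, the
quarantine pool and the posture checks are assumptions for the walkthrough.
"""
import ipaddress
from dataclasses import dataclass, field

ROLE_VLAN = {"employee": 10, "contractor": 20, "guest": 30}  # assumed role -> production VLAN
AUTH_VLAN = 900                      # assumed authentication/quarantine VLAN (out-of-band)
QUARANTINE_POOL = "10.250.0.0/24"    # assumed pool carved into /30 quarantine subnets (in-band)
MAX_DEFINITION_AGE_DAYS = 7          # assumed policy: virus definitions no older than a week


@dataclass
class Device:
    mac: str
    role: str
    os_patched: bool             # critical operating system updates present?
    av_definition_age_days: int  # age of the installed virus definitions


@dataclass
class CleanAccess:
    mode: str                                    # "in-band" or "out-of-band"
    certified: set = field(default_factory=set)  # Certified Devices List (MAC addresses)
    _quarantine_subnets: list = field(default_factory=list)
    _next_subnet: int = 0

    def __post_init__(self):
        if self.mode not in ("in-band", "out-of-band"):
            raise ValueError("mode must be 'in-band' or 'out-of-band'")
        net = ipaddress.ip_network(QUARANTINE_POOL)
        self._quarantine_subnets = list(net.subnets(new_prefix=30))

    def failed_checks(self, d: Device) -> list:
        """Posture assessment: names of the checks the device fails (empty == compliant)."""
        failures = []
        if not d.os_patched:
            failures.append("critical-os-updates")
        if d.av_definition_age_days > MAX_DEFINITION_AGE_DAYS:
            failures.append("virus-definitions-out-of-date")
        return failures

    def admit(self, d: Device) -> dict:
        """Decide what happens when a device appears on an access port."""
        if d.role not in ROLE_VLAN:
            raise ValueError(f"unknown role {d.role!r}")
        if d.mac in self.certified:                # known clean: scan is skipped
            return self._grant(d, "certified-devices-list")
        failures = self.failed_checks(d)
        if failures:
            return self._quarantine(d, failures)
        self.certified.add(d.mac)                  # passed: not rescanned until the list is cleared
        return self._grant(d, "posture-pass")

    def clear_certified_list(self):
        """The one-click reset used during high virus and worm activity."""
        self.certified.clear()

    def _grant(self, d: Device, reason: str) -> dict:
        if self.mode == "out-of-band":
            # Port is moved to the role's VLAN; traffic then bypasses the server.
            return {"action": "allow", "enforcement": "vlan",
                    "vlan": ROLE_VLAN[d.role], "reason": reason}
        # In-band: the server stays inline and applies the role's traffic policy.
        return {"action": "allow", "enforcement": "acl", "role": d.role, "reason": reason}

    def _quarantine(self, d: Device, failures: list) -> dict:
        if self.mode == "out-of-band":
            return {"action": "quarantine", "enforcement": "vlan",
                    "vlan": AUTH_VLAN, "failures": failures}
        # In-band: isolate the host in its own /30 and leave only remediation reachable.
        subnet = self._quarantine_subnets[self._next_subnet % len(self._quarantine_subnets)]
        self._next_subnet += 1
        return {"action": "quarantine", "enforcement": "acl",
                "subnet": str(subnet), "failures": failures}


if __name__ == "__main__":
    nac = CleanAccess(mode="out-of-band")
    for dev in (Device("00:11:22:33:44:55", "employee", True, 2),      # constructed sample
                Device("00:11:22:33:44:66", "guest", False, 30)):      # constructed sample
        print(dev.mac, nac.admit(dev))
```

The second admission of the same clean device returns "certified-devices-list" rather than re-running the checks, which is the behaviour the Certified Devices List section describes; calling clear_certified_list() forces every device back through posture assessment.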


Figure 1 is a logical diagram of Cisco Clean Access in in-band deployment mode. In this configuration, Cisco Clean Access works with any 802.11 wireless access point, including Cisco Aironet® Series access points.

Figure 1. Cisco Clean Access Architecture in In-Band Mode

Figure 2 is a logical diagram of Cisco Clean Access in out-of-band deployment mode.

Figure 2. Cisco Clean Access Architecture in Out-of-Band Mode

PRODUCT SPECIFICATIONS

The Cisco Clean Access Server in out-of-band mode communicates with switches using Simple Network Management Protocol (SNMP). Table 2 lists the switches that are supported.

Table 2. Supported Switches

Switch: Minimum Operating System
  Cisco Catalyst 2950: Cisco IOS® Software Release 12.1(6)EA2
  Cisco Catalyst 2950 LRE: Cisco IOS Software Release 12.1(11)YJ
  Cisco Catalyst 3550: Cisco IOS Software Release 12.1(8)EA1b
  Cisco Catalyst 3560: Cisco IOS Software Release 12.2(25)
  Cisco Catalyst 3750: Cisco IOS Software Release 12.1(14)EA1
  Cisco Catalyst 4500 (for Cisco IOS Software): Cisco IOS Software Release 12.1(13)EW2
  Cisco Catalyst 4500 (for Cisco Catalyst OS): Cisco Catalyst OS Release 7.1
  Cisco Catalyst 6500 (for Cisco IOS Software): Cisco IOS Software Release 12.1(8a)EX
  Cisco Catalyst 6500 (for Cisco Catalyst OS): Cisco Catalyst OS Release 7.5


Please check with your Cisco sales representative for the latest list of supported switches, or visit: http://www.cisco.com/en/US/partner/products/ps6128/prod_release_notes_list.html

SYSTEM REQUIREMENTS

At present, Cisco Clean Access is shipped as a software solution. Cisco recommends the minimum configuration listed in Table 3 for the Clean Access Server and Clean Access Manager:

Table 3. Server System Requirements

Feature: Minimum Requirement
  CPU: Single 2.4-GHz or better CPU
  Memory: 1 GB or better
  Network Interface Card (NIC): Dual Fast Ethernet or Gigabit Ethernet; Intel or Broadcom recommended (Clean Access Manager only requires a single NIC, unless using high availability)
  Hard Disk Space: 10 GB or better (IDE or SCSI); no RAID support

Please check with your Cisco sales representative for the latest list of specific hardware supported, or visit: http://www.cisco.com/en/US/products/ps6128/products_device_support_table09186a008043a8d9.html

The optional Cisco Clean Access Agent works on systems with the characteristics listed in Table 4.

Table 4. Cisco Clean Access Agent System Requirements

Feature: Minimum Requirement
  Supported OS: Windows XP, 2000, 98/ME
  Hard Drive Space: Minimum of 10 MB of free hard drive space
  Hardware: No minimum hardware requirements (works on various client machines)

Cisco Clean Access is also preconfigured to offer checks for the applications listed in Table 5. Please note that not all check types are supported for all products, and that some vendors do not support Windows 9x.

Table 5. Supported Applications

Vendor: Supported Versions

Critical Windows Updates
  • Windows XP, 2000, 98/ME

Authentium, Inc.
  • Authentium Command Anti-Virus Enterprise 4.x
  • The River Home Network Security Suite 1.x

ClamWin
  • ClamWin Antivirus 0.x

Computer Associates International, Inc.
  • Computer Associates eTrust Antivirus Version 7.x
  • Computer Associates eTrust EZ Antivirus Version 6.2.x, 6.4x, 7.x
  • Computer Associates eTrust EZ Armor 6.1.x, 7.x

Eset Software
  • NOD32 Antivirus system NT/2000/2003/XP 2.0

F-Secure Corporation
  • F-Secure Anti-Virus 5.x

Frisk Software International
  • F-Prot Antivirus Version 3.14e, 3.15

Grisoft, Inc.
  • AVG Antivirus Version 7.0 Version 7.x
  • AVG Antivirus 7.0 Free Edition Version 7.x
  • AVG Antivirus Version 6.0 Version 6.x
  • AVG Antivirus Version 6.0 Free Edition Version 6.x

H+BEDV Datentechnik GmbH
  • AntiVir/XP 6.x

Kaspersky Labs
  • Kaspersky Anti-Virus Personal Version 4.5, 5.0.x
  • Kaspersky Anti-Virus Personal Pro Version 4.5

McAfee, Inc.
  • McAfee VirusScan 4.5.x, 8.x, 9.x
  • McAfee VirusScan Enterprise Edition 7.0.x, 7.1.x, 7.5.x, 8.0.x
  • McAfee VirusScan Professional Edition Version 7.x, 8.x, 9.x

Panda Software
  • Panda Anti-Virus Light 1.x
  • Panda Anti-Virus Platinum Version 6.x, 7.04.x, 7.05.x, 7.06.x
  • Panda Platinum Version 8.03.x
  • Panda Titanium Anti-Virus 2004 3.x
  • Panda Titanium Anti-Virus 2005 4.x

SaID, Ltd.
  • DrWeb Antivirus Version 4.32.x

SOFTWIN
  • Free Edition Version 7.x
  • BitDefender Standard Edition 7.x
  • BitDefender Professional Edition 7.x
  • BitDefender 8 Standard
  • BitDefender 8 Professional Plus

Sophos PLC
  • Sophos Anti-Virus Enterprise Version 3.80

Symantec
  • Norton AntiVirus 2005 Version 11.0.x
  • Norton AntiVirus 2004 Version 10.0.0
  • Norton AntiVirus 2004 Professional Version 10.0.13
  • 2004 Version 10.0.x
  • Norton AntiVirus 2003 Version 9.7.0
  • Norton AntiVirus 2003 Professional Version 9.5.0, 9.0.0
  • Norton AntiVirus 2002 Professional Version 8.0.58
  • Norton AntiVirus Corporate Edition Version 7.01
  • Symantec Internet Security 2005 Edition 8.0.x
  • Symantec AntiVirus Scan Engine Edition 4.x
  • Symantec AntiVirus Corporate Edition Version 9
  • Symantec AntiVirus Corporate Edition Version 8

Trend Micro
  • Trend Micro Internet Security Version 11.x, 12.x
  • Trend Micro AntiVirus 11.x
  • Trend Micro OfficeScan Corporate Edition Version 5.x, 6.x
  • Trend Micro PC-Cillin 2004 Version 11.x
  • Trend Micro PC-Cillin 2003 Version 10.x
  • Trend Micro PC-Cillin 2002 Version 9.x

Zone Labs
  • ZoneAlarm with Antivirus Version 5.x
  • ZoneAlarm Security Suite 5.x
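Table 5 expresses supported versions as patterns such as "7.0.x" or "6.2.x, 6.4x, 7.x", and an application check has to decide whether the version actually installed on an endpoint is covered by one of them. The following Python is an added example of that comparison, not Cisco's check implementation; the pattern semantics (a trailing "x" means "any value at this position and below", anything else is an exact match) and the SUPPORTED rows, copied from Table 5, are assumptions about how the table is meant to be read.

```python
"""Match installed product versions against the version patterns of Table 5.

Added illustrative example, not Cisco's own check implementation. The pattern
semantics are an assumption about how the table is read.
"""


def _parse_pattern(pattern: str):
    """Split a pattern into its fixed components and a wildcard flag.

    "7.0.x" -> (["7", "0"], True)    "6.4x" -> (["6", "4"], True)
    "3.14e" -> (["3", "14e"], False)
    """
    parts = pattern.strip().split(".")
    wildcard = parts[-1].lower().endswith("x")
    if wildcard:
        parts[-1] = parts[-1][:-1]          # "4x" -> "4", "x" -> ""
        parts = [p for p in parts if p]     # drop the empty piece left by ".x"
    return parts, wildcard


def version_matches(installed: str, pattern: str) -> bool:
    """True if one installed version string satisfies one pattern."""
    fixed, wildcard = _parse_pattern(pattern)
    have = installed.strip().split(".")
    if wildcard:
        # The fixed prefix must match component by component; anything may follow.
        return have[:len(fixed)] == fixed
    return have == fixed


def is_supported(installed: str, supported_versions: str) -> bool:
    """True if the installed version matches any pattern in a comma-separated list."""
    return any(version_matches(installed, p)
               for p in supported_versions.split(",") if p.strip())


# A few rows taken from Table 5 (product name -> supported versions).
SUPPORTED = {
    "McAfee VirusScan Enterprise Edition": "7.0.x, 7.1.x, 7.5.x, 8.0.x",
    "Computer Associates eTrust EZ Antivirus": "6.2.x, 6.4x, 7.x",
    "F-Prot Antivirus": "3.14e, 3.15",
    "Norton AntiVirus 2005": "11.0.x",
}


def unsupported_products(installed: dict) -> list:
    """Names of installed products (name -> version) not covered by a preconfigured check."""
    return [name for name, version in installed.items()
            if name not in SUPPORTED or not is_supported(version, SUPPORTED[name])]


if __name__ == "__main__":
    # Constructed sample inventory of one endpoint.
    inventory = {"McAfee VirusScan Enterprise Edition": "7.1.0",
                 "F-Prot Antivirus": "3.16",
                 "Unknown AV": "1.0"}
    print(unsupported_products(inventory))
```

Version components are compared as strings rather than integers, so "7.01" and "7.1" are treated as different versions; that matches how the table lists them and avoids silently equating releases a vendor numbers differently.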


Please check with your Cisco sales representative for the latest list of applications that are supported in Cisco Clean Access as preconfigured checks. You may also visit http://www.cisco.com/en/US/partner/products/ps6128/prod_release_notes_list.html for the latest list.

SERVICE AND SUPPORT

Cisco offers a wide range of services programs to accelerate customer success. These innovative programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you to protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, see Cisco Technical Support Services or Cisco Advanced Services.

FOR MORE INFORMATION

For more information about Cisco Clean Access, visit http://www.cisco.com/go/cca or contact your local account representative.

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
168 Robinson Road
#28-01 Capital Tower
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices .

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2005 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)

205208.M_ETMG_KL_6.05 Printed in the USA