Cisco Clean Access: a Network Admissions Control Appliance

Cisco Clean Access: a Network Admissions Control Appliance

DATA SHEET CISCO CLEAN ACCESS: A NETWORK ADMISSIONS CONTROL APPLIANCE Cisco ® Clean Access is a self-contained solution that automatically detects, isolates, and cleans infected and/or vulnerable wired and wireless devices that attempt to access a network. The solution identifies whether machines are compliant with security policies and repairs these vulnerabilities before permitting access to the network. As a Network Admissions Control (NAC) appliance, Cisco Clean Access integrates the tasks of authentication, posture assessment, and remediation into one package, making it suitable for organizations that prefer a turnkey solution over an infrastructure-based solution. PRODUCT OVERVIEW Cisco Clean Access is an end-to-end network registration and enforcement solution that allows network administrators to authenticate, authorize, evaluate, and remediate wired and wireless users and their machines prior to allowing users onto the network. This advanced, integrated suite of network security tools: • Recognizes users, their devices, and their role in the network. This first step occurs at the point of authentication, before malicious code can cause damage. • Evaluates whether machines are compliant with security policies. Security policies can vary by user type, device type, or operating system. • Enforces security policies by blocking, isolating, and repairing noncompliant machines. The machines are redirected into a quarantine area, where remediation occurs at the discretion of the administrator. Cisco Clean Access can apply posture assessment and remediation services to LAN-based user devices, wireless users, and remote users connecting through VPN concentrators or dialup servers. Cisco Clean Access is available in two deployment modes: in-band and out-of-band. With the Cisco Clean Access in-band deployment, the Clean Access Server is always inline with user traffic—before, during, and after authentication, posture assessment, and remediation. The server securely controls authenticated and unauthenticated user traffic by managing traffic policies based on protocol/port or subnet, providing bandwidth policy management based on shared or per-user, or using time-based sessions and heartbeat controls. In a Cisco Clean Access out-of-band deployment, the Clean Access Server is in-band only during the processes of authentication, posture assessment, and remediation. Once a user’s device has successfully logged on, its traffic bypasses the Clean Access Server and traverses the switch port directly. In the meantime, the Clean Access Manager provides port- or role-level control by assigning ports to specific VLANs, assigning users to specific roles that map to specific VLANs, and providing a time-based session timeout per role. All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 8 Table 1 outlines the differences between in-band and out-of-band deployment modes. Table 1. Comparing In-Band and Out-of-Band Modes In-Band Out-of-Band Environments Wireless, shared media Fast core switching infrastructures; high throughput requirements NAC Enforcement Point Cisco Clean Access Server in-band Cisco Clean Access Server with authentication/quarantine VLAN Quarantine Based on access control list (ACL) Based on VLAN Switches Supported Vendor-agnostic Cisco Catalyst ® 2950, 3550, 3560, 3750, 4500, and 6500 switches Please check with your Cisco sales representative for the latest list of supported switches, or visit: http://www.cisco.com/en/US/partner/products/ps6128/prod_release_notes_list.html FEATURES AND BENEFITS Networks with Cisco Clean Access primarily benefit from: • Minimized network outages caused by viruses and worms • Enforced security policies by making compliance a condition of access • Minimized vulnerabilities on user machines through periodic evaluation and remediation • Significant cost savings by automating the process of repairing and updating user machines Authentication Integration Cisco Clean Access serves as an authentication proxy for most forms of authentication, natively integrating with Kerberos, Lightweight Directory Access Protocol (LDAP), RADIUS, Active Directory, S/Ident, and others. Roles-based access control is supported as well, enabling administrators to maintain multiple user profiles with varying degrees of access. Vulnerability Assessment Cisco Clean Access supports the scanning of all Windows-based operating systems, Mac OS, Linux machines, and non-PC networked devices such as Xbox, PlayStation 2, and personal digital assistants. The solution conducts network-based scans or can use custom-built scans as required. In a managed domain, it can also conduct scans of Windows registries without client software. Device Quarantine Cisco Clean Access can place noncompliant machines into quarantine, which prevents the spread of infection while maintaining access to remediation resources. Quarantine can be accomplished by using subnets as small as /30, or by using a quarantine VLAN. Automatic Security Policy Updates Automatic security policy updates from Cisco Systems provide predefined policies for the most common network access criteria, including policies that check for critical operating system updates and common antivirus software virus definition updates. This eases the management effort for network administrators, who can rely on the Clean Access system to constantly maintain updated policies. © 2005 Cisco Systems, Inc. All rights reserved. Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com. Page 2 of 9 Centralized Management The Web-based management console allows administrators to define the types of scans required for each role, as well as the related remediation packages necessary for recovery. One management console can manage several servers. Remediation and Repair Quarantining gives devices access to remediation servers that can provide operating system patches and updates, virus definition files, or endpoint security solutions such as Cisco Security Agent. Administrators have the option of automatically installing these fixes using the Cisco Clean Access enforcement agent. Discretionary Certified Devices List The Certified Devices List allows administrators to simplify access for devices known to be clean through other means. If the Certified Devices List is empty, all machines are subject to scanning each time they enter the network. The Certified Devices List can be cleared with one mouseclick during times of high virus and worm activity. Adaptable Levels of Enforcement Network administrators can adapt to the flow of malicious code incidents by adjusting the scans required, the roles subject to scans, the use of the Certified Devices List, and the types of remediation required. They can also limit the bandwidth and protocols used based on user roles. PRODUCT ARCHITECTURE Cisco Clean Access is a software solution that is loaded onto standard, off-the-shelf servers provided by the customer. A typical deployment consists of: • Cisco Clean Access Server—The device that initiates assessment and enforces access privileges based on endpoint compliance. In in-band mode, this server sites inline with all traffic. In out-of-band mode, this server sits in the quarantine VLAN, where all devices not found on the Certified Devices List are redirected upon entry. Users are blocked at the port layer, restricting them from access to the trusted network until they successfully pass inspection. • Cisco Clean Access Manager—A centralized, Web-based console for establishing roles, checks, rules, and policies. • Cisco Clean Access Agent (optional)—A thin agent that enhances some vulnerability assessment functions and streamlines remediation. © 2005 Cisco Systems, Inc. All rights reserved. Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com. Page 3 of 9 Figure 1 is a logical diagram of Cisco Clean Access in in-band deployment mode. In this configuration, Cisco Clean Access works with any 802.11 wireless access point including Cisco Aironet ® Series access points. Figure 1. Cisco Clean Access Architecture in In-Band Mode © 2005 Cisco Systems, Inc. All rights reserved. Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com. Page 4 of 9 Figure 2 is a logical diagram of Cisco Clean Access in out-of-band deployment mode. Figure 2. Cisco Clean Access Architecture in Out-of-Band Mode PRODUCT SPECIFICATIONS The Cisco Clean Access Server in out-of-band mode communicates with switches using Simple Network Management Protocol (SNMP). Table 2 lists the switches that are supported. Table 2. Supported Switches Switch Minimum Operating System Cisco Catalyst 2950 Cisco IOS ® Software Release 12.1(6)EA2 Cisco Catalyst 2950 LRE Cisco IOS Software Release 12.1(11)YJ Cisco Catalyst 3550 Cisco IOS Software Release 12.1(8)EA1b Cisco Catalyst 3560 Cisco IOS Software Release 12.2(25) Cisco Catalyst 3750 Cisco IOS Software Release 12.1(14)EA1 Cisco Catalyst 4500 (for Cisco IOS Software) Cisco IOS Software Release 12.1(13)EW2 Cisco Catalyst 4500 (for Cisco Catalyst OS) Cisco Catalyst OS Release 7.1 Cisco Catalyst 6500 (for Cisco IOS Software) Cisco IOS Software Release 12.1(8a)EX Cisco Catalyst 6500 (for Cisco Catalyst OS) Cisco Catalyst OS Release 7.5 © 2005 Cisco Systems, Inc. All rights reserved. Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com. Page 5 of 9 Please

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    9 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us