Securing Complexity with Cisco NAC Appliance (Clean Access)
Cisco NAC Appliance Team, June 2006
© 2006 Cisco Systems, Inc. All rights reserved.

Agenda
• Securing Complexity
• Cisco Network Admission Control (NAC) Solutions
• NAC Appliance Product Overview
• NAC Appliance Values to Business
The Challenge of Securing Complexity
This is a story about network security. Specifically, how you can have security without compromising productivity. More to the point, your company may already be bristling with network defenses, but you still have one glaring vulnerability—your network users.
Productivity Causes Complexity
• What system is it?
  Windows, Mac or Linux; laptop, desktop or PDA; printer or other corporate asset
• Who owns it?
  Company, Employee, Contractor, Guest, Unknown
• Where is it coming from?
  VPN, LAN, WLAN, WAN
• What’s on it? Is it running?
• What’s the preferred way to check/fix it?

Complexity Demands Defense-in-Depth
Layers shown: Identity (AAA, VPNs, guest access); Endpoint Security (anti-spyware, HIPS, personal firewalls, anti-virus); Network Security (IDS/IPS)
• Identity alone fails:
  Protects against unauthorized access, but not malware
  Identifies user, but not device
• Endpoint security alone fails:
  99% have AV, but infections persist!
  Host based apps are easily manipulated—even unintentionally
  Time gap between virus and virus def/repair
What Is Network Admission Control?
Using the network to enforce policies ensures that incoming devices are compliant.
Diagram: NAC combines Identity (login prompt: “Please enter username:”), Device Security and Network Security.

Four Key Capabilities of NAC
• Securely Identify Device and User
  What it means: uniquely identifies users and devices, and creates associations between the two
• Enforce Consistent Policy
  What it means: assess and enforce a ubiquitous policy across the entire network
• Quarantine and Remediate
  What it means: acts on posture assessment results, isolates device, and brings it into compliance
• Configure and Manage
  What it means: easily creates comprehensive, granular policies that map quickly to user groups and roles
Without it . . .

Before We Continue, You May Be Asking …
• Do I need separate solutions for my VPN users, my LAN users, my unmanaged users?
• Am I your guinea pig? What’s your experience in deploying NAC?
• Is this going to take months to deploy?
• How can I be sure that this solution will fit MY situation?
• Do I need to upgrade my entire infrastructure?
The Cisco NAC Appliance Advantage
1. One product for ALL use cases: managed LAN users, unmanaged/guest LAN users, wireless LAN users, VPN/remote/WAN users
2. 600+ customers across all use cases: No. 1 NAC solution
3. Most deployments ready under 5 days
4. Scales from 100 users to 100,000+ users, across 150+ locations
5.

NAC Appliance Enforces Compliance
• What are the requirements for access?
• What are the steps to meet requirements?
• How do I create or modify requirements?
Capabilities: Securely Identify Device and User; Enforce Consistent Policies; Quarantine and Remediate; Configure and Manage
Authenticates and authorizes users (local db, RADIUS, LDAP, Kerberos, AD, etc.)

NAC Appliance (formerly known as Clean Access) Components
• Cisco Clean Access Server
  Serves as an in-band or out-of-band device for network access control
• Cisco Clean Access Manager
  Centralizes management for administrators, support personnel, and operators
• Cisco Clean Access Agent
  Optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set Updates
  Scheduled automatic updates for anti-virus, critical hot-fixes and other applications

Sampling of Pre-Configured Checks
• Critical Windows Updates: Windows XP, Windows 2000, Windows 98, Windows ME
• Anti-Virus Updates
• Anti-Spyware Updates
• Cisco Security Agent
• Other 3rd Party Checks
Customers can easily add customized checks
Product User Flow Overview
The Goal
1. End user attempts to access a Web page or uses an optional client
   Network access is blocked until wired or wireless end user provides login information
2. User is redirected to a login page (served by the Clean Access Server)
   Clean Access validates username and password, also performs device and network scans to assess vulnerabilities on the device
3a. Device is noncompliant or login is incorrect

User Experience with Agent
Login Screen → Scan is performed (types of checks depend on user role) → Scan fails → Remediate
4.

User Experience via Web Browser
Login Screen → Scan is performed (types of checks depend on user role/OS) → Guided self-remediation
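The login, role-dependent scan and quarantine/remediate flow on the three slides above, as an added Python sketch (not Cisco code; the user directory, roles and check names are constructed assumptions that mirror the deck's pre-configured check categories):

```python
"""Constructed model of the NAC Appliance admission flow: validate login,
run posture checks chosen by user role and OS, then grant access or
quarantine with a remediation list. Illustration only, not Cisco code."""
import hmac
from dataclasses import dataclass, field

# Constructed user directory: username -> (password, role). A real Clean Access
# Server would query RADIUS/LDAP/AD; plain-text secrets here are demo-only.
USERS = {"alice": ("s3cret", "employee"), "guest1": ("welcome", "guest")}

# Assumed posture requirements per role; each check lists the OS families it
# applies to, so the scan differs by role and by OS as the slides describe.
REQUIREMENTS = {
    "employee": [("critical_windows_updates", {"windows"}),
                 ("antivirus_current", {"windows", "mac"}),
                 ("antispyware_current", {"windows"})],
    "guest": [("antivirus_current", {"windows", "mac"})],
}

@dataclass
class Posture:
    os_family: str                               # "windows", "mac" or "linux"
    passed: dict = field(default_factory=dict)   # check name -> bool (scan result)

@dataclass
class Decision:
    state: str                                   # "denied", "quarantine" or "access"
    role: str = ""
    remediate: list = field(default_factory=list)  # failed checks the user must fix

def admit(username, password, posture):
    """Steps 2-4 of the slide flow: validate login, scan per role/OS, decide."""
    cred = USERS.get(username)
    # Step 3a (bad login): constant-time compare avoids leaking via timing.
    if cred is None or not hmac.compare_digest(cred[0], password):
        return Decision("denied")
    role = cred[1]
    # Only checks that apply to this OS are evaluated; a missing result fails.
    failed = [name for name, os_set in REQUIREMENTS[role]
              if posture.os_family in os_set and not posture.passed.get(name, False)]
    if failed:
        return Decision("quarantine", role, failed)   # step 3a: noncompliant
    return Decision("access", role)                   # compliant: full access
```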
NAC Appliance Sizing (users = online, concurrent)
• Super Manager: manages up to 40 Enterprise and Branch Servers
• Standard Manager: manages up to 20 Enterprise and Branch Servers
• Manager Lite: manages up to 3 Enterprise and Branch Servers
• Enterprise and Branch Servers: 1500 users each
• Branch Office or SMB Servers: 100 users, 250 users or 500 users

NAC Appliance Options
Customers can choose from a variety of product and deployment options to tailor NAC Appliance for individual networks:
• Software-only (customer provides hardware) or Appliance (Cisco provides hardware)
• Virtual Gateway (bridged) or Real-IP Gateway
• L2 Client Access or L3 Client Access
• In-band Server or Out-of-band Server
NAC Appliance Top Values to Business
• Proven Product: with 500+ deployments, we understand both the technical—and organizational—impact on your business
• Complete Solution: NAC Appliance is self-contained, rapidly-deployable, and possesses all 4 key NAC capabilities
• Flexible Deployment: the wide breadth of NAC Appliance deployment options fits your network—not the other way around
• Future Proof: NAC Appliance is core to Cisco’s strategic NAC vision and can be leveraged across

Customer Return on Investment
Average number of infected computers requiring help desk intervention per year, as reported by customers. Assuming $200 per intervention cost, average savings = $318,000.
Chart: bars for Baseline, 2003 (Year of Blaster etc.) and After NAC Appliance; bar values as extracted: 1808, 1683, 218.
Source: Customer reports, average customer size = 5,000 users

Q and A