Specifications
1-18
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
Client Posture Assessment Overview
The Cisco NAC Appliance Network Scanner method provides network-based vulnerability assessment and web-based remediation. The network scanner in the local Clean Access Server performs the actual network scanning and checks for well-known port vulnerabilities to which a particular host may be prone. If vulnerabilities are found, web pages configured in the Clean Access Manager can be pushed to users to distribute links to websites or information on how users can fix their systems.
Network scans are implemented with Nessus plugins. Nessus (http://www.nessus.org) is an open-source vulnerability scanner. Nessus plugins check client systems for security vulnerabilities over the network. If a system is scanned and is found to be vulnerable or infected, Cisco NAC Appliance can take immediate action by alerting vulnerable users, blocking them from the network, or assigning them to a quarantine role in which they can fix their systems.
Note If a personal firewall is installed on the client, network scanning will most likely respond with a timeout result. You can decide how to treat the timeout result by quarantining, restricting, or allowing network access (if the personal firewall provides sufficient protection) to the client machine.
As new Nessus plugins are released, they can be loaded to your Clean Access Manager repository. Plugins that you have loaded are automatically published from the CAM repository to the Clean Access Servers, which perform the actual scanning. The CAM distributes the plugin set to the Clean Access Servers as they start up, if the CAS version of the plugin set differs from the CAM version.
Agent checking and network scanning can be coordinated, so that the Agent checks for software to fix vulnerabilities prior to network scanning. For example, if a Microsoft Windows update is required to address a vulnerability, you can specify it as a required package in the Agent. This allows the Agent to help users pass network vulnerability scanning before it is performed.
Note
• You can use Nessus 2.2 plugins to perform scans in Cisco NAC Appliance. The filename of the uploaded Nessus plugin archive must be plugins.tar.gz. Cisco NAC Appliance software releases are shipped with Nessus version 2.2.7 only. Nessus version 2.2.7 has a NASL_LEVEL value of less than 3004. Cisco NAC Appliance does not support Nessus plugins which require the NASL_LEVEL to be equal to or greater than 3004. Cisco NAC Appliance currently does not support Nessus version 3 plugins due to vendor licensing restrictions.
• Due to a licensing requirement by Tenable, Cisco is no longer able to bundle pre-tested Nessus plugins or automated plugin updates to Cisco NAC Appliance, effective Release 3.3.6/3.4.1. Customers can still download Nessus plugins selectively and manually through the Nessus site. For details on available plugins, see http://www.nessus.org/plugins/index.php?view=all. For details on Nessus plugin feeds, see http://www.nessus.org/plugins/index.php?view=feed.
• Cisco recommends using no more than 5-8 plugins for network scanning of a client system. More plugins can make the login time long if the user has a firewall, because each plugin will have to time out.
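The two constraints above (plugins must not require NASL_LEVEL 3004 or higher, and a scan set should stay within 5-8 plugins) are easy to check before an archive is uploaded. The following is an added example, not Cisco's or Tenable's code: a small Python audit of a plugins.tar.gz that reads each .nasl file, extracts the minimum NASL level it demands, and reports plugins the bundled Nessus 2.2.7 cannot run plus an oversized plugin set. It assumes the common NASL idiom `if (NASL_LEVEL < NNNN) exit(0);` is how a plugin states its minimum level; the sample archive is constructed in memory for the demonstration.

```python
"""Audit a Nessus plugins.tar.gz before uploading it to the Clean Access Manager.

Hypothetical helper, not part of Cisco NAC Appliance. Assumption: a plugin
states its minimum NASL level with the idiom  if (NASL_LEVEL < NNNN) exit(0);
"""
import io
import re
import tarfile
from dataclasses import dataclass, field

# NAC Appliance ships Nessus 2.2.7, whose NASL_LEVEL is below 3004, so any
# plugin that demands 3004 or higher will never run on the Clean Access Server.
MIN_UNSUPPORTED_NASL_LEVEL = 3004
# Cisco's guidance: 5-8 plugins per client scan; each one must time out
# separately when the client runs a personal firewall.
RECOMMENDED_MAX_PLUGINS = 8

# Captures the level in "NASL_LEVEL < 3004" (assumed idiom, see docstring).
_LEVEL_RE = re.compile(r"NASL_LEVEL\s*<\s*(\d+)")


@dataclass
class ArchiveReport:
    plugin_count: int = 0
    unsupported: dict = field(default_factory=dict)  # filename -> required level
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.unsupported and not self.warnings


def required_nasl_level(nasl_source: str) -> int:
    """Return the minimum NASL level a plugin demands (0 if it states none)."""
    levels = [int(m) for m in _LEVEL_RE.findall(nasl_source)]
    return max(levels) if levels else 0


def audit_plugin_archive(archive_bytes: bytes) -> ArchiveReport:
    """Inspect every .nasl member of a gzip'd tar and flag problems."""
    report = ArchiveReport()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".nasl"):
                continue
            report.plugin_count += 1
            src = tar.extractfile(member).read().decode("utf-8", errors="replace")
            level = required_nasl_level(src)
            if level >= MIN_UNSUPPORTED_NASL_LEVEL:
                report.unsupported[member.name] = level
    if report.plugin_count > RECOMMENDED_MAX_PLUGINS:
        report.warnings.append(
            f"{report.plugin_count} plugins exceed the recommended maximum of "
            f"{RECOMMENDED_MAX_PLUGINS}; login may be slow for firewalled clients"
        )
    return report


def build_sample_archive(extra_filler: int = 0) -> bytes:
    """Constructed sample plugins.tar.gz: three plugins (one needs NASL_LEVEL 3004)
    plus an optional number of filler plugins to exercise the size warning."""
    samples = {
        "sample_old_style.nasl": "if (NASL_LEVEL < 3000) exit(0);\n# constructed sample\n",
        "sample_no_check.nasl": "# constructed sample without a NASL_LEVEL guard\n",
        "sample_new_style.nasl": "if (NASL_LEVEL < 3004) exit(0);\n# constructed sample\n",
    }
    for i in range(extra_filler):
        samples[f"filler_{i}.nasl"] = "# constructed filler plugin\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, src in samples.items():
            data = src.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_plugin_archive(build_sample_archive())
    print(f"plugins: {report.plugin_count}")
    for name, level in report.unsupported.items():
        print(f"UNSUPPORTED {name}: requires NASL_LEVEL {level}")
    for warning in report.warnings:
        print(f"WARNING {warning}")
    print("archive ok" if report.ok else "archive needs attention")
```

Run it against a real plugins.tar.gz by replacing the call to `build_sample_archive()` with the file's bytes; a plugin with no NASL_LEVEL guard is reported as level 0 and treated as runnable, so this check only catches the explicit 3004-and-above requirement the guide describes, not every plugin that might fail for other reasons.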
Table 1-3 summarizes the web pages that appear to users during the course of login and Nessus scanning, and lists where each page is configured in the web admin console.
Table 1-3 Web Login User Page Summary
Page Configured in: Purpose
Web Login Pages