Cisco Network Security Solution

Network Access Control-protecting network security

Emerging cyber security threats such as viruses, worms, and spyware continue to harm the interests of customers and cause organizations to lose a lot of money, productivity, and opportunities. At the same time, the popularity of mobile computing has further increased the threat. Mobile users can connect to the Internet or office network from their homes or public hotspots -Viruses are often inadvertently and easily infected with the Internet by bringing them into the enterprise environment. Network Access Control (NAC) A dedicated design ensures adequate protection for all terminal devices (such as PCs, laptops, servers, smart phones, and PDAs) that access network resources to defend against network security threats. As a market-leading program involving renowned manufacturers of anti-virus, security, and management products, NAC has attracted the attention of media, analysis companies, and institutions of all sizes. This article explains how NAC plays a key role as part of a policy-based security strategy and describes and defines available NAC methods. Advantages of NAC According to 2005 According to the CSI/FBI Security Report, although security technology has been developing for many years and its implementation is even more costly than millions of dollars, however, viruses, worms, spyware, and other forms of malware are still the main problems facing various organizations. The large number of security incidents that organizations encounter each year cause system interruptions, loss of income, data damage or destruction, and reduced productivity. This has brought a huge economic impact to institutions. Obviously, traditional security solutions alone cannot solve these problems. Cisco Systems Developed a comprehensive security solution that combines advanced anti-virus, security, and management solutions to ensure that all devices in the network environment comply with security policies. NAC allows you to analyze and control all devices attempting to access the network. By ensuring that each terminal device complies with the enterprise's security policies (for example, the most relevant and advanced security protection measures ), the number of terminal devices that can be used as a common source of infection or damage to the network can be greatly reduced or even eliminated by the Organization. Greatly improve network security Although most organizations use identity management and authentication, authorization, and accounting (AAA) To authenticate users and assign them network access permissions. However, these actions do not affect the security of user terminal devices. If you do not use an accurate method to assess the device's 'status', even the most trusted user may accidentally pass the infected device or the device that is not properly protected, expose all users in the network to great risks. NAC is a series of technologies and solutions built on the Cisco system leader's industry plan. NAC uses network infrastructure to perform security policy checks on all devices attempting to access network computing resources, thus limiting emerging security threats such as viruses, worms, and spyware to damage network security. Customers implementing NAC can only allow trusted terminal devices (PCs, servers, and PDAs) that comply with the security policy to access the network, and control access to networks from devices that do not comply with the policy or are not manageable. NAC is designed and integrated into the network infrastructure, so it is unique. So why should we implement policy compliance and validation strategies on the Network (rather than elsewhere? 1. Data of each bit that the Organization is interested in or interested in is transmitted over the network. 2. Each device of interest or relationship to the Organization is connected to the same network. 3. Implementing Access Control for networks enables organizations to deploy as extensive security solutions as possible, including as many network devices as possible. 4. This strategy leverages the Organization's existing infrastructure, security, and management deployment to minimize it overhead. By running NAC, as long as the terminal device tries to connect to the network, the network access device (Lan, Wan, wireless or remote access device) will automatically apply for installed clients or evaluation tools to provide terminal device security information. Then compare the information with the network security policy, and determine how to process network access requests based on the device's compliance with the policy. The network can allow or deny access. You can also restrict network access by redirecting devices to a CIDR block to avoid being exposed to potential security vulnerabilities. In addition, the network can isolate the device, which redirects the device that does not comply with the policy to the patch server, so that the device can meet the policy compliance level through component update. Some security policy compliance checks executed by NAC include: Determine whether the device is running the authorized version of the operating system. Check whether the operating system has installed appropriate patches or has completed the latest hotfix. Determine whether the device has installed anti-virus software and whether it has the latest series of signature files. Make sure that the anti-virus technology is enabled and running. Determine whether the personal firewall, intrusion protection, or other desktop system security software has been installed and correctly configured. Check whether the enterprise image of the device has been modified or tampered. NAC then makes policy-based informed Network Access decisions based on the answers to the above questions. Some advantages of implementing the NAC solution include: 1. It helps ensure that all network devices of users comply with security policies, greatly improving network security and avoiding the impact of scale and complexity. By actively defending against worms, viruses, spyware, and malware attacks, organizations can focus on active defense (rather than passive response ). 2. Extends the value of existing CISCO networks and anti-virus, security, and management software through the extensive deployment and integration of well-known manufacturers. 3. Detects and controls all devices attempting to connect to the network, and is not affected by their access methods (such as routers, switches, wireless networks, VPN and dial-up devices), thus improving enterprise's permanent and Scalable Performance. 4. Prevent non-compliant and unmanageable terminal devices from affecting network availability or user productivity. 5. Reduces operating costs related to identifying and fixing noncompliant, unmanageable, and infected systems. NAC Implementation Options Cisco also provides product and architecture-based NAC framework methods to meet the functional and operational requirements of any organization, whether simple security policy requirements, there are also complicated security implementation requirements related to a large number of security vendors and Enterprise Desktop System Management Solutions. NAC product 'cisco clean Access' supports quick deployment through built-in terminal evaluation, policy management, and repair services. In addition, the NAC framework integrates smart network infrastructure with solutions provided by more than 50 famous anti-virus product manufacturers and other security and management software solutions. NAC Products Using the NAC products provided by the Cisco Clean Access product series, quick deployment is supported using the built-in terminal evaluation, policy management, and repair services. This rapidly deployed integrated solution technology automatically detects, isolates, and cleans infected or vulnerable wired or wireless terminals that attempt to access the network. Cisco Clean Access provides three key protection functions: Identify users, user devices, and their roles in the network at authentication points. Use scanning and analysis technology to evaluate the security status of the terminal, or use a light proxy to perform more in-depth status evaluation to check security vulnerabilities. Implement Security Policies in the network by blocking, isolating, and repairing terminals that do not comply with the policies. Cisco Clean Access also provides the following implementation advantages: Scalability -Cisco Clean Access can be deployed directly to meet network access requirements and design and evaluate the NAC framework, because the Cisco Clean Access component can be integrated into a wider NAC framework architecture. Quick deployment -Cisco Clean Access is a ready-made "Scaling" Package solutions provide pre-installed support for anti-virus, anti-spyware, and Microsoft updates. Flexibility -Cisco Clean Access supports hybrid network infrastructure that runs multiple desktop operating systems. The most suitable network for deploying Cisco Clean access includes the following features: Non-802.1x LAN environment Wireless, branch, remote, or simple LAN environment Centralized IT environment and management There are unmanageable computers that need access to the network (e.g. guests, contractors or students) Hybrid (multi-vendor) network infrastructure NAC framework solution NAC can also be deployed as an architecture-based framework solution that leverages the existing Cisco Network Technology Library and security and management solutions provided by other manufacturers. The NAC framework solution provides the following advantages: All access methods, including LAN, wireless, remote access, and Wan terminals, can be evaluated for full control. Terminal visibility and control ensures that manageable and unmanageable visitor and malicious devices comply with enterprise security policies The entire process of terminal control supports Automatic Terminal Evaluation, verification, authorization and repair processes. Integrates centralized policy management, smart network devices, and network services with solutions provided by dozens of famous anti-virus, security, and management vendors to provide precise access control management. Standard and flexible APIs allow multiple third parties to participate in the overall solution to support a wide range of partners and technical ecosystems The most suitable network for deploying the NAC framework includes the following features: Large-scale Enterprise deployment Complex LAN/WAN/Wireless Environments Fully or primarily Cisco-based LAN/WAN/wireless infrastructure Operational interoperability with NAC Partner Security and Management Solutions IP phone number implemented or planned to be implemented 802.1X implemented or planned Investment Protection Cisco provides the most comprehensive access control products and solutions to meet the functional needs of any organization. As the requirements of many organizations are constantly changing, the currently installed Cisco Clean The access component can be used to support subsequent NAC Framework implementation. No matter which method you decide to use, Cisco NAC technology can protect your investment in the corresponding network technology. At the same time, interoperability and functional compatibility can ensure Access smoothly transits to the NAC framework technology to take advantage of more advantages and functions. Plan, design, and deploy effective NAC Solutions To help ensure successful deployment of Cisco NAC technology, Cisco advanced services provides the following requirements analysis, planning, design, and implementation services: NAC readiness evaluation -Analyze deployment requirements and assess whether network devices, operations, and architectures are ready to support NAC. NAC limited deployment -Provides installation and configuration services for limited deployment solutions, allowing your staff to test NAC and gain practical experience. NAC Design and Development -Helps your team develop specific design plans to integrate NAC into your network infrastructure. NAC Implementation Project -Support your team to develop specific installation, configuration, integration and management solutions, and provide on-site installation, configuration, and testing services, to help ensure that the deployment is smoothly integrated into your production environment for full implementation. Once the NAC deployment is complete, Cisco technical support services work with your internal staff to ensure the efficient operation of Cisco products, continuous high availability, and installation of the latest system software. What should I do next? 1. Deploy Cisco Clean Access immediately. Cisco Clean Access allows you to immediately gain the benefits of access control solutions. 2. Determine whether you need an architecture-based NAC framework solution. Run Cisco Clean Access, you can begin to evaluate whether you need to meet the architecture-based method requirements. When you choose to deploy any NAC solution, you must consider multiple factors, including the network as the deployment destination and the type of organization that is deploying it. 3. Consider asking for some help. Cisco advanced services can help you design, implement, integrate, and deploy custom NAC solutions. 4. Use your Cisco Clean Access investment. The Cisco Clean Access component can be fully integrated into the NAC framework solution. NAC technology NAC device components Cisco Clean access includes the following components: Cisco Clean Access Server, Evaluate the device and grant the access permission based on the compliance of the terminal Policy Cisco Clean Access Manager, Centralized management of Cisco Clean Access solution, including executing policies and patching services Cisco Clean Access Agent, Optional Free Software, more rigorous terminal policy compliance assessment, and simplified patching processes in manageable and unmanageable Environments Cisco Clean Access Supports Wireless Access through the following technologies: All 802.11 Wi-Fi access points, including Cisco Aironet Access Points Provides all Wi-Fi client devices that support the nac ieee 802.1x request system. NAC framework components The NAC framework provides the following technical support: Provides extensive network equipment support for campus LAN, Wan, VPN, and wireless access points Connect to a third-party host evaluation tool to evaluate unattended, "agentless", and other non-responsive devices, and apply different policies to each device Provides extensive platform support for Cisco trusted agents By far surpassing anti-virus and basic operating system patch applications and operating system status checks, multi-vendor integration functions can be extended The NAC framework is supported by the following technologies: Cisco router: Cisco 83X, 18xx, 28xx, and 38xx series Integrated Multi-Service routers; 1701, 1711, 1712, 1721, 1751, 1751-v and 1760 modular access routers; 2600xm, 2691, 3640 and 3660-ent Multi-Service Access Router and 72xx series router Cisco switches: -Cisco Catalyst 6500 series Supervisor Engine 2, 32 And 720, install Cisco Catalyst OS and Cisco IOS software or hybrid applications (Supervisor Engine 32 and 720 support for Cisco IOS software) -Cisco Catalyst 4000 Series Supervisor Engine II +, II + ts, IV, V and V-10GE, install Cisco IOS software -Cisco Catalyst 4948 and 4948-10ge - Cisco Catalyst 3550, 3560, and 3750 install Cisco ios ip base and IP Services -Cisco Catalyst 2940, 2950, 2955, 2960, 2970 Cisco Wireless Access Point: Cisco Aironet Access Point, Cisco connecting to Cisco Wireless LAN Controller Aironet Lightweight Access Point, Cisco Catalyst 6500 Series Wireless LAN Service Module (wlsm), all Cisco Aironet, Cisco Compatible products, and Wi-Fi customer devices that provide IEEE 802.1x request systems that support NAC Cisco VPN 3000 series Concentrator Cisco trusted proxy Cisco Secure Access Control Server (ACS) Third-party vendor software Recommended components: -Cisco Security Agent -Cisco security monitoring, analysis and response system (MARS) - CiscoWorks Security and Information Management Solution (SIMS)