March 18th, 2007, 08:17 AM
NAC Appliance and NAC Framework - ambiguous queries
I have gone through a couple of resources about Network Admission Control (NAC).
I am looking for a correction to my understanding, because I got a little bit confused.
There are two admission control solution choices:
1. NAC Appliance (standalone box)
2. NAC Framework
NAC Framework (2) includes the following main components:
a- Endpoint security application
b- Posture agent
c- Network access devices
d- Cisco Policy server [Cisco Secure Access Control Server (CS ACS)]
e- Optional servers that operate as policy server decision points and audit servers
f- Optional management and reporting tools (highly recommended)
Q1- The NAC Appliance is a standalone box. Does that mean that the NAC Appliance includes (built-in) all the necessary (not optional) components that belong to the NAC Framework (please see above)?
Q2- The architecture of the NAC Framework includes many different components from Cisco and other vendors (third party). What about the NAC Appliance, does it also include the same components from other vendors (third party)?
Q3- How does the NAC Appliance get updated, since it is a standalone box? Do we have to connect it to the net to get the necessary updates?
Q4- If I am looking to implement (install) the NAC Appliance within my network, do I need to use CS ACS (I guess we do not need to use CS ACS, see link below), or do I have to use other components?
Q5- The initial release of the Cisco NAC Framework became available in June 2004. What about the NAC Appliance (i.e. is it a new technology)?
Customers are recommended to consider the NAC Framework only when one of the following applies:
Cisco Secure Access Control Server (ACS) is required as the central policy server in the NAC deployment
Q6- I could not get what he means by the words "in-band" and "inline" in the quote below:
NAC Appliance must be deployed as an in-band deployment to support WLANs. In an in-band deployment, the NAC Appliance server is always inline with user traffic before, during, and after authentication, posture assessment, and remediation.
March 18th, 2007, 01:46 PM
First of all, Cisco NAC is not meeting the promises they deliver. This is true even if you update all of your IOS code to meet the baseline required for their "self healing network".
If I were you, I'd look at a company called Forescout. http://www.forescout.com
They make an appliance based solution that hangs off of spanning ports. The appliance receives updates a number of ways but the most common is simply by hanging the device off your network on a management interface where it will get updates via your management console.
I've tested this solution out and I'd place this in production WAY before I'd consider Cisco. Cisco, in my opinion, is still about a year away from being able to meet the promises they've made.
Quote: I could not get what he means by the words "in-band" and "inline"?

These are terms used to describe the placement of the NAC in regards to your network architecture. For example, inline means that the traffic must pass through the device (in one interface and out another). Typically this config is used when you're going to do some sort of IPS. In band simply means that the NAC is architected into your current network. In contrast, out of band means that it communicates and/or is configured outside of your current network. An example of out of band would be a management rail which is used to manage devices on a network completely separate from your production network.
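The in-band/inline versus out-of-band distinction thehorse13 describes above, modelled as an added Python example (this is not code from the thread, from Cisco or from Forescout). The client and server addresses, the VLAN numbers and the admission policy are assumptions chosen for the illustration. What it shows is where enforcement happens: the inline server stays in the data path before, during and after authentication, posture assessment and remediation, while the out-of-band server only sets the switch port's VLAN and sees none of the user traffic afterwards.

```python
# Toy model of NAC enforcement placement: inline/in-band versus out-of-band. Added
# illustration, not code from the thread, Cisco or Forescout; addresses, ports, VLAN
# numbers and the admission policy are all assumed.
from dataclasses import dataclass
from enum import Enum

REMEDIATION_SERVER = "10.0.9.10"  # assumed patch/AV server a quarantined host may reach
ALWAYS_ALLOWED_PORTS = {53, 67}   # DNS and DHCP, so an unauthenticated host can bootstrap

class Posture(Enum):
    UNAUTHENTICATED = "unauthenticated"  # before authentication
    QUARANTINED = "quarantined"          # authenticated, posture failed: remediation only
    COMPLIANT = "compliant"              # authenticated and posture passed

@dataclass(frozen=True)
class Packet:
    src: str    # client IP
    dst: str    # destination IP
    dport: int  # destination TCP/UDP port

def decide(posture: Posture, pkt: Packet) -> bool:
    """Admission policy shared by both models: what a host in a given state may reach."""
    if pkt.dport in ALWAYS_ALLOWED_PORTS or posture is Posture.COMPLIANT:
        return True
    return posture is Posture.QUARANTINED and pkt.dst == REMEDIATION_SERVER

def assess(creds_ok: bool, posture_ok: bool) -> Posture:
    """Outcome of the authentication plus posture-assessment exchange."""
    if not creds_ok:
        return Posture.UNAUTHENTICATED
    return Posture.COMPLIANT if posture_ok else Posture.QUARANTINED

class InlineNacServer:
    """In-band: the server is inline, so every client packet crosses it before,
    during and after authentication, posture assessment and remediation."""
    def __init__(self) -> None:
        self.posture: dict[str, Posture] = {}
        self.data_packets_seen = 0
    def admit(self, client: str, creds_ok: bool, posture_ok: bool) -> Posture:
        self.posture[client] = assess(creds_ok, posture_ok)
        return self.posture[client]
    def forward(self, pkt: Packet) -> bool:
        """Data path: this box itself forwards or drops every packet."""
        self.data_packets_seen += 1
        return decide(self.posture.get(pkt.src, Posture.UNAUTHENTICATED), pkt)

class AccessSwitch:
    """Out-of-band enforcement point: the port's VLAN carries the decision and a
    per-VLAN ACL (modelled by reusing decide()) does the filtering."""
    # Assumed VLAN numbers: 900 authentication, 901 quarantine, 10 production.
    POSTURE_FOR_VLAN = {900: Posture.UNAUTHENTICATED, 901: Posture.QUARANTINED, 10: Posture.COMPLIANT}
    def __init__(self) -> None:
        self.port_vlan: dict[str, int] = {}
        self.data_packets_seen = 0
    def set_vlan(self, client: str, vlan: int) -> None:
        self.port_vlan[client] = vlan
    def forward(self, pkt: Packet) -> bool:
        self.data_packets_seen += 1
        vlan = self.port_vlan.get(pkt.src, 900)  # unknown ports start in the auth VLAN
        return decide(self.POSTURE_FOR_VLAN[vlan], pkt)

class OutOfBandNac:
    """Out-of-band: the server handles only the admission exchange, then tells the
    switch which VLAN the client belongs in; data traffic never crosses it."""
    VLAN_FOR = {Posture.UNAUTHENTICATED: 900, Posture.QUARANTINED: 901, Posture.COMPLIANT: 10}
    def __init__(self, switch: AccessSwitch) -> None:
        self.switch = switch
        self.data_packets_seen = 0  # stays 0: this box is not in the data path
    def admit(self, client: str, creds_ok: bool, posture_ok: bool) -> Posture:
        result = assess(creds_ok, posture_ok)
        self.switch.set_vlan(client, self.VLAN_FOR[result])
        return result

def run_demo() -> dict:
    """Walk one constructed client through both models and report what each box saw."""
    client = "10.0.1.50"                                   # constructed client address
    web = Packet(client, "192.0.2.80", 443)                # ordinary Internet destination
    patch = Packet(client, REMEDIATION_SERVER, 80)
    dns = Packet(client, "10.0.0.53", 53)
    inline = InlineNacServer()
    before = (inline.forward(dns), inline.forward(web))    # before authentication
    inline.admit(client, creds_ok=True, posture_ok=False)  # posture check fails
    during = (inline.forward(patch), inline.forward(web))  # remediation phase
    inline.admit(client, creds_ok=True, posture_ok=True)   # re-assessment passes
    after = inline.forward(web)
    switch = AccessSwitch()
    oob = OutOfBandNac(switch)
    oob.admit(client, creds_ok=True, posture_ok=True)
    oob_after = switch.forward(web)
    return {
        "inline_before": before, "inline_during": during, "inline_after": after,
        "inline_packets_through_nac": inline.data_packets_seen,
        "oob_after": oob_after,
        "oob_packets_through_nac": oob.data_packets_seen,
        "oob_packets_through_switch": switch.data_packets_seen,
    }
```

Running run_demo() shows the same policy decisions in both models, but the inline server has counted every user packet while the out-of-band server has counted none. That is the practical trade-off behind the terminology: an inline box is a throughput and availability dependency for all the traffic behind it, whereas an out-of-band design depends on the access switches being able to move a port between VLANs on the NAC server's instruction.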
March 18th, 2007, 02:30 PM
Thanks TH13 for your input