Amazon.com: Cisco NAC Appliance: Enforcing Host Security with Clean Access (9781587053061): Chad Sullivan, Jamey Heary, Alok Agrawal, Jerry Lin: Books

Cisco NAC Appliance: Enforcing Host Security with Clean Access [Paperback]

Chad Sullivan (Author), Jamey Heary (Author), Alok Agrawal (Author), Jerry Lin (Author)
4.8 out of 5 stars (4 customer reviews)

List Price: $67.00
Price: $50.35 & this item ships for FREE with Super Saver Shipping. Details
You Save: $16.65 (25%)

Formats

Amazon Price New from Used from
Kindle Edition $41.59  
Paperback $50.35  

Book Description

August 16, 2007 1587053063 978-1587053061 1

Cisco NAC Appliance

Enforcing Host Security with Clean Access

 

Authenticate, inspect, remediate, and authorize end-point devices using Cisco NAC Appliance

 

Jamey Heary, CCIE® No. 7680

Contributing authors: Jerry Lin, CCIE No. 6469,

Chad Sullivan, CCIE No. 6493, and Alok Agrawal

 

With today's security challenges and threats growing more sophisticated, perimeter defense alone is no longer sufficient. Few organizations are closed entities with well-defined security perimeters, which has led to the creation of perimeterless networks with ubiquitous access. Organizations need to have internal security systems that are more comprehensive, pervasive, and tightly integrated than in the past.

 

Cisco® Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access, provides a powerful host security policy inspection, enforcement, and remediation solution that is designed to meet these new challenges. Cisco NAC Appliance allows you to enforce host security policies on all hosts (managed and unmanaged) as they enter the interior of the network, regardless of their access method, ownership, device type, application set, or operating system. Cisco NAC Appliance provides proactive protection at the network entry point.

 

Cisco NAC Appliance provides you with all the information needed to understand, design, configure, deploy, and troubleshoot the Cisco NAC Appliance solution. You will learn about all aspects of the NAC Appliance solution including configuration and best practices for design, implementation, troubleshooting, and creating a host security policy.

 

Jamey Heary, CCIE® No. 7680, is a security consulting systems engineer at Cisco, where he works with its largest customers in the northwest United States. Jamey joined Cisco in 2000 and currently leads its Western Security Asset team and is a field advisor for its U.S. Security Virtual team. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP®, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. He has been working in the IT field for 13 years and in IT security for 9 years.

 

  • Understand why network attacks and intellectual property losses can originate from internal network hosts
  • Examine different NAC Appliance design options
  • Build host security policies and assign the appropriate network access privileges for various user roles
  • Streamline the enforcement of existing security policies with the concrete measures NAC Appliance can provide
  • Set up and configure the NAC Appliance solution
  • Learn best practices for the deployment of NAC Appliance
  • Monitor, maintain, and troubleshoot the Cisco NAC Appliance solution

 

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

 

Category: Cisco Press–Security

Covers: End-Point Security

 




Editorial Reviews

About the Author


Jamey Heary, CCIE No. 7680, is currently a security consulting systems engineer at Cisco Systems, Inc., and works with its largest customers in the Northwest United States. Jamey joined Cisco in 2000. He currently leads its Western Security Asset team and is a field advisor for the U.S. Security Virtual team. Prior to working at Cisco, he worked for the Immigration and Naturalization Service as a network consultant and project leader. Before that he was the lead network and security engineer for a financial firm whose network carries approximately 12 percent of the global equities trading volume worldwide. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. He has been working in the IT field for 13 years and in IT security for 9 years. He has a BS from St. Lawrence University.

 

About the Contributing Authors

Jerry Lin, CCIE No. 6469, is a consulting systems engineer for Cisco and is based in southern California. He specializes in security best practices. Jerry has worked with a variety of Cisco enterprise customers in areas such as software development, local government agencies, K-12 and universities, high-tech manufacturing, retail, and health care, as well as managed web-hosting service provider customers. He holds his CCIE in routing and switching as well as CCDP and CISSP certifications. Jerry has been working in the IT industry for the past 12 years. During the late 1990s, he worked as a technical instructor. Jerry earned both a bachelor’s degree and a master’s degree in mechanical engineering from the University of California, Irvine.

 

Chad Sullivan, CCIE No. 6493 (Security, Routing and Switching, SNA/IP), CISSP, CHSP, is a senior security engineer and owner of Priveon, Inc., which provides leading security solutions to customers globally. Prior to starting Priveon, Chad worked as a security consulting systems engineer at Cisco. Chad is recognized within the industry as one of the leading implementers of the Cisco Security Agent product and is the author of both Cisco Press books dedicated to the Cisco Security Agent.

 

Alok Agrawal is the technical marketing manager for the Cisco NAC Appliance (Clean Access) product. He leads the technical marketing team developing technical concepts and solutions and driving future product architecture and features. He works with the Cisco sales and partner community to scale the adoption of the NAC Appliance product line globally. Prior to joining the Cisco Security Technology Group, he worked in the switching team of the Cisco Technical Assistance Center. He has a strong background in routing and switching and host security design and implementation. Alok holds a master’s degree in electrical engineering from the University of Southern California and a bachelor’s degree in electronics engineering from the University of Mumbai.

Excerpt. © Reprinted by permission. All rights reserved.

Cisco NAC Appliance: Enforcing Host Security with Clean Access


Introduction

Almost every contemporary corporation and organization has acquired and deployed security solutions or mechanisms to keep its networks and data secure. Hardware and software tools such as firewalls, network-based intrusion prevention systems, antivirus and antispam packages, host-based intrusion prevention solutions, and vulnerability scanners have proven effective to a certain degree, but only if they are kept up to date. For example, classic virus attacks sent via e-mail attachments, such as netsky and MyDoom, can easily be detected and prevented by any up-to-date antivirus and antispam software package. The key to stopping host attacks is being able to proactively enforce security policies that ensure all hosts must be fully patched and have up-to-date security software running before allowing them full network access. Existing security solutions do not proactively stop a PC from entering the network if its security software and operating system software are not current. Frequently, users will manually disable their host security software because it either reduces the overall performance of their PC or prevents an application from installing. When antivirus and antispam packages are out of date or not running, the likelihood of PC virus infections increases. This in turn increases the overall security risk to the organization.

The same principle applies to OS hotfixes. Take Microsoft Windows as an example. If you fail to implement new Windows security hotfixes in a timely manner to address newly discovered vulnerabilities, the probability of those unpatched hosts being compromised, or "owned," greatly increases. This can result in a loss of productivity due to system downtime, theft of company and personal confidential information, or unauthorized access to sensitive information. Unfortunately, loss of a client's confidential information usually leads to financial losses for affected individuals and the organization.

Data security laws and regulations such as the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, and the Peripheral Component Interconnect (PCI) standard are forcing organizations to implement and enforce tougher data security protection measures. Compliance regulations such as PCI speak directly to the antivirus and OS hotfix issues discussed previously. They make it mandatory that relevant hosts are kept up to date and run antivirus software, among other things. Increasingly, organizations are being forced by various data security laws and regulations to decrease their data security risk. Gone are the days when organizations had the flexibility to decide what their own data security risk tolerance and policy was. Given that many organizations used to choose to save money and time at the expense of data security, mandated security compliance is a welcome change for all.

The motivation for writing this book is to introduce the latest Cisco security technology, called Network Admission Control (NAC) Appliance. This security solution has proven to help minimize the chronic hard and soft dollar losses that corporations are experiencing due to security-related incidents. Additionally, it helps organizations enforce the use of already existing security investments such as antivirus software and patch management solutions. NAC brings to the table an innovative and proactive technique for improving the overall security posture of an organization's hosts and networks.

NAC allows organizations to enforce, for the first time, their previously unenforceable corporate host security policy. It works by authenticating users and posture assessing hosts before allowing them full network access. Hosts that fail the security posture checks (for example, if their OS or antivirus package is not up to date) are network quarantined and given remediation options. After the host is certified, it is allowed on the network. A user, based on a successful authentication, is granted the level of network access privileges appropriate for that user's role.

The objectives of this book are to provide IT and security teams all the information needed to understand, design, configure, deploy, and troubleshoot the Cisco NAC Appliance solution.

Who Should Read This Book?

This book will be of interest to the following professionals:

  • IT directors and managers

  • Network administrators

  • Network and security engineers

  • Security analysts and consultants

  • Operating systems administrators

  • Application developers



Product Details

  • Paperback: 576 pages
  • Publisher: Cisco Press; 1 edition (August 16, 2007)
  • Language: English
  • ISBN-10: 1587053063
  • ISBN-13: 978-1587053061
  • Product Dimensions: 9.1 x 7.4 x 1.4 inches
  • Shipping Weight: 1.8 pounds
  • Average Customer Review: 4.8 out of 5 stars (4 customer reviews)
  • Amazon Best Sellers Rank: #820,139 in Books


Customer Reviews

4 Reviews
5 star: (3)
4 star: (1)
3 star: (0)
2 star: (0)
1 star: (0)

Average Customer Review: 4.8 out of 5 stars (4 customer reviews)

Most Helpful Customer Reviews

3 of 3 people found the following review helpful:
5.0 out of 5 stars Exceeded Expectations, August 21, 2007
This review is from: Cisco NAC Appliance: Enforcing Host Security with Clean Access (Paperback)
I want to start out by saying that this book completely exceeded my expectations for the first NAC Appliance book. I wish this was published 3 years ago. The author clearly articulates the business benefits of NAC, including how NAC provides return on investment (ROI), which gives any reader the know-how to wisely purchase Cisco NAC Appliance. He also shows his technical expertise by diving extremely deep into the inner workings of Cisco NAC Appliance, which gives engineers, consultants, and operations the information they need to successfully deploy or maintain the product.

This book shows great details into the process flows of In-Band & Out-of-Band users, Clean Access Agent (CAA) users and network scanning users. The information on the different deployment options and how to use them in diverse environments is great to start your NAC Design. This book makes the confusing topics seem easy and manageable.

Some of the highlights that caught my eye and I thought everyone would like were:

- Chapter on Host Security Policy - An amazing deal of information on how to design/create a Host Security Policy as it relates to NAC Appliance is invaluable to deployments

- Exploration of High Availability and Load Balancing - Information on how to load balance Clean Access Servers using the CSM, CSS, ACE and PBR cannot be found anywhere else. This includes saving money on Failover Bundles by using N+1 Failover

- Layer 3 OOB Deployment options - Walk through of the benefits of the different methods of deploying L3 OOB, e.g. PBR, ACLs, VPNs, etc.

- Deployment Best Practices - An entire chapter on how to plan, schedule, and keep all parties happy for your NAC Appliance deployment

- Monitoring & Troubleshooting information - detailed list of all logs located on the CAM and CAS, as well as the information on how to troubleshoot and monitor online users

All in all this is a great book and I would recommend it for all people interested in Buying, Deploying, Operating, or Troubleshooting Cisco NAC Appliance. This is definitely a great reference manual to have at your desk!


1 of 1 people found the following review helpful:
5.0 out of 5 stars This book delivers!, September 11, 2007
This review is from: Cisco NAC Appliance: Enforcing Host Security with Clean Access (Paperback)
Over the last couple years NAC has moved from being a niche solution and is becoming a mainstream requirement for enterprise organizations. This creates a new set of skills for the network engineer to master. Unfortunately there have been few resources for self study, until now. This book provides everything you need to get started with NAC, whether you are just evaluating the technology or rolling out a full deployment. Get this book and you will have the skills that are sure to be a requirement of any network engineer in the very near future.

Why this book?

1. Credible - The authors' field experience with NAC is evident as you read the book. This wasn't written in some ivory tower, these are folks who work on the technology with real world customers every day.

2. Comprehensive - ROI, design options, best practices, configuration examples, troubleshooting. Whether you are evaluating, implementing, or deploying there is something for everyone.

3. Concise - Weighing in at 576 pages it's hardly a short book, however given the amount of ground covered I would call it concise. The book is light on filler material, and since it isn't a certification guide there is anything in there just because it's on the test. Everything in this book is about how to get the job done.

To summarize... I highly recommend this book. Pick up a copy and get up to speed on this fast growing technology.


1 of 1 people found the following review helpful:
4.0 out of 5 stars Great volume : Consider buying, August 26, 2007
By Wole Akpose "wolexca" (dundalk, md United States)
This review is from: Cisco NAC Appliance: Enforcing Host Security with Clean Access (Paperback)
The Cisco Self Securing Network platform is currently structured around several cornerstone technologies of which the Cisco Clean Access technology is a leading component. The Cisco Clean Access technology is one of several industry wide Network Admission Control (NAC) technologies which rely on a combination of client-server components. The Cisco Clean Access suite includes a client component which could be a host-installed applet or a browser based applet that can read basic configuration data from a host machine and communicate compliance to enterprise defined rules/policies which are pre-defined on a clean access server appliance and other cooperating systems. The book, Cisco NAC Appliance, is a good guide for administrators deploying this complex set of solutions brought from Perfigo Inc. after Perfigo's acquisition by Cisco in 2006.

The book's organization and tone is aimed at security architects, security managers and security administrators. While a security architect will better understand the various deployment options and thus the place of the Cisco NAC framework in an enterprise, security managers will get a comprehensive enough view of the Cisco NAC framework to make the judgment call on actual deployment of the infrastructure and of course make decisions on cost/facility and better grapple with the potential cost benefit requests from enterprise's executive and the security administrator will have a quick guide handbook to help wade through the myriads of documentations from Cisco on its evolving SAFE architecture in general and the NAC framework in particular.

The organization of this book is excellent for the intended audience; six parts covering the basics of host security landscape, design of Cisco NAC appliance, developing a host security policy, the Cisco NAC configuration, some deployment best practices, and of course NAC appliance maintenance and troubleshooting. The six parts are laid out in fifteen accessible chapters spanning more than 500 pages with generous amount of configuration examples and screenshots.

With Cisco now having more than 45% market share in the endpoint access control market, books like these can only increase in importance as a guide to organizations grappling with the decision on what and where to deploy these technologies.

And for this volume, the taste of the pudding remains in the eating. So if you don't have a copy yet, go grab one (so long as you are interested in some endpoint security solutions now or at some point in the future). As for rating, I'll give it my best rating so far, four stars out of five.
Inside This Book

Key Phrases - Statistically Improbable Phrases (SIPs):
device management, online users, event logs, admin users, support logs, subnet mask, production deployment phase, default access, domain controllers, edge switch, lookup server, update cancel, session duration, communication logging, central deployment, redirection delay, switch group, configuring authentication, active clients, community string, full domain name, peer server, deployment options, external authentication servers, cca servers

Key Phrases - Capitalized Phrases (CAPs):
Appliance Server, Appliance Manager, Clean Access Agent, Active Directory, Virtual Gateway, Appliance Agent, Out-of-Band Deployment, User Management, Making Sense of All the Cisco, The Building Blocks, Network Scanner, Understanding Cisco, Cisco Catalyst, Traffic Policies, Network Settings, The Basics, High Availability, Advanced Cisco, Single Sign-on, Local Users, Software Release, Troubleshooting Cisco, Certificate Authority-signed, Configuring Out-of-Band Figure, Discovered Clients