Cisco Clean Access is a software solution provided by Cisco, Inc. that performs network validation. Cisco Clean Access automatically detects, isolates, and cleans infected and/or vulnerable wireless devices that attempt to access the network. It identifies whether wireless devices are compliant with security policies and provides direction on how to repair these vulnerabilities before permitting access to the network.
Cisco NAC Appliance (formerly Cisco Clean Access) is an easily deployed Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops, and corporate assets are compliant with a network's security policies, and it repairs any vulnerabilities before permitting access to the network.
Cisco NAC Appliance is an end-to-end network registration and enforcement solution that allows network administrators to authenticate, authorize, evaluate, and remediate users and their machines prior to allowing users onto the network. This advanced network security product:
• Recognizes users, their devices, and their roles in the network. This first step occurs at the point of authentication, before malicious code can cause damage.
• Evaluates whether machines are compliant with security policies. Security policies can vary by user type, device type, or operating system.
• Enforces security policies by blocking, isolating, and repairing noncompliant machines. The machines are redirected into a quarantine area, where remediation occurs at the discretion of the administrator.
Cisco NAC Appliance can apply posture assessment and remediation services to all devices, regardless of:
• Device type. Cisco NAC Appliance can enforce security policies on all networked devices, including Windows, Mac, or Linux machines, laptops, desktops, personal digital assistants (PDAs), and corporate assets, such as printers and IP phones.
• Device ownership. Cisco NAC Appliance can apply security policies to systems owned by the corporation, employees, contractors, and guests.
• Device access method. Cisco NAC Appliance applies network admission control to devices connecting through the LAN, WLAN, WAN, or through VPNs.
Cisco NAC Appliance is unique in its ability to enforce policies for all operating scenarios without requiring separate products or additional modules.
FEATURES AND BENEFITS
Networks with Cisco NAC Appliance primarily benefit from:
• Healthy networks as a result of making compliance a condition of access
• Proactive prevention of viruses, worms, spyware, and other malicious applications
• Minimized vulnerabilities on user machines through periodic evaluation and remediation
• Significant cost savings by automating the process of repairing and updating user machines
Authentication Integration with Single Sign-On
Cisco NAC Appliance serves as an authentication proxy for most forms of authentication, natively integrating with Kerberos, Lightweight Directory Access Protocol (LDAP), RADIUS, Active Directory, S/Ident, and others. To minimize the inconvenience to end users, Cisco NAC Appliance supports single sign-on for VPN clients, wireless clients, and Windows Active Directory domains. Administrators can maintain multiple user profiles with different permission levels through the use of role-based access control.
Cisco NAC Appliance supports scanning of all Windows-based operating systems, Mac OS, Linux machines, and non-PC networked devices such as game consoles, PDAs, printers, and IP phones. It conducts network-based scans or can use custom-built scans as required. Cisco NAC Appliance can check for any application as identified by registry key settings, services running, or system files.
Cisco NAC Appliance can place noncompliant machines into quarantine, which prevents the spread of infection while enabling the machines to maintain access to remediation resources. Quarantine can be accomplished by using subnets as small as /30, or by using a quarantine VLAN.
Automatic Security Policy Updates
Automatic security policy updates, provided by Cisco Systems as part of the standard software maintenance package, deliver predefined policies for the most common network access criteria, including policies that check for critical operating system updates, common antivirus software virus definition updates, and common antispyware definition updates. This eases the management cost on network administrators, who can rely on the Cisco NAC Appliance to constantly maintain updated policies.
The Cisco NAC Appliance Web-based management console allows administrators to define the types of scans required for each role, as well as the related remediation packages necessary for recovery. One management console can manage several servers.
Remediation and Repair
Quarantining gives devices access to remediation servers that can provide operating system patches and updates, virus definition files, or endpoint security solutions such as Cisco Security Agent. Administrators can enable self-remediation through the optional agent or specify a series of Webpages with remediation instructions.
Flexible Deployment Modes
Cisco NAC Appliance offers the broadest array of deployment modes to fit into any customer network. Customers can deploy the product as a virtual or real IP gateway, at the edge or centrally, with Layer 2 or Layer 3 client access, and in-band or out-of-band with network traffic.
Cisco NAC Appliance can be deployed in several ways to best accommodate a customer's network. Table 1 illustrates the options for deployment: