Almost every contemporary corporation and organization has acquired and deployed security solutions or mechanisms to keep its networks and data secure. Hardware and software tools such as firewalls, network-based intrusion prevention systems, antivirus and antispam packages, host-based intrusion prevention solutions, and vulnerability scanners have proven effective to a certain degree, but only if they are kept up to date. For example, classic mass-mailing worms delivered as e-mail attachments, such as Netsky and MyDoom, are easily detected and blocked by any up-to-date antivirus and antispam package. The key to stopping host attacks is being able to proactively enforce security policies that require every host to be fully patched and running current security software before it is granted full network access. Existing security solutions do not proactively stop a PC from entering the network when its security software or operating system is out of date. Frequently, users manually disable their host security software because it reduces the performance of their PC or prevents an application from installing. When antivirus and antispam packages are out of date or not running, the likelihood of virus infection increases, and with it the overall security risk to the organization.
The same principle applies to OS hotfixes. Take Microsoft Windows as an example. If you fail to implement new Windows security hotfixes in a timely manner to address newly discovered vulnerabilities, the probability of those unpatched hosts being compromised, or "owned," greatly increases. This can result in a loss of productivity due to system downtime, theft of company and personal confidential information, or unauthorized access to sensitive information. Unfortunately, loss of a client's confidential information usually leads to financial losses for affected individuals and the organization.
Data security laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX), together with industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), are forcing organizations to implement and enforce tougher data protection measures. Requirements such as PCI DSS speak directly to the antivirus and OS hotfix issues discussed previously: they mandate, among other things, that in-scope hosts are kept patched and run antivirus software. Gone are the days when organizations had the flexibility to decide their own data security risk tolerance and policy. Given that many organizations used to choose to save money and time at the expense of data security, mandated security compliance is a welcome change for all.
The motivation for writing this book is to introduce the latest Cisco security technology, called Network Admission Control (NAC) Appliance. This security solution has proven to help minimize the chronic hard and soft dollar losses that corporations are experiencing due to security-related incidents. Additionally, it helps organizations enforce the use of already existing security investments such as antivirus software and patch management solutions. NAC brings to the table an innovative and proactive technique for improving the overall security posture of an organization's hosts and networks.
NAC allows organizations to enforce, for the first time, a corporate host security policy that was previously unenforceable. It works by authenticating users and assessing the security posture of their hosts before allowing them full network access. Hosts that fail the posture checks (for example, because the OS or antivirus package is not up to date) are placed in a network quarantine and offered remediation options. After the host is certified, it is allowed onto the network, and the user, based on a successful authentication, is granted the level of network access appropriate for that user's role.
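The admission flow just described (authenticate the user, assess the host, quarantine and remediate on failure, role-based access on success) can be modelled as a small policy engine. The following Python sketch is an added example, not code from this book or from the Cisco NAC Appliance product. The credential store, role names, VLAN labels, posture-report fields and check thresholds are all invented for the illustration; a real deployment would consult a RADIUS or LDAP backend and an agent-supplied posture report rather than these in-memory dicts.

```python
"""Illustrative NAC admission decision flow (added example, not Cisco code).

Sequence modelled: authenticate the user -> assess host posture ->
quarantine failing hosts with remediation steps -> place passing hosts on
the network segment assigned to the user's role.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac

# Constructed credential store: username -> (SHA-256 of "salt:" + password, role).
USERS = {
    "alice": (hashlib.sha256(b"salt:alice-pass").hexdigest(), "employee"),
    "bob": (hashlib.sha256(b"salt:bob-pass").hexdigest(), "contractor"),
}
# Hypothetical role -> network segment mapping for certified hosts.
ROLE_ACCESS = {"employee": "VLAN 10 (corporate)", "contractor": "VLAN 20 (restricted)"}
QUARANTINE = "VLAN 99 (quarantine)"


@dataclass
class Decision:
    allowed: bool
    segment: str                                      # where the host is placed
    remediation: list = field(default_factory=list)   # what the user must fix first


def authenticate(username: str, password: str):
    """Return the user's role on success, None on failure (constant-time compare)."""
    record = USERS.get(username)
    if record is None:
        return None
    digest = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
    return record[1] if hmac.compare_digest(digest, record[0]) else None


def assess_posture(report: dict, today_iso: str, required_patch_level: int,
                   max_signature_age_days: int = 7) -> list:
    """Return remediation steps; an empty list means the host passes.

    report is a constructed agent report with keys av_running (bool),
    av_signature_date (ISO date string) and os_patch_level (int baseline).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    if not report.get("av_running", False):
        # A disabled scanner fails outright; signature age is moot until it runs.
        findings.append("start the antivirus service")
    else:
        signature_age = today - date.fromisoformat(report["av_signature_date"])
        if signature_age > timedelta(days=max_signature_age_days):
            findings.append("update antivirus signatures")
    if report.get("os_patch_level", 0) < required_patch_level:
        findings.append(f"install OS hotfixes up to baseline {required_patch_level}")
    return findings


def admit(username: str, password: str, report: dict, today_iso: str,
          required_patch_level: int) -> Decision:
    """Full admission decision: authentication first, then posture, then role."""
    role = authenticate(username, password)
    if role is None:
        # Unauthenticated hosts stay where they started; no posture check is run.
        return Decision(False, "unauthenticated", ["authentication failed"])
    findings = assess_posture(report, today_iso, required_patch_level)
    if findings:
        return Decision(False, QUARANTINE, findings)
    return Decision(True, ROLE_ACCESS[role])


if __name__ == "__main__":
    stale = {"av_running": True, "av_signature_date": "2006-12-01", "os_patch_level": 4}
    print(admit("alice", "alice-pass", stale, "2007-01-15", 5))
```

The ordering matters: posture is only assessed after authentication succeeds, so an unauthenticated host never learns what the policy requires, and a host that fails posture is given a quarantine segment plus the concrete list of fixes rather than a bare denial, which is what makes self-remediation possible.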
The objective of this book is to give IT and security teams all the information they need to understand, design, configure, deploy, and troubleshoot the Cisco NAC Appliance solution.