Clean Access Agent and Web Login with Network Scanner

This section will deal with how to best use the web login with Network Scanner and Clean Access Agent in your Cisco NAC Appliance design. Understanding where and when to use Clean Access Agent or web login is critical to producing a successful design. For this discussion, it should always be assumed that web login will include the Network Scanner function. The Network Admission Control Appliance solution has three main functions: authentication, posture assessment, and remediation. Each of these functions requires the NAC Appliance solution to interact with the clients it is attempting to control. Each of the main functions requires client information and interaction that is unique to their purpose. The agent and web login differ in their capabilities to gather information and interact with a client. An examination of these differences will help in the decision-making process of which approach to use for a given situation.

The first function’s purpose, authentication, identifies who is connecting to the network. Authentication requires the gathering and validating of a user’s credentials, typically username and password. Authentication can also include performing the SSO process. Both Clean Access Agent and web login can perform basic authentication. However, only the Clean Access Agent can perform the duties of SSO. As a result, if you choose to use any of the SSO methods (VPN, wireless, or Active Directory), you must use Clean Access Agent for authentication. A nice feature of Clean Access Agent is that it self-discovers when the user needs to authenticate to NAC Appliance and pops up a Windows dialog box to do so. Web login has no equivalent discovery function. It requires the user to know when to open a web browser to log in. Figure 4-16 shows the Clean Access Agent Login dialog box.

Figure 4-16 Clean Access Agent Login

Web login is shown in Figure 4-17.

Figure 4-17 Web Login Authentication

The second main function is posture assessment of the user’s host PC. Posture assessment involves validating that a given host complies with the requirements set forth in your host security policy. To accomplish this task, NAC Appliance gathers relevant information about the host and compares it against the requirements set forth in the host security policy. Both Clean Access Agent and the Network Scanner part of web login are capable of performing a host posture assessment. However, Clean Access Agent is by far the more widely deployed of the two. During the creation of your host security policy, you will determine what host posture assessment checks you want to perform. Based on those checks, ask yourself these questions:

Where is this information stored? Can it be accessed using a network scan, or must it be gathered by a local agent? If both, which is easiest?

Will hosts have personal firewalls enabled that will thwart the NAC Appliance network scanner?

If the information is only available locally, the agent must be used. Are all the clients running operating systems that the Clean Access Agent supports?

Installing Clean Access Agent requires admin rights on the PC. Will users have the admin rights necessary to install Clean Access Agent themselves? If not, an enterprise software distribution system, such as Microsoft Systems Management Server (SMS), should be used to push the agent out.

One way to get around the previous requirement is to distribute an agent stub first. A stub provides a convenient way to allow users to install Clean Access Agent without admin rights. But the stub program itself requires the network administrators to have admin rights on the PC it will be installed on. Do you control or have admin rights on all the PCs you want to control?

How will the posture assessment checks change based on user role and host location? For example, in the public areas you might want to scan only for infected hosts and not use an agent.

Clean Access Agent is built to do local checks of a host’s file system, registry, running services, and applications. Clean Access Agent provides an effective mechanism to allow NAC Appliance to check for things such as the running state of antivirus clients, virus definition file versions, Windows hotfixes and service packs, and so on. Figure 4-18 shows Clean Access Agent kicking off its posture assessment process.

The Network Scanner function is built to scan a host to detect known security vulnerabilities and active worm infections. Nessus is the scanning engine used by Network Scanner. Network Scanner has hundreds of vulnerability plug-ins for you to choose from. For example, you can run plug-ins that check whether a host is infected with the Zotob worm or is vulnerable to a DCOM buffer overflow attack. The big downside of Network Scanner is that it performs the scans from the NAC Appliance Server across the network to the host. This means that simple things like a host personal firewall or host intrusion prevention system will block Network Scanner from gathering any information: a host that drops unsolicited packets looks the same to the scanner as a host with nothing listening, so the scan reports nothing rather than reporting the host as noncompliant. Figure 4-19 shows the vulnerability report screen that web login displays.

Figure 4-19 Web Login Vulnerability Report
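The blind spot just described is easy to reproduce. The following is an added example (not Cisco or Nessus code) that probes a TCP port the way any network-side scanner must, and classifies the outcome as open (handshake completes), closed (the host answers with a reset, seen as "connection refused"), or filtered (nothing comes back before the timeout, which is what a personal firewall that drops unsolicited packets produces). The targets are constructed locally: a listening socket on the loopback address, the same port after the listener is closed, and a non-routable RFC 1918 address standing in for a firewalled host; the 10.255.255.1 address and the timeouts are assumptions for the demonstration.

```python
"""Classify what a network-side scanner observes for one TCP port.

Added illustration, not part of the Cisco NAC Appliance product or of
Nessus. The three targets in demo() are constructed so the example runs
offline.
"""
import socket


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port.

    A full connect() is used rather than a raw SYN so the example needs no
    privileges. 'filtered' is the timeout case: a host firewall silently
    dropping the SYN is indistinguishable from no host at all.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST came back: port closed
        return "closed"
    except socket.timeout:              # nothing came back: dropped/filtered
        return "filtered"
    except OSError:                     # e.g. no route to the network
        return "unreachable"
    finally:
        sock.close()


def demo():
    """Probe three constructed targets and return the classification of each."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    results = {"listening_port": probe("127.0.0.1", port)}
    listener.close()                    # same port, nothing listening now
    results["closed_port"] = probe("127.0.0.1", port)
    # Hypothetical firewalled host: a non-routable address that never answers.
    results["blackhole"] = probe("10.255.255.1", port, timeout=0.5)
    return results


if __name__ == "__main__":
    for target, state in demo().items():
        print(f"{target:15s} {state}")
```

Only the "closed" result carries information a scanner can act on; "filtered" tells the NAC Appliance Server nothing about patch level, running worms, or anything else the plug-ins are meant to detect, which is why the agent, reading local state, is preferred for hosts that run a personal firewall.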

The purpose of the third function, remediation, is to provide noncompliant users with the tools and information they need to become compliant. This requires that NAC Appliance be able to deliver the tools and information to the user and be able to validate that the changes required for compliance were completed. Both the agent and the Network Scanner function of web login are capable of performing the remediation function. However, the capabilities of Clean Access Agent are far superior to those of Network Scanner. Clean Access Agent’s remediation process walks the user through each individual failed check. This is done using a pop-up Windows dialog box. This dialog box contains information and instructions pertaining to the failed check. It also contains a remediation button. This button can link to web pages, download files, or start Windows Update or antivirus update programs. Clean Access Agent recognizes when a user completes a fix and when the host becomes compliant. After the host is compliant, Clean Access Agent notifies NAC Appliance, which then grants the client access to the network.

Network Scanner works a little bit differently. After performing its vulnerability scan, a web page containing all the vulnerabilities found is displayed on the client’s PC. Instructions and a URL link are provided for each vulnerability listed. Unlike Clean Access Agent, this method does not support the launching of any update programs— antivirus, Windows, and so on—on the host machine. In addition, the capability to recognize when a user completes a fix is not automatic. The user must log out and log in to be rescanned.
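To make the agent-side posture assessment and remediation loop concrete, here is an added example that is not Cisco code and not the agent's implementation. It models the check categories the text lists for Clean Access Agent (registry value, file present, service state, hotfix installed, antivirus definition version) as a small policy evaluated against a constructed snapshot of local host state, renders the per-check remediation text, and re-assesses after each fix the way the agent does, rather than waiting for a logout and login as Network Scanner must. The key paths, service names, KB numbers, version strings and links are all hypothetical.

```python
"""Agent-style posture assessment with a remediation loop.

Added illustration (not Cisco code). HOST is a constructed dict standing in
for what an agent reads locally; a real agent would use OS APIs. Every
check target, KB number, path and link below is hypothetical.
"""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str
    kind: str           # "registry" | "file" | "service" | "hotfix" | "av_defs"
    target: str         # key path, file path, service name, KB id, or minimum version
    expected: str = ""  # required registry value or service state
    instructions: str = ""
    link: str = ""      # what the remediation button would open or launch


# Constructed host state (hypothetical values).
HOST = {
    "registry": {r"HKLM\SOFTWARE\Example\AutoUpdate": "0"},
    "files": {r"C:\Program Files\ExampleAV\av.exe"},
    "services": {"ExampleAV": "running", "wuauserv": "stopped"},
    "hotfixes": {"KB1000001"},
    "av_defs": "1.391.0",
}

# Host security policy expressed as agent checks (hypothetical values).
POLICY = [
    Check("av-installed", "file", r"C:\Program Files\ExampleAV\av.exe",
          instructions="Install the corporate antivirus client.",
          link="https://intranet.example/av"),
    Check("av-running", "service", "ExampleAV", "running",
          instructions="Start the antivirus service.", link="launch:ExampleAV"),
    Check("av-defs-current", "av_defs", "1.395.0",
          instructions="Definitions are older than required; run an update.",
          link="launch:av-update"),
    Check("wu-service", "service", "wuauserv", "running",
          instructions="The Windows Update service must be running.",
          link="launch:wuauserv"),
    Check("critical-hotfix", "hotfix", "KB1000002",
          instructions="Install the required hotfix.", link="launch:windows-update"),
    Check("auto-update-on", "registry", r"HKLM\SOFTWARE\Example\AutoUpdate", "1",
          instructions="Enable automatic updates.",
          link="https://intranet.example/autoupdate"),
]


def _version(v):
    """Dotted version string to a comparable tuple: '1.391.0' -> (1, 391, 0)."""
    return tuple(int(p) for p in v.split("."))


def passes(check, host):
    """True when the host satisfies one check, using only local state."""
    if check.kind == "registry":
        return host["registry"].get(check.target) == check.expected
    if check.kind == "file":
        return check.target in host["files"]
    if check.kind == "service":
        return host["services"].get(check.target) == check.expected
    if check.kind == "hotfix":
        return check.target in host["hotfixes"]
    if check.kind == "av_defs":
        return _version(host["av_defs"]) >= _version(check.target)
    raise ValueError(f"unknown check kind {check.kind!r}")


def assess(host, policy):
    """Posture assessment: the failed checks, in policy order."""
    return [c for c in policy if not passes(c, host)]


def dialog(failed):
    """One line per failed check, as the remediation dialog would present it."""
    return [f"{c.name}: {c.instructions} -> {c.link}" for c in failed]


def apply_fix(host, check):
    """Stand-in for the user acting on the remediation button; mutates host."""
    if check.kind == "registry":
        host["registry"][check.target] = check.expected
    elif check.kind == "file":
        host["files"].add(check.target)
    elif check.kind == "service":
        host["services"][check.target] = check.expected
    elif check.kind == "hotfix":
        host["hotfixes"].add(check.target)
    elif check.kind == "av_defs":
        host["av_defs"] = check.target


def remediate(host, policy, max_rounds=3):
    """Fix each failed check and re-assess until compliant or max_rounds is hit.

    Returns (failed names before, rounds taken, failed names after). Working
    on a copy keeps the caller's snapshot untouched.
    """
    host = copy.deepcopy(host)
    before = [c.name for c in assess(host, policy)]
    rounds = 0
    while assess(host, policy) and rounds < max_rounds:
        rounds += 1
        for check in assess(host, policy):
            apply_fix(host, check)
    return before, rounds, [c.name for c in assess(host, policy)]


if __name__ == "__main__":
    for line in dialog(assess(HOST, POLICY)):
        print(line)
    print(remediate(HOST, POLICY))
```

Running it lists the four failed checks with their instructions and links, then reports that one round of fixes brings the host to compliance; in the agent model that re-assessment is automatic, whereas with Network Scanner the equivalent step is the user logging out and back in to trigger a rescan.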

As discussed, NAC Appliance interacts with and gathers information from clients in three ways: through Clean Access Agent, through web login, or both. Either method can be used to accomplish the three main functions—authentication, posture assessment, and remediation—as set forth in the preceding discussion. By and large, the Clean Access Agent method is the recommended design choice. However, both Clean Access Agent and web login have advantages and disadvantages. A good rule of thumb is to use Clean Access Agent on hosts that you or the users have admin rights on. Web login is a popular choice for guest users who will be given extremely limited access to your internal resources, such as Internet only. And, of course, web login is used for hosts on which you cannot install Clean Access Agent.

The type of interaction method chosen is role dependent. For a given role, both Clean Access Agent and web login can be made available or Clean Access Agent can be made mandatory. For example, the Guest role users might have both methods available, but the Employee role users must use the Clean Access Agent.

Summary

This chapter examined the various design options available in a Cisco NAC Appliance deployment. The function and pros and cons of each option were studied in detail. The following design options were covered:

Single Sign-On

In-band

Out-of-band

Layer 2 adjacency

Layer 3 adjacency

Virtual gateway mode

Real IP gateway mode

Clean Access Agent

NAC Appliance and IP Telephony Integration

Chapter 5 Advanced Cisco NAC Appliance