Network World
Friday, July 4, 2008

Jamey Heary: Cisco Security Expert

Cisco Subnet

Cisco NAC Appliance gets some new features

Cisco recently released version 4.1(3) of its NAC Appliance product line. 4.1(3) has a slew of new features that I thought you might be interested in. The most noteworthy, to me anyway, is the addition of a web agent client delivered via Java or ActiveX. This web agent client does not require admin privileges to run, unlike the traditional Clean Access Agent.
Another nice new feature is auto-remediation for a requirement action. If a user fails a NAC policy check and auto-remediation is enabled, the NAC agent performs the required remediation action. This is done in the background and does not require the user to click or do anything. Auto-remediation works with Anti-Virus and Anti-Spyware definition updates, Windows updates, launching a program, URL link distribution, and Windows Server Update Services (WSUS).

Several upgrades were made to the way NAC Appliance handles guest login and registration. Quoting from the Cisco release notes, this is what it adds:
Release 4.1(3) enhances the way the CAM handles Guest user login, registration, and access with a new Guest Registration feature. Rather than allow users to simply gain undifferentiated Guest access to the system, the administrator can now configure guest users to register their own local accounts on the CAM using a variety of fields, including email, phone number, or affiliation. The new feature provides a customizable level of guest authentication using a new Guest Auth Server Type, new Guest Registration configuration pages, and the default guest role.
The CAM can automatically time out guest accounts using token expiration, or flush out unused guest accounts from the local database after a configurable number of days. Administrators can view newly created guest accounts on a new Guest Users local users list, and on the Certified Device List and Online Users List by configured Guest Auth Provider and Guest role.

Those are some of the big items that were added in this latest minor release of NAC Appliance. For a complete list, see the release notes here:
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html#wp301991
The opinions and information presented here are my personal views, not those of my employer.

Is that really the right way to deploy a NAC agent?

I read this post with interest, primarily because it highlights two things: a) just how long it has taken Cisco to release a dissolving agent, and b) that they did it in a manner that presents real practical issues to IT, security and help desk teams.

ActiveX agents require IE, and that ActiveX is enabled, something some enterprises discourage or disallow. Java requires a Java installation for Windows.

The ideal is a small executable that installs without admin credentials and removes itself. From a deployment and support perspective, this allows 1 agent to be deployed on a given OS, without complex dependencies, additional installations, or a choice of agents that complicates usage and support. I wrote more on this at http://nactalk.lockdownnetworks.com/

Dan Clark
VP Marketing, Lockdown Networks

About Jamey Heary

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
