Cisco NAC Appliance


Cisco NAC Appliance, formerly Cisco Clean Access (CCA), was a network admission control (NAC) system developed by Cisco Systems to keep unpatched or otherwise non-compliant computers off a network. Originally developed by Perfigo and sold as Perfigo SmartEnforcer, the appliance inspects systems attempting to join the network and blocks those that fail its checks. It usually installs an application known as the Clean Access Agent on computers that will be connected to the network; the Agent, together with a Clean Access Server and a Clean Access Manager, became common in universities and corporate environments. It can manage wired or wireless networks in an in-band or out-of-band configuration, and virtual private networks (VPNs) in an in-band configuration only.


Cisco NAC Appliance is no longer in production and has not been sold since the early 2010s; mainstream support ended in 2015 and extended support in 2018.

Clean Access Agent

The Clean Access Agent (CCAA, "Cisco Clean Access Agent") resides on the client machine, authenticates the user, and scans for the required patches and software. The Agent was only ever released for certain Windows and Mac OS X versions (Windows 98, Windows Me, Windows 2000, Windows XP, Windows XP Media Center Edition, Windows Vista, Windows 7, Windows 8 and Mac OS X); [1] most network administrators therefore allow clients with other operating systems (such as Mac OS 9, Linux, and FreeBSD) onto the network without any posture checks. Authentication is still required for those clients and is usually handled through a web interface, so whether a posture check happens at all depends on which operating system the client appears to be running.

Authentication

After successfully authenticating via the web interface, the Clean Access Server directs new Windows-based clients to download and install the Clean Access Agent application; non-Windows clients need only authenticate via the web interface and agree to any network terms of service. Once installed, the Agent requires the user to re-authenticate. After re-authentication, the Agent typically checks the client for known vulnerabilities in the Windows version in use, as well as for up-to-date anti-virus software and definitions. The checks are maintained as a series of "rules" on the Clean Access Manager side, and the Clean Access Manager (CAM) can be configured to check, install, or update anything on the user's system. When the Agent has checked the system it informs the user of the result, either with a success message or a failure message. Failure messages tell the user which categories the system failed (Windows updates, antivirus, etc.) and how to proceed.

A system that fails the checks is denied general access to the network and is usually placed in a quarantine role. Exactly how a failed system is handled depends entirely on how the Clean Access Manager is configured and varies from network to network; a failed system may, for example, simply be denied all network access. Quarantined systems are typically given a 60-minute window in which the user can try to resolve the reasons for quarantine. During that window the user is only allowed connectivity to the Windows Update website and a number of antivirus providers (Symantec, McAfee, Trend Micro, etc.), or is redirected to a Guest Server for remediation; all other traffic is typically blocked. Once the 60-minute window expires, all network traffic is blocked, and the user may re-authenticate with Clean Access and repeat the process as needed.

Systems that pass the checks are granted access to the network as defined by the role assigned on the Clean Access Manager. Clean Access configurations vary from site to site, and the network services available likewise depend on the configuration and the assigned user role.

Systems usually need to re-authenticate at least once per week regardless of their status, although the network administrator can change this interval. If a system is disconnected from the network for a set amount of time (usually ten minutes), the user also has to re-authenticate on reconnecting.

Windows Updates

Clean Access normally determines whether a Windows system has the required updates by reading the system's registry, so the check reflects what the registry reports rather than the patched state of the files themselves. A corrupted registry may therefore keep a user from being able to access the network even when the updates are installed.

Security Issues and Concerns

User Agent Spoofing

The Clean Access Server (CAS) determines the client's operating system from the browser's User-Agent string after authentication. If a Windows system is detected, the server asks the user to download the Clean Access Agent; on all other operating systems, login is complete at that point. Because the User-Agent string is entirely under the client's control, a Windows user can present a non-Windows string and skip the Agent, and with it the posture check, altogether. To counter this, newer versions of the Server and Agent (3.6.0 and up) can also identify the host through TCP/IP stack fingerprinting and JavaScript platform information:

By default, the system uses the User-Agent string from the HTTP header to determine the client OS. Release 3.6.0 provides additional detection options to include using the platform information from JavaScript or OS fingerprinting from the TCP/IP handshake to determine the client OS. This feature is intended to prevent users from changing identification of their client operating systems through manipulating HTTP information. Note that this is a "passive" detection technique that only inspects the TCP handshake and is not impacted by the presence of a firewall. [2]
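The cross-check the release notes describe, as an added example that is not Cisco's code: the OS claimed in the User-Agent header is compared with a passive guess from the client's TCP SYN (initial TTL and option layout), and the stack guess wins when the two disagree. The signature table is a deliberately small, p0f-style approximation and the User-Agent strings and SYN features below are constructed; the override policy is an assumption.

```python
"""Compare the OS claimed in the HTTP User-Agent with a passive guess from
the client's TCP SYN and decide whether the Agent download is required.
Added example, not Cisco code: the signature table is a small approximation
(assumption) and the packets and UA strings below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SynFeatures:
    ttl: int          # IP TTL as seen by the server
    window: int       # TCP window advertised in the SYN
    options: tuple    # TCP option kinds in wire order


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    return 255


# (initial TTL, option layout) -> OS. Assumption: a handful of typical
# defaults of the period; a real fingerprinter carries hundreds of entries.
STACK_SIGNATURES = [
    (128, ("mss", "nop", "ws", "nop", "nop", "sack"), "Windows"),
    (128, ("mss", "nop", "nop", "sack"), "Windows"),
    (64, ("mss", "sack", "ts", "nop", "ws"), "Linux"),
    (64, ("mss", "nop", "ws", "nop", "nop", "ts", "sack", "eol"), "Mac OS X"),
]


def os_from_syn(syn: SynFeatures) -> str:
    ittl = initial_ttl(syn.ttl)
    for ttl, opts, name in STACK_SIGNATURES:
        if ittl == ttl and tuple(syn.options) == opts:
            return name
    return "unknown"


def os_from_user_agent(ua: str) -> str:
    ua = ua.lower()
    if "windows" in ua:
        return "Windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "Mac OS X"
    if "linux" in ua:
        return "Linux"
    return "unknown"


def classify_client(ua: str, syn: SynFeatures):
    """Return (effective_os, spoof_suspected).

    Policy (assumption): the stack guess overrides the header when they
    disagree, because the header is under the client's control; if the
    stack is not recognised the header is used as before."""
    claimed = os_from_user_agent(ua)
    guessed = os_from_syn(syn)
    if guessed == "unknown":
        return claimed, False
    return guessed, guessed != claimed


def requires_agent(effective_os: str) -> bool:
    return effective_os == "Windows"


# Constructed inputs: a Windows XP browser, the same host with a spoofed
# User-Agent, and the SYN both would send (TTL 126 = 128 minus two hops).
WINDOWS_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0"
SPOOFED_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US) Firefox/2.0"
WINDOWS_SYN = SynFeatures(ttl=126, window=65535,
                          options=("mss", "nop", "ws", "nop", "nop", "sack"))

if __name__ == "__main__":
    for ua in (WINDOWS_UA, SPOOFED_UA):
        effective, spoofed = classify_client(ua, WINDOWS_SYN)
        print(f"{ua[:40]!r:45} -> {effective}, spoof={spoofed}, "
              f"agent={requires_agent(effective)}")
```

The spoofed Linux header is still classified as Windows because the SYN carries a Windows option layout and a TTL that rounds up to 128, so the Agent download is required; a host whose stack is not in the table falls back to the header, which is the residual weakness of any table-driven fingerprinter.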

Microsoft Windows Scripting

The Clean Access Agent makes extensive use of the Windows Script Engine, version 5.6. It was demonstrated that removing or disabling the scripting engine in Windows breaks posture interrogation by the Clean Access Agent, which then "fails open" and admits the device to the network on proper authentication alone. [3] The posture check thus depended on a client-side component the user could remove, and the Agent treated its inability to run the checks as a pass rather than as a failure.
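A rule-based posture evaluation of the kind described under Authentication, with the scripting-engine failure mode made explicit, as an added example that is not Cisco's code. The rule set, the categories, the host inventory fields and the hotfix placeholder are assumptions and the hosts are constructed; `fail_open=True` reproduces the bypass above, the default fails closed and reports the failed categories as the Agent's failure message would.

```python
"""Posture evaluation with explicit fail-closed handling. Added example,
not Cisco code: rules, categories, host fields and the "HOTFIX-A"
placeholder are assumptions; the hosts are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


class ScriptEngineUnavailable(RuntimeError):
    """Raised when a check that needs the client-side script engine cannot run."""


@dataclass
class Host:
    os: str
    hotfixes: frozenset
    av_product: Optional[str]
    av_definitions_age_days: Optional[int]
    script_engine_present: bool


@dataclass(frozen=True)
class Rule:
    category: str                   # what the failure message reports
    description: str
    check: Callable[[Host], bool]   # True when the host satisfies the rule


def run_check(host: Host, rule: Rule) -> bool:
    """Every rule body runs through the host's scripting engine (assumption
    mirroring the dependency described in the text)."""
    if not host.script_engine_present:
        raise ScriptEngineUnavailable("Windows Script Engine 5.6 not available")
    return rule.check(host)


# Constructed rule set; "HOTFIX-A" is a placeholder, not a real KB number.
RULES = [
    Rule("Windows updates", "required hotfix HOTFIX-A present",
         lambda h: "HOTFIX-A" in h.hotfixes),
    Rule("antivirus", "antivirus product installed",
         lambda h: h.av_product is not None),
    Rule("antivirus", "definitions no older than 7 days",
         lambda h: h.av_definitions_age_days is not None
         and h.av_definitions_age_days <= 7),
]


def evaluate(host: Host, rules=RULES, fail_open: bool = False):
    """Return (role, failed_categories, message).

    fail_open=True reproduces the bypass: an engine that cannot run the
    checks is treated as if every check had passed. The default fails
    closed: the host is quarantined and told why."""
    if host.os != "Windows":
        return "authenticated-only", [], "no posture checks for this OS"
    failed = set()
    for rule in rules:
        try:
            if not run_check(host, rule):
                failed.add(rule.category)
        except ScriptEngineUnavailable as exc:
            if fail_open:
                break   # nothing else can run either; silently treated as passed
            return "quarantine", ["posture engine"], f"checks could not run: {exc}"
    if failed:
        cats = sorted(failed)
        return ("quarantine", cats,
                "failed: " + ", ".join(cats) + "; remediate within the quarantine window")
    return "clean", [], "all checks passed"


# Constructed hosts ("AV-X" is a placeholder product name).
CLEAN = Host("Windows", frozenset({"HOTFIX-A"}), "AV-X", 2, True)
STALE = Host("Windows", frozenset(), "AV-X", 30, True)
NO_ENGINE = Host("Windows", frozenset(), None, None, False)
LINUX = Host("Linux", frozenset(), None, None, False)

if __name__ == "__main__":
    for name, host in (("clean", CLEAN), ("stale", STALE), ("no engine", NO_ENGINE)):
        print(name, evaluate(host))
    print("no engine, fail open:", evaluate(NO_ENGINE, fail_open=True))
```

The host without a scripting engine has the same (empty) inventory as the stale host, yet the fail-open variant certifies it as clean; the fail-closed default quarantines it with a distinct "posture engine" category so the operator can tell "could not check" apart from "checked and failed".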

MAC Spoofing Prevention

Device Segregation

MAC address spoofing is practical in a wireless environment: an attacker uses a sniffer to find and clone the MAC address of a client that has already been authorized or placed in a "clean" user role. It is much harder on a wired network unless the Clean Access Server has been misconfigured. In a correct architecture and configuration, the Clean Access Server hands out addresses via DHCP on its untrusted interface from /30 subnets (a 30-bit network prefix and 2 bits for hosts). A /30 has only two usable addresses, one of which the server itself occupies as the gateway, so only one client can be placed in each DHCP scope at any given time. This segregates unauthenticated users from each other and from the rest of the network, makes wired sniffing of other clients irrelevant, and makes spoofing or cloning an authorized MAC address nearly impossible. A similar per-client design in a wireless environment would likewise contribute to a more secure Clean Access deployment.
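The two address-assignment layouts side by side, as an added example that is not Cisco's DHCP implementation: a per-client /30 allocator, where the four addresses of each scope are the network, the CAS gateway, the single client and the broadcast, and a flat scope where every client shares one subnet. The pool ranges, the convention that the CAS takes the first usable address, and the MAC addresses are assumptions and constructed values.

```python
"""Address assignment on the CAS untrusted interface: one /30 per client
versus one flat scope shared by all clients. Added example, not Cisco's
DHCP code: pool ranges, the gateway convention and the MAC addresses are
assumptions/constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address   # address the CAS answers on
    client: ipaddress.IPv4Address


class PerClientScopes:
    """Carve the pool into /30s. Each /30 holds network, gateway, client and
    broadcast, so a second client never fits into an occupied scope."""

    def __init__(self, pool: str):
        self._free = list(ipaddress.ip_network(pool).subnets(new_prefix=30))
        self.leases = {}

    def lease(self, mac: str) -> Lease:
        if mac in self.leases:
            return self.leases[mac]
        if not self._free:
            raise RuntimeError("pool exhausted")
        net = self._free.pop(0)
        gateway, client = list(net.hosts())   # exactly two usable addresses
        self.leases[mac] = Lease(net, gateway, client)
        return self.leases[mac]

    def release(self, mac: str) -> None:
        lease = self.leases.pop(mac)
        self._free.append(lease.network)


class FlatScope:
    """The misconfiguration: every client shares one subnet and broadcast domain."""

    def __init__(self, pool: str):
        net = ipaddress.ip_network(pool)
        hosts = iter(net.hosts())
        self.network, self.gateway = net, next(hosts)
        self._hosts = hosts
        self.leases = {}

    def lease(self, mac: str) -> Lease:
        if mac not in self.leases:
            self.leases[mac] = Lease(self.network, self.gateway, next(self._hosts))
        return self.leases[mac]


def share_segment(a: Lease, b: Lease) -> bool:
    """True when two clients sit on the same subnet, i.e. each can see the
    other's broadcast traffic and plausibly clone its MAC address."""
    return a.network == b.network


if __name__ == "__main__":
    good, bad = PerClientScopes("10.20.0.0/24"), FlatScope("10.30.0.0/24")
    for mac in ("00-00-00-00-00-01", "00-00-00-00-00-02"):   # constructed MACs
        print("per-client:", good.lease(mac), "flat:", bad.lease(mac))
    print("shared (/30):", share_segment(good.lease("00-00-00-00-00-01"),
                                          good.lease("00-00-00-00-00-02")))
    print("shared (flat):", share_segment(bad.lease("00-00-00-00-00-01"),
                                           bad.lease("00-00-00-00-00-02")))
```

The cost of the /30 layout is address space: a /24 pool yields only 64 client scopes, which is why the untrusted-side pool is usually drawn from private space that never leaves the CAS.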

Certified-Device Timers

MAC spoofing can also be limited with timers for certified devices. Timers let administrators clear the list of certified MAC addresses on a regular basis, forcing devices and users to re-authorize with the Clean Access Server and shrinking the window in which a cloned MAC address remains useful. Certified devices can be cleared based on user role, time and date, and age of certification; a staggered mode clears them in batches so that not every device has to re-authenticate at once.
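The timer policy just described, as an added example that is not Cisco's code: certified entries are selected by age and optionally by role, cleared oldest first in batches of a fixed size, and a helper counts how many timer runs it takes to drain the eligible set. The record layout, role names, batch policy and the entries below are assumptions and constructed values.

```python
"""Certified-device timer: clear certified MAC addresses by role and age in
staggered batches. Added example, not Cisco code: record layout, roles,
batch policy and entries are assumptions/constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Certified:
    mac: str
    role: str
    certified_at: datetime


def expired(entries, now, max_age, roles=None):
    """Entries certified more than max_age ago, restricted to `roles` when
    given, oldest first."""
    hits = [e for e in entries
            if now - e.certified_at > max_age and (roles is None or e.role in roles)]
    return sorted(hits, key=lambda e: e.certified_at)


def staggered_clear(entries, now, max_age, batch, roles=None):
    """One timer run: clear at most `batch` expired entries, oldest first.
    Returns (kept, cleared), both in the original list order."""
    doomed = {e.mac for e in expired(entries, now, max_age, roles)[:batch]}
    kept = [e for e in entries if e.mac not in doomed]
    cleared = [e for e in entries if e.mac in doomed]
    return kept, cleared


def runs_to_drain(entries, now, max_age, batch, roles=None):
    """Timer runs needed until nothing eligible remains. A batch of zero
    would never drain, so it is rejected."""
    if batch < 1:
        raise ValueError("batch must be >= 1")
    runs = 0
    while expired(entries, now, max_age, roles):
        entries, _ = staggered_clear(entries, now, max_age, batch, roles)
        runs += 1
    return runs


# Constructed reference time, policy and certified list.
NOW = datetime(2008, 3, 1, 8, 0)
WEEK = timedelta(days=7)
CERTIFIED = [
    Certified("00-00-00-00-00-01", "student", NOW - timedelta(days=10)),
    Certified("00-00-00-00-00-02", "student", NOW - timedelta(days=9)),
    Certified("00-00-00-00-00-03", "staff", NOW - timedelta(days=8)),
    Certified("00-00-00-00-00-04", "student", NOW - timedelta(days=2)),
    Certified("00-00-00-00-00-05", "staff", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    kept, cleared = staggered_clear(CERTIFIED, NOW, WEEK, batch=2)
    print("cleared this run:", [e.mac for e in cleared])
    print("still certified:", [e.mac for e in kept])
    print("runs to drain at batch=2:", runs_to_drain(CERTIFIED, NOW, WEEK, batch=2))
```

Clearing by age is what bounds the lifetime of a cloned MAC address; the batch size trades that bound against the re-authentication burst the CAS and the users have to absorb on each run.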

Complaints

Cisco NAC Appliance has been criticized for disrupting users' Internet connections, since it treats a continuous connection between a computer and a server or another computer as suspicious activity. This is a problem for Skype and webcam use as well as for online games such as World of Warcraft, where the disruption logs the player off the game server. Users who have encountered this rather blunt form of enforcement have voiced their frustration in forums and in Facebook groups and posts. [4]


References

  1. "Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later". cisco.com.
  2. "Release Notes for Cisco Clean Access (NAC Appliance) Version 3.6(4)". Archived from the original on 2006-08-29.
  3. "Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(2)". Archived from the original on 2007-10-12.
  4. "CCIE Labs Workbook". Retrieved 2018-02-15.