Module 1: Cisco NAC Endpoint Security Solutions
Lesson 1: Introducing Cisco Self-Defending Networks

Changing Landscape of Security
* A network can no longer be secured by simply securing the network perimeter.
* Wireless and mobility have made network boundaries more ambiguous.
* E-commerce infrastructure has introduced a new set of vulnerabilities.
* Viruses and worms and their rate of propagation have enormous impact on businesses.
* HIPAA has forced fundamental changes in the manner in which corporate networks, servers, databases, and hosts are organized.

Need for Effective Network Security
The key abilities of effective network security are:
* Comprehensive end-to-end security
* Network integration
* Built-in intelligence
* Adaptive security solutions

Cisco Host Security Strategy
* Endpoint Protection: Cisco Security Agent
  - Alleviates patching and signature update pressure with behavior-based protection technology
* Cisco NAC
  - Preserves enterprise resilience by auditing and enforcing adherence to corporate endpoint security policies when accessing the network
* Network Infection Containment
  - Limits the severity of infections by reducing the response time spent identifying and isolating infected systems and cleaning traffic

Building a Cisco SDN
* The Cisco SDN strategy describes the Cisco vision for security systems.
* The foundation for a Cisco SDN is integrated security.
* Creating a "security ecosystem" includes elements of security products, technologies, and services.

Evolution of Cisco Security Strategy
[Slide graphic; only the following fragments are legible.]
* Secure connectivity, threat defense, trust, and identity
* ... policies
* NAC, Identity-Based Network Services, Cisco Structured Wireless-Av...
* Application recognition and inspection for secure application ...

Critical Elements of the SDN
Three elements are critical to effective network security:
* Threat Defense System
* Secure Connectivity System
* Trust and Identity Management System

[Three-column slide table; the column headings are not legible.]
First column:
* Creates trusted network domains
* Expands LAN access securely
* Auto-VLAN creation and assignment based on policy
* Prevents rogue access points
* Wired or wireless
Second column:
* Endpoint policy enforcement
* Evaluates, permits, denies, redirects (restricts, quarantines, or remediates)
* Ensures that network ... reaches all access devices
* Extends function of CSA, anti-X, third-party solutions
Third column:
* Guarantees identity and integrity of entities
* Provides network visibility and management
* Allows for secure management of remote devices
* Provides AAA services
Solutions, in the order they appear on the slide:
* Solution: ACS
* Solution: 802.1X, ACS
* Solution: Cisco NAC solutions, CTA, CSA

Cisco NAC Products
Cisco NAC Framework (Traditional Cisco NAC)
* Software module embedded within NAC-enabled products
* Integrated framework leveraging multiple Cisco and NAC-aware vendor products
Cisco NAC Appliance
* In-band NAC Appliance solution can be used on any switch or router platform
* Self-contained, turnkey solution

* Offers customers a deployment timeframe choice
* Adapts to customer investment protection requirements

Differentiating NAC Products
[Slide graphic. Legible labels: Unknown Threats; Known Threats; Cisco NAC-Enabled Architecture; Cisco Trust Agent; Cisco NAC Appliance; Cisco Trust Posture Agent; Cisco Security Agent.]

[Two-column comparison of host agents; partly illegible.]
First column:
* Host agent software
* Aggregates credentials from posture ... Agent and antivirus vendors
* Communicates with NAC-aware network devices such as NAC-enabled routers and switches
Second column:
* Host agent software
* Implements vulnerability assessment by providing files, registry, service, and application checks
* Communicates with Cisco NAM and ...

Differentiating NAC Products (Cont.)
[Diagram. Legible labels: Hosts Attempting Network Access; Network Access Devices; Policy Server Decision Points and Remediation; Enforcement; Credentials; AAA Server; Vendor Servers; Posture Agent; EAP/UDP, EAP/802.1X; RADIUS; Comply?; Notification; Access Rights; Cisco NAM; Cisco.com; Update Server; UDP (discovery); SNMP; Comply or Fix (Windows, Symantec, McAfee, Trend, Sophos, Zone, CA, etc.).]

Summary
* Complexity of networks and network vulnerabilities require adaptive and proactive defenses.
* The Cisco SDN initiative has the ability to identify, prevent, and adapt to threats using three phases:
  - TDS
  - Secure Connectivity System
  - Trust and Identity Management System
* Cisco NAC is an important solution component of the Trust and Identity Management System.
* Cisco NAC Appliance provides networks with the ability to identify, prevent, and adapt to security threats.
