KEEPING YOUR NETWORK CLEAN WITH CISCO CLEAN ACCESS (CCA)
Tom Leary-Southeast Sales Specialists
tleary@cisco.com
Tom Blodgett-SE
tblodget@cisco.com
© 2004 Cisco Systems, Inc. All rights reserved.
Agenda
• Education Challenges
• Cisco = Security
• Clean Access Overview
• Roadmap
• Demo
Challenges in Education
• Diverse User Community: Students, Staff, Visiting
Professors, Conference Attendees
• Balance: Network Security / Core Academic Values
• Pain Points:
– Helpdesk
– Network downtime and crashes due to unmanaged user systems
– No effective method of enforcing network policy
• Liability: Criminal and Civil
“Colleges have a well deserved reputation for lax security. As a
result they risk increased insurance costs and expensive
lawsuits.” - Michael McRobbie - VP of IT, Indiana University
Challenges in Education
• Spiking: Fall/Spring/Winter Semester
• Assets: Medical information; SS#’s
• Network: Wireless and Wireline
• Cost: One virus/worm incident costs $100,000*.
*Source: ICSA 2003 Annual Virus Survey
• Sources of infection can come from:
– Unmanaged student laptops
– Visiting scholars and guests
– Conference attendees
Education Customer Sampling
• 2 Million end users on CCA protected networks
• Over 400 education customers deployed
• Considered “de facto” solution among higher
education for network admission control
Cisco is Committed to Security
• Last year, we spent $300M in just security R&D, 10% of our R&D budget. ($300M is more than all of the other security vendors, combined.)
• We've acquired seven security companies since 2002.
• All of that technology has made it to the street in short order (Psionics/CTR, Okena/CSA, Twingo, Riverhead/Guard-Detector, Perfigo, Protego).
• We are the number one vendor, no matter how you slice it, in firewalls, intrusion detection, and VPN.
• We have a long-term vision that is keeping us relevant and on-track (End-point security, Active-X Defense System, Self-Defending Network Initiative).
Security Acquisitions
• Airespace, Inc – Wireless (management and NIDS) – Jan 2005
• Protego – Security Alert Processing – Dec 2004
• Perfigo – Cisco Clean Access – Oct 2004
• Riverhead – Cisco Guard/Detector – Mar 2004
• Twingo – SSL (Clientless) VPN – Mar 2004 (Twelve in 2004)
• Okena – Cisco Security Agent – Jan 2003 (Four in 2003)
• Psionics – Cisco Threat Response – Oct 2002 (Five in 2002)
• Allegro Systems – VPN Acceleration – Jul 2001 (Two in 2001)
• Arrowpoint – Content Acceleration – May 2000
• Altiga – Remote Access VPN – Jan 2000
• Compatible Systems – Service Provider VPN – Jan 2000 (Twenty-three in 2000)
• The Wheel Group in 1998
Network Security
• Do you have a security policy in place?
• Are you enforcing your security policy company-wide?
• Will your existing networking infrastructure allow you to provide threat defense and enforce your security policy?
• Does your security strategy consider desktop-to-Internet access protection with unified management?
• Do you have sufficient control over end users' desktops and laptops?
• Are you currently able to protect against and identify network threats that disrupt your business?
Self Defending Network Strategy
Cisco strategy: an initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats.
SDN Foundations:
CONTINUOUS TECHNOLOGY INNOVATION
• Endpoint Security
• Application Firewall
• SSL VPN
• Network Anomaly Detection
INTEGRATED SECURITY
• Secure Connectivity
• Threat Defense
• Trust & Identity
SYSTEM LEVEL SOLUTIONS
• Endpoints
• Network
• Services
• Partnerships
Cisco NAC Umbrella: Two Models
NAC FRAMEWORK (Traditional Cisco NAC)
• Sold through NAC-enabled products
• Integrated solution leveraging Cisco network and vendor products
NAC APPLIANCE (Leverages Cisco Clean Access)
• Sold as virtual or integrated appliance
• Self-contained product; integrates with but does not rely on partners
Both models:
• Offer customers a deployment timeframe choice
• Adapt to customers' investment protection requirements
PRODUCT OVERVIEW
9101_01_2004_c1
What Does Clean Access Do?
Before allowing users onto the network, whether it's a wired or wireless network, Clean Access:
• Recognizes: users, device, and role (guest, employee, contractor)
• Evaluates: identifies vulnerabilities on devices
• Enforces: eliminates vulnerabilities before network access
Key Cisco Clean Access Features
All-in-one policy compliance and remediation solution
• Role-based authentication
– Clean Access Server enforces authorization policies and privileges
– Supports multiple user roles (e.g. guests, employees, and contractors)
• Scans for security requirements
– Agent scan for required versions of hotfixes, AV, and other software
– Network scan for virus and worm infections
– Network scan for port vulnerabilities
• Network quarantine
– Isolate non-compliant machines from rest of network
– MAC- & IP-based quarantine effective at a per-user level
• Repair and update
– Network-based tools for vulnerability and threat remediation
– Help-desk integration
Cisco Clean Access Components
• Cisco Clean Access Server
– Formerly CleanMachines SmartServer
– Serves as an inline or out-of-band device for network access control
• Cisco Clean Access Manager
– Formerly CleanMachines SmartManager
– Centralizes management for administrators, support personnel, and operators
• Cisco Clean Access Agent
– Formerly CleanMachines SmartEnforcer
– Optional client for device-based registry scans in unmanaged environments
The Birds-Eye View: Cisco Clean Access
THE GOAL
[Diagram: end-user host, Cisco Clean Access Server, Cisco Clean Access Manager, Authentication Server, Quarantine Role, Intranet/Network]
1. End User Attempts to Access a Web Page or Uses an Optional Client
• Network access is blocked until end user provides login information
2. User Is Redirected to a Login Page
• Clean Access validates username and password; also performs device and network scans to assess vulnerabilities on the device
3a. Device Is Non-Compliant or Login Is Incorrect
• User is denied access and assigned to a quarantine role with access to online remediation resources
3b. Device Is "Clean"
• Machine gets on "clean list" and is granted access to network
End User Experience: with Agent
1. Login screen
2. Scan is performed (types of checks depend on user role)
3. Scan fails
4. Remediate
End User Experience: Web-based
1. Login screen
2. Scan is performed (types of checks depend on user role/OS)
3. Click-through remediation
Pre-Configured Clean Access Checks
Critical Windows Update
– Windows XP, Windows 2000, Windows 98, Windows ME
Symantec
– Norton AntiVirus 2005 v. 11.0.x
– Norton AntiVirus 2004 v. 10.x
– Norton AntiVirus 2004 Professional v. 10.x
– Norton Internet Security 2004
– Norton AntiVirus 2003 v. 9.x
– Norton AntiVirus 2003 Professional v. 9.x
– Norton AntiVirus 2002 Professional v. 8.x
– Norton AntiVirus Corporate Edition v. 7.x
– Symantec Internet Security 2005 Edition 8.0.x
– Symantec AntiVirus Scan Engine Edition 8.0.x
– Symantec AntiVirus Corporate Edition v. 9.x
– Symantec AntiVirus Corporate Edition v. 8.x
McAfee
– McAfee VirusScan Enterprise v. 8.0i beta
– McAfee VirusScan Enterprise Edition v. 7.5
– McAfee VirusScan Enterprise Edition v. 7.1
– McAfee VirusScan Enterprise Edition v. 7.0
– McAfee VirusScan Enterprise Edition v. 4.5.x
– McAfee VirusScan Professional Edition v. 8.0.x
– McAfee VirusScan Professional Edition v. 7.x
– McAfee VirusScan ASaP
Trend Micro
– Trend Micro Internet Security v. 12.x
– Trend Micro Internet Security v. 11.2
– Trend Micro Internet Security v. 11.0
– Trend Micro OfficeScan Corporate Edition v. 6.x
– Trend Micro OfficeScan Corporate Edition v. 5.x
– Trend Micro PC-Cillin 2004
– Trend Micro PC-Cillin 2003
Sophos
– Sophos Anti-Virus Enterprise v. 3.x
Cisco Systems
– Cisco Security Agent v. 4.x
Clean Access allows customers to add custom checks for other applications.
Pre-Configured Checks (cont’d)
Computer Associates (eTrust)
– Computer Associates eTrust Antivirus v. 7.x
– Computer Associates eTrust EZ Antivirus v. 6.2.x
– Computer Associates eTrust EZ Antivirus v. 6.1.x
F-Secure
– F-Secure Anti-Virus for Workstations TBYB 5.x
– F-Secure Anti-Virus Client Security 5.x
– F-Secure Anti-Virus 2004 5.x
Panda
– Panda Titanium Anti-Virus 2004 v. 3.x
– Panda Anti-Virus Platinum v. 7.x
– Panda Anti-Virus Platinum v. 6.x
– Panda Internet Security Platinum v. 8.x
– Panda Anti-Virus Light v. 1.9x
Kaspersky
– Kaspersky Anti-Virus Personal v. 5.x
– Kaspersky Anti-Virus Personal v. 4.x
– Kaspersky Anti-Virus Personal Pro v. 4.x
SOFTWIN (BitDefender)
– BitDefender Free Edition v. 7.x
– BitDefender Standard/Professional Edition 7.x
– BitDefender Standard v. 8.0.x
– BitDefender Professional Plus v. 8.0.x
Grisoft (AVG)
– AVG Antivirus v. 7.0
– AVG Antivirus v. 6.0
– AVG Antivirus v. 6.0 Free Edition
Frisk Software International
– F-Prot Antivirus v. 3.x
SalD
– DrWeb Antivirus v. 4.31b
Eset
– NOD32 Antivirus system NT/2000/2003/XP 2.0
Authentium
– Authentium Command Anti-Virus Enterprise 4.x
Zone Labs
– ZoneAlarm with Antivirus v. 5.x
Inline Deployment Options
FEATURES:
• VLAN trunking support
• ~1 GB/sec throughput support
• Failover support
[Diagram: Border Router, Firewall, Core Switch and Intranet, with CCA Manager and Authentication Server; CCA Server placements shown for Bridged Central Deployment, Routed Central Switch Deployment, and Edge Deployment]
Multiple Deployment Options
Out-of-band: for high-throughput environments; for deployment in
• Campus environments
• Branch offices
• Extranet environments
• Highly routed environments
Inline: supports environments including
• Wireless
• Hubs
• Shared media
CCA: User Access, Non-certified Machine
[Diagram: host with CCA Agent attached to a switch; CCA Manager and CCA Server on the network; numbered arrows 1-7 correspond to the steps below]
1. End user attaches host to network
2. Switch sends MAC address via SNMP-based alert to CCA Manager
3. CCA Manager decides whether host has been previously certified
4. If NO, CCA Manager instructs switch to put device on quarantine VLAN.
– CCA Server acts as a gateway or bridge for the quarantine VLAN
– CCA Server intercepts device request
– Performs posture assessment and remediation
5. CCA Server certifies MAC address and forwards to CCA Manager
6. CCA Manager instructs switch to change to the appropriate VLAN
7. Host is granted access to network
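The out-of-band flow above and the role-based agent checks from the Key Features slide, modelled as an added example (not Cisco code): the VLAN ids, the per-role policy table, the hotfix name and the host inventories are constructed assumptions.

```python
# Constructed model of the out-of-band admission flow (steps 1-7) plus the
# role-based agent checks from the "Key Features" slide. Added example, not
# Cisco code: VLAN ids, the policy table and the hotfix name are assumptions.
QUARANTINE_VLAN = 999                                  # assumed quarantine VLAN
ROLE_VLAN = {"student": 10, "staff": 20, "guest": 30}  # assumed access VLANs
# Per-role requirements: minimum version per accepted AV product plus
# required hotfixes. Guests only authenticate and get no posture checks.
POLICY = {
    "student": {"av": {"Symantec AntiVirus Corporate Edition": (9, 0)},
                "hotfixes": {"HOTFIX-PLACEHOLDER-1"}},
    "guest": {"av": {}, "hotfixes": set()},
}
def assess_posture(role, inventory):
    """Return the list of failed checks; an empty list means compliant."""
    pol, failures = POLICY[role], []
    av_name, av_ver = inventory.get("av", (None, (0,)))
    if pol["av"]:
        need = pol["av"].get(av_name)
        if need is None:
            failures.append("no supported AV product found")
        elif tuple(av_ver) < need:
            failures.append(f"{av_name} {av_ver} older than {need}")
    missing = pol["hotfixes"] - set(inventory.get("hotfixes", ()))
    failures += [f"missing hotfix {h}" for h in sorted(missing)]
    return failures

class CCAManager:
    """Holds the certified-MAC list and drives the switch (simulated SNMP)."""
    def __init__(self):
        self.certified = {}     # mac -> role, filled in step 5
        self.switch_log = []    # (mac, vlan) instructions sent to the switch

    def host_attached(self, mac):
        # Steps 2-4: MAC trap from the switch. A previously certified host
        # goes straight to its role VLAN; anything else is quarantined.
        if mac in self.certified:
            return self._set_vlan(mac, ROLE_VLAN[self.certified[mac]])
        return self._set_vlan(mac, QUARANTINE_VLAN)
    def server_result(self, mac, role, inventory):
        # Steps 5-6: CCA Server reports its assessment. On success the MAC is
        # certified and moved to the role VLAN; otherwise it stays quarantined.
        failures = assess_posture(role, inventory)
        if not failures:
            self.certified[mac] = role
            self._set_vlan(mac, ROLE_VLAN[role])
        return failures

    def _set_vlan(self, mac, vlan):
        self.switch_log.append((mac, vlan))
        return vlan
```

A host that fails assessment stays on the quarantine VLAN with the failure list available for remediation; once certified, its MAC skips the quarantine step on the next attach, which is why the certified list needs the same care as any other allow-list.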
CCA: Other Roadmap Items
• In-line L3 multi-hop support (Jul 2005)
• Remote Access support (Jul 2005)
• Wireless support for Airespace (avail now)
• Wireless support for VPN (avail now)
• Enhanced support for Anti-Spyware apps (Jul 2005)
• NAC Appliance for the commercial market (Sep 2005)
• Auto Launching Clean Access Agent (Oct 2005)
• CCA on NAC Framework (TBD)
THANK YOU.