Cisco NAC Appliance: Enforcing Host Security with Clean Access

  • Edition: 1st
  • Format: Paperback
  • Copyright: 2007-08-06
  • Publisher: Cisco Press
  • List Price: $67.00



The ultimate reference guide for the Cisco NAC (Network Access Control) Appliance with easy-to-follow guides to major security applications.

Author Biography

About the Author

Jamey Heary, CCIE No. 7680, is currently a security consulting systems engineer at Cisco Systems, Inc., and works with its largest customers in the Northwest United States. Jamey joined Cisco in 2000. He currently leads its Western Security Asset team and is a field advisor for the U.S. Security Virtual team. Prior to working at Cisco, he worked for the Immigration and Naturalization Service as a network consultant and project leader. Before that he was the lead network and security engineer for a financial firm whose network carries approximately 12 percent of the global equities trading volume worldwide. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. He has been working in the IT field for 13 years and in IT security for 9 years. He has a BS from St. Lawrence University.


About the Contributing Authors

Jerry Lin, CCIE No. 6469, is a consulting systems engineer for Cisco and is based in southern California. He specializes in security best practices. Jerry has worked with a variety of Cisco enterprise customers in areas such as software development, local government agencies, K-12 and universities, high tech manufacturing, retail, and health care, as well as managed web-hosting service provider customers. He holds his CCIE in routing and switching as well as in CCDP and CISSP. Jerry has been working in the IT industry for the past 12 years. During the late 1990s, he worked as a technical instructor. Jerry earned both a bachelor’s degree and a master’s degree in mechanical engineering from the University of California, Irvine.


Chad Sullivan, CCIE No. 6493 (Security, Routing and Switching, SNA/IP), CISSP, CHSP, is a senior security engineer and owner of Priveon, Inc., which provides leading security solutions to customers globally. Prior to starting Priveon, Chad worked as a security consulting systems engineer at Cisco. Chad is recognized within the industry as one of the leading implementers of the Cisco Security Agent product and is the author of both Cisco Press books dedicated to the Cisco Security Agent.


Alok Agrawal is the technical marketing manager for the Cisco NAC Appliance (Clean Access) product. He leads the technical marketing team developing technical concepts and solutions and driving future product architecture and features. He works with the Cisco sales and partner community to scale the adoption of the NAC Appliance product line globally. Prior to joining the Cisco Security Technology Group, he worked in the switching team of the Cisco Technical Assistance Center. He has a strong background in routing and switching and host security design and implementation. Alok holds a master’s degree in electrical engineering from the University of Southern California and a bachelor’s degree in electronics engineering from the University of Mumbai.

Table of Contents

Introduction
The Host Security Landscape
The Weakest Link: Internal Network Security
Security Is a Weakest-Link Problem
Hard Outer Shell with a Chewy Inside: Dealing with Internal Security Risks
The Software Update Race: Staying Ahead of Viruses, Worms, and Spyware
Summary
Introducing Cisco Network Admission Control Appliance
Cisco NAC Approaches
NAC as an Appliance
NAC as an Embedded Solution
Cisco NAC Integrated Implementation
Cisco NAC Appliance Overview
Cisco NAC Return on Investment
Summary
The Blueprint: Designing a Cisco NAC Appliance Solution
The Building Blocks in a Cisco NAC Appliance Design
Cisco NAC Appliance Solution Components
Cisco NAC Appliance Manager
Cisco NAC Appliance Server
Cisco Clean Access Agent
Cisco NAC Appliance Network Scanner
Cisco NAC Appliance Minimum Requirements
Cisco NAC Appliance Manager and Server Requirements
Cisco Clean Access Agent Requirements
Scalability and Performance of Cisco NAC Appliance
Summary
Making Sense of All the Cisco NAC Appliance Design Options
NAC Design Considerations
Single-Sign-On Capabilities
In-Band Versus Out-of-Band Overview
Layer 2 Versus Layer 3 Client Adjacency Overview
Virtual Gateway Versus Real IP Gateway Overview
Deployment Options
Table of Contents provided by Publisher. All Rights Reserved.


Introduction

Almost every contemporary corporation and organization has acquired and deployed security solutions or mechanisms to keep its networks and data secure. Hardware and software tools such as firewalls, network-based intrusion prevention systems, antivirus and antispam packages, host-based intrusion prevention solutions, and vulnerability scanners have proven effective to a certain degree, but only if they are kept up to date. For example, classic virus attacks sent via e-mail attachments, such as netsky and MyDoom, can easily be detected and prevented by any up-to-date antivirus and antispam software package. The key to stopping host attacks is being able to proactively enforce security policies that ensure all hosts must be fully patched and have up-to-date security software running before allowing them full network access. Existing security solutions do not proactively stop a PC from entering the network if its security software and operating system software are not current. Frequently, users will manually disable their host security software because it either reduces the overall performance of their PC or prevents an application from installing.
When antivirus and antispam packages are out of date or not running, the likelihood of PC virus infections increases. This in turn increases the overall security risk to the organization.

The same principle applies to OS hotfixes. Take Microsoft Windows as an example. If you fail to implement new Windows security hotfixes in a timely manner to address newly discovered vulnerabilities, the probability of those unpatched hosts being compromised, or "owned," greatly increases. This can result in a loss of productivity due to system downtime, theft of company and personal confidential information, or unauthorized access to sensitive information. Unfortunately, loss of a client's confidential information us
