CCNP Network Engineer must know: NAC Network Admission Control
Network Admission Control (NAC) is a program initiated by Cisco with the participation of multiple vendors. Its purpose is to keep emerging attack technologies such as viruses and worms from harming corporate security. With NAC, a customer can allow only legitimate, trusted terminal devices (such as PCs, servers, and PDAs) onto the network and keep all other devices off it.
According to the 2005 CSI/FBI Security Report, although security technology has been developing for many years and organizations have spent millions of dollars implementing it, viruses, worms, spyware and other forms of malware remain the main problem organizations face. The large number of security incidents an organization encounters every year causes system interruption, loss of revenue, data damage or destruction, and reduced productivity, all of which have a huge economic impact on the organization.
Clearly, traditional security solutions alone cannot solve these problems. Cisco therefore developed a comprehensive security solution that combines leading antivirus, security, and management products to ensure that all devices in the network environment comply with security policy. NAC lets you analyze and control every device that tries to access the network. By ensuring that each terminal device complies with corporate security policy (for example, that current security protection measures are running on it), organizations can significantly reduce or even eliminate the terminal devices that are common sources of infection or that otherwise harm the network.
Although most organizations use identity management and authentication, authorization, and accounting (AAA) mechanisms to authenticate users and assign them network access rights, these do little to verify the security status of the user's terminal device. Without an accurate way to assess a device's condition, even the most trusted user may inadvertently connect an infected or improperly protected device and expose every user on the network to great risk.
NAC offers the following benefits:
1. Helps ensure that all user devices on the network comply with the security policy, greatly improving network security regardless of network scale and complexity. By proactively defending against worms, viruses, spyware, and malware, organizations can focus on active defense rather than passive response.
2. Extends the value of existing Cisco networks and of antivirus, security, and management software through broad deployment and integration by well-known vendors.
3. Detects and controls all devices that try to connect to the network regardless of access method (router, switch, wireless, VPN, dial-up, and so on), improving enterprise continuity and scalability.
4. Prevents non-compliant and unmanaged terminal devices from affecting network availability or user productivity.
5. Reduces the operating costs associated with identifying and repairing non-compliant, unmanaged and infected systems.
There are usually 5 types of admission control:
1. 802.1x admission control
The advantage of 802.1x admission control is that, when the switch supports the 802.1x protocol, it can truly protect the network boundary at the access port. The disadvantage is that it is not compatible with older switches, which must be replaced with new ones. In addition, a terminal attached to a switch on which 802.1x is not enabled cannot be controlled at all.
2. DHCP admission control
The advantage of DHCP admission control is its compatibility with older switches. The disadvantage is that it is not as powerful as the 802.1x approach.
3. Gateway type admission control
Gateway-type admission control is not strictly admission control: it does not control whether a terminal joins the network, only whether the terminal's traffic may leave the network through the gateway. At the same time, the gateway becomes a bottleneck at the network exit, and an exit failure affects every terminal behind it.
4. MVG admission control
Its predecessor was Cisco's VG (Virtual Gateway) technology, which only supports Cisco equipment. Inspired by it, some domestic companies developed MVG (Multi-Vendor Virtual Gateway) technology, which supports almost all switch equipment on the market.
5. ARP type admission control
ARP admission control is implemented through ARP spoofing. ARP spoofing is in effect a disguised virus and easily causes network congestion. As more and more terminals install ARP firewalls, ARP admission control stops working in those environments.
The main advantages of NAC include:
① Large control range: it can detect all access methods a host uses to connect to the network, including campus network switching, wireless access, router WAN links, IPSec remote access and dial-up access;
② Leverages network and antivirus investment: NAC combines the existing investment in network infrastructure with antivirus technology to perform a host health check on every terminal that accesses the network;
③ Strong control: it usually uses an isolation and repair area at the network level, so the terminal can be controlled before it accesses the network and its service data.
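As an added example (not part of the original article), the following Cisco IOS switch configuration shows how the 802.1x admission control of type 1 above and the network-level isolation and repair area of advantage ③ fit together on one access port: a terminal that fails the health check, has no 802.1x supplicant, or arrives while the RADIUS server is unreachable is placed in a quarantine VLAN instead of the user VLAN. The VLAN IDs, RADIUS server address and shared secret are constructed placeholders.

```text
! Added example, not from the article: 802.1x port admission with a
! quarantine (isolation and repair) VLAN. Addresses, VLAN IDs and the
! RADIUS key are constructed placeholders; replace them for a real deployment.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server NAC-POLICY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
vlan 10
 name USERS
vlan 99
 name QUARANTINE
!
interface GigabitEthernet1/0/1
 description Access port, 802.1x-controlled
 switchport mode access
 switchport access vlan 10
 ! Port stays unauthorized until the supplicant passes the RADIUS check
 authentication port-control auto
 authentication host-mode multi-auth
 ! Health check failed: move the endpoint to the quarantine VLAN for repair
 authentication event fail action authorize vlan 99
 ! No supplicant (legacy or unmanaged device): quarantine rather than grant access
 authentication event no-response action authorize vlan 99
 ! RADIUS unreachable: new endpoints go to quarantine instead of the port staying closed
 authentication event server dead action authorize vlan 99
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Verify the resulting state per port with `show authentication sessions interface GigabitEthernet1/0/1`, which reports the assigned VLAN and whether the session is authorized.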
This article is exclusively published by James from IELAB.NETWORK and cannot be reproduced without permission.