Hi Max,
 
Thanks for your comments. Currently our AV (Trend OfficeScan) has no
integration with NAP which is a bit of a worry. To get full AV update
support with NAP we may have to move to another vendor. The problem I
can see currently with NAP is that it won't work natively with Cisco VPN
clients (to the best of my knowledge).

For now I think we will just implement domain authentication with wired
802.1X to at least authenticate the user before allowing access to
network resources. This obviously won't allow for remediation but
hopefully we will look to implement this in the future as NAP becomes a
more mature technology.
 
Thanks again,
 
 
Aaron Riemer
Network Engineer | Wesfarmers Energy 
Campus Drive (off Murdoch Drive) | Murdoch  WA  6150
ph 08 9312 9571 
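
[Editor's note: added example, not code from Aaron, Max or either vendor.] The wired 802.1X domain authentication described above, staged on a Windows Vista-or-later domain member with the built-in supplicant: PEAP (EAP type 25) carrying MSCHAPv2 (type 26) with the Windows logon credentials, machine-or-user authentication, and server certificate validation pinned to one CA. The interface name, NPS server name and CA thumbprint are placeholders (marked ASSUMED in the code); the profile XML follows the schema `netsh lan export profile` emits.

```powershell
# Added example (not from the thread): stage wired 802.1X domain authentication
# on a Windows Vista-or-later domain member using the built-in supplicant.
# PEAP (EAP type 25) wraps MSCHAPv2 (type 26) with the Windows logon credentials,
# and server validation is pinned to one CA so a rogue RADIUS server on a wall
# port cannot harvest the MSCHAPv2 exchange. Run from an elevated PowerShell session.
param(
    # ASSUMED placeholders: replace with your own values.
    [string]$Interface  = 'Local Area Connection',                    # see: netsh lan show interfaces
    [string]$ServerName = 'nps.corp.example',                         # subject/SAN name on the NPS certificate
    [string]$CaThumb    = '0123456789abcdef0123456789abcdef01234567'  # SHA-1 thumbprint of the issuing CA
)

function Enable-WiredAutoConfig {
    # The Wired AutoConfig service (dot3svc) is Manual by default; until it runs
    # the Ethernet adapter never answers EAPOL, whatever the profile says.
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc
}

function New-WiredDot1xProfileXml {
    param([string]$ServerName, [string]$CaThumb)
    # netsh stores the CA thumbprint as space-separated hex byte pairs.
    $hex     = ($CaThumb -replace '[^0-9a-fA-F]', '').ToLower()
    $caBytes = ([regex]::Matches($hex, '..') | ForEach-Object { $_.Value }) -join ' '
    return @"
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <!-- Fail closed: no "accept this certificate?" prompt the user can click through -->
                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                    <ServerNames>$ServerName</ServerNames>
                    <TrustedRootCA>$caBytes</TrustedRootCA>
                  </ServerValidation>
                  <FastReconnect>true</FastReconnect>
                  <InnerEapOptional>false</InnerEapOptional>
                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                    <Type>26</Type>
                    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                      <UseWinLogonCredentials>true</UseWinLogonCredentials>
                    </EapType>
                  </Eap>
                  <!-- false = authentication only; true is the "Enforce Network Access Protection" switch for NAP -->
                  <EnableQuarantineChecks>false</EnableQuarantineChecks>
                  <RequireCryptoBinding>false</RequireCryptoBinding>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"@
}

function Install-WiredDot1xProfile {
    param([string]$Interface, [string]$ProfileXml)
    # Written under %windir%\Temp rather than the user's temp so the path has no spaces.
    $path = Join-Path $env:windir 'Temp\wired-dot1x.xml'
    [System.IO.File]::WriteAllText($path, $ProfileXml)
    netsh lan add profile filename="$path" interface="$Interface"
    Remove-Item -Path $path -Force
}

function Show-WiredDot1xState {
    param([string]$Interface)
    # State should read "Authenticated" once the switch port and the NPS policy agree.
    netsh lan show interfaces
    netsh lan show profiles interface="$Interface"
}

Enable-WiredAutoConfig
$profileXml = New-WiredDot1xProfileXml -ServerName $ServerName -CaThumb $CaThumb
Install-WiredDot1xProfile -Interface $Interface -ProfileXml $profileXml
Show-WiredDot1xState -Interface $Interface
```

Save as a .ps1 and run it elevated on a test machine plugged into a port with 802.1X enabled; in production the same profile is normally pushed through the Wired Network (IEEE 802.3) Group Policy rather than per-host. The lines that matter for security are the ServerValidation block: with DisableUserPromptForServerValidation set to true, a server certificate that is not issued by the pinned CA, or whose name does not match ServerNames, is simply rejected instead of being offered to the user to accept, which is what stops a rogue authenticator from collecting the MSCHAPv2 challenge/response of the logon credentials. EnableQuarantineChecks is left false here because the message above is about authentication only; switching it to true in the same profile (together with the NAP Agent service and the EAP enforcement client on the client) is how the statement of health later rides inside the PEAP tunnel, so the supplicant configuration does not have to be redone when NAP is introduced.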
 
________________________________

From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Caines, Max
Sent: Friday, 1 May 2009 4:02 PM
To: [email protected]
Subject: Re: NAC vs NAP
 
Hi Aaron
 
We currently use Cisco NAC for students in residences, and we tried
using it in OOB mode for staff, but abandoned it as too time-consuming
to support. Since then I've looked at NAP for staff, and although we
aren't using that, I concluded that it would be quite a lot easier to
support. In particular, I think NAP has these advantages:
 
1. No problems with SSO, group policy, roaming profiles etc. These are
difficult if not impossible to do securely under NAC, because many holes
have to be punched in the firewall rules on the CAM.
2. Full integration with Windows Update, so patch status assessment is
not an issue as it sometimes is with Cisco rules.
3. Full integration with Security Center, so AV suppliers are
responsible for making their products work with NAP rather than Cisco.
Every release of NAC seems to be unable to recognize the latest version
of at least one major AV supplier. I don't blame Cisco - these are just
the realities of market power.
4. Use of 802.1X for authentication, which is simpler and more robust
(in my experience) than NAC OOB, plus authentication/authorisation is
completed before the system gets access to the network.
5. No software to install on clients (provided they all run Windows XP
SP3 or Vista).
6. No issues with people using non-local-admin accounts, which need a
workaround on NAC (installation of the helper stub).
7. No hardware/software costs, other than hardware and Windows licences
for NAP servers.
 
Against this there is the doubt always associated with Microsoft and
security, plus NAP is a new product. However, for a new deployment in a
corporate environment I can't see why one would go for NAC. I should say
however that I have no experience using either product with VPNs, so
there could be issues with NAP there that I'm unaware of.
 
Regards
 
Max Caines
IT Services, University of Wolverhampton
Wolverhampton, West Midlands WV1 1SB
Tel: 01902 322245 Fax: 01902 322777
         
        
________________________________

From: Cisco Clean Access Users and Administrators
[mailto:[email protected]] On Behalf Of Aaron Riemer
Sent: 01 May 2009 05:27
To: [email protected]
Subject: [CLEANACCESS] NAC vs NAP

Hi guys,

I am new to network access control / protection and would
appreciate advice in this area. We are looking to enforce our security
policy to ensure workstations connecting remotely via Cisco VPN and to
the LAN are both up to date with Windows patches and virus definitions
(Trend). We are looking at both NAP / NAC. Does anyone have experience
in this area or have any advice to share?

Thanks guys,

Aaron.

LEGAL DISCLAIMER: This message contains confidential information
and is intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system. If you are
not the intended recipient you are notified that disclosing, copying,
distributing or taking any action in reliance on the contents of this
information is strictly prohibited.
