Monday, 10 November 2008

Combine the strengths of infrastructure NAC with an easy-to-deploy software approach
. Compliant PCs act like a "Neighborhood Watch"
. The existing, normal PCs become the infrastructure (enforcers) that quarantines rogues
. Enforcers manage ARP to control and limit a rogue's ability to send and receive traffic on the network
. Enforcers watch for new endpoints, using ARP redirection to protect the network and the community
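The "watch for new endpoints" half of that design is the part a defender can reason about independently of the quarantine mechanism. The following is an added example, not code from the DNAC product or the original post: a passive watcher that parses raw Ethernet/ARP frames, keeps an IP-to-MAC table for the segment, and raises alerts for three conditions an enforcer would care about: an ARP sender MAC that differs from the Ethernet source, a sender MAC that is not on the allowlist of compliant PCs, and an IP that is suddenly claimed by a different MAC. The allowlist, the frame builder and the four sample frames are all constructed for the example; the ARP wire format itself is the standard IPv4-over-Ethernet layout. Only the detection side is shown; the example does not perform the ARP redirection the enforcers use for quarantine.

```python
"""Passive LAN endpoint watcher over Ethernet/ARP frames (added example, not the product's code)."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def _ip_bytes(text: str) -> bytes:
    return bytes(int(x) for x in text.split("."))


@dataclass
class ArpFrame:
    eth_src: str      # source MAC in the Ethernet header
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # hardware address inside the ARP payload
    sender_ip: str
    target_ip: str


def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns an ArpFrame, or None for anything that is not such a frame
    (short frames, other EtherTypes, non-IPv4 or non-Ethernet ARP)."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac_str(src), opcode, _mac_str(sha), _ip_str(spa), _ip_str(tpa))


@dataclass
class EndpointWatcher:
    """Tracks who is on the segment and reports what an enforcer would want to know."""
    compliant: set                              # MACs of PCs known to run the compliance client (assumed allowlist)
    seen: dict = field(default_factory=dict)    # IP -> first MAC observed claiming that IP

    def observe(self, frame: bytes) -> list:
        """Return the alerts raised by one frame (empty list for non-ARP traffic)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        if arp.sender_mac != arp.eth_src:
            alerts.append(f"ARP sender {arp.sender_mac} differs from Ethernet source {arp.eth_src}")
        if arp.sender_mac not in self.compliant:
            alerts.append(f"unknown endpoint {arp.sender_mac} claims {arp.sender_ip}")
        previous = self.seen.get(arp.sender_ip)
        if previous is not None and previous != arp.sender_mac:
            alerts.append(f"IP {arp.sender_ip} moved from {previous} to {arp.sender_mac}")
        if arp.sender_ip != "0.0.0.0":          # ARP probes carry no sender IP; do not record them
            self.seen.setdefault(arp.sender_ip, arp.sender_mac)   # first claim is kept
        return alerts


def build_arp(eth_src, opcode, sender_mac, sender_ip, target_ip):
    """Build a broadcast Ethernet/ARP frame; used here only to construct sample traffic."""
    eth = _mac_bytes("ff:ff:ff:ff:ff:ff") + _mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip) + _mac_bytes("00:00:00:00:00:00") + _ip_bytes(target_ip)
    return eth + arp


# Constructed sample capture: two compliant PCs talking, then a device nobody has seen before.
COMPLIANT = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
SAMPLE_FRAMES = [
    build_arp("00:11:22:33:44:01", ARP_REQUEST, "00:11:22:33:44:01", "10.0.0.11", "10.0.0.1"),
    build_arp("00:11:22:33:44:02", ARP_REPLY,   "00:11:22:33:44:02", "10.0.0.12", "10.0.0.11"),
    build_arp("de:ad:be:ef:00:99", ARP_REQUEST, "de:ad:be:ef:00:99", "10.0.0.50", "10.0.0.1"),
    build_arp("de:ad:be:ef:00:99", ARP_REPLY,   "de:ad:be:ef:00:99", "10.0.0.12", "10.0.0.11"),
]


def run(frames=SAMPLE_FRAMES, compliant=COMPLIANT):
    """Feed frames through one watcher; returns (frame index, alert text) pairs."""
    watcher = EndpointWatcher(set(compliant))
    return [(i, alert) for i, frame in enumerate(frames) for alert in watcher.observe(frame)]


if __name__ == "__main__":
    for index, alert in run():
        print(f"frame {index}: {alert}")
```

On the sample capture the watcher stays quiet for the two compliant PCs, flags the third frame as an unknown endpoint, and flags the fourth twice: unknown endpoint again, and the compliant PC's address 10.0.0.12 now being claimed by a different MAC. That last condition is worth noting when deploying anything built on this design: the ARP redirection the enforcers themselves use to quarantine a rogue produces exactly the same "IP moved" pattern, so a watcher or an IDS on the segment has to know which hosts are enforcers, or it will report the quarantine as an attack.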

DNAC Strengths
. Zero network upgrades or changes (Low TCO)
. Scales cost-effectively across multiple subnets
. Authentication agnostic (Windows Domain, 802.1x, other)
. Friendly fail-open design
. Extremely responsive quarantine and remediation mechanisms

These are the comparisons we can draw between traditional NAC and software-based NAC:

                              | Traditional infrastructure based                     | Software based
                              | In-line NAC (Cisco NAC V1 V2)         | 802.1x NAC   | Host based NAC (CAF)    | Dynamic NAC
Enforcement type              | Appliance in line                     | Switch based | Client self-enforcement | Other compliant PCs
Supports LAN enforcement      | Yes, but requires multiple appliances | YES          | YES                     | YES
Supports remote access VPNs   | YES                                   | NO           | YES                     | NO
Network needs re-architecting | YES                                   | Extensive    | None                    | None
Detects rogue users / devices | NO                                    | YES          | NO                      | YES


. Traditional infrastructure NAC is too difficult to deploy: a large-scale deployment needs NAC enforcement on far too many switches.
. Software NAC solutions are easy to deploy but have several key weaknesses.
. The DNAC solution offers a hybrid approach: strong enforcement with ease of installation. It does not involve any re-architecting of the existing network infrastructure.

Dynamic NAC and Infrastructure NAC comparison

                                 | DNAC          | DNAC + 802.1x authentication  | Infrastructure NAC
Client software                  | DNAC Client   | DNAC Client + Supplicant      | NAC client + Supplicant
Server software                  | Policy server | RADIUS server + policy server | RADIUS server + policy server
Minimum switch requirements      | -             | 802.1x authentication         | 802.1x authentication with VLAN assignment
Ongoing port config              | -             | Config 802.1x ports           | Config 802.1x ports
Ongoing switch config            | -             | -                             | New VLAN and subnet, router ACL, DHCP, RADIUS
One-time network reconfiguration | -             | -                             | New VLANs and subnets, router ACL, DHCP, RADIUS, RADIUS VLAN assignment


One-time network reconfiguration and ongoing switch configuration are generally difficult to deploy, since they involve configuring the RADIUS server, the DHCP server and VLAN subnetting.

802.1x implementations are considered an acceptable method for most NAC deployments: they offer better security enforcement and are easy to deploy.

Client- and server-software-based deployment is considered a normal, acceptable deployment.