- [...] and [...] continue to [...], causing downtime and continual patching
- Antivirus is signature-based and unable to detect [...] viruses, [...], and [...]
- [...] servers and desktops are too common, and they are difficult to detect and contain
- [...] and [...] is time and resource intensive
- Point technologies focus on the preservation of the host rather than network availability and overall enterprise resiliency

- Alleviates patching and signature update pressure with behavior-based protection technology
- Network Admission Control: preserves enterprise resilience by auditing and enforcing adherence to corporate endpoint security policies when accessing the network
- Limit the severity of infections by reducing the response time spent identifying and isolating infected systems, and cleansing traffic

Network Admission Control (NAC)

- NAC is a Cisco-led, multi-partner program focused on limiting damage from emerging security threats such as viruses and worms
- In NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices
- The endpoint device is interrogated for its security posture and compliance with policy
- The network then determines the appropriate admission enforcement decision: permit, deny, quarantine, restrict
- NAC is the first phase of the Cisco Self-Defending Network Initiative, an effort designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats
- These efforts extend Cisco's ability to provide secure, intelligent networks for customers

[Figure: without NAC] 1. Non-compliant endpoint attempts connection; 2. Connection allowed; 3. Infection spreads, endpoints exposed. (Labels: Branch or Campus, Corporate Net)

[Figure: with NAC] 1. Non-compliant endpoint attempts connection; 2. Quarantine and remediation; 3. Infection containment, endpoints secured. (Labels: Branch, Campus, Corporate Net, Cisco Trust Agent, Quarantine VLAN, Remediation)

NAC Solution: leverage the network to intelligently enforce access privileges based on endpoint security posture

NAC characteristics:
- Ubiquitous solution for connection methods
- Validates hosts attempting access
- Leverages customer investments in Cisco network and AV solutions
- Supports multiple AV vendors & Cisco Security Agent
- Quarantine & remediation services
- Deployment scalability

[Figure: hosts attempting network access (Cisco Trust Agent) -> network access devices -> policy server decision points (AAA server, vendor policy server). Labels: 1 Credentials (EAPoUDP, EAP/802.1x); 2 Credentials (RADIUS); 2a Credentials (HTTPS); 3 Access Rights; 4 Notification; 5 Enforcement; 6 Comply?]


- Ensure hosts comply with corporate policy (such as AV policy) before they can pass traffic to the network
- Prevent attacks that start as soon as the device connects
- Enforce on the network access device - no reliance on the host
- Similar to 802.1x/AAA services
- Isolate/quarantine hosts prior to access (L3/4 ACLs & L2 VLANs)
- Ensure all ways into and out of the network are covered
- Cover wired, wireless, L3 gateways, dial-in, and IPsec remote access
- Provide a consistent approach for all methods

[Figure: LAN user, wireless user, branch office, remote access and telecommuter reaching the data center and the Internet through NAC-enforcing access devices]


- Endpoint device credentials evaluated by policy infrastructure
- Network provides transport and enforcement service
- Extensible model, seamless to network devices
- Ensure security through authentication of the credential requestor and encryption of the information (PEAP)
- Allow vendor servers to evaluate their client application credentials for compliance (e.g. AV policy server evaluates AV credentials)
- Provide scalable environment
- Centralize the AAA function
- Provide 'exception' handling for non-responsive hosts (printers, old machines)
- Centralized monitoring/reporting & configuration (initially CiscoWorks SIMS & VMS)

[Figure: endpoint devices -> network devices (remote access, LAN access, wireless) -> policy infrastructure (AAA server, antivirus server)]

NAC - Benefits

Customer benefits:
- Dramatically improved security for non-compliant hosts = lower TCO
- Increased network resilience and productivity
- Extended value from Cisco network infrastructure investment
- Increases value of existing investment in AV

Cisco benefits:
- Network-wide differentiation unique to Cisco infrastructure
- Potential incremental revenue across product lines
- Network security leadership recognition
- Extended value of Cisco Security Agent investment

Partner benefits:
- Extends partner AV capabilities and product life
- Provides potential opportunities for AV vendor policy server
- Participation in security leadership initiative

NAC solution components (late Q2 CY04)

[Figure: on the endpoint, NAC-enabled applications (security app plug-ins acting as posture credential providers) sit on top of the Cisco Trust Agent (NT, 2000, XP); the agent speaks EAPoUDP to the network access device (NAC-enabled Cisco routers); the router relays to the AAA server (ACS) over RADIUS; ACS consults the vendor policy server over HCAP; monitoring & reporting alongside]


NAC-enabled applications

- NAC-enabled applications are posture credential providers
- Register with CTA based on vendor and application type, e.g. NAI AV
- Respond to posture queries
- Receive notifications
- Indicate status change
- Use existing AV protocols as normal


Cisco Trust Agent (CTA)

- Plug-in interface to register and query various vendor-provided posture providers
- Muxes and demuxes EAP posture requests to posture credential providers based on vendor and application type
- Acts as posture provider for itself and basic host information, e.g. OS type and version
- Displays informational messages to the user
- Responds to status query messages


Router (network access device)

- Initiates full validation with CTA using EAPoUDP when the intercept ACL is triggered (similar to Auth Proxy) and periodically thereafter while the data path is active
- Relays posture credentials to the AAA server using RADIUS
- Receives configuration info from the AAA server (ACL, URL-redirect) and enforces it on the interface
- Polls CTA status with Status Query periodically to see if it is still the same client at the same IP address
- Performs full validation periodically
- Supports an exception list based on IP or MAC address
- Sends a request to the AAA server for clientless hosts (EAPoUDP time-out) and receives configuration info
- The router is the policy enforcement point

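The router behaviour listed above, simulated as an added example (not Cisco IOS code and not from the deck). A caller-supplied clock exercises the status-query and revalidation timers; the `aaa_decision` callback stands in for the RADIUS exchange with the AAA server, the `Agent` object stands in for the Cisco Trust Agent reached over EAPoUDP, and all timer defaults, policy strings and names are assumptions:

```python
"""Simulated NAC session handling on a network access device. Added example, not Cisco
IOS code: it models the slide's behaviour (intercept ACL triggers validation, periodic
status query of the agent, periodic full revalidation, IP/MAC exception list, clientless
handling after an EAPoUDP time-out). Names, timer values and policies are assumptions."""

from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


class Agent:
    """Stand-in for the CTA on a host: a client identity and its posture credentials."""

    def __init__(self, client_id: str, credentials: Dict[str, object]) -> None:
        self.client_id = client_id
        self.credentials = credentials

    def status_query(self) -> str:
        return self.client_id


@dataclass
class Session:
    client_id: str        # identity learned at the last full validation
    policy: str           # ACL / URL-redirect configuration received from AAA
    validated_at: float   # time of the last full validation
    queried_at: float     # time of the last status query
    clientless: bool      # host never answered EAPoUDP
    validations: int = 1  # number of full validations this session has gone through


class NetworkAccessDevice:
    """Policy enforcement point for one interface whose intercept ACL matches these hosts."""

    def __init__(self, validate: Callable[[Optional[Dict[str, object]]], str],
                 exceptions: Iterable[str], status_query_interval: float = 300,
                 revalidation_interval: float = 1800) -> None:
        self.validate = validate            # AAA decision for credentials (None = clientless host)
        self.exceptions = set(exceptions)   # IP or MAC addresses that are never challenged
        self.status_query_interval = status_query_interval
        self.revalidation_interval = revalidation_interval
        self.sessions: Dict[str, Session] = {}

    def intercept(self, src_ip: str, src_mac: str, now: float, agent: Optional[Agent]) -> str:
        """Called when the intercept ACL matches traffic from src_ip; returns the policy enforced."""
        if src_ip in self.exceptions or src_mac in self.exceptions:
            return "EXCEPTION-LIST"         # printers, old machines: exception handling
        session = self.sessions.get(src_ip)
        if session is None or now - session.validated_at >= self.revalidation_interval:
            return self._full_validation(src_ip, now, agent).policy
        if not session.clientless and now - session.queried_at >= self.status_query_interval:
            session.queried_at = now
            still_there = agent.status_query() if agent is not None else None
            if still_there != session.client_id:   # a different (or no) client now at this IP
                return self._full_validation(src_ip, now, agent).policy
        return session.policy

    def _full_validation(self, src_ip: str, now: float, agent: Optional[Agent]) -> Session:
        previous = self.sessions.get(src_ip)
        count = previous.validations + 1 if previous else 1
        if agent is None:
            # EAPoUDP times out: ask the AAA server for the clientless-host configuration
            session = Session("clientless", self.validate(None), now, now, True, count)
        else:
            session = Session(agent.client_id, self.validate(agent.credentials), now, now, False, count)
        self.sessions[src_ip] = session
        return session


def aaa_decision(credentials: Optional[Dict[str, object]]) -> str:
    """Constructed stand-in for the AAA server: compliant hosts get the permit ACL,
    clientless hosts a restricted ACL, everything else the quarantine redirect."""
    if credentials is None:
        return "CLIENTLESS-ACL"
    return "PERMIT-ACL" if credentials.get("av-current") else "QUARANTINE-REDIRECT"


def demo() -> Dict[str, str]:
    """Constructed traffic: an exempt printer, a compliant laptop, a clientless scanner,
    and a non-compliant client that later appears at the laptop's IP address."""
    nad = NetworkAccessDevice(aaa_decision, exceptions={"10.0.0.9", "00:11:22:33:44:55"})
    laptop = Agent("laptop-A", {"av-current": True})
    out = {
        "printer": nad.intercept("10.0.0.9", "aa:aa:aa:aa:aa:aa", 0, None),
        "laptop": nad.intercept("10.0.0.20", "bb:bb:bb:bb:bb:bb", 0, laptop),
        "scanner": nad.intercept("10.0.0.30", "cc:cc:cc:cc:cc:cc", 0, None),
    }
    newcomer = Agent("laptop-B", {"av-current": False})
    out["reused-ip"] = nad.intercept("10.0.0.20", "dd:dd:dd:dd:dd:dd", 300, newcomer)
    return out


if __name__ == "__main__":
    for host, policy in demo().items():
        print(host, policy)
```

The status query is what catches the "reused-ip" case: the session at 10.0.0.20 is still within its revalidation interval, but the agent answering the query is no longer the client that was validated, so the router starts a fresh full validation instead of trusting the cached policy.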
Router platform support

- NAC support available in 12.3(4th)T (Pi4 release) IOS images with Security, Advanced Security, Advanced Services, and Advanced Enterprise images
- Platform support in the table below

Platform                                              Support
Cisco 75xx                                            ?
Cisco 72xx                                            Late
Cisco 535, 54, 55                                     Yes *
Cisco 45                                              No
Cisco 3745, 3725                                      Yes
Cisco 3660-CO series                                  No
Cisco 3660-ENT series                                 Yes *
Cisco 3640/3640A                                      Yes *
Cisco 3620                                            No
Cisco 2691                                            Yes
Cisco 2600XM models                                   Yes
Cisco 2600 non-XM models                              No
Cisco 171, 1711, 1712, 1721, 1751, 1751-V, 1760       Yes
Cisco 175, 172, 171                                   No
Cisco 3x                                              Late

Late - planned, date TBD, maybe post Phase 1 FCS
? - still being investigated and possibly post Phase 1 FCS
Yes * - older platforms that only have NAC support in the Classic IOS FW feature sets in 12.3T; these routers do not have the newer Advanced images in 12.3T

For the 1700 platforms shown in the table, support is planned on the following images in addition to the images above: IP/ADSL/IPX/AT/IBM/VOX/FW/IDS Plus IPSec 3DES, IP/ADSL/IPX/AT/IBM/FW/IDS Plus IPSec 3DES, IP/ADSL/VOX/FW/IDS Plus IPSec 3DES, IP/ADSL/FW/IDS Plus IPSec 3DES

Cisco IOS feature set inheritance

- The feature inheritance model ensures purposeful relationships between feature sets
- The structure introduces and combines functionality in a predictable manner
- As you step up you inherit every feature below
- Thus in this example Advanced Enterprise has everything Cisco IOS offers: all Advanced Security functions, all Enterprise Services and all Voice

[Figure: feature set stack, top to bottom: Advanced Enterprise Services (NAC); Advanced IP Services (NAC) and Enterprise Services; Advanced Security (NAC), SP Services and Enterprise Base; IP Voice; IP Base]

AAA server (Cisco ACS)

- Communicates with CTA to obtain posture credentials
- Validates posture credentials and maps them to the access policy to be enforced on the gateway, plus any notifications to be sent to CTA
- Returns Access-Accept with network configuration, or Access-Reject
- Existing ACS authorization support (Network Access Restrictions) may be used for clientless hosts
- Posture validation rules and the resulting access policies are configured on the AAA server
- The AAA server is the policy validation and decision point


Vendor policy server

- Vendor-provided server to validate posture; may include vendor-specific proprietary data
- HCAP/HTTPS interface for online validation

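The posture validation exchange described on the Cisco Trust Agent, AAA server and vendor policy server slides, simulated as one added example (not code from Cisco or from this deck). It models the agent demuxing a posture request to registered providers by (vendor, application type), the AAA server applying its configured rules and mapping the result to an Access-Accept or Access-Reject with an ACL and optional URL-redirect, and a vendor AV server validating its own application's credentials. Every class and attribute name, the posture tokens, the policies and the sample hosts are assumptions; the EAPoUDP, RADIUS and HCAP encodings are not modelled:

```python
"""Simulated NAC posture validation exchange. Added example, not code from Cisco or from
these slides: it models the roles described (Cisco Trust Agent as a plug-in broker for
posture credential providers, the AAA server as policy validation and decision point,
a vendor AV policy server evaluating its own application's credentials). All class and
attribute names, posture tokens and access policies are assumptions; messages are plain
dictionaries rather than EAPoUDP, RADIUS or HCAP encodings."""

from typing import Callable, Dict, Optional, Tuple

ProviderKey = Tuple[str, str]              # (vendor, application type)
Credentials = Optional[Dict[str, object]]  # None when no provider answered

# Posture tokens and their severity order (assumed values for this example)
HEALTHY, QUARANTINE, INFECTED = "Healthy", "Quarantine", "Infected"
SEVERITY = {HEALTHY: 0, QUARANTINE: 1, INFECTED: 2}


class TrustAgent:
    """CTA role: NAC-enabled applications register as posture credential providers keyed
    by (vendor, application type); the agent itself provides basic host information."""

    def __init__(self, os_type: str, os_version: str) -> None:
        self._providers: Dict[ProviderKey, Callable[[], Dict[str, object]]] = {}
        self.register("Cisco", "CTA", lambda: {"os-type": os_type, "os-version": os_version})

    def register(self, vendor: str, app_type: str, provider: Callable[[], Dict[str, object]]) -> None:
        self._providers[(vendor, app_type)] = provider

    def posture_request(self, wanted: Tuple[ProviderKey, ...]) -> Dict[ProviderKey, Credentials]:
        """Demux one posture request to each requested provider and collect the answers;
        an application that is not registered is reported as None rather than dropped."""
        return {key: (self._providers[key]() if key in self._providers else None) for key in wanted}


class VendorPolicyServer:
    """Vendor AV policy server role: validates the credentials of its own application."""

    def __init__(self, min_dat_version: int) -> None:
        self.min_dat_version = min_dat_version

    def validate(self, creds: Credentials) -> str:
        if creds is None or not creds.get("enabled", False):
            return QUARANTINE      # no proof of protection: isolate and remediate
        if creds.get("infected", False):
            return INFECTED        # the application itself reports an active infection
        return HEALTHY if int(creds["dat-version"]) >= self.min_dat_version else QUARANTINE


class AAAServer:
    """AAA server role: validation rules and the resulting access policies live here;
    vendor-specific credentials are handed to that vendor's policy server."""

    # Access policy returned to the network access device per posture token (constructed)
    POLICIES = {
        HEALTHY: {"result": "Access-Accept", "acl": "permit ip any any", "url-redirect": None},
        QUARANTINE: {"result": "Access-Accept", "acl": "permit ip any host 10.1.1.50",
                     "url-redirect": "https://remediation.example.invalid/"},
        INFECTED: {"result": "Access-Reject", "acl": "deny ip any any", "url-redirect": None},
    }

    def __init__(self, required_os: Tuple[str, ...],
                 vendor_servers: Dict[ProviderKey, VendorPolicyServer]) -> None:
        self.required_os = required_os
        self.vendor_servers = vendor_servers
        # each posture request asks for the agent's host information plus every vendor application
        self.wanted = (("Cisco", "CTA"),) + tuple(vendor_servers)

    def validate(self, credentials: Dict[ProviderKey, Credentials]) -> Dict[str, object]:
        results: Dict[ProviderKey, str] = {}
        for key, creds in credentials.items():
            if key == ("Cisco", "CTA"):
                ok = creds is not None and creds.get("os-type") in self.required_os
                results[key] = HEALTHY if ok else QUARANTINE
            else:
                results[key] = self.vendor_servers[key].validate(creds)
        posture = max(results.values(), key=SEVERITY.__getitem__)   # worst result wins
        failing = [f"{vendor} {app}" for (vendor, app), token in results.items() if token != HEALTHY]
        notification = f"Posture {posture}: non-compliant {', '.join(failing)}" if failing else None
        return {"posture": posture, "notification": notification, **self.POLICIES[posture]}


def nac_exchange(agent: TrustAgent, aaa: AAAServer) -> Dict[str, object]:
    """The exchange as relayed by the network access device: credentials collected from the
    agent go to the AAA server, which returns the policy to enforce and any notification."""
    return aaa.validate(agent.posture_request(aaa.wanted))


def demo() -> Dict[str, str]:
    """Three constructed hosts: compliant, stale AV signatures, and no AV registered."""
    aaa = AAAServer(("Windows",), {("NAI", "AV"): VendorPolicyServer(min_dat_version=4300)})
    compliant = TrustAgent("Windows", "5.1")
    compliant.register("NAI", "AV", lambda: {"enabled": True, "dat-version": 4310})
    stale = TrustAgent("Windows", "5.0")
    stale.register("NAI", "AV", lambda: {"enabled": True, "dat-version": 4200})
    return {"compliant": nac_exchange(compliant, aaa)["posture"],
            "stale": nac_exchange(stale, aaa)["posture"],
            "no-av": nac_exchange(TrustAgent("Windows", "5.1"), aaa)["posture"]}


if __name__ == "__main__":
    for host, posture in demo().items():
        print(host, posture)
```

A host with no registered AV provider is reported as None by the agent rather than omitted, so the AAA server sees the missing application and quarantines it; a missing answer must never be mistaken for a passing one.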
Solution components

- NAC-enabled applications: Cisco Security Agent, NAI McAfee Antivirus, Symantec Antivirus, Trend Micro Antivirus
- Cisco Trust Agent: no-cost component; support for Windows 2000, XP and NT; to be distributed by Cisco and partners, potentially bundled with AV solutions
- AAA server: Cisco ACS v3.3
- Monitoring & reporting: CiscoWorks SIMS