So, a few days ago, I received shipment of a pair of books on Cisco Network Admission Control: Volume 1 and Volume 2, which focus on architecture/design and deployment/troubleshooting respectively.
Both are really, really good books from a technical perspective. The authors, three of whom are CCIEs, have a very good informational style and aren't afraid to kick in a few jokes where appropriate. I like that, as it breaks up the hard data and gives your brain a moment to process what it has read, which I find is a key component of learning the information.
The information in both is a relatively deep dive, but remains clear and concise enough to make a useful tool for presenting the concepts of NAC to a small audience. The books make excellent use of Visio diagrams, flowcharts, tables, and other graphical data representations to really put the topic in perspective.
Here's a bit of what I've learned so far; keep in mind I have not yet read the whole first volume.
NAC is essentially a way to control the state of devices that connect to your network. You set up a series of servers that:
- Validate the access credentials of a host coming onto the network
- For a non-user device (access point, printer), provide confidence that it is what it claims to be
- Audit host systems for compliance with security policy
- Place hosts in the appropriate VLAN based on their credentials and level of compliance
- Remediate unacceptably non-compliant hosts before granting them access
That really allows a company to ensure that finance people are always in the finance VLAN wherever they connect, and that network guys are always in the network VLAN wherever they connect. It also decreases support costs by giving users the ability to self-serve things like required patch updates and critical virus definitions for products like McAfee or Norton on a regular basis.
You can also apply it to the VPN connections coming in, to ensure that non-corporate machines connecting into the network are acceptably secure and free of viruses or worms before allowing them access to critical resources. The NAC framework actually proactively scans the connecting host for things like worms and keyloggers over the VPN tunnel prior to putting it in the VLAN it has the credentials for.
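To make the admission flow from the list above and the VPN case concrete, here is a small decision engine that models it: authenticate the host's credentials, audit its posture (antivirus definition age, patch level, result of the worm/keylogger scan), assign the role's VLAN on success, quarantine on failure, and re-admit after remediation. This is an added illustration written for this post, not code from the books or from Cisco's NAC Framework; the policy thresholds, the user/role table, the VLAN numbers, and the sample hosts are all constructed for the example, and the "VPN hosts must be scanned first" rule is my own rendering of the behaviour described above.

```python
"""Toy model of a NAC admission decision (constructed example, not Cisco code)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional
import secrets

# Constructed policy: how stale AV definitions may be, and the minimum patch level.
MAX_AV_DEF_AGE = timedelta(days=7)
REQUIRED_PATCH_LEVEL = 5

# Constructed VLAN plan: one VLAN per role, plus a quarantine VLAN for remediation.
VLAN_BY_ROLE = {"finance": 110, "network": 120}
QUARANTINE_VLAN = 999

# Constructed credential store: user -> (password, role). A real deployment would
# point the NAC policy server at a directory (e.g. RADIUS/LDAP), not a dict.
USERS = {"alice": ("s3cret-pw", "finance"), "bob": ("hunter2!", "network")}


@dataclass(frozen=True)
class HostPosture:
    av_def_date: date          # date of the installed antivirus definitions
    patch_level: int           # constructed integer patch level
    scanned: bool = False      # has the worm/keylogger scan run on this host?
    malware_found: bool = False  # result of that scan


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password: str
    posture: HostPosture
    via_vpn: bool = False      # True for hosts arriving over the VPN tunnel


@dataclass(frozen=True)
class Decision:
    vlan: Optional[int]        # None means access denied outright
    reasons: List[str]


def authenticate(user: str, password: str) -> Optional[str]:
    """Return the user's role on a valid credential, else None."""
    record = USERS.get(user)
    if record is None:
        return None
    stored_pw, role = record
    # Constant-time compare; irrelevant for a toy dict, but it is the right habit.
    return role if secrets.compare_digest(stored_pw, password) else None


def audit_posture(posture: HostPosture, today: date, via_vpn: bool) -> List[str]:
    """Return the list of policy failures; an empty list means compliant."""
    failures = []
    if today - posture.av_def_date > MAX_AV_DEF_AGE:
        failures.append("stale AV definitions")
    if posture.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("missing patches")
    if via_vpn and not posture.scanned:
        # Hosts coming in over the VPN are scanned before any VLAN placement.
        failures.append("VPN host not yet scanned")
    if posture.malware_found:
        failures.append("malware detected")
    return failures


def admit(req: AccessRequest, today: date) -> Decision:
    """Credentials first, then posture; compliant hosts get their role's VLAN."""
    role = authenticate(req.user, req.password)
    if role is None:
        return Decision(None, ["authentication failed"])
    failures = audit_posture(req.posture, today, req.via_vpn)
    if failures:
        return Decision(QUARANTINE_VLAN, failures)
    return Decision(VLAN_BY_ROLE[role], ["compliant"])


def remediate(posture: HostPosture, today: date) -> HostPosture:
    """Model self-service remediation: fresh AV definitions and required patches.

    A host on which malware was found stays flagged; cleanup is out of scope here."""
    return replace(posture, av_def_date=today,
                   patch_level=max(posture.patch_level, REQUIRED_PATCH_LEVEL))


if __name__ == "__main__":
    today = date(2024, 1, 15)
    stale = HostPosture(av_def_date=date(2023, 12, 1), patch_level=3, scanned=True)
    req = AccessRequest("alice", "s3cret-pw", stale)
    first = admit(req, today)
    print("before remediation:", first)
    second = admit(replace(req, posture=remediate(stale, today)), today)
    print("after remediation:", second)
```

In this model a host is never placed in a role VLAN on credentials alone: a valid finance login with week-old definitions lands in the quarantine VLAN, and the same host is admitted to VLAN 110 once `remediate` has brought it into policy.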
I highly recommend Cisco Network Admission Control Volume 1: NAC Framework Architecture and Design for anyone who is concerned about securing their network endpoints and corporate assets from compromise locally, on the WAN, and via VPN.
You can find more about the book at CiscoPress.com.

Many thanks to my friend David Dusthimer for the opportunity to review this book.