Tuesday, April 21, 2009

Initial impression: Cisco Network Admission Control, Volume 1: NAC Framework Architecture and Design.

So, a few days ago, I received a pair of books on Cisco Network Admission Control: Volume 1 and Volume 2, which focus on architecture/design and deployment/troubleshooting respectively.

Both are really, really good books from a technical perspective. The authors, three of whom are CCIEs, have a very good informational style and aren't afraid to throw in a few jokes where appropriate. I like that, as it breaks up the hard data and gives your brain a moment to process what it has read, which I find is a key component of learning the information.

The information in both is a relatively deep dive, but remains clear and concise enough to make a useful tool for presenting the concepts of NAC to a small audience. The books make excellent use of Visio diagrams, flowcharts, tables, and other graphical data representations to really put the topic in perspective.

Here's a bit of what I've learned so far; keep in mind I have not yet read the whole first volume.

NAC is essentially a way to control the state of devices that connect to your network. You set up a series of servers that:
  1. Validate the access credentials of a host coming onto the network, or
  2. Provide confidence that a non-user device (AP, printer) is what it claims to be
  3. Audit host systems for compliance with security policy
  4. Place hosts in the appropriate VLAN based on their credentials and level of compliance
  5. Remediate unacceptably non-compliant hosts before granting them access
That really allows a company to ensure that finance people are always in the finance VLAN wherever they connect, and that network guys are always in the network VLAN wherever they connect. It also decreases support costs by giving users the ability to self-serve things like required patch updates and critical virus definitions for products like McAfee or Norton on a regular basis.

You can also apply it to incoming VPN connections to ensure that non-corporate machines connecting to the network are acceptably secure and free of viruses or worms before allowing them access to critical resources. The NAC framework actually proactively scans the connecting host for things like worms and keyloggers over the VPN tunnel prior to putting it in the VLAN its credentials entitle it to.
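To make the admission flow above concrete, here is a small policy engine I've put together as an added illustration; it is not code from the books or from Cisco, and the VLAN numbers, the patch/antivirus thresholds, and the stricter threshold for VPN hosts are constructed assumptions. It models the five steps: validated credentials resolve to a role, non-user devices are admitted on identity alone, user hosts are posture-checked, compliant hosts land in their role VLAN, fixable hosts go to a remediation VLAN, and infected hosts are refused.

```python
"""Toy NAC admission decision engine (illustration only, not Cisco's implementation)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    ADMIT = "admit"            # credentials valid and posture compliant: role VLAN
    QUARANTINE = "quarantine"  # credentials valid, posture fixable: remediation VLAN
    DENY = "deny"              # credentials not validated, or host is infected


# Constructed sample policy; every number here is a hypothetical placeholder.
ROLE_VLANS = {"finance": 110, "netops": 120, "printer": 300, "ap": 310}
NON_USER_DEVICES = {"printer", "ap"}     # no posture agent: identity check only
QUARANTINE_VLAN = 999                    # self-service patch/AV-update network
MAX_AV_AGE_DAYS = {"lan": 7, "vpn": 3}   # assumption: remote hosts held to a tighter limit
MAX_MISSING_CRITICAL_PATCHES = 0


@dataclass
class Host:
    identity: str
    role: Optional[str]               # role resolved from credentials; None = not validated
    via_vpn: bool = False
    av_definition_age_days: int = 0
    missing_critical_patches: int = 0
    malware_detected: bool = False    # result of the proactive scan described in the post


@dataclass
class Admission:
    decision: Decision
    vlan: Optional[int]
    reasons: List[str] = field(default_factory=list)


def posture_violations(host: Host) -> List[str]:
    """Step 3: audit the host against the compliance policy and list every failure."""
    violations = []
    limit = MAX_AV_AGE_DAYS["vpn" if host.via_vpn else "lan"]
    if host.av_definition_age_days > limit:
        violations.append(f"antivirus definitions {host.av_definition_age_days}d old (limit {limit}d)")
    if host.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES:
        violations.append(f"{host.missing_critical_patches} critical patch(es) missing")
    if host.malware_detected:
        violations.append("malware detected by pre-admission scan")
    return violations


def admit(host: Host) -> Admission:
    """Steps 1, 2, 4 and 5: decide where (or whether) the host is connected."""
    # Step 1: no validated credentials, or a role the policy does not know, gets nothing.
    if host.role is None or host.role not in ROLE_VLANS:
        return Admission(Decision.DENY, None, ["credentials not validated"])
    # Step 2: non-user devices are placed on identity alone; they cannot run the posture agent.
    if host.role in NON_USER_DEVICES:
        return Admission(Decision.ADMIT, ROLE_VLANS[host.role],
                         ["non-user device: identity verified, posture not assessed"])
    violations = posture_violations(host)
    # Infected hosts are refused outright rather than parked where they could spread.
    if host.malware_detected:
        return Admission(Decision.DENY, None, violations)
    # Step 5: fixable non-compliance goes to the remediation VLAN for self-service updates.
    if violations:
        return Admission(Decision.QUARANTINE, QUARANTINE_VLAN, violations)
    # Step 4: compliant, authenticated user host lands in the VLAN its role maps to.
    return Admission(Decision.ADMIT, ROLE_VLANS[host.role], [])


if __name__ == "__main__":
    # Constructed sample hosts exercising each branch.
    samples = [
        Host("alice", "finance"),
        Host("bob", "netops", av_definition_age_days=10),
        Host("carol", "netops", via_vpn=True, av_definition_age_days=5),
        Host("mallory", "finance", malware_detected=True),
        Host("unknown-laptop", None),
        Host("prn-01", "printer", av_definition_age_days=400),
    ]
    for h in samples:
        a = admit(h)
        print(f"{h.identity:15} {a.decision.value:10} vlan={a.vlan} {a.reasons}")
```

Note that the same host (5-day-old definitions) is admitted on the LAN but quarantined over VPN purely because of the per-connection-type threshold; that is the kind of policy knob a real deployment tunes per access method.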

I highly recommend Cisco Network Admission Control Volume 1: NAC Framework Architecture and Design for anyone who is concerned about securing their network endpoints and corporate assets from compromise locally, on the WAN, and via VPN.

You can find more about the book at CiscoPress.com.

Many thanks to my friend David Dusthimer for the opportunity to review this book.

4 comments:

  1. Well done on writing the review!
  2. Didn't know that it was compatible, but thank you for sharing.
    usa vpn
  3. Network Access Control is a good way to connect devices onto your network. Validity of credentials and audits of host systems will have an easier response.
  4. This is the configuration for the NAC and its topology. The new firmware is quite a challenge to configure.