Cisco Cisco Identity Services Engine 1.2 白皮書
White Paper:
Cisco Systems and the Migration from NAC to EVAS
3
© 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Executive Summary
Network access controls are nothing new. Many organizations have used technologies like RADIUS servers and
802.1X supplicants for years to allow guest access to corporate LANs or identify corporate devices as they access
wireless networks.
802.1X supplicants for years to allow guest access to corporate LANs or identify corporate devices as they access
wireless networks.
While network access controls (NACs) are not a new concept, many security professionals still equate them with a
series of NAC technologies that first appeared a decade ago. This common perception is well behind the times
because NAC has gone through a profound evolution and has become a much more comprehensive and useful
security technology. This white paper concludes:
series of NAC technologies that first appeared a decade ago. This common perception is well behind the times
because NAC has gone through a profound evolution and has become a much more comprehensive and useful
security technology. This white paper concludes:
NAC has evolved into a new segment called endpoint visibility, access, and security (EVAS). The original
NAC technology was fairly binary in nature as it granted or denied network access depending upon the
configuration and security profile of an endpoint. EVAS expands network access control with granular and
contextual access policy enforcement based upon business requirements like user role, location, business
process considerations, and risk management. EVAS also extends beyond PCs, providing granular network
access to mobile and IoT devices.
NAC technology was fairly binary in nature as it granted or denied network access depending upon the
configuration and security profile of an endpoint. EVAS expands network access control with granular and
contextual access policy enforcement based upon business requirements like user role, location, business
process considerations, and risk management. EVAS also extends beyond PCs, providing granular network
access to mobile and IoT devices.
EVAS has become an enterprise requirement. IT initiatives like BYOD, cloud computing, and mobile
application deployment have made information security policy creation, enforcement, and monitoring
much more cumbersome. To address this situation, many CISOs are turning to EVAS to help them manage
and secure the complex matrix of connections between users, devices, internal networks, and cloud
services. In this way, EVAS can support business, security, and compliance requirements.
application deployment have made information security policy creation, enforcement, and monitoring
much more cumbersome. To address this situation, many CISOs are turning to EVAS to help them manage
and secure the complex matrix of connections between users, devices, internal networks, and cloud
services. In this way, EVAS can support business, security, and compliance requirements.
EVAS can help organizations prevent, detect, and respond to security attacks. Organizations are using
EVAS to harden endpoints and networks before attacks occur. EVAS can also help during an attack by
helping security analysts quickly define the scale and scope of an incident. Finally, EVAS provides value after
an attack by accelerating the remediation process and fine-tuning security controls.
EVAS to harden endpoints and networks before attacks occur. EVAS can also help during an attack by
helping security analysts quickly define the scale and scope of an incident. Finally, EVAS provides value after
an attack by accelerating the remediation process and fine-tuning security controls.
EVAS has become an integration hub. EVAS systems collect, process, and store a wealth of information
about endpoint configurations, connection history, and network activities. Given the value of this data, it is
not surprising that EVAS systems share this data with advanced malware detection/prevention
technologies, SIEM platforms, MDM, and other networking and security tools.
about endpoint configurations, connection history, and network activities. Given the value of this data, it is
not surprising that EVAS systems share this data with advanced malware detection/prevention
technologies, SIEM platforms, MDM, and other networking and security tools.
A Brief History of Network Access Control
Network access controls provide fundamental security protection and have been a part of networking since the
early days of Ethernet and IP. Nevertheless, few organizations opted for sophisticated network-layer protection in
the past, and relied on Windows authentication as their primary means for controlling who gets on the network.
These minimalist network access controls were sufficient in the early 2000s but became inadequate soon after.
Why? Users with compromised Windows PCs plugged Ethernet cables into switch ports and then infected corporate
networks with an assortment of Internet worms (i.e., SQL Slammer, MS Blaster, Code Red, etc.), causing business
interruptions and time-consuming IT fire drills. The multitude of worms combined with poor PC hygiene in the early
2000s led to a constant cycle of network worm infection and costly remediation actions.
early days of Ethernet and IP. Nevertheless, few organizations opted for sophisticated network-layer protection in
the past, and relied on Windows authentication as their primary means for controlling who gets on the network.
These minimalist network access controls were sufficient in the early 2000s but became inadequate soon after.
Why? Users with compromised Windows PCs plugged Ethernet cables into switch ports and then infected corporate
networks with an assortment of Internet worms (i.e., SQL Slammer, MS Blaster, Code Red, etc.), causing business
interruptions and time-consuming IT fire drills. The multitude of worms combined with poor PC hygiene in the early
2000s led to a constant cycle of network worm infection and costly remediation actions.
Over time, NAC technology and associated vendors proceeded through a number of industry and technology
phases (see Table 1).
phases (see Table 1).