assessment). It can also be deployed in Layer-2 mode (users are L2-adjacent to the CAS) or in Layer-3 mode (users are multiple L3 hops away from the CAS).

• Clean Access Agent (CAA)

This is a read-only agent that resides on Windows clients. The Clean Access Agent checks applications, files, services, or registry keys to ensure that clients meet your specified network and software requirements prior to gaining access to the network. (Note that there is no client firewall restriction with Clean Access Agent vulnerability assessment: the Agent can check the client registry, services, and applications even if a personal firewall is installed and running.)

• Clean Access Policy Updates

These are regular updates of pre-packaged policies/rules that can be used to check the up-to-date status of operating systems, antivirus (AV), antispyware (AS), and other client software.
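The two items above describe the same mechanism from both sides: a rule set that states what a compliant client must look like (services running, registry values set, files present, AV definitions recent), and a read-only agent that reports what it actually observes so the enforcement point can admit or quarantine the client. The following is an added example, not Cisco's agent code or its rule format, of how such a rule set can be evaluated against an observed client snapshot. The rule names, the hypothetical product path C:\Program Files\ExampleAV\engine.exe, and both client snapshots are constructed for the example; the WinDefend service name and the WindowsUpdate\AU\NoAutoUpdate policy value are real Windows identifiers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


@dataclass
class Snapshot:
    """What a read-only agent observed on the client (constructed data)."""
    files: set                       # full paths that exist on the client
    services: dict                   # service name -> "running" / "stopped"
    registry: dict                   # "HIVE\\path\\value name" -> value
    av_definitions: Optional[date]   # date of the installed AV signature set
    today: date                      # clock used for age calculations


# Each check returns (passed, human-readable reason).
def file_exists(snap, path):
    ok = path in snap.files
    return ok, f"{path} {'present' if ok else 'missing'}"


def service_running(snap, name):
    state = snap.services.get(name, "absent")
    return state == "running", f"service {name} is {state}"


def registry_equals(snap, key, expected):
    actual = snap.registry.get(key)
    return actual == expected, f"{key} = {actual!r} (expected {expected!r})"


def av_definitions_fresh(snap, max_age_days):
    if snap.av_definitions is None:
        return False, "no AV definition date reported"
    age = (snap.today - snap.av_definitions).days
    return age <= max_age_days, f"AV definitions {age} days old (max {max_age_days})"


@dataclass
class Requirement:
    name: str
    check: Callable
    args: tuple
    remediation: str     # instruction shown to the user when the check fails


def evaluate(snap, requirements):
    """Return (compliant, failures). Every requirement must pass. A check that
    raises (for example, the agent could not read a key) is recorded as a
    failure, so an unreadable client fails closed rather than being admitted."""
    failures = []
    for req in requirements:
        try:
            passed, reason = req.check(snap, *req.args)
        except Exception as exc:
            passed, reason = False, f"check error: {exc}"
        if not passed:
            failures.append((req.name, reason, req.remediation))
    return not failures, failures


# Constructed policy in the spirit of the pre-packaged rules described above.
NO_AUTO_UPDATE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate"
AV_ENGINE = r"C:\Program Files\ExampleAV\engine.exe"   # hypothetical product path

POLICY = [
    Requirement("defender-running", service_running, ("WinDefend",),
                "Start Microsoft Defender Antivirus"),
    Requirement("av-definitions-current", av_definitions_fresh, (7,),
                "Update antivirus definitions"),
    Requirement("auto-update-enabled", registry_equals, (NO_AUTO_UPDATE, 0),
                "Enable automatic updates"),
    Requirement("av-engine-installed", file_exists, (AV_ENGINE,),
                "Install the required antivirus engine"),
]

# Constructed client snapshots: one healthy, one with a stopped AV service
# and signatures that are 32 days old.
COMPLIANT_CLIENT = Snapshot(
    files={AV_ENGINE}, services={"WinDefend": "running"},
    registry={NO_AUTO_UPDATE: 0},
    av_definitions=date(2024, 3, 1), today=date(2024, 3, 4))

STALE_CLIENT = Snapshot(
    files={AV_ENGINE}, services={"WinDefend": "stopped"},
    registry={NO_AUTO_UPDATE: 0},
    av_definitions=date(2024, 2, 1), today=date(2024, 3, 4))


if __name__ == "__main__":
    for label, snap in (("compliant", COMPLIANT_CLIENT), ("stale", STALE_CLIENT)):
        ok, failures = evaluate(snap, POLICY)
        print(label, "->", "admit" if ok else "quarantine")
        for name, reason, fix in failures:
            print(f"  {name}: {reason}; remediation: {fix}")
```

The agent's role ends at reporting: the admit/quarantine decision and any traffic restriction belong to the enforcement point, which is why an error while reading a check is treated as non-compliance rather than skipped.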

In-band versus out-of-band

Customers often ask which deployment modes are most appropriate for their networks. In fact, an organization can deploy both, each geared toward certain types of access (in-band for supporting wireless users and out-of-band for wired users, for example). The Cisco Clean Access Manager is designed to support both in-band and out-of-band Cisco Clean Access servers, as well as the switches associated with the out-of-band portion of the network.

With the Cisco Clean Access in-band deployment, the Clean Access Server is always inline with user traffic: before, during, and after authentication, posture assessment, and remediation. The server can be used to securely control authenticated and unauthenticated user traffic by applying traffic policies based on protocol/port or subnet, bandwidth policies (shared or per user), and time-based sessions and heartbeat controls. In-band deployment supports any edge access device as long as the MAC address and IP address of the client machine are visible to the Clean Access Server. Because the server is in-band with traffic, the in-band deployment mode is ideal for environments with the following characteristics:

• Shared media ports

• Bandwidth throttling by role required

• Wireless access points

• Voice over IP (VoIP) phones

• Network infrastructure built with products other than Cisco products
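Because an in-band enforcement point stays on the path for the life of the session, it can judge every packet against the role the client earned at login and can revoke that role when heartbeats stop. The following is an added example, not Cisco's implementation or configuration syntax, that models the in-band behaviour described above: a session table keyed by client MAC and IP (both must be visible to the enforcement point), per-role protocol/port/subnet rules with first match wins and default deny, and heartbeat-based session expiry. Role names, subnets, addresses, and rules are constructed; per-user bandwidth policy is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # None matches any destination port
    dst: ipaddress.IPv4Network
    action: str                      # "permit" or "deny"


def rule_matches(rule, proto, dport, dst):
    return (rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport)
            and dst in rule.dst)


def net(cidr):
    return ipaddress.ip_network(cidr)


UNAUTHENTICATED = "unauthenticated"

# Constructed role policies: first matching rule wins, no match means deny.
# Before login a client may reach only DNS on the access subnet, the
# enforcement point's own portal at 10.1.1.1, and the remediation servers.
POLICIES = {
    UNAUTHENTICATED: [
        Rule("udp", 53, net("10.1.1.0/24"), "permit"),
        Rule("tcp", 443, net("10.1.1.1/32"), "permit"),
        Rule("any", None, net("10.1.9.0/24"), "permit"),
    ],
    "employee": [
        Rule("any", None, net("10.0.0.0/8"), "permit"),
        Rule("tcp", 443, net("0.0.0.0/0"), "permit"),
    ],
    "guest": [
        Rule("any", None, net("10.0.0.0/8"), "deny"),      # no internal access
        Rule("tcp", 443, net("0.0.0.0/0"), "permit"),
        Rule("tcp", 80, net("0.0.0.0/0"), "permit"),
    ],
}


@dataclass
class Session:
    ip: ipaddress.IPv4Address
    role: str
    last_seen: float     # time of the last heartbeat, in seconds


class InbandEnforcer:
    def __init__(self, policies, heartbeat_timeout):
        self.policies = policies
        self.timeout = heartbeat_timeout
        self.sessions = {}   # client MAC -> Session

    def login(self, mac, ip, role, now):
        """Record a session once authentication and posture assessment succeed."""
        self.sessions[mac] = Session(ipaddress.ip_address(ip), role, now)

    def heartbeat(self, mac, now):
        if mac in self.sessions:
            self.sessions[mac].last_seen = now

    def role_for(self, mac, ip, now):
        """Resolve the role a packet is judged under. No session, an expired
        session, or a MAC/IP pair that does not match the session all fall
        back to the unauthenticated role, so a host that takes over an IP
        address does not inherit another client's access."""
        s = self.sessions.get(mac)
        if s is None:
            return UNAUTHENTICATED
        if now - s.last_seen > self.timeout:
            del self.sessions[mac]          # heartbeat timeout: log in again
            return UNAUTHENTICATED
        if s.ip != ipaddress.ip_address(ip):
            return UNAUTHENTICATED
        return s.role

    def decide(self, mac, ip, proto, dport, dst, now):
        """Return (action, role) for one packet from the client."""
        role = self.role_for(mac, ip, now)
        dst_addr = ipaddress.ip_address(dst)
        for rule in self.policies.get(role, []):
            if rule_matches(rule, proto, dport, dst_addr):
                return rule.action, role
        return "deny", role


if __name__ == "__main__":
    e = InbandEnforcer(POLICIES, heartbeat_timeout=300)
    mac, ip = "00:11:22:33:44:55", "10.1.1.50"
    print(e.decide(mac, ip, "tcp", 445, "10.2.0.10", now=0))     # denied before login
    e.login(mac, ip, "employee", now=10)
    print(e.decide(mac, ip, "tcp", 445, "10.2.0.10", now=20))    # permitted as employee
    print(e.decide(mac, ip, "tcp", 445, "10.2.0.10", now=400))   # heartbeat lapsed
```

The point the model makes explicit is that in-band enforcement is continuous: the same packet from the same host is permitted or denied depending on whether a live, matching session exists at that moment, which is what allows role-based throttling and post-login revocation on shared media and wireless segments.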

In an out-of-band deployment of Cisco Clean Access, the Clean Access Server is in-band only during the process of authentication, posture assessment, and remediation. Once the user's device has successfully logged on, its traffic then bypasses the Clean Access Server and traverses the switch port directly. In the

456 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
