One of the most difficult aspects of network access control is supporting
network devices such as cameras, printers, scanners, and other appliances
within a NAC framework. Because no agent can be installed on them and they
cannot authenticate, unmanaged devices are often simply white-listed by IP
address or MAC address. That's a quick and dirty fix, but it leaves potentially
gaping holes when you're trying to lock down access.
Cisco's NAC Profiler, for which Cisco licensed the identification and classification
engine from Great Bay Software, attempts to identify unmanaged network
devices passively by monitoring their network behavior and assigning
devices to a class. For example, a network printer uses certain network
protocols and may even have identifying information in the payload that can
positively identify it as a network printer. If a device identified as a printer
starts using telnet to contact other network devices or starts downloading files,
then it's either not a printer or it has been broken into. In either case,
you probably want to quarantine it.
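The two-step logic described above, passively assigning a class from observed protocols and then flagging traffic that contradicts the class, as an added example that is not Cisco's or Great Bay's code; the flow records, MAC addresses and protocol fingerprints are constructed for illustration:

```python
"""Toy passive device classifier with a behaviour check (added example)."""
from collections import defaultdict

# Constructed flow summaries: (source MAC, destination port, protocol label),
# the kind of data a passive collector would produce from a SPAN port.
FLOWS = [
    ("00:11:22:aa:bb:01", 9100, "jetdirect"),  # printer: raw print spooling
    ("00:11:22:aa:bb:01", 631, "ipp"),
    ("00:11:22:aa:bb:01", 161, "snmp"),
    ("00:11:22:aa:bb:02", 554, "rtsp"),        # camera: video streaming
    ("00:11:22:aa:bb:02", 80, "http"),
    ("00:11:22:aa:bb:03", 9100, "jetdirect"),  # "printer" that later misbehaves
    ("00:11:22:aa:bb:03", 23, "telnet"),
    ("00:11:22:aa:bb:03", 21, "ftp"),
]

# Assumed fingerprints: protocols each class is expected to speak.
CLASS_PROFILES = {
    "printer": {"jetdirect", "ipp", "lpd", "snmp"},
    "camera": {"rtsp", "http", "onvif"},
}
# Assumed policy: protocols a device of that class should never originate.
CLASS_FORBIDDEN = {
    "printer": {"telnet", "ftp", "smb"},
    "camera": {"telnet", "ftp", "smb"},
}


def protocols_by_device(flows):
    """Group the protocol labels observed per source MAC."""
    seen = defaultdict(set)
    for mac, _port, proto in flows:
        seen[mac].add(proto)
    return seen


def classify(flows):
    """Assign each MAC the class whose profile overlaps most with its traffic."""
    result = {}
    for mac, protos in protocols_by_device(flows).items():
        best, score = "unknown", 0
        for cls, profile in CLASS_PROFILES.items():
            if len(protos & profile) > score:
                best, score = cls, len(protos & profile)
        result[mac] = best
    return result


def quarantine_candidates(flows, classes):
    """MACs whose traffic contradicts their class: misclassified or compromised."""
    return {mac for mac, protos in protocols_by_device(flows).items()
            if protos & CLASS_FORBIDDEN.get(classes[mac], set())}
```

Run over the constructed flows, the third device is classified as a printer on the strength of its JetDirect traffic but is then flagged for its telnet and FTP sessions, which is exactly the case the text says should trigger quarantine.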
Device identification is sent to Cisco's NAC appliance, which can then apply an appropriate NAC policy. Cisco developed the management infrastructure and integration with its NAC appliance.
One Cisco ROI example shows that without Profiler, a hospital estimated it would've used 6,240 hours at $75 per hour for a total of $468,000 in labor to
identify all of its unmanaged devices. Using Profiler, they spent 80
hours for a total cost of just $6,000 in labor.
The near half-million dollars previously spent to identify unmanaged devices
may seem extremely high, but regardless, automating device discovery and
classification can certainly save a great deal of effort in managing unknown
network devices during an initial deployment as well as over time.
It's an interesting feature, but a big unknown is how accurate Profiler's
discovery and classification is. We've never tested Great Bay's software, so
we can't speak to its accuracy. But having tested all manner of passive
discovery devices over the years, we've found that the classifications
were usually accurate, but not 100% of the time. Often, not even 75%, and
sometimes less. Network designs such as in-line proxy servers, network address
translation, or encryption make classification difficult. The further you get
from 100% accuracy, the less value the discovery and classification provides.
The Profiler collector runs on the NAC appliance, or Network Module discussed, and the license is between $5,000 and
$10,000. The Profiler Server, which integrates with the NAC appliance, costs
Before committing to the Profiler, be sure to test its discovery and
classification features in common situations such as proxying, network
address translation, asymmetric routing, and other network designs that can
alter the look of network traffic, as well as with a sample of network
equipment you're using.