
White Paper | May 2006

Harnessing the Power of McAfee and Cisco for Enterprise-Ready Network Admissions and Access Control

www.mcafee.com
Harnessing the Power of McAfee and Cisco for Enterprise-Ready Network Admissions and Access Control White Paper | 2006 Page 

Table of Contents
Executive Summary 3
Mitigating the Risk of Extended Networks 3
The Price of Admission for Collaborative Business 4
Powerful Policy Enforcement with McAfee Policy Enforcer and Cisco NAC 4
McAfee Policy Enforcer in a Cisco NAC Infrastructure 5
Enforcing Policies Opens Doors 8
Learn More 8

Note: This document is not to be construed as a promise by McAfee to develop, deliver or market a product with any particular functionality or attribute. McAfee reserves the right to revise this document or the product described therein and to make changes to the content of the document or the product described therein, at any time, without obligation to notify any person or entity.


Executive Summary

Extended networks bring risk. Guests and traveling employees may connect systems that do not comply with your security policies. Network access control solutions challenge and evaluate systems when they try to access the network. Compliant systems are allowed access. Non-compliant systems are denied access and/or sent to remediation portals. Cisco provides an enforcement framework for network access control. McAfee® provides powerful policy management. The joint solution allows organizations to extend their networks without risking infection from non-compliant systems.

Mitigating the Risk of Extended Networks

In today’s highly competitive business environment, you must open your enterprise applications to guests, partners, suppliers and customers. Carefully, you extend your reach with offices around the globe and employees who work from home. While collaborative business creates a great advantage in a global economy, it is a challenge to protect and secure critical business information.

You’ve established security policies and put in place an arsenal of system and network protection, but this is not enough. The problem isn’t lack of protection—it’s the lack of compliance with your security policies when systems access your network. While attacks from viruses, worms, spyware, and malicious code may be stopped dead by properly protected systems, you remain vulnerable to the damage that can be caused by endpoints that are not current with operating system patches, anti-virus signatures, and other security applications and updates. These “unhealthy” or non-compliant systems can rapidly spread attacks and infections within your infrastructure, and they will usually spread unchecked until they reach a traditional perimeter defense. While even the most vigilant IT organization may try to implement rigid update guidelines and policies, you still face the challenge of systems that elude your corporate policy—be they managed or not, partner or employee. The damage from breaches carries a greater price than ever, measured in a loss of your customers’ trust, a hit to your revenues, downtime for your critical applications, and the cost to clean up the mess.

To combat today’s highly aggressive attacks, you need to go beyond traditional layered security. Yes, you need anti-virus, anti-spyware, host intrusion prevention, host firewall, and patch management software. But you also need a solution that enforces security policies when endpoints try to access your network. You need to make sure that any device that connects to your network is configured correctly, possesses up-to-date patches, and has no high-risk viruses or worms. Security experts agree: enforcing policies when devices try to access the network is essential in today’s complex security environment.

“Enterprises experience an average of 501 hours of network downtime every year, and as a result lose millions of dollars in annual productivity and revenue. Overall downtime costs average 3.6 percent of annual revenue, a significant number, and one likely to surprise many large organizations. Implementing policy enforcement is important to maintain the integrity of your IT infrastructure and reduce costs associated with network downtime,” said Jeff Wilson, principal analyst of Infonetics Research.

If you proactively enforce IT security policies you can minimize potential damage from security threats that are introduced by users’ desktop PCs, laptops, mobile devices—any endpoint device.

McAfee is working closely with Cisco Systems to address the escalating challenges of endpoint security and to deliver effective network access control:

• Cisco has defined a network architecture and communications framework, called Network Admission Control (NAC), to protect enterprise networks from users’ systems that do not comply with established IT security policies. Cisco NAC lays the groundwork for enforcement by network access devices (NADs)—such as switches, routers, wireless solutions, or VPN concentrators—while McAfee Policy Enforcer (MPE) performs the assessments that drive Cisco NAC enforcement actions. When you limit network access to compliant systems, you limit damage from security threats such as viruses, worms, and spyware.

• McAfee Policy Enforcer is the core of McAfee’s network access control solution. It is easy to manage, works with the security and network infrastructure you already have, and can support a dynamic and changing network environment. Policy definition with McAfee Policy Enforcer is intelligent and easy to use, and McAfee Policy Enforcer provides robust security and compliance assessment and powerful remediation for your Cisco NAC environment. You can centrally define and manage your network access control policies through McAfee ePolicy Orchestrator® (ePO™), leveraging your investment in this enterprise-class scalable management infrastructure. McAfee Policy Enforcer performs deep assessments on all of your systems, and provides multiple enforcement options if systems fail to comply with your security policies. McAfee Policy Enforcer offers the most comprehensive and effective network access control available for your Cisco NAC-enabled infrastructure and beyond.


The Price of Admission for Collaborative Business

The business need for more open access to information resources compounds the risk. Opening your corporate network to mobile employees, customers, and partners extends what was once a trusted network across uncontrolled environments like the Internet. Your employees, guests and other users can unwittingly cause significant damage from inside your enterprise walls. The proliferation of mobile employees and the steep rise in the number of contractors, consultants, partners, and customers who need to access your corporate information resources means their computers can become conduits for attacks and misuse.

Your employees use their corporate laptops and mobile devices on the road or at home, and then later reconnect to your trusted enterprise network. Although they use a system that has the appropriate security software and patches, they may still introduce a threat into your network. By using their laptop on an unprotected network, perhaps at home or at an airport hotspot, their system may become infected with new malicious code—before they can get the latest protection with their regularly scheduled security update. Your employees in branch offices may have PCs with outdated anti-virus definition (DAT) files or that may not be compliant with your current security standards.

Figure 1: Managed and Unmanaged Systems

Your IT department has little control over the security standards for computers used by guests, consultants, and other visitors, either onsite or remote. Even your employees, customers, and partners who connect via an IPsec or SSL VPN can unknowingly introduce an infection to your enterprise network.

Policy enforcement at the time of network access can mitigate your risk in this landscape of shifting threats. A policy enforcement or network access control solution for the enterprise encompasses both policy control and an enforcement framework:

• Policy control, provided by McAfee Policy Enforcer, is the “brains” of your network access control solution. It enables you to centrally define the IT security network access policy for all systems—managed and unmanaged—that connect to your network through the WAN/LAN or remotely. MPE works with multiple enforcement methods, such as a Cisco NAC-enabled infrastructure. It also enables you to assess whether endpoints measure up to your security policies and determines what remediation actions to take.

• The enforcement framework, as provided by a Cisco NAC-enabled infrastructure, is the “brawn” of your network access control solution. It detects new systems as they request a network connection and enforces compliance based on what the MPE tells it to do.

Powerful Policy Enforcement with McAfee Policy Enforcer and Cisco NAC

Together, McAfee and Cisco provide complete network access control for a Cisco NAC-enabled infrastructure. Leaders in system security and networking, McAfee and Cisco have collaborated to deliver a robust policy definition, system discovery, system assessment, quarantining, and remediation solution for network access control. McAfee Policy Enforcer integrates with Cisco NAC APIs for a complete policy enforcement solution in conjunction with your Cisco NAC-enabled network.

McAfee Policy Enforcer delivers an intelligent, integrated, flexible approach to enforcing security-policy compliance and remediation on non-compliant endpoints when they attempt to access a Cisco NAC-enabled infrastructure. McAfee Policy Enforcer offers scalable policy creation and management, all from your ePolicy Orchestrator console. It provides deep system assessments that include checks for infections, malware, and worms, leveraging the embedded McAfee Foundstone® engine. It scans both managed and unmanaged systems, and can use either a remote- or host-based scanner. McAfee Policy Enforcer also supports system remediation to ensure that systems comply with specified application and patch levels before being granted network access.

Cisco NAC discovers systems as they attempt to access the network and enforces the policies set by McAfee Policy Enforcer. Cisco NAC allows you to determine and enforce the level of network access to grant to an endpoint, based on the security posture delivered by the MPE assessment. Systems are not permitted on your network until the assessment is complete, and only when the system is compliant with your policies. With MPE, McAfee protects against internal and external threats in a Cisco NAC-enabled network.

McAfee Policy Enforcer extends management, enforcement, and support for Cisco networks. You can use McAfee ePO to define, measure, and manage your system security policy. The highly tunable centralized management framework of ePO provides a single console for your system security and network access control products. McAfee Policy Enforcer simplifies deployment of the Cisco NAC framework with the ability to use ePO’s enterprise-scalable centralized management to deploy the Cisco Trust Agent (CTA) to all ePO-managed systems. McAfee Policy Enforcer helps simplify administration for your non-threat platforms (like printers and phones) by allowing either a dynamic rules-based approach that automatically allows access to certain devices based on their hardware profile, or specified exception lists.

McAfee Policy Enforcer in a Cisco NAC Infrastructure

Together, Cisco and McAfee provide a complete end-to-end solution for network access control. Use McAfee Policy Enforcer to define security policies, assess systems to determine their security posture, and remediate systems as appropriate. McAfee also adds critical management capabilities, such as the ability to set company-wide policies and effective management reporting and auditing. Cisco NAC provides active enforcement by discovering systems as they request network connections and enforcing the policies: by blocking or limiting access to certain subnets, by quarantining non-compliant systems, or by permitting access for compliant systems.

Organizations need to ensure their Cisco network environments are NAC-enabled as they work to meet their specific business-security requirements and timelines. So, depending on your Cisco NAC migration timeline, your organization may require multiple enforcement methods, such as Cisco NAC, IPsec VPN, SSL VPN, 802.1X or McAfee’s built-in enforcement methods for legacy Cisco or heterogeneous environments, for both managed and unmanaged systems. Regardless of the enforcement methods used, with McAfee Policy Enforcer the process of centrally defining policies, assessing systems against policy, and remediating non-compliant systems remains the same. Policy Enforcer gives you the most intelligent policy enforcement available.

1. Define network access policies: The first step toward a strong enforcement foundation is defining the rules by which systems are judged as compliant. In a Cisco NAC framework, your administrators can set policies at the network-access level using the Cisco Secure Access Control Server (ACS), an implementation of RADIUS.

Figure 2: Cisco-NAC infrastructure with McAfee Policy Enforcer. [Diagram with three columns: Subject (LAN, WAN, remote and Internet endpoints of any kind), Enforcement, and Decision & Remediation (Cisco ACS 4.0 with a directory, McAfee Policy Enforcer, other vendor servers, and a McAfee Remediation Server).]


That may not be enough. You may want a more robust way to set security policies across all enforcement methods that provides strong management, reporting, and monitoring capabilities.

McAfee is the leader in providing enterprise-class, scalable policy management. McAfee Policy Enforcer enables you to easily define, measure, and manage system security policy for a Cisco NAC infrastructure. With McAfee, you can set policies governing the required security patches for a particular operating system and the minimum versions of anti-virus, firewall, and host intrusion prevention software, plus much more. Role-based access makes it easy to define and manage policies. McAfee Policy Enforcer leverages McAfee ePO for centralized management and consolidated reporting, which makes policy enforcement easier to deploy and administer. For example, you may be using a Cisco NAC-enabled network with a Cisco IPsec VPN as well as a Juniper SSL VPN. In this instance, with McAfee Policy Enforcer, you would centrally create the security policies for all these enforcement methods.

McAfee Policy Enforcer also manages the deployment and installation of Cisco Trust Agent (CTA) software on endpoints, significantly easing the task of deploying and updating this client software. Tight integration between the Policy Enforcer scanner agent and the CTA API provides an agent-based, comprehensive system security scanner.

McAfee Policy Enforcer also eases ongoing operations. Tight integration with the Cisco Host Credentials Authorization Protocol (HCAP) API facilitates centralized policy definition using ePO. You may save hours or weeks of deployment time, as well as ongoing management time. McAfee Policy Enforcer provides the ability to centrally define and administer policies across a variety of enforcement methods, enabling you to intelligently set network access policy based on your corporate security requirements, rather than based on the limitations of each enforcement method.

2. Discover new systems: Cisco NAC-enabled network access devices discover systems as they attempt to access the network, whether the connection is a wired LAN, wireless LAN, through an IP Phone, a VPN connection or a WAN connection. When a desktop PC, server, laptop, or any other endpoint attempts to connect to the network through a Cisco NAC-enabled switch, router, or other compatible network access device, the access device first requests posture credentials from the endpoint in addition to the usual user authentication credentials. If the Cisco Trust Agent (CTA) is installed on the endpoint, the request for credentials is sent to the McAfee Policy Enforcer scanner. Otherwise, posture information is determined by the agentless McAfee Policy Enforcer assessment engine, integrated into the Cisco NAC framework through the Generic Authorization Message Exchange (GAME) protocol API.

3. Assess systems: Next, the system is assessed for compliance with the specified security policy. McAfee Policy Enforcer provides agent and agentless scanners that perform hundreds of checks. Systems are assessed at the time of network access, and then continuously—based on pre-configured rules—throughout the network session.

• Host-based assessment: If the system has both the Cisco Trust Agent (CTA) and the Policy Enforcer scanner (a software update to the McAfee ePO agent), the CTA asks the Policy Enforcer scanner to assess and collect the most current security policy information to determine the system’s security posture. That information is forwarded to the Cisco Secure ACS via the CTA. In turn, and based on the system posture provided by McAfee Policy Enforcer, the Cisco Secure ACS returns an admission decision to the Cisco Network Access Device, which enforces the decision.

• Agentless assessment: For systems without the CTA installed, McAfee provides agentless scanning to determine compliance and threat levels. Integration with the Cisco Generic Authorization Message Exchange (GAME) API facilitates deep scanning of systems without the CTA agent as well as accurate platform identification. McAfee’s agentless scanner can run credentialed checks, non-credentialed checks, and OS/platform-fingerprinting algorithms to produce a comprehensive risk assessment for each device attempting to access the network.

McAfee provides a deep, granular system assessment of the device’s configuration and critical security applications, including third-party applications. The McAfee Policy Enforcer scanner provides a rich set of compliance checks that help you quickly define flexible and powerful compliance policies and rules (see Table 1: McAfee Provides Comprehensive Enforcement Checks). It checks for active instances of viruses, Trojans, and worms. It verifies the existence and minimum required versions of McAfee and third-party security applications, such as anti-virus, desktop firewall, host intrusion prevention, and anti-spyware. The Policy Enforcer scanner assesses the system configuration for the required operating system version, service pack, patch management products, the overall security health status, and many other factors. McAfee leverages the Foundstone engine for powerful systems scanning. Additionally, McAfee’s sophisticated policy controls can prevent disruption of access to non-threat platforms like printers and phones.

4. Enforce system policies: The Cisco Secure ACS determines the appropriate access action (allow access, deny access, restrict access, or quarantine) based on the system posture as determined by the McAfee Policy Enforcer scanner. Cisco Secure ACS passes the admission-control decision to the Cisco NAC-enabled network-access device. If the system complies with the policy, it is granted network access. If it does not comply, it may be denied access or restricted to a quarantine network segment with limited access. Preventing a non-compliant system from accessing the network can contain infections before they spread throughout the network.

Table 1: McAfee Provides Comprehensive Enforcement Checks

Category: Supported Products

Threat/Infection Checks
• Mydoom
• Sasser
• Zotob
• Bagle
• Nachi
• Netsky
• Plus many others

Host Anti-Virus
• McAfee VirusScan® Enterprise
• Symantec AntiVirus and Norton AntiVirus
• Trend Micro OfficeScan and ServerProtect
• Computer Associates eTrust AV
• Sophos Anti-Virus

Microsoft Service Packs
• Microsoft Windows Update Service
• Microsoft patches for service packs, operating systems, and Internet Explorer

Host Firewall
• McAfee Host Intrusion Prevention*
• Sygate Firewall
• Symantec Firewall
• Microsoft Windows XP Firewall

Host Intrusion Prevention
• McAfee Host Intrusion Prevention

Patch Management Agents
• Patchlink Update
• BigFix Patch Manager
• Microsoft Windows Update
• BMC Marimba Patch Management Agent

Host Anti-Spyware
• McAfee AntiSpyware Enterprise
• Webroot Spysweeper
• Computer Associates PestPatrol

System/Policy Management Agents
• Microsoft SMS
• IBM Tivoli Agent
• Symantec ESM

Patch Assessment
• Microsoft Security Patches

*Firewall capabilities are built into McAfee Host Intrusion Prevention.
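The define-assess-enforce flow above (steps 1 to 4, with the check categories of Table 1 and the exception handling for non-threat platforms) reduced to a small decision engine. This is an added illustration, not McAfee or Cisco code: the policy values, endpoint posture reports, MAC-keyed exception list and the mapping of failure classes onto the four ACS actions are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Admission actions the Cisco Secure ACS can return to the network access
# device (step 4 of the paper).
ALLOW, RESTRICT, QUARANTINE, DENY = "allow", "restrict", "quarantine", "deny"


@dataclass(frozen=True)
class Policy:
    """Network access policy as an administrator would define it centrally (step 1)."""
    min_service_pack: int            # required Windows service pack level
    min_av_dat: int                  # minimum anti-virus definition (DAT) version
    firewall_required: bool          # host firewall must be enabled
    known_threats: frozenset[str]    # active infections that force a deny
    exempt_hardware: frozenset[str]  # non-threat platforms (printers, phones)
    exception_macs: frozenset[str]   # explicit exception list (hypothetical, MAC-keyed)


@dataclass
class Posture:
    """Posture report a scanner (agent via CTA, or agentless) would collect (step 3)."""
    host: str
    mac: str
    hardware_profile: str            # "workstation", "printer", "ip-phone", ...
    service_pack: int = 0
    av_dat: int = 0
    firewall_enabled: bool = False
    active_threats: frozenset[str] = frozenset()


def assess(p: Posture, pol: Policy) -> list[str]:
    """Run the compliance checks; return the failures as 'kind:detail' (empty = compliant)."""
    failed = [f"infection:{t}" for t in sorted(p.active_threats & pol.known_threats)]
    if p.av_dat < pol.min_av_dat:
        failed.append(f"av-dat:{p.av_dat}<{pol.min_av_dat}")
    if pol.firewall_required and not p.firewall_enabled:
        failed.append("firewall:disabled")
    if p.service_pack < pol.min_service_pack:
        failed.append(f"service-pack:{p.service_pack}<{pol.min_service_pack}")
    return failed


def decide(p: Posture, pol: Policy) -> tuple[str, list[str]]:
    """Map the assessment to an admission action (step 4). Constructed mapping:
    exceptions first (non-threat platforms skip posture checks), an active
    infection denies, missing security software quarantines, patch level alone restricts."""
    if p.hardware_profile in pol.exempt_hardware or p.mac in pol.exception_macs:
        return ALLOW, []
    failed = assess(p, pol)
    if not failed:
        return ALLOW, failed
    kinds = {f.split(":", 1)[0] for f in failed}
    if "infection" in kinds:
        return DENY, failed
    if kinds & {"av-dat", "firewall"}:
        return QUARANTINE, failed
    return RESTRICT, failed


def remediate(p: Posture, pol: Policy) -> Posture:
    """What a remediation portal's one-click update would change (constructed).
    Infections are deliberately not cleaned here, so a denied host stays denied."""
    return replace(p, service_pack=max(p.service_pack, pol.min_service_pack),
                   av_dat=max(p.av_dat, pol.min_av_dat),
                   firewall_enabled=p.firewall_enabled or pol.firewall_required)


def admit(p: Posture, pol: Policy) -> list[tuple[str, str]]:
    """Full cycle with rescan: the (host, action) audit trail that reporting would
    record. A quarantined or restricted host is remediated once and reassessed."""
    action, _ = decide(p, pol)
    trail = [(p.host, action)]
    if action in (QUARANTINE, RESTRICT):
        action, _ = decide(remediate(p, pol), pol)
        trail.append((p.host, action))
    return trail


# Constructed sample policy and endpoints (not real product data).
POLICY = Policy(min_service_pack=2, min_av_dat=4700, firewall_required=True,
                known_threats=frozenset({"Sasser", "Zotob", "Mydoom"}),
                exempt_hardware=frozenset({"printer", "ip-phone"}),
                exception_macs=frozenset({"00:11:22:33:44:55"}))
ENDPOINTS = [
    Posture("laptop-01", "aa:bb:cc:00:00:01", "workstation", 2, 4712, True),
    Posture("laptop-02", "aa:bb:cc:00:00:02", "workstation", 2, 4650, False),
    Posture("branch-pc", "aa:bb:cc:00:00:03", "workstation", 1, 4705, True),
    Posture("kiosk-07", "aa:bb:cc:00:00:04", "workstation", 2, 4712, True, frozenset({"Zotob"})),
    Posture("lobby-printer", "00:11:22:33:44:55", "printer"),
]

if __name__ == "__main__":
    for ep in ENDPOINTS:
        print(ep.host, "->", admit(ep, POLICY))
```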


5. Remediate non-compliant systems: Remediating non-compliant systems is critical to a successful network access control deployment. Without adequate remediation capabilities, blocking non-compliant systems from the network can impede user productivity and increase help-desk calls. McAfee Policy Enforcer provides enhanced remediation options to ensure that systems comply with specified security policy. Administrators can customize the remediation portal for a user-friendly remediation process with one-click updates. Administrators can also configure the quarantined system to run a McAfee auto-update capability, so that users’ systems can automatically be remediated without calling the helpdesk. Once remediated, the endpoint will automatically be rescanned for compliance and, if the endpoint is then compliant, it will be granted access to the corporate network.

6. Management and reporting: IT managers need greater visibility into policy compliance. McAfee ePO provides comprehensive enforcement reporting, monitoring, auditing, and alerting for McAfee Policy Enforcer. ePO provides proactive notifications and comprehensive reporting on all systems that have accessed your network, including systems blocked or quarantined, and details on all the checks that passed or failed. Because of the shifting landscape of security threats, McAfee Policy Enforcer allows you to periodically evaluate compliance, based on administrator policy. Integration with the Cisco NAC reporting logs enables McAfee to provide centralized graphical reporting, monitoring, and notification.

Enforcing Policies Opens Doors

Today’s business climate is dynamic. Organizations must provide anywhere, anytime access to critical applications, but you must also deliver exacting security and business continuity. That’s not only good business practice—it is more and more a matter of law. You can depend on the security expertise of McAfee and the network expertise of Cisco for an effective network access control solution. With McAfee, you get effective policy management, deep granular assessment, and powerful remediation and reporting. Cisco adds comprehensive admission control across all access methods and all endpoints that prevents non-compliant and rogue endpoints from impacting your network availability. You can implement network access control today by leveraging your existing endpoint security and network infrastructure investments. Powered by the world’s largest dedicated network and security companies, your operation will run more efficiently and you will enhance business continuity with comprehensive protection.

Learn More

For more information on network access control, visit:

About McAfee
http://www.mcafee.com/us/enterprise/products/network_access_control/policy_enforcer.html

About Cisco
http://www.cisco.com/go/nac

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is
distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2006 McAfee, Inc. All rights reserved.
6-sps-mpe-001-0506
