Friday, November 9, 2007

Deploying Cisco NAC Profiler


Cisco NAC Profiler is OEM software based on Great Bay Software’s Beacon product. The basis and need for NAC Profiler is to secure Non-Responsive Hosts (NRHs): devices such as printers and IP phones that cannot take part in the normal NAC login and posture process. This is performed by using state-of-the-art Endpoint Profiling and Behavior Monitoring technologies.

Endpoint profiling is defined as recording a network endpoint’s observable behaviors and analyzing its identifiable characteristics in order to classify it as belonging to a particular group (a Profile) and to assess the endpoint’s ability in a certain sphere, for example its ability to participate in a given authentication scheme or in Cisco NAC Appliance. In essence, Endpoint Profiling is best described as behavior-based characterization of endpoints for the purpose of identifying and grouping together those that are similar in function, capability or other defining characteristics.

Behavior Monitoring is the ability to ensure that endpoints keep behaving in a way that is consistent with the classification that earned them the authentication or NAC accommodation, and do not show behaviors associated with endpoints that should in fact participate in the full authentication or admission control process before being allowed onto the network.

Enough with the formal definitions (that’s what the great documentation is for). What is the real value of this solution to an organization, with or without Cisco NAC, and both before and after a Cisco NAC deployment?

The Value of Cisco NAC Profiler:

When planning for a NAC Appliance deployment the question of NRHs is sure to come up. How does someone find all of the printers, game consoles, UPSs, IP phones, etc. in the network? The answer is never easy. The bottom line is that over 50% of the devices on the average organization’s network are NRHs. The traditional method of accounting for NRHs is to manually find and record all MAC addresses and import all of them into the NAC Manager’s Device Filter list. The challenges of this method are resources (who is going to perform this task?), human error (48-bit MAC addresses start to look very complex after writing down hundreds or thousands of them), adds/moves/changes becoming a nightmare, and the guarantee that by the time you finish recording all of the devices something has changed since you started.

It becomes very clear from the above how many hours can be saved by implementing Cisco NAC Profiler. But wait, there is more… The above shows how Endpoint Profiling saves time and headaches, but Behavior Monitoring takes the value of NAC Profiler a step further. Take the traditional method of adding NRHs to the Device Filter table of the NAC Manager: once a printer’s MAC address is added it is always there, so a malicious hacker or an auditor can walk up to the printer, print the properties page, read off the MAC address, unplug the printer and use that MAC address to gain access and bypass NAC. If NAC Profiler is implemented, as soon as the computer spoofing the printer’s MAC address exhibits behavior outside the printer’s typical behavior, that device is removed from the Device Filter list and forced through the standard NAC process.

Another key benefit of having NAC Profiler is the accountability and visibility into the devices on the NAC Manager Device Filter list. As devices are placed into the Device Filter list by the Profiler Server, a link is added that brings an administrator directly to a page showing which switchport the device is plugged into, the respective endpoint profile data, and when it first came onto the network. Any network operator understands the value of knowing where devices are and when they entered and left the network.

Figure 1– NAC Manager Link to NAC Profiler

Minimize deployment costs + Minimize operational costs + Added Visibility + Added security = The value of Cisco NAC Profiler

Designing NAC Profiler:

NAC Profiler consists of two components:

- Profiler Server: aggregates and classifies data from the collectors and manages the database of endpoint information. Communicates with the NAC Manager’s API to add devices to the Device Filter list. Installed on the 3350 appliance.

- Collector Module: gathers information about endpoints using SNMP, NetFlow, sniffing and active profiling. The software is already installed on the NAC Server; a license activates the feature.

The Profiler Server can be, and is recommended to be, configured as a High Availability (HA) pair. A Collector license should be purchased for each NAC Server that will be used to profile devices; if the NAC Server is an HA pair, the license should be purchased as an HA license.

For the latest information about licensing of Cisco NAC Profiler, please refer to the Cisco NAC Profiler Data Sheet.

Collector Architecture:

NAC Profiler uses many data feeds to obtain the information required to perform Endpoint Profiling and Behavior Monitoring. The following list gives the background on how the collectors gather data.

- NetMap – Collector component module that queries network devices via SNMP for:
  - System information
  - Interface information
  - Bridge information
  - Routing/IP information

  This information is used to build and maintain a model of the network topology within the Endpoint Database.

- NetTrap – Collector component module that receives selected traps from network devices to assist NetMap in maintaining the model of the network topology.

- NetWatch – The passive network analyzer collector component module. Collects information about endpoints using network traffic received at one or more of the interfaces on the appliance it runs on.

- NetInquiry – Active profiling collector component module that can be used to collect information about endpoints using active techniques.

- NetRelay – Receives exported data from other systems such as NetFlow and prepares it for processing for Endpoint Profiling and Behavior Monitoring.

- Forwarder – Facilitates communication between the collector and the server; acts as middleware between the collector modules and the Profiler Server.

Each NAC Profiler deployment may use a few or all of these, depending on how much data is required. As a best practice it is always good to start with NetMap, NetTrap and NetWatch to gather the relevant information required to profile endpoints successfully. If any of these data sources is not available in the organization deploying NAC Profiler, the NetInquiry or NetRelay collector is a good alternative. Please note that, other than NetInquiry, NAC Profiler is completely passive and does NOT actively send traffic to any endpoint.
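To make the NetMap description concrete, here is an added example (my own code, not Cisco’s or Great Bay’s) of the kind of model NetMap builds from SNMP bridge and interface data: it joins dot1dTpFdbPort, dot1dBasePortIfIndex and ifDescr to map each learned MAC address to a switch name and interface, keeps a first-seen/last-seen record, and reports when an endpoint moves between ports on the next poll. The OIDs are the standard BRIDGE-MIB and IF-MIB ones; the walk output, switch name, MAC addresses and timestamps are constructed for the example, so it runs offline without polling a real switch.

```python
"""NetMap-style topology model from SNMP bridge and interface data.

Added example for this post; it is not Cisco's or Great Bay's code. It mimics
what the NetMap collector does with BRIDGE-MIB (dot1dTpFdbPort,
dot1dBasePortIfIndex) and IF-MIB (ifDescr) data, but works on constructed
snmpwalk-style output embedded below instead of polling a real switch.
"""
from dataclasses import dataclass

# Standard OIDs (real values) used to join the three tables.
SYS_NAME = "1.3.6.1.2.1.1.5.0"                 # sysName
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2."           # dot1dTpFdbPort: MAC -> bridge port
PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2."       # dot1dBasePortIfIndex: bridge port -> ifIndex
IF_DESCR = "1.3.6.1.2.1.2.2.1.2."              # ifDescr: ifIndex -> interface name

# Constructed sample walk of one access switch (three learned MACs).
SAMPLE_WALK = """\
1.3.6.1.2.1.1.5.0 = STRING: access-sw-01
1.3.6.1.2.1.17.4.3.1.2.0.30.140.1.2.3 = INTEGER: 5
1.3.6.1.2.1.17.4.3.1.2.0.24.254.10.11.12 = INTEGER: 7
1.3.6.1.2.1.17.4.3.1.2.0.80.86.1.2.3 = INTEGER: 24
1.3.6.1.2.1.17.1.4.1.2.5 = INTEGER: 10005
1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10007
1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 10024
1.3.6.1.2.1.2.2.1.2.10005 = STRING: GigabitEthernet1/0/5
1.3.6.1.2.1.2.2.1.2.10007 = STRING: GigabitEthernet1/0/7
1.3.6.1.2.1.2.2.1.2.10024 = STRING: GigabitEthernet1/0/24
"""

# Second poll, constructed by moving the first MAC from bridge port 5 to 24.
SAMPLE_WALK_LATER = SAMPLE_WALK.replace("0.30.140.1.2.3 = INTEGER: 5",
                                        "0.30.140.1.2.3 = INTEGER: 24")


@dataclass
class Location:
    switch: str
    port: str
    first_seen: str
    last_seen: str


def parse_walk(text):
    """Turn 'OID = TYPE: value' lines into a dict of OID -> value string."""
    rows = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        oid, rest = line.split(" = ", 1)
        _snmp_type, value = rest.split(": ", 1)
        rows[oid.strip()] = value.strip()
    return rows


def mac_from_oid_suffix(suffix):
    """dot1dTpFdbPort is indexed by the MAC written as six decimal octets."""
    return ":".join(f"{int(octet):02x}" for octet in suffix.split("."))


def build_topology(walk_text, seen_at):
    """One poll: map every learned MAC to switch name and interface name."""
    rows = parse_walk(walk_text)
    switch = rows.get(SYS_NAME, "unknown")
    port_to_ifindex = {k[len(PORT_IFINDEX):]: v for k, v in rows.items()
                       if k.startswith(PORT_IFINDEX)}
    ifindex_to_name = {k[len(IF_DESCR):]: v for k, v in rows.items()
                       if k.startswith(IF_DESCR)}
    model = {}
    for oid, bridge_port in rows.items():
        if not oid.startswith(FDB_PORT):
            continue
        mac = mac_from_oid_suffix(oid[len(FDB_PORT):])
        ifindex = port_to_ifindex.get(bridge_port)
        name = ifindex_to_name.get(ifindex, f"bridge-port-{bridge_port}")
        model[mac] = Location(switch, name, seen_at, seen_at)
    return model


def update_model(model, fresh):
    """Merge a new poll into the running model: keep first_seen, refresh
    last_seen, and report endpoints whose switchport changed."""
    moves = []
    for mac, loc in fresh.items():
        old = model.get(mac)
        if old is not None and (old.switch, old.port) != (loc.switch, loc.port):
            moves.append((mac, f"{old.switch}:{old.port}", f"{loc.switch}:{loc.port}"))
        first_seen = old.first_seen if old else loc.first_seen
        model[mac] = Location(loc.switch, loc.port, first_seen, loc.last_seen)
    return moves


def demo():
    """Two polls an hour apart; returns the model and the detected moves."""
    model = build_topology(SAMPLE_WALK, "2007-11-09T08:00:00")
    later = build_topology(SAMPLE_WALK_LATER, "2007-11-09T09:00:00")
    moves = update_model(model, later)
    return model, moves


if __name__ == "__main__":
    model, moves = demo()
    for mac, loc in sorted(model.items()):
        print(mac, loc)
    print("moves:", moves)
```

The move report is what gives Behavior Monitoring something to react to: a MAC that was learned on one access port and suddenly appears on another is exactly the case a network operator wants to be told about, and the first-seen value is what the NAC Manager link in Figure 1 surfaces as "when it first came onto the network".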

Profiles Uncovered:

As of version 2.1.7, NAC Profiler comes with 38 default profiles out of the box. This includes many of the major device types in enterprise networks today.

Figure 2 – Default Profiles

In some cases it will be necessary to create custom profiles in order to profile an organization’s specific devices. For this, NAC Profiler offers different types of rules that match the behaviors specific to the devices in question. The following are the rule types you can configure in Cisco NAC Profiler:

- MAC Address – Beacon maintains a list of all OUI values for MAC address vendor assignments. MAC Vendor rules allow an endpoint’s MAC address to be used as a criterion for classification into a Profile.

- IP Address – Beacon can use the host address of an endpoint as a criterion for classification into a Profile, matching host IP addresses within a designated range.

- Traffic – analysis of traffic information at layers 3-4, based on information gathered by either the NetWatch collector module (traffic analysis) or the NetRelay collector module (NetFlow data exported from a NetFlow-capable device).

- TCP Open Port – layer 4 port information gathered either passively, by observing SYN-ACK responses, or via the active profiling capabilities of NetInquiry.

- Application – analysis of application-layer behavior, including DHCP, server banners, DNS names, user agents, etc.

- Advanced – used to build complex expressions with AND, OR and NOT, or to aggregate the logic of multiple rules into a single rule.
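The following added example (my own code, not Cisco’s or Great Bay’s) shows how these rule types combine into a profile and how re-running the classification after new observations implements the Behavior Monitoring case described earlier, where a host reusing a printer’s MAC address drops out of the Device Filter list. The OUI table, the profile definitions, the port numbers, the DHCP class string and the endpoint records are all constructed for the example; the NAC Manager Device Filter list is represented by a plain dictionary standing in for the API call.

```python
"""Profile rules and behavior re-evaluation.

Added example for this post; not Cisco's or Great Bay's code. An endpoint is
classified into a Profile when its observed attributes satisfy the profile's
rule (MAC vendor OUI, IP range, open TCP ports, application data such as the
DHCP class or HTTP user agent, and Advanced AND/OR/NOT combinations).
Re-evaluating after new observations is what removes a device whose behavior
no longer fits the profile that earned it a Device Filter entry.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed OUI table: a tiny stand-in for the full vendor list Beacon maintains.
OUI_VENDORS = {"00:1e:8c": "ExamplePrinterCo", "00:50:56": "ExampleVMCo"}


@dataclass
class Endpoint:
    """Attributes the collectors have observed for one endpoint."""
    mac: str
    ip: str
    open_ports: set = field(default_factory=set)     # SYN-ACK sniffing or NetInquiry
    dhcp_class: str = ""                             # DHCP vendor class seen by NetWatch
    user_agents: set = field(default_factory=set)    # HTTP user agents seen by NetWatch


# Each rule is a predicate over an Endpoint; the constructors mirror the rule
# types listed above (Traffic rules would be built the same way over flow data).
def mac_vendor(vendor):
    return lambda e: OUI_VENDORS.get(e.mac.lower()[:8]) == vendor


def ip_range(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda e: ipaddress.ip_address(e.ip) in net


def tcp_open_port(port):
    return lambda e: port in e.open_ports


def application(field_name, substring):
    """Case-insensitive substring match on a string or set-valued attribute."""
    def rule(e):
        value = getattr(e, field_name)
        values = value if isinstance(value, set) else {value}
        return any(substring.lower() in v.lower() for v in values)
    return rule


def all_of(*rules):      # Advanced: AND
    return lambda e: all(r(e) for r in rules)


def any_of(*rules):      # Advanced: OR
    return lambda e: any(r(e) for r in rules)


def not_(rule):          # Advanced: NOT
    return lambda e: not rule(e)


# Constructed profiles: (name, rule, goes_on_device_filter). The printer profile
# deliberately excludes behaviors a printer never shows (SMB/RDP listeners, a
# browser user agent), so a host reusing the printer's MAC falls out of it.
PROFILES = [
    ("Printer", all_of(
        mac_vendor("ExamplePrinterCo"),
        ip_range("10.1.20.0/24"),
        any_of(tcp_open_port(9100), application("dhcp_class", "printer")),
        not_(any_of(tcp_open_port(445), tcp_open_port(3389),
                    application("user_agents", "Mozilla"))),
    ), True),
    ("Virtual machine", mac_vendor("ExampleVMCo"), False),
]


def classify(endpoint):
    """Return the first profile whose rule the endpoint satisfies, else None."""
    for name, rule, _exempt in PROFILES:
        if rule(endpoint):
            return name
    return None


def reconcile(endpoint, device_filter):
    """Behavior Monitoring step: re-classify and sync the Device Filter list.

    Returns 'added', 'removed' or 'unchanged' for the endpoint's filter entry.
    """
    profile = classify(endpoint)
    exempt = any(name == profile and ex for name, _rule, ex in PROFILES)
    if exempt and endpoint.mac not in device_filter:
        device_filter[endpoint.mac] = profile
        return "added"
    if not exempt and endpoint.mac in device_filter:
        del device_filter[endpoint.mac]   # back through the standard NAC process
        return "removed"
    return "unchanged"


def printer_spoof_scenario():
    """The real printer is profiled and exempted; a host later seen with the
    same MAC shows non-printer behavior and loses the exemption."""
    device_filter = {}
    printer = Endpoint("00:1E:8C:01:02:03", "10.1.20.15",
                       open_ports={80, 9100}, dhcp_class="ExamplePrinterCo Printer")
    first = reconcile(printer, device_filter)
    spoofer = Endpoint("00:1E:8C:01:02:03", "10.1.20.15",
                       open_ports={445, 3389}, user_agents={"Mozilla/5.0 (constructed)"})
    second = reconcile(spoofer, device_filter)
    return first, second, dict(device_filter)


if __name__ == "__main__":
    print(printer_spoof_scenario())   # ('added', 'removed', {})
```

Two design points carry over to the real product: the negative clauses are what make the profile behavioral rather than a static allow-list, and the exemption is re-derived on every reconciliation rather than granted once, so the Device Filter entry lives only as long as the observed behavior keeps matching the profile.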


Cisco NAC Profiler is an amazing add-on to the Cisco NAC Appliance portfolio and shows value for any organization that currently has or plans to have Cisco NAC Appliance. Please stay tuned for more best practices, advanced configuration and troubleshooting of Cisco NAC Profiler.

Sources: NAC Profiler ChalkTalk; Beacon Configuration Guide v2.1.8