Question
An architect receives a functional requirement for a NAC system from a customer security policy stating that if a corporate Wi-Fi device does not meet current AV definitions, then it cannot access the corporate network until the definitions are updated. Which component should be built into the NAC design?
A. posture assessment with remediation VLAN
B. quarantine SGTs
C. dACLs with SGTs
D. quarantine VLAN
Answer
A. posture assessment with remediation VLAN
Explanation
The correct answer is A. posture assessment with remediation VLAN.
In the given scenario, the customer security policy requires that corporate Wi-Fi devices must have up-to-date antivirus (AV) definitions to access the corporate network. To enforce this policy, a Network Access Control (NAC) system needs to be implemented. The purpose of the NAC system is to authenticate and authorize devices connecting to the network, ensuring compliance with security policies before granting access.
Posture assessment is a key component of a NAC system. It involves evaluating the security posture of a connecting device by checking various attributes such as antivirus status, operating system patches, firewall configuration, etc. In this case, the posture assessment will specifically check if the corporate Wi-Fi device has the latest AV definitions.
If the posture assessment determines that the AV definitions on a device are not up to date, the device should not be allowed direct access to the corporate network. Instead, the device should be placed in a remediation VLAN: a restricted network segment from which the device can reach only the resources it needs to update its AV definitions (for example, the AV update server). Segregating the device in the remediation VLAN prevents a potentially compromised endpoint from reaching the corporate network while still giving it the opportunity to bring its AV definitions current.
Therefore, option A, posture assessment with remediation VLAN, aligns with the requirement of the customer security policy. It ensures that if a corporate Wi-Fi device does not meet current AV definitions, it will be placed in a separate VLAN until the definitions are updated. Once the device complies with the policy, it can be granted access to the corporate network.
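The following is an added illustration of the decision logic described above, not code from the page or from any NAC product: a posture check that compares the reported AV definition date against a freshness threshold and maps the result to the VLAN the NAC would return in its authorization. The VLAN IDs, the three-day threshold, and the remediation allow-list are all assumed values constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed values for this example; a real deployment sets these in the NAC policy.
CORPORATE_VLAN = 10
REMEDIATION_VLAN = 999
MAX_DEFINITION_AGE = timedelta(days=3)          # how stale AV definitions may be
REMEDIATION_ALLOWED_HOSTS = {"av-updates.example.internal", "dns.example.internal"}


@dataclass
class Endpoint:
    mac: str
    av_definition_date: Optional[date]            # None: the agent reported nothing


def posture_status(ep: Endpoint, today: date) -> str:
    """Classify the endpoint as 'compliant', 'noncompliant' or 'unknown'.

    An endpoint that cannot report a definition date is treated as unknown and is
    handled like a non-compliant one, so a missing agent does not bypass the check.
    """
    if ep.av_definition_date is None:
        return "unknown"
    if today - ep.av_definition_date <= MAX_DEFINITION_AGE:
        return "compliant"
    return "noncompliant"


def authorize(ep: Endpoint, today: date) -> dict:
    """Return the authorization result the NAC would push for this endpoint.

    Only a compliant endpoint is placed on the corporate VLAN; anything else lands
    in the remediation VLAN until a later posture reassessment succeeds.
    """
    status = posture_status(ep, today)
    vlan = CORPORATE_VLAN if status == "compliant" else REMEDIATION_VLAN
    return {"mac": ep.mac, "posture": status, "vlan": vlan}


def remediation_vlan_permits(dst_host: str) -> bool:
    """Model the restricted reachability of the remediation VLAN (allow-list only)."""
    return dst_host in REMEDIATION_ALLOWED_HOSTS


def reassess_after_update(ep: Endpoint, today: date) -> dict:
    """Simulate the endpoint updating its definitions, then re-running posture."""
    ep.av_definition_date = today
    return authorize(ep, today)
```

Calling `authorize()` before and `reassess_after_update()` after the update shows the same endpoint moving from the remediation VLAN to the corporate VLAN once it complies.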
Options B, C, and D are not the most suitable choices for this scenario:
- Option B, quarantine SGTs (Security Group Tags), is not the best approach. SGTs are a Cisco TrustSec construct most commonly associated with Software-Defined Access (SD-Access) architectures, where they are used for segmentation and policy enforcement. Tagging a device does not by itself evaluate whether its AV definitions are current, so it does not address the requirement on its own.
- Option C, dACLs (Downloadable Access Control Lists) with SGTs, is another approach used for enforcing segmentation and policies in SD-Access environments. While it provides granular control, it does not directly address the requirement of ensuring AV definitions are up to date before network access is granted.
- Option D, quarantine VLAN, is a restricted network segment similar to the remediation VLAN in option A. On its own, however, it does not include the posture check that decides whether a device's AV definitions are current and therefore when the device should be moved out of the VLAN, which is the specific requirement in the question.
In summary, the most appropriate component to include in the NAC design to enforce the customer security policy is A. posture assessment with remediation VLAN. This ensures that corporate Wi-Fi devices without current AV definitions are placed in a separate VLAN until they update their definitions before accessing the corporate network.
Cisco Certified Design Expert CCDE v3.0 400-007 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Cisco Certified Design Expert CCDE v3.0 400-007 exam and earn Cisco Certified Design Expert CCDE v3.0 400-007 certification.