As Cisco launched phase two of its Network Access Control strategy last month, Jayshree Ullal, the company's senior VP for switching, data centres and security - and the woman in overall charge of NAC - talked about how Cisco sees the future of network security.

First off, she says that security can no longer be regarded as a topic in its own right. Instead, it has to become part of everything else.

"Security is too important to silo," she says. "It needs to be integrated with applications and with the network - 10 to 40 percent of products deployed now have integrated security.

"Also today we have desktop security and network security operating in their own worlds, so wouldn't it be nice to have some synergy and connect them up? You can't think of security as a stand-alone function any more - it's integrated. And it's not just one function, either."

Port-level control
She offers the example of network switches, saying that they need port-level capabilities so you can shut off a rogue wireless access point, say. (Some rival manufacturers have had these sorts of features for a good while now - Ed.)

On the desktop front, Ullal highlights the ability to use software agents or specialist vulnerability scanning software from companies such as Qualys to verify that client systems are clean and up to date.

"We have developed the most complex form of NAC - a Cisco trusted agent (CTA) that resides on the end system and gives you the information to act on and set policies," she explains. "Based on that, you can allow the system access, block it, or quarantine it for remediation. Where not every host or client can be CTA-enabled, we have Qualys.

"This is an industry movement; we are not just trying to do this as Cisco. It's about connecting together the desktop and network security." To demonstrate the breadth of support for these aims, she adds that NAC is embedded in Intel's AMT, and that Microsoft too is working on NAC-type functionality.
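The admission decision Ullal describes (posture from an on-host agent where one exists, a network-side scan where it does not, then allow, quarantine or block) can be sketched as a small policy engine. This is an added illustration, not Cisco's or Qualys's code: the posture fields, the policy thresholds and the rule that an agentless host with no scan result is blocked are all assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed posture report, as an on-host agent might send it (fields are assumed).
@dataclass
class AgentPosture:
    av_running: bool
    av_signature_age_days: int
    os_patch_level: int          # assumed: a monotonically increasing patch baseline number

# Constructed result of a network-side vulnerability scan for hosts without an agent.
@dataclass
class ScanResult:
    open_ports: list
    critical_findings: int

@dataclass
class Policy:
    max_signature_age_days: int = 7
    min_patch_level: int = 42
    forbidden_ports: tuple = (23, 445)   # hypothetical baseline, not any vendor default

def evaluate(policy: Policy, agent: Optional[AgentPosture],
             scan: Optional[ScanResult]) -> tuple:
    """Return (decision, reasons): 'allow', 'quarantine' (remediable) or 'block'."""
    reasons = []
    if agent is not None:
        # Agent present: failures are remediable, so the host goes to a quarantine VLAN.
        if not agent.av_running:
            reasons.append("antivirus not running")
        elif agent.av_signature_age_days > policy.max_signature_age_days:
            reasons.append("antivirus signatures stale")
        if agent.os_patch_level < policy.min_patch_level:
            reasons.append("OS patch level below baseline")
        return ("allow" if not reasons else "quarantine", reasons)
    if scan is not None:
        # Agentless host: a scanner can only observe, not remediate, so a failure blocks.
        bad = sorted(set(scan.open_ports) & set(policy.forbidden_ports))
        if bad:
            reasons.append(f"forbidden services listening: {bad}")
        if scan.critical_findings:
            reasons.append(f"{scan.critical_findings} critical finding(s)")
        return ("allow" if not reasons else "block", reasons)
    # Assumed fail-closed rule: no posture information at all means no access.
    return ("block", ["no posture information available"])
```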

She warns too that none of these approaches to secure networking can be applied in isolation, hence the need for broad co-operation. Plus of course the problem is getting more complex as we rely more and more on the Internet.

The web makes it worse
"It's difficult now to just solve individual problems," she says. "The real problem is that network attacks are more malicious, but they are also more application-embedded - and that's getting worse as more applications are web-enabled. Every port-80 application has its port wide open, so deeper inspection becomes critical and we need to look much more at deep classification techniques, such as payload analysis."

This in turn means an ever-growing need for technology which can automate the necessary expert analysis and policy enforcement - the self-defending network, as Cisco calls it. That's technology which is rather different from what's in use today, because it will need to do more things in more places on the network.

"Today you would probably look at layers 1-4 - MAC, IP, TCP, but layers 5-7 are not secured. So we need a sophisticated payload engine with the ability to inspect packets and enforce policy for application feature usage and user controls," Ullal notes.

"Security is no longer being thought of as point technology. We have to move from providing security at the perimeter to solving the problem at every layer of the IT infrastructure. That means moving to trusted domains, and towards standard ways to secure applications - what you do at the perimeter is very different from what you'd do in the core."