Cisco's new approach to security will become a reality this week with the release of a range of routers featuring its Network Admission Control (NAC) technology. At the same time, it will lay out its road map for adding NAC capabilities to its LAN switches.
Later this year, Cisco will put NAC to standards bodies and other vendors in the hope of creating automated network security on all desktops, preventing them from spreading harmful traffic.
But with the most critical phase of NAC - LAN switch support - and standardisation plans not due out until early 2005, some observers say Cisco is not meeting users' immediate security needs. Enterprise users say a standards-based technology is needed sooner for securing LANs and WANs.
First announced last November, NAC is supposed to make every piece of Cisco gear a security enforcement point, where client machines must meet security and policy criteria to access a router or switch port (read more about it in our feature on NAC).
Cisco partnered with Trend Micro, Symantec and Network Associates to make client-side anti-virus software work with Cisco's Trust Agent software, a PC-based agent that communicates client security status to Cisco network equipment and security servers. IBM has also signed up. In November 2003, Cisco aimed to deliver router support for NAC by the middle of this year, but future support on other equipment was uncertain. Now Cisco says its entire Catalyst switch line and VPN 3000 series products will be NAC-capable by the first quarter of next year.
NAC is being tested at United Parcel Services (UPS) as a potential security measure. "NAC could be another level of defence, but it can't be the only defence," says Ed Gotthelf, director of network architecture. Gotthelf says NAC "is a step in the right direction," but he says he would like to see a more industry-wide approach to LAN/WAN security. "What the industry should do is rally around one solution that's fully interoperable," he says. UPS has an installed base of Cisco routers and switches, along with equipment from other vendors. "One solution is needed that works with all software platforms and all networking platforms, so it can run on your Nortel and Cisco and other products," he says.
Part of Cisco's Phase II plan for NAC will include proposing NAC's authentication technology as a standard to the IETF this August. Additional plans include opening the Trust Agent API to any vendor interested in writing software that works with NAC, on the client or server side. This would let vendors in the client software, server software and network equipment areas create products that work in a NAC infrastructure.
Cisco would not give a definitive time frame as to when switches and routers from competing vendors could plug into NAC via standards-based technology.
Another NAC feature, due next year, is a client audit technology for digging into non-PC machines - such as printers, IP phones, cameras and network appliances - trying to access a network. Also, NAC now works only on Windows 2000, NT and XP clients. Support is planned for Linux and Solaris machines by the fourth quarter of this year, Cisco says. The company is working with a few network auditing vendors for this part of NAC.
Missing from Phase II of NAC is a plan for wireless. Cisco's Rice says Layer 2 NAC support for Cisco Aironet gear will be introduced in a later phase sometime next year. In the meantime, users can implement Layer 3 NAC configurations by putting NAC-enabled Cisco routers behind Aironet access points to enforce anti-virus and security polices.
NAC works by having Trust Agents - available for free from Cisco - check the status of virus software on client machines when a PC or laptop attempts to access a Cisco-based network. The NAC authentication process begins with a message based on Extensible Authentication Protocol (EAP), running over UDP. Access control lists on routers are set to block all traffic except EAP over UDP. The routers then send the connection attempt to a back-end Cisco Access Control Server, which verifies end-user credentials and forwards network policies, to be applied to the client via the router.
Depending on the configuration, clients can be permitted access, blocked or quarantined, in which case they would have limited network access.
Some observers say Cisco's NAC blueprint will be a good additional security layer in a Cisco-based infrastructure. But the capabilities offered now are not unique, and the timeframe for release might be too drawn out for some customers who face new security threats on a weekly or daily basis. "Some enterprises are suffering badly right now from infections of mobile laptops," says Mark Bouchard, an analyst with Meta Group.
He says individual and joint product offerings from vendors such as Network Associates, Check Point, Nortel and Sygate already deliver what Cisco is making available this week. Also, the road map for including LAN switch support in NAC, "is not a lot different than what Enterasys talks about right now," says Zeus Kerravala, an analyst with The Yankee Group. "What Cisco has going for it is the lion's share of the enterprise switch market," Kerravala said.