The recent and long-awaited first pass at a display of interoperability between network access control components from Cisco and Microsoft only underscores the complexity of the task that remains and the need to involve more vendors, experts say.
The good news, they add, is that the cooperation building between these industry giants should benefit most those organisations that have built their infrastructures around Microsoft and Cisco products.
"The interoperability is important based on who the players are, but it is hard to get excited about two vendors patching together their proprietary hardware and software," says Andrew Braunberg, senior analyst for information security at Current Analysis. "We are no closer to open standards for network access control."
Openness is being pushed by the Trusted Network Connect (TNC) group, which is working on a set of open NAC specifications within the Trusted Computing Group (TCG) industry association, and by the IETF's Network Endpoint Assessment (NEA) working group. Microsoft is a member of both groups and says it plans to focus more on those efforts after completing its initial work with Cisco. Cisco is not a member of TCG, but does work within the NEA.
At IDG's Security Standard conference last week, the companies put on a demonstration involving integrating Cisco's Network Admission Control (C-NAC) and Microsoft's Network Access Protection (NAP) frameworks. They also released a white paper and announced plans for a private beta later this year.
"They have some form of interoperability, but you still end up with a proprietary architecture that is tied down to their business interests," says Steve Hanna, co-chair of the TNC group, which in May released the final specifications for building an open standards-based NAC system. Hanna says the goals are adoption, greater functionality and compatibility, and compliance testing.
Observers say interoperability gains by Cisco and Microsoft are only small steps forward, because they centre on consolidation around agent protocols used to provide data on the health of network endpoints, not around the frameworks themselves.
In fact, the two vendors specifically pointed out that customers would have to deploy the Cisco Secure Access Control Server (ACS) and the Microsoft Network Policy Server (NPS) for the initial interoperability release.
"It's always 'add all these things together and it will be interoperable,' which is really just them saying 'you must install two separate policy servers to do the job that one was able to handle previously,'" says Joel Snyder, a senior partner with consulting firm Opus One and a member of the Network World Lab Alliance. "It just complicates things at a time when they could have gotten simpler," he adds.
Snyder says one good outcome may be simplicity on the client side, with Microsoft taking responsibility for the client-side agent and APIs.
The two vendors say a single agent, which will ship with the Vista client operating system and Longhorn Server, will operate across the Cisco and Microsoft platforms and be used by third parties to tie their systems into the architecture. Cisco will continue to develop its Trust Agent to support non-Microsoft platforms, and Microsoft will make available APIs so third parties can develop cross-platform agents.
"We still think this admission control is in its early days," says Mark Ashida, general manager of Windows Networking at Microsoft. He says Microsoft plans to offer licensing on all the protocols in the NAP architecture. "We are working on a licensing program to recreate the NAP implementation."
Ashida bristles at the notion that Microsoft's NAP is a closed architecture, citing standard protocols that it takes advantage of such as RADIUS.
"I feel strongly that among the many things I have seen at Microsoft, this is about the most open," he says. "And through licensing we want to make it more open, but it is not open source."
Cisco officials concur that the Microsoft relationship is a work in progress, but say the fact they have licensed each other's protocols will provide flexibility in meeting customer demands down the road.
"This means if customers come to Cisco and say, we want your RADIUS server to support these NAP features, then we can build that in," says Bob Gleichauf, vice president for the security technology group at Cisco. He says future development will head towards policy. "You are going to see a lot of companies innovating around policy controls, and over time you will see a richness of development in that area."
While that may be the future, observers say what customers have now from Cisco and Microsoft is white-paper-thin until Microsoft ships Vista and Longhorn.
"We are at a point where we have some interesting ideas on paper," says Rob Ayoub, industry analyst for network security with Frost & Sullivan. "We are still a long way from productising all this."
And he says those products will complicate the picture further, because NAC contains a lot of pieces that network administrators have never seen before. "If you are completely a Cisco and Microsoft shop, this might work OK, but if you have other pieces, that is where the real challenges will come in."
Separately and within their own architectures, however, Cisco, Microsoft and the TNC group are making progress in solidifying their NAC platforms.
Next week, Interop Labs will hold the second of its two NAC tests on the three architectures at the fall Interop conference in New York. In May's first round of testing, all three platforms showed interoperability with third-party products designed specifically for their architectures.
For the next round, Cisco is coming in with a partner community of nearly 100 and nearly 1,000 customer deployments, and Microsoft is bringing solid partner support despite delays in Vista and Longhorn. TNC for its part has realised strong vendor uptake across its range of NAC specifications.