Cisco Systems this week will announce availability of its Network Admission Control security technology for Cisco routers, and lay out a road map for adding NAC capabilities to its lines of LAN switches.
These technologies coupled with the fact that later this year the company plans to offer NAC to standards bodies and other vendors could lead to automated network security on every desktop, preventing PCs from spreading harmful traffic.
But with the most critical phase of NAC -- LAN switch support -- and standardization plans not due out unitl early 2005, some observers say Cisco is not meeting users' immediate security needs. Also, enterprise users say a standards-based technology is needed sooner for securing LANs and WANs.
First announced last November, NAC is supposed to make every piece of Cisco gear a security enforcement point, where client machines must meet security and policy criteria to access a router or switch port. Cisco partnered with Trend Micro, Symantec and Network Associates to make client-side anti-virus software work with Cisco's Trust Agent software, a PC-based agent that communicates client security status to Cisco network equipment and security servers. In November 2003, Cisco aimed to deliver router support for NAC by the middle of this year, but future support on other equipment was uncertain. Now Cisco says its entire Catalyst switch line and VPN 3000 series products will be NAC-capable by the first quarter of next year.
NAC is being tested at United Parcel Services (UPS) as a potential security measure.
"(NAC) could be another level of defence, but it can't be the only defence," says Ed Gotthelf, director of network architecture for UPS in Atlanta. Gotthelf says NAC "is a step in the right direction," but he says he would like to see a more industry-wide approach to LAN/WAN security.
"What the industry should do is rally around one solution that's fully interoperable," he says. UPS has an installed base of Cisco routers and switches, along with equipment from other vendors. "One solution (is needed) that works with all software platforms and all networking platforms, so it can run on your Nortel and Cisco and other products," he says.
Cisco is working on this, according to Russell Rice, product marketing manager at the company.
"When we first announced (NAC), we said upfront that a goal was to provide an open framework on how network security gets done," Rice says.
Part of Cisco's Phase II plan for NAC will include proposing NAC's authentication technology as a standard to the IETF this August. Additional plans include opening the Trust Agent API to any vendor interested in writing software that works with NAC, on the client or server side. This would let vendors in the client software, server software and network equipment areas create products that work in a NAC infrastructure.
Cisco would not give a definitive time frame as to when switches and routers from competing vendors could plug into NAC via standards-based technology.
Another NAC feature, due next year, is a client audit technology for digging into non-PC machines -- such as printers, IP phones, cameras and network appliances -- trying to access a network. Also, NAC now works only on Windows 2000, NT and XP clients. Support is planned for Linux and Solaris machines by the fourth quarter of this year, Cisco says. The company is working with a few network auditing vendors for this part of NAC.
Missing from Phase II of NAC is a plan for wireless. Cisco's Rice says Layer 2 NAC support for Cisco Aironet gear will be introduced in a later phase sometime next year. In the meantime, users can implement Layer 3 NAC configurations by putting NAC-enabled Cisco routers behind Aironet access points to enforce anti-virus and security polices.
NAC works by having Trust Agents -- available for free from Cisco -- check the status of virus software on client machines when a PC or laptop attempts to access a Cisco-based network. The NAC authentication process begins with a message based on Extensible Authentication Protocol (EAP), running over User Datagram Protocol (UDP). Access control lists (ACL) on routers are set to block all traffic except EAP over UDP. The routers then send the connection attempt to a back-end Cisco Access Control Server, which verifies end-user credentials and forwards network policies, to be applied to the client via the router.
Depending on the configuration, clients can be permitted access, blocked or quarantined, in which case they would have limited network access. (This EAP/UPD-based scheme will be proposed as an RFC to the IETF.) Cisco plans to move this authentication scheme to EAP over 802.1X when it adds NAC support for Layer 2 switches next year.
Some observers say Cisco's NAC blueprint will be a good additional security layer in a Cisco-based infrastructure. But the capabilities offered now are not unique, and the timeframe for release might be too drawn out for some customers who face new security threats on a weekly or daily basis.
"Some enterprises are suffering badly right now from infections of mobile laptops," says Mark Bouchard, an analyst with Meta Group. He says individual and joint product offerings from vendors such as Network Associates, Check Point, Nortel and Sygate already deliver what Cisco is making available next week.
Also, the road map for including LAN switch support in NAC, "is not a lot different than what Enterasys talks about right now," says Zeus Kerravala, an analyst with The Yankee Group.
"What Cisco has going for it is the lion's share of the enterprise switch market," Kerravala says.