Cisco continues network admissions control roll-out

By Simon Duddy. Published August 1, 2004

Cisco has extended the network admission control (NAC) solutions on its midrange routers. The NAC programme, which was first announced in November 2003, now supports Cisco 830 series and 7200 series routers as well as Cisco network security management and access products. NAC is a network-resident security technology designed to ensure that endpoints (servers, notebooks, PCs) comply with corporate security policies. When new machines are added to the network, they must satisfy corporate policy before obtaining local area network (LAN) access.

A key component of NAC technology is Cisco Trust Agent software, which is installed on desktop and server endpoints and collects security state information from multiple third-party security software clients such as antivirus software. The Cisco Trust Agent software communicates this information to the Cisco network, where access decisions are made and enforced. Cisco Trust Agent software is available pre-integrated with Cisco Security Agent. Cisco Systems has defined the architecture and specifications of the NAC programme in collaboration with antivirus software companies including Network Associates, Symantec and Trend Micro, as well as leading network and system management vendors such as IBM.

As well as strengthening the network, the solution is designed to make life easier for network managers. “They [network managers] know corporate policy will be respected,” says Tarek Houballah, network security specialist, Cisco. “It will make sure that all users have the latest antivirus signatures and Windows patches loaded on their machines,” he adds. Once a device has been checked, the corporate policy dictates how the network should react. For example, if a VIP logs on with a notebook whose antivirus software is not updated, the system can still allow access but alert them to an upgrade. “If the user is a visitor, you might not want to take a chance so you can direct them to a quarantined virtual LAN,” explains Houballah.

Cisco plans to extend NAC support to additional Cisco platforms, including its remote access virtual private network (VPN) solutions. “VPN and NAC do different jobs but can work well together,” says Houballah. “VPN allows you to encrypt information but it has limitations. If there is a virus in the traffic it will also encrypt this and send it. A good example of how NAC can work with VPN is in commercial websites. A customer with a PC using NAC will provide extra protection for the website when the customer shops online,” he explains.

Microsoft is also developing perimeter security technology. The software giant recently outlined plans to build Network Access Protection (NAP) into Windows Server. Like Cisco’s NAC solution, this checks the health of PCs as they enter a network. NAP will appear as part of Windows Server 2003 R2, which is due out in 2005. The company has signed up 25 partners to support NAP, including Juniper Networks, Symantec, McAfee, HP and Computer Associates.

Not all commentators have been impressed by the efforts of Cisco and Microsoft, however. “This [Cisco NAC] is not that significant from an end user perspective. Numerous solutions from vendors such as Sygate and Checkpoint already exist for checking the security status of a VPN client and most go further in functionality,” says Peter Firstbrook, programme director, Meta Group. “What is significant is that it will eventually lead to layer 2 (workgroup switch) NAC,” he adds.

Cisco and Microsoft have started on the journey to a self-defending network, but it is still early days for the technology. Until the workgroup switch becomes the first line of defence against intrusion, the system will still be open to attacks from viruses, although it will be able to contain them more effectively than before. “We would like to see Microsoft and Cisco work together more on this kind of initiative,” says Firstbrook.
