Cisco extends NAC product lineup

Cisco adds new tools that promise to push network authentication to a broader array of devices and office settings

Cisco announced a pair of additions to its Network Admission Control (NAC) product line on Monday, launching new tools that promise to extend the authentication system to a greater variety of devices and office environments.

The introductions were timed to coincide with the start of the Security Standard Conference in Chicago, which is owned and operated by InfoWorld's parent company, IDG. They come hot on the heels of Cisco's late-August announcement that Intel will arm computers using its vPro and Centrino microprocessors with the ability to communicate their security posture to corporate networks, even before they have been booted up.  

Cisco unveiled its Network Module for NAC, which will give customers the ability to implant the authentication system into the vendor's Integrated Services Router (ISR) hardware, along with its NAC Profiler, which is meant to allow users to monitor a greater number of non-PC devices using the security tools.

Executives with the San Jose, Calif.-based company said the latest products evidence the company's ongoing work to mature NAC aggressively.

"This is an announcement where you see things continue to develop, not only in terms of the types of things that NAC technologies can do, as was the case with the chipset interaction, but also in terms of addressing problems that everyone has, such as getting posture assessments for devices that don't run on Windows," said Brendan O'Connell, senior product manager for Cisco's Security Technology Group.

"With the ISR module, we're giving customers the option to push NAC into the branch-office setting, which is something else customers have been asking us for," O'Connell said. "It's all about increasing NAC's ease-of-use and operability."

While Cisco is widely credited with inventing NAC technology -- which is identified by other vendors by the more generic term "network access control," and is used to verify a device's identity and security standing as it attempts to connect to a network -- some industry watchers have criticized the manufacturer for not moving faster to introduce products such as its new releases.

While the Network Module expands the potential footprint of Cisco's NAC systems by driving the technology into its ISR hardware, which the company has been selling to customers for over three years, Profiler addresses one of the primary security concerns raised with the authentication systems, namely, their ability to identify and monitor IP-connected devices other than desktop and laptop computers.

Based on NAC's complexity, some companies have chosen to use branch offices or remote locations to test its impact and efficacy in the field before blending the tools into their central IT networks, Cisco officials said -- exactly the type of scenario the ISR module will seek to facilitate.

The ability to add NAC via a blade in the ISR devices will also appeal to small and medium-size businesses (SMBs), the networking giant contends, as will the ability to license the technology for office settings with 50 to 100 users -- the smallest deployment alternative for the tools the vendor has offered to date.

Cisco maintains that by offering NAC monitoring for IP-connected machines such as Voice-over-Internet-Protocol (VoIP) phones and networked printers, companies will no longer be forced to formulate complicated exceptions to test the devices.

In adding direct hooks for such equipment into NAC, Cisco claims it has also addressed the perceived security loophole created by the need to create such exemptions, which some have said made it easier for attackers to defeat the authentication systems by spoofing such devices.

"It's not just PCs that are connecting to the perimeter of a network where customers need to make these types of decisions, which has been sort of a hole for a while as it was cumbersome to do NAC securely for some of these other devices, and users didn't have much information at their fingertips when they could do it," O'Connell said. "In some customer deployments, over half of the devices on the network are IP phones today, so, Profiler is an important step forward in improving NAC's abilities to that end."

Ladi Adefala, security practice manager for World Wide Technology, a St. Louis-based systems integrator that both uses and re-sells Cisco's NAC products, said the new products should help expand the technology's uptake in both larger and smaller customers.

Many companies have been looking for ways to test NAC in smaller settings and then extend the tools to a wider set of users, making the Network Module product launch particularly important, he said. The Profiler will eliminate the need for IT shops and service providers like World Wide Technology to port NAC to phones and other devices, a time-consuming process, according to Adefala.

Cisco has been actively marketing two approaches to NAC -- using its appliances to provide local protection on networks and also utilizing its top-down network-wide "framework" strategy. This has caused some customers to spend a long time deciding which route to go down, the expert says. However, Adefala contends that more companies are jumping further into NAC as Cisco's products become more mature.

"There was some initial confusion with which way to go, but Cisco has been able to get most customers to begin considering it more closely, particularly by marketing the appliance as a one-stop shop for NAC," he said. "I think that will continue to be the case over the next year because of the type of announcements we're seeing here, and more integration with third-party products."

One industry analyst echoed those comments, saying Cisco is making "incremental improvements" with each NAC product release and likely growing its overall customer base for the tools.

Cisco's move to launch the NAC Profiler directly addresses a "perceived shortcoming" of the systems in allowing more devices to be tested, while the Network Module will encourage broader deployment among large multinationals and among smaller firms, said Phil Hochmuth, analyst with Boston-based Yankee Group.

"They're trying to fit in more places with both the switches and the framework. Obviously a lot more customers are using the [appliances] today because they are easier to deploy, but I think the framework will eventually appeal to some people," Hochmuth said. "They also have all these switches in place, and if they can harness that to sell NAC, that could be pretty powerful.

"NAC remains complicated and Cisco has been guilty of playing both sides a bit with the two different approaches, but they know that if they can get customers to adopt it today with the appliances, they eventually might go for the network-wide approach," the analyst said.