Cisco backtracks on open source promise

Product integration, not CTA, focus of NAC efforts

After promising to turn the client software for its CTA (Cisco Trust Agent) into an open-source application, Bob Gleichauf, CTO of Cisco's Security Technology Group, said that the company has not made up its mind yet about the future of the software.

"Where I misspoke was speaking in terms of CTA going open source as if that's a given, and that was incorrect. That was my mistake," Gleichauf told InfoWorld last week. "It has been part of a discussion of a number of different options available to us, but it's not a viable option at this time," he said.

A more circumspect Gleichauf said that in earlier comments he was just speculating that CTA might be turned into an open-source component. "Open source was one thing that's a way of dealing with various components as work toward an integrated solution," he noted.

He declined to discuss the pros and cons of going open source with the CTA client, a desktop software agent that is used to enforce security policies on machines that seek access to networks.

However, Gleichauf did say that he was concerned about the reaction of Cisco customers to comments he made to InfoWorld at the RSA Conference in early February, saying that Cisco would "open up" CTA within two months so it could devote development resources to other areas of NAC.

"We don't want partners and customers to think we're pursuing that. That was a mistake," he said. "Customers need to know how to prepare for any new initiative or technology or product. What I did a disservice to on everyone was stating something as a fact that wasn't a fact and that can affect planning, whether a funding decision or a build decision or a partner decision. "

As for the future of NAC, Gleichauf said that Cisco is looking for ways to tie Cisco's NAC appliance, formerly known as Cisco "Clean Access," with the company's NAC "framework," a larger NAC solution, which relies on Cisco routers and switches to do policy enforcement.

"Cisco's in the process of leveraging its best of breed product, which is Cisco Clean Access, and the framework product and migrating toward an integrated solution that gives customers a lot of choices. As we do that, we're going to be continually evaluating where the focus is and how we manage the investment in terms of the engineering," Gleichauf said.

Cisco's divided appliance and framework approaches are the most pressing issue for the company, not the CTA client, said Russell Rice, director of marketing in the Security Technology Unit.

"What we want to deliver to the market is the ability to have those be tied together technologically so that they use common components. That's what we don't have in the marketplace, and that's what our customers are asking us to achieve," Rice said.

Cisco is wrestling with the uncomfortable fact that adoption of the NAC framework lags far behind use of the NAC appliance, Rice said.

"We have 1,500 clients who we talk about using NAC. The majority of those have been going down the appliance route. A lot of people look at framework and say, 'There are a lot of features that are valuable, but how do you put these together?'" Rice said.

In the end, Cisco may end up making the CTA client open source as a way to differentiate itself from Microsoft's NAP technology, which is integrated in the Vista operating system, said Zeus Kerravala, an analyst at Yankee.

"Cisco's wondering 'how do we differentiate our own client?' Allowing application developers to experiment with it is one way, and the best way to do that is open source," Kerravala said.

The stakes for Cisco are low as only a handful of its customers have committed to the CTA, Kerravala said.

Adam Hansen, security manager at the law firm Sonnenschein, Nath & Rosenthal, LLP, said that, in the scheme of things, open sourcing the CTA client -- or not -- was of little importance. However, Cisco might derive considerable value from opening other elements of the NAC framework and making it easier for third-party vendors to plug into it.

"You don't get value from NAC. You get value from systems that interoperate with NAC," Hansen said.

Thus far, however, Cisco's integration with other products -- especially those of competitors in the networking infrastructure space -- is almost nonexistent, while the cost of implementing the NAC framework end to end is prohibitive, Hansen said.

Cisco's idea of enforcing policy at the infrastructure level may be superior to other solutions, such as Microsoft's NAP. However, NAP could end up winning out at companies by virtue of being less expensive and easier to deploy, Hansen said.

"Cisco's great at IOS and turning ports on an off, but they're late to the security game, and Microsoft may end up dominating it," he said.

Gleichauf acknowledged that customers want choice and that moving to an open-standards model could stimulate that, but he said that Cisco will have to work towards it incrementally.

"What we've discovered even using a lot of standards-based protocols is that you have to sort out a lot of moving parts, and that's not where you start. That may be where Cisco ends up with this technology, but in order to get something in customer hands that works, you've got to start picking pieces that you control and can shape and working towards an enterprise product," Gleichauf said.
