Cisco, Microsoft NAC plans leave many questions

Companies still face third-party support, timeline issues

Building a bridge is rarely a quiet affair. Just ask John Augustus Roebling and his son, Washington, whose Brooklyn Bridge took 13 years to complete and cost 27 people their lives.

Nevertheless, for the past two years, IT titans Cisco and Microsoft have been engaged in a monumental and more-or-less silent bridge-building effort, as teams of engineers at both companies have worked to join two very different technologies that do the same thing: screen computers for security threats before allowing them to access a corporate network. Last Wednesday, the time had finally come to pull the covers off that integration, which one Cisco executive acknowledged took longer than expected.

At The Security Standard conference in Boston, the two companies demonstrated interactions between Vista systems using Microsoft’s NAP (Network Access Protection) and network hardware using Cisco’s NAC (Network Admission Control) architecture. They also released a white paper describing how the two network access control systems can interoperate and presented a road map for delivering interoperable NAC and NAP products to market. Still, serious questions remain about when interoperable NAC and NAP systems will be available and whether the solution will fit the needs of most enterprise networks.

The announcement capped off a two-year integration effort that has been shrouded in mystery.

Since saying in October 2004 that they would integrate NAC and NAP, the companies have been sparing with details, prompting speculation that the integration was more PR than reality.

Bob Gleichauf, CTO of Cisco’s security technology group, acknowledged that NAC-NAP integration took longer than the companies planned. However, the official silence about the integration project had more to do with the effort of harnessing resources at two notoriously bottom-line-focused companies than with the technical hurdles of integrating NAC and NAP, he said.

Customers who use both Cisco and Microsoft products, and upgrade to both Vista on the desktop and Longhorn Server, will be able to use NAP, NAC, or an integrated NAP-NAC solution for client health screening, Microsoft said.

Vista’s NAP System Health Agent will send system health status reports to Microsoft NPS (Network Policy Server) running on Longhorn. A Cisco Secure ACS (Access Control Server) will instruct the NAP agent on the client system about how to access the network after the health check is complete, according to Gleichauf and Mark Ashida of Microsoft.
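The three-party flow described above (health agent reports, policy server evaluates, access server tells the client what it may reach), as an added toy model that is not Microsoft's or Cisco's code; the policy fields, verdicts and the "remediation VLAN" instruction are constructed for illustration.

```python
"""Constructed model of the NAP/NAC admission flow: a client's health agent
produces a statement of health, a policy server evaluates it against policy,
and the access server turns the verdict into a network-access instruction."""
from dataclasses import dataclass, field

# Hypothetical policy the policy server enforces: each key is a required
# health claim; the value is the predicate the reported value must satisfy.
POLICY = {
    "firewall_enabled": lambda v: v is True,
    "av_signature_age_days": lambda v: isinstance(v, int) and v <= 7,
    "patch_level": lambda v: v in ("current", "n-1"),
}

@dataclass
class Verdict:
    compliant: bool
    failures: list = field(default_factory=list)

def evaluate_health(statement: dict) -> Verdict:
    """Policy-server side: every required claim must be present and pass.
    A missing or malformed claim fails closed, so an agent that omits a
    check is never treated as healthy."""
    failures = [name for name, ok in POLICY.items()
                if name not in statement or not ok(statement[name])]
    return Verdict(compliant=not failures, failures=failures)

def access_instruction(verdict: Verdict, remediation_available: bool) -> str:
    """Access-server side: tell the client agent what it may reach.
    Non-compliant hosts only get remediation resources, or nothing."""
    if verdict.compliant:
        return "full_access"
    return "remediation_vlan" if remediation_available else "deny"

if __name__ == "__main__":
    # Constructed statements of health from two clients.
    healthy = {"firewall_enabled": True, "av_signature_age_days": 2,
               "patch_level": "current"}
    stale = {"firewall_enabled": True, "av_signature_age_days": 30}  # no patch claim
    for soh in (healthy, stale):
        v = evaluate_health(soh)
        print(v, "->", access_instruction(v, remediation_available=True))
```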

However, Cisco and Microsoft face tough questioning about how their system will support third-party operating systems, network gear, and point security products.

Ashida said Microsoft was focusing on NAC-NAP for now but fully intends to support other 802.1X-compliant NAC infrastructure vendors.

The benefits of integrated NAC and NAP are at least a year away for enterprises, with Longhorn Server months away from availability and widespread adoption of Vista on enterprise desktops also well off in the future, said John Pescatore, an analyst at Gartner.

Jon Oltsik, an analyst at Enterprise Strategy Group, said the Cisco-Microsoft partnership was creating uncertainty in an area that cries out for open standards and multivendor support.

“They’re treating the symptom but not the disease,” Oltsik said. “Users want open solutions that support Linux clients and wireless and any kind of switch or router.”

The integration between Microsoft and Cisco, while good for those companies, will hinder open standards efforts such as the Trusted Computing Group’s Trusted Network Connect standard, Oltsik said. “This is a 1990s solution. It’s a big step back for client security.”