Cisco Systems and Microsoft will announce progress on a 2-year-old effort to link their separate technologies for network client health screening, commonly known as "network access control," according to sources familiar with the companies' plans.
The companies will use The Security Standard conference in Boston to unveil application program interfaces (APIs) in Microsoft's upcoming Vista operating system that will allow Cisco NAC-compliant switches and routers to evaluate the security posture of Vista systems.
Network access control technology allows companies to perform health checks on endpoint devices such as PCs and mobile devices before they are granted access to company networks. For example, worker PCs might be checked to make sure they are not infected with a virus, have up-to-date antivirus definitions, and have a desktop firewall enabled before being allowed onto a corporate LAN.
Cisco first unveiled products that support its NAC architecture in June 2004. Since then it has slowly expanded NAC support from routers to switches and introduced a NAC appliance, formerly known as "Clean Access." Microsoft's Network Admission Protection (NAP) client health screening architecture has always been linked to its upcoming desktop and server operating system releases, Vista and Longhorn, both due in 2007.
In the face of strong customer pressure to simplify the competing architectures, the two companies said in October 2004 that they would integrate NAC and NAP. However, the companies have been sparing with details of the collaboration during the two-year project, prompting speculation that the promised integration was more PR than reality.
On Wednesday, the companies plan to show that they have made progress, putting features into Vista that allow companies with Cisco's Secure Access Control Server (ACS), Vista desktop systems, and a Longhorn network policy server to provide security status information from the Vista Security Center directly to Cisco switches, which can then evaluate the status against network policies. Systems that violate one or more security policies can be shunted off to quarantine for remediation, according to John Pescatore, an analyst at Gartner who has seen a demonstration of the system.
The system will also allow companies to push out security updates, such as antivirus signatures, and actively monitor compliance, so users who turn off antivirus or firewall software after being granted access might have those programs automatically reactivated, Pescatore said.
Cisco NAC and Microsoft NAP integration will make it easier for companies to deploy NAC technology, because they will not need to deploy any additional software client from Cisco, as is currently required, he said.
"If you're a pure Cisco network and Windows environment, and you're planning to go to Vista soon, you don't have to spend a lot of money," he said.
However, the benefits of integrated NAC and NAP are at least a year away, as companies will have to wait for the delivery of Longhorn server and widespread adoption of Vista on enterprise desktops, according to Pescatore.
"I think it's a 1990s announcement," said Jon Oltsik, an analyst at Enterprise Strategy Group.
"They're treating the symptom but not the disease. Users want open solutions that support Linux clients and wireless and any kind of switch or router," he said.
The integration between Microsoft and Cisco, while good for those companies, will hinder open standards efforts like the Trusted Computing Group's Trusted Network Connect (TNC) standard, Oltsik said.
"I wish I had the money [Cisco and Microsoft] spent on this to get nothing," he said. "This is a big step back for client security."