Cisco next week will announce availability of its Network Admission Control security technology for Cisco routers, and lay out a road map for adding NAC capabilities to its lines of LAN switches.
These technologies, coupled with the company's plan to offer NAC to standards bodies and other vendors in 2005, could lead to automated network security on every desktop, preventing PCs from spreading harmful traffic.
But with the most critical phase of NAC — LAN switch support — and standardization plans not due for at least six months, some observers say Cisco is not meeting users’ immediate security needs. Also, enterprise users say a standards-based technology is needed sooner for securing LANs and WANs.
First announced last November, NAC is supposed to make every piece of Cisco gear a security enforcement point, where client machines must meet security and policy criteria to access a router or switch port. Cisco partnered with Trend Micro, Symantec and Network Associates to make client-side anti-virus software work with Cisco’s Trust Agent software, a PC-based agent that communicates client security status to Cisco network equipment and security servers. In November 2003, Cisco aimed to deliver router support for NAC by the middle of this year, but future support on other equipment was uncertain. Now Cisco says its entire Catalyst switch line and VPN 3000 series products will be NAC-capable by the first quarter of next year.
NAC is being tested at United Parcel Service (UPS) as a potential security measure.
“[NAC] could be another level of defense, but it can’t be the only defense,” says Ed Gotthelf, director of network architecture for UPS in Atlanta. Gotthelf says NAC “is a step in the right direction,” but he says he would like to see a more industry-wide approach to LAN/WAN security.
“What the industry should do is rally around one solution that’s fully interoperable,” he says. UPS has an installed base of Cisco routers and switches, along with equipment from other vendors. “One solution [is needed] that works with all software platforms and all networking platforms, so it can run on your Nortel and Cisco and other products,” he says.
Cisco is working on this, according to Russell Rice, product marketing manager at the company.
“When we first announced [NAC], we said upfront that a goal was to provide an open framework on how network security gets done,” Rice says.
Part of Cisco’s Phase II plan for NAC will include proposing NAC’s authentication technology as a standard to the IETF this August. Additional plans include opening the Trust Agent API to any vendor interested in writing software that works with NAC, on the client or server side. This would let vendors in the client software, server software and network equipment areas create products that work in a NAC infrastructure.
Cisco would not give a definitive time frame as to when switches and routers from competing vendors could plug into NAC via standards-based technology.
Another NAC feature, due next year, is a client audit technology for digging into non-PC machines (such as printers, IP phones, cameras and network appliances) that try to access a network. The company is working with a few network auditing vendors for this part of NAC. Also, NAC now works only on Windows 2000, NT and XP clients. Support is planned for Linux and Solaris machines by the fourth quarter of this year, Cisco says.