End-point vendors gain from slow Cisco strategy

Cisco promises that its NAC strategy will soon be the best way to assess network device vulnerability, but until it's completed in 2005, other vendors are stepping up to fill the void.

To thwart LAN attacks, many companies strive to assess the vulnerability of network devices before the logon process is completed. To that end, Cisco Systems Inc. has promised that its Network Access Control strategy, essentially the embedding of "intelligence" into routers and switches, will address that problem.

However, NAC-enabled products have so far only been released in dribs and drabs. For those who can't wait for Cisco to finish, or are wary of a single-vendor approach to device assessment, several other vendors have stepped into the breach.

Vendors such as Sygate Technologies Inc., InfoExpress Inc., Endforce Inc. and others are helping businesses to assess the state of devices before they log on to the network, ensuring that they have adequate security safeguards before they are granted access to the LAN.

With more workers taking devices on the road and connecting to the Internet either at home or via various other networks, network security is becoming more complex, said Jason Wright, a research analyst with San Antonio-based Frost & Sullivan Inc. Businesses are no longer concerned merely with stopping threats coming from the wide area network to the LAN; they are now concerned with what may be entering the network from the inside.

The gated network

Like most end-point security systems on the market, those from Fremont, Calif.-based Sygate require a client on the device. That client communicates with an appliance on the network, which checks to see if the device meets specified criteria, such as an updated firewall or antivirus software required to log on to the LAN. If the device is deficient, it can be quarantined and the user would be directed to update the necessary software before it is allowed onto the network.

"You don't want to stop devices from logging onto the network," Wright said. "You want to allow access under certain conditions."

Sygate's approach was valuable for North Canton, Ohio-based Diebold Inc., a maker of ATMs with offices in 88 countries. While it uses up-to-date Cisco Catalyst switches in its data center, the 13,000-employee company is connected to a wide range of network devices around the globe. Some of its offices have Cisco equipment that is not 802.1x compliant, while others aren't using Cisco gear at all.

Right now, using Sygate's client, Diebold can assess the status of devices as they attempt to log onto the network, guaranteeing that the most recent security features are installed.

"We need to have something on the PC inspecting the PC itself to see if patches are up to date," said B. Scott Harroff, chief information security officer for Diebold.

Sygate's appliance sits on the network and communicates with a client on the end device. If a user does not meet the criteria for logging on, he can be directed to a Web server where he can download the tools necessary to upgrade to the required software.
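The two paragraphs above describe the same admission flow from both ends: an agent on the endpoint reports its state, and a network-side policy point decides whether to admit the device, quarantine it, or redirect the user to a remediation server. The following is an added illustration of that decision logic, written for this page; it is not Sygate's, Cisco's or Diebold's code, and the attribute names, VLAN numbers, patch identifiers and remediation URL are all constructed. It also shows one design choice the article only implies: when the agent cannot report an attribute at all, the policy fails closed and treats the check as failed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class PostureReport:
    """What the endpoint agent reports at logon time (constructed schema)."""
    host: str
    firewall_enabled: Optional[bool]      # None = agent could not determine
    av_installed: Optional[bool]
    av_signature_date: Optional[date]     # date of last antivirus definition update
    missing_patches: List[str] = field(default_factory=list)


@dataclass
class Policy:
    """Admission criteria enforced by the network-side policy point (constructed values)."""
    max_signature_age_days: int = 7
    allowed_missing_patches: int = 0
    production_vlan: int = 10
    quarantine_vlan: int = 666
    remediation_url: str = "https://remediation.example.invalid/"  # placeholder


@dataclass
class Decision:
    host: str
    action: str                  # "allow" or "quarantine"
    vlan: int                    # VLAN the switch port is moved to
    reasons: List[str]
    redirect_url: Optional[str]  # where a quarantined user is sent to fix the device


def evaluate(report: PostureReport, policy: Policy, today: date) -> Decision:
    """Apply the policy to one posture report. Unknown attributes fail closed."""
    reasons: List[str] = []

    if report.firewall_enabled is not True:
        reasons.append("host firewall disabled or unknown")

    if report.av_installed is not True:
        reasons.append("antivirus not installed or unknown")
    elif report.av_signature_date is None:
        reasons.append("antivirus signature date unknown")
    else:
        age = (today - report.av_signature_date).days
        if age > policy.max_signature_age_days:
            reasons.append(f"antivirus signatures {age} days old")

    if len(report.missing_patches) > policy.allowed_missing_patches:
        reasons.append("missing patches: " + ", ".join(report.missing_patches))

    if reasons:
        # Quarantine: isolated VLAN plus a pointer to the remediation server
        return Decision(report.host, "quarantine", policy.quarantine_vlan,
                        reasons, policy.remediation_url)
    return Decision(report.host, "allow", policy.production_vlan, [], None)


# Constructed sample reports covering the healthy, stale, misconfigured and
# unknown cases a policy point would see at logon time.
SAMPLE_REPORTS = [
    PostureReport("laptop-ok", True, True, date(2004, 11, 12)),
    PostureReport("laptop-stale-av", True, True, date(2004, 10, 1)),
    PostureReport("laptop-no-firewall", False, True, date(2004, 11, 14)),
    PostureReport("laptop-unpatched", True, True, date(2004, 11, 14),
                  missing_patches=["patch-2004-001"]),   # constructed id
    PostureReport("guest-unknown", None, None, None),    # agent reported nothing
]


def run_sample(today: date = date(2004, 11, 15)) -> dict:
    """Evaluate every sample report under the default policy, keyed by host."""
    policy = Policy()
    return {d.host: d for d in (evaluate(r, policy, today) for r in SAMPLE_REPORTS)}


if __name__ == "__main__":
    for d in run_sample().values():
        print(f"{d.host:20} {d.action:10} vlan={d.vlan} {'; '.join(d.reasons)}")
```

The `Optional` fields are the important part: a guest machine with no agent, or an agent that crashed before reporting, produces `None` values, and a policy written as `if report.firewall_enabled == False` would silently admit it. Checking `is not True` keeps the default outcome quarantine-plus-redirect, which matches the article's point that the goal is conditional access rather than a flat refusal.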

A NAC for waiting

While Cisco's NAC strategy is appealing to some, it is still being rolled out and will not be complete until 2005, said Mark Bouchard, senior program director for Stamford, Conn.-based Meta Group Inc.

In addition, NAC not only requires 802.1x-compatible Cisco networking gear throughout the network, but it also requires a Cisco Secure Access Control Server, said Dan Golding, a senior analyst with Midvale, Utah-based Burton Group. While the 802.1x standard is meant to work with a number of standards-based authentication servers, those using Cisco's NAC cannot pick and choose among different vendors or approaches.


Because of these requirements, Golding said few businesses are implementing NAC today. While Golding believes that Cisco may eventually move closer to a standards-based approach and make it easier for an enterprise to implement NAC, he said that in the interim businesses should consider other means of end-point security.

Though Sygate and most other solutions require a client on the device, which can be problematic, particularly if businesses have guest users logging on to the LAN, Bouchard said some of these third-party approaches can provide a good interim solution.

Diebold is working with both Cisco and Sygate to determine how to proceed in the future. The company is planning to upgrade all of its network devices to 802.1x-compliant Cisco gear, at which point it could take advantage of Cisco's NAC approach when it is fully rolled out in 2005.

"We see [NAC] as being appealing, having switching infrastructure with the ability to determine what is valid and what isn't a valid node and to move it," Harroff said.

However, he added that he sees a continuing need for a product like that offered by Sygate, and also plans to work with Sygate in the future.
