Companies have been waiting with bated breath for enhancements to Cisco Systems Inc.'s Network Admission Control (NAC) framework that add support for LAN and wireless environments. Today, the networking behemoth announced just that.
"This is what people have been waiting for," said Lawrence Orans, a research director with Stamford, Conn.-based Gartner Inc.
The newly updated NAC framework adds support for Cisco Catalyst switches and wireless systems, and offers beefed-up security features designed to keep spyware, viruses and worms from entering a network through roaming users' mobile devices.
"The big piece of this is the integration of NAC into the routing and switching environment," said Chris Thatcher, principal consultant for Dimension Data, a provider of IT services. "Now, we can introduce NAC to the heart of the network. We can check for compliance at more physical places within the network."
Russell Rice, director of marketing for the San Jose, Calif.-based Cisco, said NAC makes a network "immune to attack" from viruses and worms by identifying endpoints that don't comply with corporate security policies before they access the LAN or wireless network. When a device tries to get on the network, a security posture check, or "health assessment," is triggered and performed, Rice said. Any non-compliant systems are denied access and quarantined so they can be fixed.
"If a machine connecting to the network is either non-compliant or not recognized, they don't get access to the network," Thatcher added. Instead, the user is moved to a quarantine area where the risks are assessed and the proper remedies are pushed. Thatcher compared the quarantine to a holding cell "that takes decision making out of the individual user's hands."
This task is performed by a new version of the agent, Cisco Trust Agent (CTA) 2.0, which collects posture information from the endpoint and shares it with the other framework components, Rice said.
"This represents a paradigm shift in the way people access networks," Orans continued. "We're all just used to walking into the building … and getting onto the network. This is a necessary step."
New NAC developments also include improved assessment options for unmanaged or "agentless" endpoint devices that don't support the CTA.
Cisco has also partnered with auditing companies Altiris, Qualys and Symantec to help the framework better assess risks from guest laptops, printers, PDAs and IP phones. Through those partnerships, devices attempting to get on the network are quickly audited and the results sent back to the network to enforce the proper admission rules.
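The admission flow described above (posture check, quarantine with remediation, and the separate audit path for agentless devices such as printers and IP phones), as an added example that is not part of the original article and not Cisco's own NAC, CTA or ACS code: a toy policy evaluator in Python. The posture token names (Healthy, Checkup, Quarantine, Infected, Unknown) are the ones the NAC framework uses; the policy thresholds, attribute names, sample endpoints and MAC addresses are constructed assumptions for the example.

```python
# Added example: a toy NAC posture evaluator. Illustrative code written for
# this article, not Cisco's NAC framework, CTA or ACS code. An agent reports
# posture attributes, a policy function turns them into a posture token, and
# the network enforces the matching action (PERMIT, QUARANTINE with
# remediation steps, or DENY). Agentless devices carry no posture and are
# admitted only on an external audit verdict. Policy thresholds, attribute
# names and the sample endpoints are all constructed for the example.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Tuple, List, Dict

# Posture tokens follow the names the NAC framework uses for endpoint state.
HEALTHY, CHECKUP, QUARANTINE, INFECTED, UNKNOWN = (
    "Healthy", "Checkup", "Quarantine", "Infected", "Unknown")

# Constructed policy values (assumptions, not a vendor default).
POLICY = {
    "min_patch_level": 5,        # minimum OS patch level reported by the agent
    "min_av_version": (10, 0),   # minimum antivirus engine version
    "checkup_sig_age_days": 3,   # signatures older than this: permit but prompt
    "max_sig_age_days": 7,       # older than this: quarantine until updated
}

@dataclass
class Posture:
    """Attributes an agent such as CTA would collect. None = not reported."""
    os_patch_level: Optional[int]
    av_version: Optional[Tuple[int, int]]
    av_sig_date: Optional[date]
    malware_found: bool = False

@dataclass
class Endpoint:
    mac: str
    posture: Optional[Posture]           # None for agentless devices
    audit_result: Optional[str] = None   # external audit verdict: "clean"/"infected"

@dataclass
class Decision:
    token: str
    action: str                          # PERMIT, QUARANTINE or DENY
    remediation: List[str] = field(default_factory=list)

def evaluate_posture(p: Posture, today: date, policy=POLICY) -> Decision:
    """Map reported posture to a token. Missing attributes fail closed."""
    if p.malware_found:
        return Decision(INFECTED, "DENY", ["remove malware before reconnecting"])
    fixes: List[str] = []
    if p.os_patch_level is None or p.os_patch_level < policy["min_patch_level"]:
        fixes.append("install OS patches to level %d" % policy["min_patch_level"])
    if p.av_version is None or p.av_version < policy["min_av_version"]:
        fixes.append("upgrade antivirus engine")
    sig_age = None if p.av_sig_date is None else (today - p.av_sig_date).days
    if sig_age is None or sig_age > policy["max_sig_age_days"]:
        fixes.append("update antivirus signatures")
    if fixes:
        return Decision(QUARANTINE, "QUARANTINE", fixes)
    if sig_age > policy["checkup_sig_age_days"]:
        # Minor drift: let the user on, but push the update prompt.
        return Decision(CHECKUP, "PERMIT", ["update antivirus signatures soon"])
    return Decision(HEALTHY, "PERMIT")

def admit(ep: Endpoint, today: date) -> Decision:
    """Admission decision for one endpoint, agent-based or agentless."""
    if ep.posture is None:
        # No agent: rely on an external audit (the partner-scanner path).
        if ep.audit_result == "clean":
            return Decision(HEALTHY, "PERMIT")
        if ep.audit_result == "infected":
            return Decision(INFECTED, "DENY", ["clean device, then re-audit"])
        return Decision(UNKNOWN, "QUARANTINE", ["audit device with external scanner"])
    return evaluate_posture(ep.posture, today)

TODAY = date(2005, 11, 1)  # constructed reference date

# Constructed sample endpoints (MAC addresses are placeholders).
SAMPLE = [
    Endpoint("00:00:00:00:00:01", Posture(6, (10, 2), date(2005, 10, 30))),
    Endpoint("00:00:00:00:00:02", Posture(6, (10, 2), date(2005, 10, 26))),
    Endpoint("00:00:00:00:00:03", Posture(3, (9, 5), date(2005, 10, 15))),
    Endpoint("00:00:00:00:00:04", Posture(6, (10, 2), date(2005, 10, 30), True)),
    Endpoint("00:00:00:00:00:05", None),                        # printer, not yet audited
    Endpoint("00:00:00:00:00:06", None, audit_result="clean"),  # IP phone, audited clean
]

def run_sample(today: date = TODAY) -> Dict[str, Tuple[str, str]]:
    """Return {mac: (token, action)} for the sample endpoints."""
    out = {}
    for ep in SAMPLE:
        d = admit(ep, today)
        out[ep.mac] = (d.token, d.action)
    return out

if __name__ == "__main__":
    for mac, (token, action) in run_sample().items():
        print(mac, token, action)
```

The point worth noticing is the fail-closed handling: an attribute the agent could not report is treated the same as a failing one, so a broken or tampered agent lands in quarantine rather than being waved through, and a device with no agent at all is Unknown until an external audit says otherwise.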
Robert Whiteley, senior analyst with Cambridge, Mass.-based Forrester Research Inc., said his research has found that many businesses are looking for a way to protect their networks with one consistent security policy that covers wired, wireless and remote access. The new NAC enhancements handle all three.
"This is a huge topic of interest," he said. "There's a very huge adoption waiting out there for this to happen."
Whiteley said there are some stumbling blocks associated with upgrading a NAC framework, because of numerous moving parts, but he said many interested enterprises hope to have the advancements up and running sometime next year.
Dimension Data's Thatcher said the enhancements answer two questions enterprise IT professionals have: "How do we control who is accessing our network, and how do we ensure we're minimizing the risk exposure from both trusted and untrusted machines?"
Along with the updates, Cisco also introduced a line of "turnkey" NAC hardware appliances that scan, block, quarantine and remedy non-compliant devices and enforce security policies. Rice said the hardware gives an IT department more deployment flexibility. The appliances come with pre-configured antispyware checks and include single sign-on capabilities with both the Cisco ASA 5500 series and the Cisco VPN 3000 series remote access concentrators to extend network admission control to remote users.
NAC framework support on the Cisco Catalyst 6500, 4500, 4900, 3700, 3500 and 2900 series switching platforms will be available in late November as part of a software upgrade that costs nothing for customers with corresponding product support contracts.
NAC framework support for the Cisco wireless platforms, including the Cisco Catalyst 6500 series Wireless LAN Services Module, Cisco Aironet access points, Cisco Aironet lightweight access points and Cisco wireless LAN controller platforms, is available now as part of Wireless LAN Services Module Software Release 1.4.1, Cisco IOS Software Release 12.3(7)JA or Cisco Unified Wireless Network Software Release 3.1, at no extra charge for customers with corresponding product support contracts.
The Cisco NAC appliance will be available in late November as a hardware bundle or software, starting at $8,995.
Other NAC components include:
- Cisco Trust Agent 2.0 will be available next month at no additional charge.
- Cisco Access Control Server 4.0 will be available next month starting at $7,995.
- Cisco Security Monitoring, Analysis and Response System 4.1 is out now and starts at $15,000.