Network access control (NAC) has been hyped as the network-based security to end 'em all, but NAC adoption has
been somewhat stagnant because, many experts claim, it is quite complex or just too immature.
Cisco, however, hopes to change that. The networking giant announced today that it's releasing a Network Admission Control module for its widely popular Integrated Services Router (ISR) -- which has more than 3 million deployed to date -- in hopes of getting NAC into more locations, namely branch offices.
The Cisco NAC Network Module for ISRs is a modular security solution that is integrated into the network infrastructure. It authenticates, authorizes, evaluates and remediates remote user machines connected via wired or wireless links, prior to granting them access to corporate networks. The NAC module for the ISR, designed for branch offices, thwarts potential threats and vulnerabilities locally before they're sent over the WAN to prevent them from entering the network, said Fred Kost, director of security solutions for Cisco.
The module includes all of the features of the Cisco NAC Appliance Server and is supported by the Cisco 2800 and 3800 Series ISRs. It enforces security policy on networked devices such as Windows, Mac and Linux machines; laptops; desktops; PDAs; printers; and IP phones.
The NAC module works in concert with firewalls, intrusion-prevention systems and VPNs to round out the security offered in the ISR, giving branches a secure infrastructure.
Kost said the module is designed for branches and office locations that don't have the time or resources to manage separate security solutions in addition to the routing infrastructure.
According to Ladi Adefala, security practice manager with systems integrator and Cisco partner World Wide Technologies, adding the NAC module to the ISR has the potential to give branches more bang for their buck when they are working with limited management and financial resources.
"From the administrator standpoint, the user is empowered with that all-in-one solution for the branch office," Adefala said. "You get the same level of security on the endpoints, and you get it with something less complex."
A modular NAC approach eliminates the need to devise new solutions around how to centralize management of security at a time when a lot of enterprises are focusing on centralization, he said.
"Aside from streamlining our management, the NAC ISR module allows us to concentrate our security efforts within the network itself," Adefala said. "It gives us an opportunity to offer our customers more synergy between their network and security as well."
Moreover, he added, eliminating the complexity should make NAC as a whole more marketable and affordable.
Andrew Braunberg, research director with Current Analysis, agreed that putting NAC capabilities in the ISR brings more visibility to the edge, where it's needed most.
"The fact that they're going to be able to push NAC capabilities out to the branch makes sense," he said. "Logically and physically it makes sense to put them together."
Braunberg said he questions whether or not the NAC module for ISR is a step toward or away from Cisco's trying to marry both the NAC appliance and the CNAC framework, which has been rumored to be in the works for more than a year.
Along with the ISR module, Cisco enhanced its NAC Appliance Server by offering the Cisco NAC Profiler, an endpoint-recognition technology that keeps an inventory of networked devices so they can be evaluated before and during sessions on the network. The Profiler boosts the ability of networked devices that aren't associated with particular users to be identified, authenticated and then granted or denied network access. Devices that are unassociated with a particular user include printers, IP phones, wireless access points, sensors and medical devices. The Profiler also performs continuous behavioral assessments for post-admission access control.
"The Cisco NAC Profiler arrives at a time when businesses are supporting growing numbers of devices critical to operations and productivity," said a Cisco statement. "The NAC Profiler addresses the growing complexity of protecting an increasingly diverse array of networked devices by taking an in-depth and automated inventory and enabling actions to be taken based on their behavior."
NAC Profiler, which stems from an OEM agreement with Great Bay Software, consists of a software update on the NAC Appliance Server, and the NAC Profiler Server pulls information from the NAC Appliance Server and sends it to the management console, according to Brendan O'Connell, Cisco's NAC product marketing manager.
"It's about making sure a device is what it claims to be," O'Connell said, adding that in the past, devices like printers, copiers and other IP-addressed devices weren't assessed by NAC tools. "It's gathering information about the networked endpoint to ensure it's doing what it should be doing."
Braunberg agreed. "This does all of the heavy lifting of making sure there's an updated list of these non-responsive hosts," he said. "Since it can look at the behavior from a particular address, you can know what that device is supposed to be and what it's supposed to be doing. That can help considerably."