Advancement to Cisco's NAC framework boosts security in LAN, wireless space

By Andrew R. Hickey, News Writer
18 Oct 2005 | SearchNetworking.com

Companies have been waiting with bated breath for enhancements to Cisco Systems Inc.'s Network Admission Control (NAC) framework that include support for LAN and wireless landscapes. And today, the networking behemoth announced just that.

"This is what people have been waiting for," said Lawrence Orans, a research director with Stamford, Conn.-based Gartner Inc.

The newly updated NAC framework includes support for Cisco Catalyst switches and wireless systems, and offers beefed-up security features designed to exterminate spyware, viruses and worms before they can crawl into a network through nomadic users' mobile devices.

"The big piece of this is the integration of NAC into the routing and switching environment," said Chris Thatcher, principal consultant for Dimension Data, a provider of IT services. "Now, we can introduce NAC to the heart of the network. We can check for compliance at more physical places within the network."

Russell Rice, director of marketing for the San Jose, Calif.-based Cisco, said NAC makes a network "immune to attack" from viruses and worms by identifying endpoints that don't comply with corporate security policies before they access the LAN or wireless network. When a device tries to get on the network, a security posture, or "health assessment," is triggered and performed, Rice said. Any non-compliant systems are denied access and quarantined so they can be fixed.

"If a machine connecting to the network is either non-compliant or not recognized, they don't get access to the network," Thatcher added. Instead, the user is moved to a quarantine area where the risks are assessed and the proper remedies are pushed. Thatcher compared the quarantine to a holding cell "that takes decision making out of the individual user's hands."

This task is performed by a new version of the Cisco Trust Agent (CTA), version 2.0, which collects and shares the information between framework components, Rice said.

"It allows network managers to gain back control of their networks. Before this, it was like leaving the front door to the network wide open," said Orans, adding that Gartner refers to NAC as "Network Access Control."

"This represents a paradigm shift in the way people access networks," Orans continued. "We're all just used to walking into the building … and getting onto the network. This is a necessary step."

New NAC developments also include improved assessment options for unmanaged or "agentless" endpoint devices that don't support the CTA.

Cisco has also partnered with auditing companies Altiris, Qualys and Symantec to help the framework better assess risks from guest laptops, printers, PDAs and IP phones. Through those partnerships, devices attempting to get on the network are quickly audited and the results sent back to the network to enforce the proper admission rules.

Robert Whiteley, senior analyst with Cambridge, Mass.-based Forrester Research Inc., said his research has found that many businesses are looking for a way to protect their networks with one consistent security policy that covers wired, wireless and remote access. The new NAC enhancements handle all three.

"This is a huge topic of interest," he said. "There's a very huge adoption waiting out there for this to happen."

Whiteley said there are some stumbling blocks associated with upgrading a NAC framework, because of numerous moving parts, but he said many interested enterprises hope to have the advancements up and running sometime next year.

Dimension Data's Thatcher said the enhancements answer two questions enterprise IT professionals have: "How do we control who is accessing our network, and how do we ensure we're minimizing the risk exposure from both trusted and untrusted machines?"

Along with the updates, Cisco also introduced a line of "turnkey" NAC hardware appliances that scan, block, quarantine and remedy non-compliant devices and enforce security policies. Rice said the hardware gives an IT department more deployment flexibility. The appliances come with pre-configured antispyware checks and include single sign-on capabilities with both the Cisco ASA 5500 series and the Cisco VPN 3000 series remote access concentrators to extend network admission control to remote users.

NAC framework support on the Cisco Catalyst 6500, 4500, 4900, 3700, 3500 and 2900 series switching platforms will be available in late November as part of a software upgrade that costs nothing for customers with corresponding product support contracts.

NAC framework support for the Cisco wireless platforms, including the Cisco Catalyst 6500 series Wireless LAN Services Module, Cisco Aironet access points, Cisco Aironet lightweight access points and Cisco Wireless LAN Control Platforms, is available now as part of Cisco IOS Software Release 1.4.1, Cisco IOS Software Release 12.3(7)JA or Cisco Unified Wireless Network Software Release 3.1 at no extra charge for customers with corresponding product support contracts.

The Cisco NAC appliance will be available in late November as a hardware bundle or software, starting at $8,995.

Other NAC components include:

  • Cisco Trust Agent 2.0 will be available next month at no additional charge.
  • Cisco Access Control Server 4.0 will be available next month starting at $7,995.
  • Cisco Security Monitoring, Analysis and Response System 4.1 is out now and starts at $15,000.

