Cisco's NAC play: Good for users, or just for Cisco's bottom line?

By Andrew Braunberg, Current Analysis
20 Jul 2006 | SearchNetworking.com

Cisco has recently made several announcements regarding its network access control (NAC) strategy, marking a significant shift in how the company is approaching this emerging market. Most recently, Cisco acquired the 802.1x client supplicant vendor Meetinghouse Data Communications Inc. With that came the announcement of a major change in direction for the evolution of its Clean Access appliance.

Both moves indicate that Cisco is looking to deliver more of the core functionality that makes up an NAC solution. This shift is not surprising, considering Cisco's growing presence in the information security market. But it is likely to drive some Cisco NAC partners away from the Cisco NAC framework and could help fill the sails of competing frameworks as NAC vendors look for alternatives to CNAC.

Cisco has always maintained a dual track for its NAC deliverables. The Cisco Network Admission Control (CNAC) framework is an overarching reference architecture for delivering a completely integrated NAC solution by leveraging Cisco network infrastructure. Cisco also markets the Clean Access appliance, which delivers a quicker, standalone solution that does not require the network upgrades of a full CNAC implementation. Cisco acquired the Clean Access technology from Perfigo in the fall of 2004. The product has been viewed largely as a stop-gap solution for customers that were not prepared to wait for the full CNAC framework infrastructure to roll out. With the new release of NAC Appliance 4.0 (Cisco has also rebranded the appliance), however, Cisco has indicated that going forward it will fully integrate the Clean Access appliance within the CNAC framework, and in fact the appliance will become an integral component of that framework.

The market impact of this announcement is large, if a bit subtle. Critics of Cisco's CNAC framework have often pointed out that the solution requires large amounts of Cisco infrastructure and that CNAC, at its core, is really about Cisco's selling more network equipment.

What is very clear from this announcement is the degree to which Cisco wants to be not just a network equipment vendor but also a security vendor.

This, in turn, is leaving precious little room for cooperation with CNAC partners that provide real NAC functionality, as opposed to tangential solutions such as patch management or client-based threat management.

Cisco's decision is likely to re-energize interest in alternative NAC frameworks, such as Microsoft NAP and Trusted Computing Group's TNC. Recent enterprise demand research on the NAC market carried out by Current Analysis demonstrates that network architects do feel that the development of standards is important to the NAC market but that no de facto standard has yet emerged. CNAC does seem to be garnering more attention than alternatives -- Cisco's mindshare is miles ahead of Microsoft Network Access Protection and Trusted Computing Group's Trusted Network Connect.

Cisco recently made another important move that demonstrates a desire to own all of the technology needed to deliver a complete NAC solution. With its acquisition of Meetinghouse Data Communications Inc., Cisco has secured ownership of important enabling technology for the CNAC framework.

Meetinghouse is a longtime provider of 802.1x client supplicant and RADIUS/AAA products. Cisco had enjoyed an OEM relationship with Meetinghouse in which Meetinghouse provided a stripped-down version of its AEGIS SecureConnect 802.1x client supplicant for use with the Cisco Trust Agent. NAC is driving many organizations to take a harder look at 802.1x, and the standard plays a prominent role in Cisco NAC. The acquisition of Meetinghouse allows Cisco to support a much broader set of endpoint devices and use cases (e.g., wireless access). SecureConnect clients support EAP-MD5, EAP-TLS, EAP-TTLS, Cisco LEAP, and EAP-PEAP on Windows XP, 2000, NT, 98, ME, PocketPC 2002, CE.net, Mac OS X, Palm Tungsten C, Solaris 8, and Red Hat Linux.

With this acquisition, Cisco is now clearly in a position to deliver a complete NAC solution as it defines one. Is that really such a good thing?

Cisco's approach to NAC focuses on reducing the threat of an endpoint to the network by ensuring that the endpoint meets appropriate corporate security policy before it is granted access to the network. Cisco's capabilities therefore support the identification of each device and user, and the quarantine and remediation of a device, if necessary, based on prescribed endpoint security posture policy. The creation, management, and enforcement of policy are key requirements.

Current Analysis believes that these are necessary but not sufficient capabilities for a complete NAC solution. We include two additional capabilities in our definition:

  1. identity-based and policy-driven access control of network resources
  2. post-connection posture and behavior monitoring, and policy-based enforcement

Under this scenario, NAC solutions will touch a host of adjacent security, systems, and network solutions, which leaves broad interoperability a critical concern.

Cisco's task is therefore to ensure that its view of a complete NAC solution aligns with user demands. The company needs to understand which technology is tangential and which is core and ensure that its partnership program completely supports the former and that Cisco's product suite completely supports the latter. This is a difficult task, at least in the short term, as Cisco expands its NAC offerings and creates new frictions with some existing partners.

As a Senior Analyst in the Information Security module at Current Analysis, Andrew Braunberg's main responsibility is tracking the identity management and security management market segments. Prior to joining Current Analysis, Andrew was a journalist covering information technology in the defense and telecommunications sectors. Andrew holds an M.A. from George Washington University in Science, Technology and Public Policy and a B.S. in Engineering Physics from Rensselaer Polytechnic Institute.
