Cisco adds NAC to ISR, updates endpoint recognition

By Andrew R. Hickey, News Editor 10 Sep 2007 | SearchNetworking.com

News on networking, mobility and voice Digg This!     StumbleUpon     Del.icio.us

Cisco, however, hopes to change that. The networking giant announced today that it's releasing a Network Admission Control module for its widely popular Integrated Services Router (ISR) -- which has more than 3 million deployed to date -- in hopes of getting NAC into more locations, namely branch offices.

The Cisco NAC Network Module for ISRs is a modular security solution that is integrated into the network infrastructure. It authenticates, authorizes, evaluates and remediates remote user machines connected via wired or wireless links, prior to granting them access to corporate networks. The NAC module for the ISR, designed for branch offices, thwarts potential threats and vulnerabilities locally before they're sent over the WAN to prevent them from entering the network, said Fred Kost, director of security solutions for Cisco.

The module includes all of the features of the Cisco NAC Appliance Server and is supported by the Cisco 2800 and 3800 Series ISRs. It enforces security policy on networked devices such as Windows, Mac and Linux machines; laptops; desktops; PDAs; printers; and IP phones.

The NAC module works in concert with firewalls, intrusion-prevention systems and VPNs to round out the security offered in the ISR, giving branches a secure infrastructure.

Kost said the module is designed for branches and office locations that don't have the time or resources to manage separate security solutions in addition to the routing infrastructure.

According to Ladi Adefala, security practice manager with systems integrator and Cisco partner World Wide Technologies, adding the NAC module to the ISR has the potential to give branches more bang for their buck when they are working with limited management and financial resources.

"From the administrator standpoint, the user is empowered with that all-in-one solution for the branch office," Adefala said. "You get the same level of security on the endpoints, and you get it with something less complex."

A modular NAC approach eliminates the need to devise new solutions around how to centralize management of security at a time when a lot of enterprises are focusing on centralization, he said.

"Aside from streamlining our management, the NAC ISR module allows us to concentrate our security efforts within the network itself," Adefala said. "It gives us an opportunity to offer our customers more synergy between their network and security as well."

Moreover, he added, eliminating the complexity should make NAC as a whole more marketable and affordable.

For more on NAC Check out how NAC vendors rank for attraction vs. retention See why NAC appliances could be a good shortcut Learn what questions to ask when writing an NAC RFP

"You want to make sure whatever level of security you have at headquarters is carried over to branch offices, and this does that," he said.

Andrew Braunberg, research director with Current Analysis, agreed that putting NAC capabilities in the ISR brings more visibility to the edge, where it's needed most.

"The fact that they're going to be able to push NAC capabilities out to the branch makes sense," he said. "Logically and physically it makes sense to put them together."

Braunberg said he questions whether or not the NAC module for ISR is a step toward or away from Cisco's trying to marry both the NAC appliance and the CNAC framework, which has been rumored to be in the works for more than a year.

Along with the ISR module, Cisco enhanced its NAC Appliance Server by offering the Cisco NAC Profiler, an endpoint-recognition technology that keeps an inventory of networked devices so they can be evaluated before and during sessions on the network. The Profiler boosts the ability of networked devices that aren't associated with particular users to be identified, authenticated and then granted or denied network access. Devices that are unassociated with a particular user include printers, IP phones, wireless access points, sensors and medical devices. The Profiler also performs continuous behavioral assessments for post-admission access control.

"The Cisco NAC Profiler arrives at a time when businesses are supporting growing numbers of devices critical to operations and productivity," said a Cisco statement. "The NAC Profiler addresses the growing complexity of protecting an increasingly diverse array of networked devices by taking an in-depth and automated inventory and enabling actions to be taken based on their behavior."

NAC Profiler, which stems from an OEM agreement with Great Bay Software, consists of a software update on the NAC Appliance Server, and the NAC Profiler Server pulls information from the NAC Appliance Server and sends it to the management console, according to Brendan O'Connell, Cisco's NAC product marketing manager.

"It's about making sure a device is what it claims to be," O'Connell said, adding that in the past, devices like printers, copiers and other IP-addressed devices weren't assessed by NAC tools. "It's gathering information about the networked endpoint to ensure it's doing what it should be doing."

Braunberg agreed. "This does all of the heavy lifting of making sure there's an updated list of these non-responsive hosts," he said. "Since it can look at the behavior from a particular address, you can know what that device is supposed to be and what it's supposed to be doing. That can help considerably."

Tags: Network Access Control,  Network Security Best Practices and Products,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Access Control What are two common devices that control outbound network access? Using NAC for smartphone security on wireless LAN Network security risks multiply when enterprises begin outsourcing Dynamic policy ensures faster, safer network for school district NAC appliance vendors: Can you depend on them? NAC integration at the endpoint Extending NAC enforcement to network security devices Integrating NAC with network security tools Network access control market crushed by economy, but future is bright Joel Snyder discusses Network Access Control Day at Interop Las Vegas Network Security Best Practices and Products How do I change my security setting to allow ActiveX? What are two common devices that control outbound network access? 3Com acquisition confirms HP-Cisco battle for China Enterprises demand next-generation firewalls with IPS, app visibility Preventing hacker attacks with network behavior analysis IPS Is there a way to trace my stolen laptop computer? Integrating NAC with network security tools Should organizations separate technical from administrative security? What network equipment is needed to secure a small business LAN? Ethical hacking and countermeasures: Network penetration testing intro

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary network access control  (SearchNetworking.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary