News Stay informed about the latest enterprise technology news and product updates.

Cisco's NAC play: Good for users, or just for Cisco's bottom line?

Expert opinion on how subtle moves in Cisco's NAC department suggest that the company wants to be a major security player -- selling lots and lots of equipment in the process.

Andrew Braunberg, Current Analysis
Cisco has recently made several announcements regarding its network access control (NAC) strategy, marking a significant shift in how the company is approaching this emerging market. Most recently, Cisco acquired the 802.1x client supplicant vendor Meetinghouse Data Communications Inc. With that came the announcement of a major change in direction for the evolution of its Clean Access appliance.

Both moves indicate that Cisco is looking to deliver more of the core functionality that makes up an NAC solution. This shift is not surprising, considering Cisco's growing presence in the information security market. But it is likely to drive some Cisco NAC partners away from the Cisco NAC framework and could help fill the sails of competing frameworks as NAC vendors look for alternatives to CNAC.

Cisco has always maintained a dual track for its NAC deliverables. The Cisco Network Admission Control (CNAC) framework is an overarching reference architecture for delivering a completely integrated NAC solution by leveraging Cisco network infrastructure. Cisco also markets the Clean Access appliance, which delivers a quicker, standalone solution that does not require the network upgrades of a full CNAC implementation. Cisco acquired the Clean Access technology from Perfigo in the fall of 2004. The product has been viewed largely as a stop-gap solution for customers that were not prepared to wait for the full CNAC framework infrastructure to roll out. With the new release of NAC Appliance 4.0 (Cisco has also rebranded the appliance), however, Cisco has indicated that going forward it will fully integrate the Clean Access appliance within the CNAC framework, and in fact the appliance will become an integral component of that framework.

The market impact of this announcement is large, if a bit subtle. Critics of Cisco's CNAC framework have often pointed out that the solution requires large amounts of Cisco infrastructure and that CNAC, at its core, is really about Cisco's selling more network equipment.

What is very clear from this announcement is the degree to which Cisco wants to be not just a network equipment vendor but also a security vendor.

This, in turn, is leaving precious little room for cooperation with CNAC partners that provide real NAC functionality, as opposed to tangential solutions such as patch management or client-based threat management.

Cisco's decision is likely to re-energize interest in alternative NAC frameworks, such as Microsoft NAP and Trusted Computing Group's TNC. Recent enterprise demand research on the NAC market carried out by Current Analysis demonstrates that network architects do feel that the development of standards is important to the NAC market but that no de facto standard has yet emerged. CNAC does seem to be garnering more attention than alternatives -- Cisco's mindshare is miles ahead of Microsoft Network Access Protection and Trusted Computing Group's Trusted Network Connect.

Cisco recently made another important move that demonstrates a desire to own all of the technology needed to deliver a complete NAC solution. With its acquisition of Meetinghouse Data Communications Inc., Cisco has secured ownership of important enabling technology for the CNAC framework.

Meetinghouse is a longtime provider of 802.1x client supplicant and RADIUS/AAA products. Cisco had enjoyed an OEM relationship with Meetinghouse in which Meetinghouse provided a stripped-down version of its AEGIS SecureConnect 802.1x client supplicant for use with the Cisco Trust Agent. NAC is driving many organizations to take a harder look at 802.1x, and the standard plays a prominent role in Cisco NAC. The acquisition of Meetinghouse allows Cisco to support a much broader set of endpoint devices and use cases (e.g., wireless access). SecureConnect clients support EAP-MD5, EAP-TLS, EAP-TTLS, Cisco LEAP, and EAP-PEAP on Windows XP, 2000, NT, 98, ME, PocketPC 2002,, Mac OXS, Palm Tungsten C, Solaris 8, and Red Hat Linux.

With this acquisition, Cisco is now clearly in a position to deliver a complete NAC solution as it defines one. Is that really such a good thing?

For more on NAC

Check out our news story on Cisco's NAC 4.0

Learn how Sun Microsystems is using Cisco NAC for security

Read how others are tackling security in our Network Defenders series  

Cisco's approach to NAC focuses on reducing the threat of an endpoint to the network by ensuring that the endpoint meets appropriate corporate security policy before it is granted access to the network. Cisco's capabilities therefore support the identification of each device and user, and the quarantine and remediation of a device is necessary, based on prescribed endpoint security posture policy. The creation, management, and enforcement of policy are key requirements.

Current Analysis believes that these are necessary but not sufficient capabilities for a complete NAC solution. We include two additional capabilities in our definition:

  1. identity-based and policy-driven access control of network resources
  2. post-connection posture and behavior monitoring, and policy-based enforcement

Under this scenario, NAC solutions will therefore touch a host of adjacent security, systems, and network solutions, leaving broad interoperability still as a critical concern.

Cisco's task is therefore to ensure that its view of a complete NAC solution aligns with user demands. The company needs to understand which technology is tangential and which is core and ensure that its partnership program completely supports the former and that Cisco's product suite completely supports the latter. This is a difficult task, at least in the short term, as Cisco expands its NAC offerings and creates new frictions with some existing partners.

As a Senior Analyst in the Information Security module at Current Analysis, Andrew Braunberg's main responsibility is tracking the identity management and security management market segments. Prior to joining Current Analysis, Andrew was a journalist covering information technology in the defense and telecommunications sectors. Andrew holds an M.A. from George Washington University in Science, Technology and Public Policy and a B.S. in Engineering Physics from Rensselaer Polytechnic Institute.

Dig Deeper on Network Access Control

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.