Cisco's app configures remote systems before giving access to the network
Many companies hit by the SQL Slammer and Blaster worms--and any of the year's nasty viruses--learned fast what worked when it came to security defenses. Perimeter defenses such as network firewalls, gateway antivirus devices, and patches largely held, but internal networks still got nailed. In many cases, this happened because remote workers or visiting contractors logged on to company networks without proper patches or updated antivirus software and infected any internal desktops and servers that hadn't yet been secured.
To combat this problem, Cisco Systems last week said it's developing an application to ensure that remote systems are properly configured before getting access to a network. The effort, part of Cisco's self-defending network initiative, will give Cisco routers a way to assess the security posture of computing devices. If a remote notebook user tries to log on to a company network, the Cisco Network Admission Control app validates certain security settings, such as whether the notebook's patches and antivirus signatures are up to date. If the notebook falls short, it can be denied network access, quarantined, or permitted to enter only certain segments of the network.
Next Level Of Security
Cisco's Network Admission Control program will include:
Trust Agent: Collects security-related information from servers, desktops, notebooks, and handheld devices
Network-Access Devices: Routers, switches, and wireless-access protocols that enforce security policy on end-point devices
Policy Server: Examines end-point security sent from network-access devices and decides what actions, if any, to take
Security Agent: Spots and stops malicious actions before they damage desktops or servers
Data: Cisco Systems
Cisco partnered with antivirus vendors Network Associates, Symantec, and Trend Micro for this initiative.
The concept of enforcing security on end-point devices, such as notebooks, desktops, PDAs, and, eventually, cell phones, isn't new. Vendors such as InfoExpress, Sygate, WholeSecurity, and Zone Labs have end-point firewalls that provide various ways for remote systems to have their security checked before getting network access. Cisco is one of the few IT vendors with the installed base to be able to provide end-point security that's also integrated into network devices, says John Pescatore, VP at research firm Gartner. "There are only two companies that can do this at this level, and that's Cisco and Microsoft. The challenge Cisco faces is convincing customers to install the Trust Agent on the notebook or desktop. Cisco has little desktop-software presence," he says.
But that might not be too challenging, as research firm Frost & Sullivan expects sales of end-point security applications to grow from $140 million last year to about $556 million by 2008.
Business security has moved from "a few big gaping holes in systems to a larger amount of tiny holes in corporate systems," says Pete Lindstrom, research director at Spire Security. Cisco's and other similar initiatives are the next logical step to fill these tiny pinholes that can create big problems on internal networks.
"It advances the cause for intranet security," says Edward Gotthelf, director of network architecture at United Parcel Service Inc. "Making sure all systems are patched and that their virus signatures are up to date is a rapidly escalating problem. You used to have days to months to patch; now it's hours." The logistics company will examine how it could use Cisco's Network Admission Control technology, Gotthelf says.
The program initially will work with Cisco routers and later be expanded to Cisco switches, wireless-access protocols, and security appliances. Cisco plans to provide Trust Agent free; pricing for Security Agent is based on volume. Network Admission Control requires the Cisco Secure Access Control Server, an authentication, authorization, and accounting server, priced at $5,995 for unlimited users with no license fee and $2,495 as an upgrade.
Customer deployments of Network Admission Control are expected by the first half of next year. Before that, Cisco will deploy the technology on its own networks to increase security and work out kinks. Says president and CEO John Chambers, "We eat our own cooking."