Cisco And Microsoft, How's The Network Access Cooperation Going?
The two vendors won't discuss plans or timetables, even as the issue grows in importance for IT security managers.
With so many devices accessing so many business networks, it's decision time about technology for controlling network access. Companies want it so they can check the security status of PCs and mobile devices--who knows where they've been?--before letting them plug into the network.
But customers can't yet count on the two vendors at the center of it all, Cisco Systems and Microsoft. More than a year after the vendors revealed with fanfare that they were working together to get their respective network access control technologies to interoperate, customers haven't gotten much. What was envisioned as a tightly woven access control fabric is beginning to resemble a drafty patchwork, and customers are starting to look elsewhere for protection as the number and types of mobile devices linking to their networks proliferate.
Like airport security patting down passengers and inspecting bags, network access control systems check to see that PCs and mobile devices have up-to-date software patches and are virus-free before granting network access, and then control what they can do once inside. Cisco has delivered important pieces of its Network Admission Control. Microsoft's Network Access Protection will show up later this year in Windows Vista and next year in Longhorn server, but customers will have to implement both before they can benefit from the NAP system.
Having the leading network and software vendors pursuing separate access control schemes makes sense only if they can communicate with each other. So in October 2004, the vendors said they would integrate NAC and NAP, with a promise of simplifying network security managers' lives. So what's the holdup? Interoperability, integration, and standardization of clients, network devices, and policy systems, says Cisco's NAC marketing director Russell Rice.
Cisco's part in ensuring interoperability will come from its work with the Internet Engineering Task Force, and a lot remains to be done. At meetings that begin March 19, the IETF will discuss creating transport protocols that let clients, network devices, and policy systems exchange information. But that process is too unpredictable for Cisco to be able to say when it will have a product ready to ship.
Microsoft also is slogging through details about how the vendors' access control products will communicate. "NAP will inform the Cisco NAC infrastructure on how to enforce security policies, and vice versa," says Mike Schutz, product manager with Microsoft's infrastructure marketing group, adding that both vendors have licensed each other's APIs to help their systems communicate.
Microsoft backs the Trusted Computing Group's Trusted Network Connect specification, which was demonstrated for the first time last month as a way hardware-based security technology can ensure that PCs comply with enterprise security policies. But those guidelines are far from widely accepted.
Although Cisco isn't part of the Trusted Computing Group, it's working with TCG member--and Cisco rival--Juniper Networks within the IETF to standardize the protocols needed to ensure interoperability in any network end-point assessment system. Juniper sells network access control technology and in December bought Funk Software, which makes an 802.1X client for connecting to wireless and wired networks and offers RADIUS technology for authenticating clients connecting to a network remotely.
What Cisco and Microsoft are proposing is unquestionably complex. For access control to be effective, a number of technologies--directory servers, policy engines, networking equipment, PCs, and more--will have to rely on standardized communication protocols. And it will be unquestionably more expensive for companies if Cisco and Microsoft don't get this right. "It's critical that Microsoft's and Cisco's solutions work together," Forrester Research analyst Robert Whiteley says. "The more standards you have, the more well-defined the moving parts are, the lower the cost will be."
So what would customers like? Since they're getting some network access control capabilities already, they want to coordinate network access in IT environments that include Cisco routers, Windows PCs, mobile phones, BlackBerrys, and the like. And they'd like more insight into what Microsoft and Cisco will deliver together, including a timetable for supporting common protocols in their flagship products.
The market isn't waiting around. End-point security provider Senforce Technologies this week will deliver an intelligent network access control application to check that end points are secure before they connect to a network. It's meant to work with access control technology from Cisco, Juniper, and Nortel. And Intel Capital is making an equity investment of an undisclosed amount in Lockdown Networks, which makes network appliances that check PCs and other devices for security compliance and enforce security policies.