Q&A: Cisco's Chief Security Officer Explains NAC Strategy Shift

Cisco Chief Security Officer John Stewart talks at Black Hat about recent developments in Cisco's Network Admission Control initiative, as well as larger issues affecting the security industry.

CRN: What's the strategy behind Cisco's recent acquisition of Meetinghouse?

STEWART: The Meetinghouse acquisition was very customer-driven. Our customers told us that since Cisco has worked out NAC on Layer 3 and Layer 2--as well as for routers, switches and WLAN access points--they would rather purchase the client supplicant software from us. This took us by surprise a little bit. We thought that because our traditional work is in the network area, most of our customers would prefer to buy the end-point technology on their own.

We actually heard that customers want the whole, end-to-end NAC solution, from the end point to the infrastructure to the end point. And they want to buy it from Cisco so they can be confident that it's all working correctly and that they're not trying to integrate multiple vendors.

CRN: Several Cisco products were recently found to be vulnerable to denial-of-service attacks due to a flaw in the Internet Key Exchange (IKE) Protocol, which enables remote IPsec VPN access. Although Cisco said it's a problem with the protocol itself that requires industry cooperation to fix, are you doing anything on your end to mitigate the risk?

STEWART: The issue isn't specific to one technology or vendor, and we believe it's a broader problem. Now most of the vendors that are using IPSec-based IKE are starting to look at their own products. Despite all that we've learned to date about this issue, there are no easy ways to mitigate this risk without breaking the protocol itself. The issue exists in version one of IKE, and version two doesn't have the same vulnerability. But it hasn't yet been widely adopted across the industry.

We're also putting together the equivalent of an internal, customer-facing white paper explaining what it means. We're making customers aware that what we're doing is trying to stretch the bonds of imagination for ways to address the issue that don't break the protocol but still lower the risk to our customers.

CRN: Has the threat of attacks on VoIP systems been overhyped?

STEWART: I wouldn't say that the threat has been overhyped, just well-covered. However, it's important to realize that voice is one part of many pieces when it comes to securing a corporate network, and to recognize that in a converged network, voice and data are getting on par in terms of equal importance. There might be a little imbalance in terms of focusing on voice security more than data security, when in reality, both are important to any company.

CRN: Does Cisco require its mobile workers to encrypt data on their notebook hard drives?

STEWART: Yes, and we just revised that policy and in fact are in the middle of deploying an undisclosed technology from another vendor. However, we're doing it not only for mobile PCs but also desktops, with the assumption that these could get physically stolen as well. So we're trying not to differentiate between mobile and non-mobile.

Cisco faces a slightly different issue than many companies, especially those that have been in the news of late for losing data. For the most part, we don't take credit cards, and we don't store personal information of our customers. What we do have is employee information and other customer information, and that is something we are very concerned about protecting.
