Cisco Expands Security Push To LANs - InformationWeek


Cisco will target its NAC strategy on layer 2 of the network by offering support for its Catalyst switches as well as its wireless access points and controller platforms.

Cisco Systems is expanding its network-security efforts, which to date have focused on wide-area network access points, to the local-area network and the switches that move traffic within most businesses. It's also making it easier for businesses to include third-party devices and use non-Cisco software to implement the security policies.

The move will be welcomed by network administrators scorched by increasingly virulent malware attacks. But those companies that have already begun to introduce NAC strategies from other vendors, or who don't relish the thought of upgrading portions of their diverse Cisco networking environment to comply with that company's NAC requirements, might not be quite as happy.

Cisco in November will target its NAC strategy on layer 2 of the network, where switches pass information inside the LAN, by offering NAC support for its Catalyst switches, including the 6500, 4900, 4500, 3700, 3500, and 2900 series, as well as its wireless access points and controller platforms.

Cisco's move to direct its NAC strategy at LAN-level security has been much anticipated. "Moving NAC in from the network's edge to include switches and wireless devices lets network administrators build baseline security policies for these devices before they connect to the network," says Lawrence Orans, Gartner's research director for network security.

Cisco created its NAC strategy in 2003 to address the difficulty companies have controlling the viruses, worms, and other malware that constantly attack their networks and the systems that connect over these networks. Cisco figured the best way to do this was to get greater control over access points into the network; to make sure each device connecting in has a clean bill of health. The first fruits of Cisco's labor appeared in June 2004, when the company introduced NAC-compliant routers and firewalls to identify security threats at the wide-area network level.

To become part of a NAC-compliant environment, devices connecting to the network until now had to run Cisco Trusted Agent software so that information about those devices could be collected and evaluated for risk assessment. Devices unable to run Cisco Trusted Agent were out of luck. Cisco will remedy this next month by letting "agentless" devices such as printers, guest laptops, and PDAs have their security risk evaluated by third-party software from Altiris, Qualys, and Symantec. This software will then share its security audit information with the Cisco network, which will make the admission decision.
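The admission flow described above, as an added example that is not code from Cisco or from any of the assessment vendors named: an endpoint either reports its own posture through an agent or, if it cannot run one, is assessed by a third-party scanner, and the network then decides whether to admit, quarantine, or deny it. The thresholds, VLAN names, report field names, and sample endpoints are all constructed for illustration.

```python
"""Toy NAC admission-policy engine (added example, not any vendor's code).

Models the article's flow: an endpoint reports posture through an agent or,
if agentless (printer, guest laptop, PDA), is assessed by a third-party
scanner; the network then makes the admission decision. All thresholds,
VLAN names and report field names are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"

# Hypothetical policy knobs.
MAX_SIGNATURE_AGE_DAYS = 7   # antivirus signatures older than this are stale
REQUIRED_PATCH_LEVEL = 3     # minimum patch level to be admitted

# Hypothetical VLAN names the switch would assign after the decision
# (with 802.1X this is typically carried back in RADIUS attributes).
VLAN_FOR = {ALLOW: "corp", QUARANTINE: "remediation", DENY: "none"}
AGENTLESS_VLAN = "restricted"  # agentless devices that pass get limited access


@dataclass
class Posture:
    source: str                       # "agent" or "scanner"
    av_running: bool
    av_signature_date: Optional[date]
    patch_level: int
    critical_vulns: int = 0           # scanner-reported open critical findings


@dataclass
class Decision:
    verdict: str
    vlan: str
    reason: str


def posture_from_scanner_json(text: str) -> Posture:
    """Parse a constructed, hypothetical third-party scanner report."""
    r = json.loads(text)
    sig = r.get("av_signature_date")
    return Posture(
        source="scanner",
        av_running=bool(r.get("av_running", False)),
        av_signature_date=date.fromisoformat(sig) if sig else None,
        patch_level=int(r.get("patch_level", 0)),
        critical_vulns=int(r.get("critical_vulns", 0)),
    )


def evaluate(posture: Optional[Posture], today: date, agent_required: bool = False) -> Decision:
    """Return the admission decision for one endpoint.

    `posture is None` is the edge case the article describes: a device that
    cannot run an agent and has not been scanned by third-party software.
    """
    if posture is None:
        if agent_required:
            return Decision(DENY, VLAN_FOR[DENY], "no agent and agents are mandatory")
        return Decision(QUARANTINE, VLAN_FOR[QUARANTINE], "unassessed device, hold for scan")
    if posture.critical_vulns > 0:
        return Decision(DENY, VLAN_FOR[DENY], f"{posture.critical_vulns} critical finding(s)")
    if not posture.av_running:
        return Decision(QUARANTINE, VLAN_FOR[QUARANTINE], "antivirus not running")
    if posture.av_signature_date is None or (today - posture.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        return Decision(QUARANTINE, VLAN_FOR[QUARANTINE], "antivirus signatures stale")
    if posture.patch_level < REQUIRED_PATCH_LEVEL:
        return Decision(QUARANTINE, VLAN_FOR[QUARANTINE], "patch level below policy")
    vlan = AGENTLESS_VLAN if posture.source == "scanner" else VLAN_FOR[ALLOW]
    return Decision(ALLOW, vlan, "posture meets policy")


# Constructed sample endpoints (not real devices or reports).
TODAY = date(2005, 10, 20)
SAMPLES = {
    "agent-laptop": Posture("agent", True, date(2005, 10, 18), 3),
    "agent-stale-av": Posture("agent", True, date(2005, 9, 1), 3),
    "printer-unscanned": None,
    "guest-laptop-scanned": posture_from_scanner_json(
        '{"av_running": true, "av_signature_date": "2005-10-19", "patch_level": 4, "critical_vulns": 0}'
    ),
    "pda-infected": posture_from_scanner_json(
        '{"av_running": false, "av_signature_date": null, "patch_level": 1, "critical_vulns": 2}'
    ),
}


def decide_all(samples=SAMPLES, today=TODAY):
    """Evaluate every sample endpoint and return name -> Decision."""
    return {name: evaluate(p, today) for name, p in samples.items()}


if __name__ == "__main__":
    for name, d in decide_all().items():
        print(f"{name:22s} {d.verdict:10s} vlan={d.vlan:12s} {d.reason}")
```

The point of the `posture is None` branch is the one the article makes: without a third-party assessment path, an agentless device can only be held or refused, never admitted on evidence; with one, the same policy engine can evaluate it from the scanner's report and still confine it to a restricted segment.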

Cisco's support for 802.1X port-level authentication, which allows devices to authenticate to a network regardless of where they are plugged in, is a welcome sign for Aurora Health Care, a not-for-profit health-care network with 14 hospitals, 150 clinics, and more than 200 pharmacies. Aurora uses Cisco routers, load balancers, and virtual-private-network concentrators, but the organization's network also consists of Enterasys Networks switches and intrusion-defense systems, Juniper Networks firewalls and SSL VPNs, and IronPort Systems E-mail security. "So many networks are built over time, so there's no silver bullet," says Dan Lukas, lead security architect. Cisco's NAC strategy prior to this week's announcement hasn't been as effective for companies that use network equipment from a variety of vendors, Lukas adds, saying, "We don't have Cisco everywhere, and I can't just swap out everything."

The success of Cisco's NAC strategy depends on whether companies are willing to implement Cisco Trusted Agent or third-party assessment software, upgrade LAN equipment, and assess how they build and enforce access policies, says Forrester Research analyst Robert Whiteley. From a competitive standpoint, Cisco isn't the first vendor to offer NAC protection at the LAN level. Alcatel and Enterasys are already doing essentially the same thing, although this shouldn't affect Cisco's entry into the market because the company is such a force in the networking world, he adds. But there's still a lot of work for companies to do before NAC-compliant devices and protocols can be implemented on layer 2, including upgrading any switches that are more than three years old.

Companies with a relatively basic network layout should look at standalone access-control appliances from Caymas Systems or network-quarantine appliances from Vernier Networks, while companies with more complex networks should look to server- or switch-based solutions from vendors including Sygate, which Symantec officially acquired earlier this month, and Cisco, according to a June Forrester report Whiteley authored on network-quarantine technology.

Whiteley's report also noted that, of the 653 technology decision-makers it interviewed, 39% are implementing network-quarantine technology this year. "That's pretty good considering how many moving parts this technology has," Whiteley says. The reason for this healthy adoption stems from the need to head off security problems by ensuring infected endpoints don't connect to the network in the first place. "NAC helps you keep the bad guys off your network," he adds.

Cisco competitor 3Com Corp.'s approach to network-admission control and quarantine is a bit different from Cisco's, relying more heavily on routing network data to intrusion-prevention systems, appliances set up within the network. 3Com added this technology to its network-security repertoire in January when it acquired TippingPoint. As such, 3Com's security devices could also function within a Cisco NAC environment. "IPS connects with all networking equipment, regardless of layer or vendor," says Marc Willebeek-LeMair, CTO of 3Com. The company's IPS devices don't rely exclusively on the 802.1X communication protocol to let clients and switches communicate because, Willebeek-LeMair says, not enough networks are ready to comply with the standard.

Juniper's approach to network-admission control and quarantine, introduced in May, includes its Infranet Controller appliance and Infranet Agent software, together designed to bring endpoint intelligence into network traffic decisions. "Our approach is to create categories of access control across the different layers of the network," as opposed to focusing on a particular network layer, says Andrew Harding, Juniper's director of product management.

None of the vendors crowding this important category of network security is likely to make really big waves this year. "It'll be the middle to the end of 2006 before companies have NAC up and running within the switch environment," Forrester's Whiteley says. "2006 will be the major year of getting your infrastructure up to date and defining your networking policies."
