Cisco, Microsoft Reveal Long-Awaited Network Access Control Plans - InformationWeek


The result should be a breakthrough in integrated IT security when the whole package arrives in the second half of next year.

Cisco and Microsoft today released closely held details about their two-year-old partnership to deliver integrated controls that prevent malware-infested computers from connecting into networks. Cisco's Network Admission Control, or NAC, technology will work with the Microsoft Network Access Protection, or NAP, capabilities available with the upcoming Windows Vista and Longhorn operating systems.

The result should be a breakthrough in integrated IT security when the whole package arrives in the second half of next year, the target date for Longhorn's release. But the need for network access control won't wait that long, so businesses will have to continue to control network access using technology already available in some of Cisco's products and through other security vendors.

By year's end, Cisco and Microsoft will offer a limited beta program--with no more than three mutual customers--to gain a more realistic understanding of how their access control technologies will work together.

As these beta testers will soon find out, combined network access protection and network access control consists of several client-side software applications that check and communicate the health of laptops, desktops, and other devices attempting to connect into a given network.

On the network side, Cisco routers and switches, Cisco Secure Access Control Server, Microsoft Network Policy Server, and policy servers from other vendors work together to give the thumbs up or thumbs down to any device seeking to connect. Access control systems must be able to detect connecting devices, authenticate the people using them, determine if a connecting device has the appropriate anti-virus protection and software patches, and quarantine and update systems that don't make the grade. Microsoft and Cisco appear to have these bases covered.

Apart from some comments at this year's RSA Security show in February, when Bill Gates broached the topic of NAP and NAC integration, Cisco and Microsoft have said very little over the past two years about how their technologies will work together. "We wanted to be sure this worked," says Mark Ashida, general manager of Microsoft Enterprise Networking.

The biggest challenges were corporate rather than technological. "We're governed by who owns what intellectual property," Ashida says. Adds Bob Gleichauf, Cisco's CTO for its Security Technology Group, "We had to get our respective legal teams together to work out the cross-licensing."

Cisco and Microsoft have cross-licensed the Cisco NAC and Microsoft NAP protocols used to communicate information between clients and networks to help ensure their products continue to work together. The companies also decided that Microsoft NAP client APIs will serve as the only client interface, which makes it easier for third-party software developers to write their own health-agent and health-enforcement software to work in integrated NAC-NAP environments.

Under the joint Cisco-Microsoft vision, the access control process begins when a client running Vista attempts to authenticate to the network by sending a "statement of health," which includes information from so-called system-health agent software, to a Cisco Secure Access Control Server, or ACS, via a switch or router. System-health agent software is available from Microsoft as well as third-party vendors including Altiris, McAfee, and Symantec.

This statement of health travels to the ACS using one of two methods, either Extensible Authentication Protocol over User Datagram Protocol or EAP Flexible Authentication via Secure Tunneling, also known as EAP-FAST. Once the ACS receives the authentication and admission request, it communicates via host credentials authorization protocol to the Microsoft Network Policy Server, or NPS. The NPS, in turn, connects to a health-registration authority server or policy server to determine whether the client should be given access, and then passes that decision back to the ACS.

A Forrester Research study of 149 technology decision makers at North American companies found that while more than one-third plan to adopt some type of network access control this year, the rest cite cost and manageability as obstacles to deployment.

Cisco and Microsoft have done solid work in making access control much easier by letting their technologies communicate with each other, but this won't be a big deal to most businesses until they have Vista on their PCs and Longhorn on their servers.

There's a real urgency for companies to better protect their networks when remote employees, contractors, and business partners connect. Don't wait for Microsoft and Cisco, says Gartner VP John Pescatore, adding, "If you're not going to Vista by 2008, you should be looking for appliances and other technologies that offer [access control] and asking those vendors how they plan to fit into Microsoft and Cisco's plans."
