Cisco and Microsoft today released closely held details about their two-year-old partnership to deliver integrated controls that prevent malware-infested computers from connecting into networks. Cisco's Network Admission Control, or NAC, technology will work with the Microsoft Network Access Protection, or NAP, capabilities available with the upcoming Windows Vista and Longhorn operating systems.
The result should be a breakthrough in integrated IT security when the whole package arrives in the second half of next year, the target date for Longhorn's release. But the need for network access control won't wait that long, so businesses will have to continue to control network access using technology already available in some of Cisco's products and through other security vendors.
By year's end, Cisco and Microsoft will offer a limited beta program--with no more than three mutual customers--to gain a more realistic understanding of how their access control technologies will work together.
As these beta testers will soon find out, combined network access protection and network access control consists of several client-side software applications that check and communicate the health of laptops, desktops, and other devices attempting to connect into a given network.
On the network side, Cisco routers and switches, Cisco Secure Access Control Server, Microsoft Network Policy Server, and policy servers from other vendors work together to give the thumbs up or thumbs down to any device seeking to connect. Access control systems must be able to detect connecting devices, authenticate the people using them, determine if a connecting device has the appropriate anti-virus protection and software patches, and quarantine and update systems that don't make the grade. Microsoft and Cisco appear to have these bases covered.
Apart from some comments at this year's RSA Security show in February, when Bill Gates broached the topic of NAP and NAC integration, Cisco and Microsoft have said very little over the past two years about how their technologies will work together. "We wanted to be sure this worked," says Mark Ashida, general manager of Microsoft Enterprise Networking.
The biggest challenges were corporate rather than technological. "We're governed by who owns what intellectual property," Ashida says. Adds Bob Gleichauf, Cisco's CTO for its Security Technology Group, "We had to get our respective legal teams together to work out the cross-licensing."
Cisco and Microsoft have cross-licensed the Cisco NAC and Microsoft NAP protocols used to communicate information between clients and networks to help ensure their products continue to work together. The companies also decided that Microsoft NAP client APIs will serve as the only client interface, which makes it easier for third-party software developers to write their own health-agent and health-enforcement software to work in integrated NAC-NAP environments.
Under the joint Cisco-Microsoft vision, the access control process begins when a client running Vista attempts to authenticate to the network by sending a "statement of health," which includes information from so-called system-health agent software, to a Cisco Secure Access Control Server, or ACS, via a switch or router. System-health agent software is available from Microsoft as well as third-party vendors including Altiris, McAfee, and Symantec.
This statement of health travels to the ACS using one of two methods: Extensible Authentication Protocol over User Datagram Protocol (EAP over UDP) or EAP Flexible Authentication via Secure Tunneling, also known as EAP-FAST. Once the ACS receives the authentication and admission request, it communicates via Host Credentials Authorization Protocol (HCAP) to the Microsoft Network Policy Server, or NPS. The NPS, in turn, connects to a health-registration authority server or policy server to determine whether the client should be given access, and then passes that decision back to the ACS.
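The admission flow described above, as an added illustration that is not Cisco's or Microsoft's code: a constructed statement of health is checked agent by agent in the policy-server role, and the ACS role refuses unauthenticated users before deferring to that verdict. The report layout, the seven-day signature threshold and the patch identifiers are assumptions; the real NAP statement-of-health encoding is not reproduced.

```python
from dataclasses import dataclass
from datetime import date

# Statement of health modelled as {agent_name: report}; the real NAP SoH
# encoding is not reproduced here (assumption). Patch IDs are placeholders.
MAX_SIGNATURE_AGE_DAYS = 7
REQUIRED_PATCHES = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}
DEMO_TODAY = date(2006, 9, 20)  # constructed evaluation date

@dataclass
class Decision:
    access: str        # "full", "quarantine" or "deny"
    remediation: list  # what a quarantined client must fix before retrying

def evaluate_agent(name, report, today):
    """One health agent's report -> list of remediation actions (empty = healthy)."""
    actions = []
    if name == "antivirus":
        if not report.get("enabled"):
            actions.append("enable antivirus real-time protection")
        sig_date = date.fromisoformat(report["signature_date"])
        if (today - sig_date).days > MAX_SIGNATURE_AGE_DAYS:
            actions.append("update antivirus signatures")
    elif name == "patch":
        for kb in sorted(REQUIRED_PATCHES - set(report.get("installed", []))):
            actions.append(f"install patch {kb}")
    else:
        # Fail closed: an agent the policy does not know cannot vouch for health.
        actions.append(f"unknown health agent '{name}': treated as unhealthy")
    return actions

def policy_server_decide(soh, today):
    """NPS/policy-server role: every agent must pass, else quarantine with a fix list."""
    remediation = []
    for agent, report in soh.items():
        remediation.extend(evaluate_agent(agent, report, today))
    return Decision("quarantine" if remediation else "full", remediation)

def acs_admit(soh, user_authenticated, today):
    """ACS role: reject unauthenticated users outright, then defer to the policy server."""
    if not user_authenticated:
        return Decision("deny", ["authentication failed"])
    return policy_server_decide(soh, today)

# Constructed sample statement of health from one client: stale signatures, one patch missing.
SAMPLE_SOH = {
    "antivirus": {"enabled": True, "signature_date": "2006-09-01"},
    "patch": {"installed": ["KB-PLACEHOLDER-1"]},
}

if __name__ == "__main__":
    print(acs_admit(SAMPLE_SOH, True, DEMO_TODAY))
```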
A Forrester Research study of 149 technology decision makers at North American companies found that while more than one-third plan to adopt some type of network access control this year, the rest cite cost and manageability as obstacles to deployment.
Cisco and Microsoft have done solid work in making access control much easier by letting their technologies communicate with each other, but this won't be a big deal to most businesses until they have Vista on their PCs and Longhorn on their servers.
There's a real urgency for companies to better protect their networks when remote employees, contractors, and business partners connect. Don't wait for Microsoft and Cisco, says Gartner VP John Pescatore, adding, "If you're not going to Vista by 2008, you should be looking for appliances and other technologies that offer [access control] and asking those vendors how they plan to fit into Microsoft and Cisco's plans."