When two of the industry's most dominant players get together and decide on a way to handle security, most IT managers don't ask whether they're going to do it. They just want to know how and /when.
Less than two weeks after unveiling their initiative to integrate Cisco's Network Admission Control (NAC) with Microsoft's Network Access Protection, the two vendors are still answering those questions, trying to help enterprises understand how the two companies' security plans will work together. (See Cisco, Microsoft Join Forces on Security.)
For most enterprises, the basic question is how to make NAC, a network-based capability that keeps users quarantined from the network unless they comply with security rules, work with NAP, a client-server capability that quarantines desktops and other devices that are out of compliance. NAC is a technology that's available today with many Cisco devices; NAP will be delivered along with Longhorn Server and Vista in 2007.
"What we heard from customers was 'Don't make us choose'," between the Cisco and Microsoft approaches, says Joe Sirrianni, senior solutions manager at Cisco. "So we're focusing our efforts on making them work together."
In its initial phase, the partnership will try to harmonize methods for isolating hosts and devices that don't match the security policy, develop common methods for discovering new devices on the network, and create a standard method for collecting information about a device's compliance (or non-compliance) with enterprise security policies, Sirrianni says.
"We developed two different ways of doing these things, and we saw that it was confusing for the customer," says Mark Ashida, general manager of Microsoft's Enterprise Networking group. "The way we're doing it now is much less complicated.
But even though the companies have laid out a joint roadmap, it will be a while before enterprises can get to a fully-integrated NAC/NAP environment, notes Dave Passmore, research director at Burton Group, an IT consultancy.
"NAC/NAP won't be relevant for about two years, because most enterprises don't have Vista, and they don't have the most current versions of Cisco switches and software," Passmore says. "The wait for Longhorn Server and NAP leaves a window of opportunity for the Trusted Computing Group's Trusted Network Connect, a proposed industry standard most recently championed in a joint venture between Juniper and Symantec." (See Symantec & Juniper Join Forces.)
"TNC creates an alternative infrastructure that's more useful in the near term and more open to third parties," Passmore says. Cisco and Microsoft are cool to TNC at the moment, but if it catches on, they might be forced to work the standard into their product strategies, just as Cisco was forced to adopt the industry-standard OSPF (Open Shortest Path First) technology along with its proprietary IGRP routing protocol, he says.
Cisco and Microsoft execs don't dismiss TNC, but they aren't embracing it, either. "Our first priority was to get something working with Cisco," says Mark Ashida, general manager of Microsoft's Enterprise Networking group. "That's what customers told us they wanted."
Ashida and Sirriani reject the notion that NAC/NAP won't matter for a couple of years. "As a matter of fact, what we're telling users now is that they need to jump into the water," says Ashida. Users can implement NAC under Windows XP today, and all NAC-ready environments will be able to operate in the NAC/NAP environment, Sirrianni says.
Preparing for NAC/NAP means defining policies for network and end-point compliance and prioritizing which systems are the most at risk, so they can get the NAC/NAP functionality first, the executives say.
"A first step is to do a NAC readiness analysis, to be sure you've got the right versions of IOS in place," Sirrianni advises. "Then, at the desktop, you have to define what policy compliance means, and what client health looks like. And then you have to prioritize your rollout to where the high-risk areas are, because you're not going to just flip a switch and have this implemented all across the network."
"We advise companies to spend a good couple of months planning for [NAC/NAP]," Ashida says. "This is a technology that crosses a lot of boundaries in IT."
One decision that enterprises must make is how they will enforce the NAC/NAP policies, Passmore says. A company could choose to quarantine by IP address, by VPN connection, or by encrypted tunnels, he notes. The Cisco/Microsoft partnership doesn't define a clear method for enforcement, and there's no reason why the enterprise has to use the Cisco enforcement scheme, he notes.
At a higher level, enterprises must decide whether they trust Microsoft and Cisco to work well together, Passmore says. "They have some product lines that are coming into direct competition," he notes. "This idea of 'co-opetition' can be hard to pull off."
Tim Wilson, Site Editor, Dark Reading