

Getting Ready For NAC/NAP

Wait or act now? Here's how to prepare for and address issues arising from the Cisco/Microsoft joint initiative

When two of the industry's most dominant players get together and decide on a way to handle security, most IT managers don't ask whether they're going to do it. They just want to know how and when.

Less than two weeks after unveiling their initiative to integrate Cisco's Network Admission Control (NAC) with Microsoft's Network Access Protection, the two vendors are still answering those questions, trying to help enterprises understand how the two companies' security plans will work together. (See Cisco, Microsoft Join Forces on Security.)

For most enterprises, the basic question is how to make NAC, a network-based capability that keeps users quarantined from the network unless they comply with security rules, work with NAP, a client-server capability that quarantines desktops and other devices that are out of compliance. NAC is a technology that's available today with many Cisco devices; NAP will be delivered along with Longhorn Server and Vista in 2007.

"What we heard from customers was 'Don't make us choose'," between the Cisco and Microsoft approaches, says Joe Sirrianni, senior solutions manager at Cisco. "So we're focusing our efforts on making them work together."

In its initial phase, the partnership will try to harmonize methods for isolating hosts and devices that don't match the security policy, develop common methods for discovering new devices on the network, and create a standard method for collecting information about a device's compliance (or non-compliance) with enterprise security policies, Sirrianni says.

"We developed two different ways of doing these things, and we saw that it was confusing for the customer," says Mark Ashida, general manager of Microsoft's Enterprise Networking group. "The way we're doing it now is much less complicated."

But even though the companies have laid out a joint roadmap, it will be a while before enterprises can get to a fully-integrated NAC/NAP environment, notes Dave Passmore, research director at Burton Group, an IT consultancy.

"NAC/NAP won't be relevant for about two years, because most enterprises don't have Vista, and they don't have the most current versions of Cisco switches and software," Passmore says. "The wait for Longhorn Server and NAP leaves a window of opportunity for the Trusted Computing Group's Trusted Network Connect, a proposed industry standard most recently championed in a joint venture between Juniper and Symantec." (See Symantec & Juniper Join Forces.)

"TNC creates an alternative infrastructure that's more useful in the near term and more open to third parties," Passmore says. Cisco and Microsoft are cool to TNC at the moment, but if it catches on, they might be forced to work the standard into their product strategies, just as Cisco was forced to adopt the industry-standard OSPF (Open Shortest Path First) technology along with its proprietary IGRP routing protocol, he says.

Cisco and Microsoft execs don't dismiss TNC, but they aren't embracing it, either. "Our first priority was to get something working with Cisco," says Ashida. "That's what customers told us they wanted."

Ashida and Sirrianni reject the notion that NAC/NAP won't matter for a couple of years. "As a matter of fact, what we're telling users now is that they need to jump into the water," says Ashida. Users can implement NAC under Windows XP today, and all NAC-ready environments will be able to operate in the NAC/NAP environment, Sirrianni says.

Preparing for NAC/NAP means defining policies for network and end-point compliance and prioritizing which systems are the most at risk, so they can get the NAC/NAP functionality first, the executives say.

"A first step is to do a NAC readiness analysis, to be sure you've got the right versions of IOS in place," Sirrianni advises. "Then, at the desktop, you have to define what policy compliance means, and what client health looks like. And then you have to prioritize your rollout to where the high-risk areas are, because you're not going to just flip a switch and have this implemented all across the network."

"We advise companies to spend a good couple of months planning for [NAC/NAP]," Ashida says. "This is a technology that crosses a lot of boundaries in IT."

One decision that enterprises must make is how they will enforce the NAC/NAP policies, Passmore says. A company could choose to quarantine by IP address, by VPN connection, or by encrypted tunnels, he notes. The Cisco/Microsoft partnership doesn't define a clear method for enforcement, and there's no reason why the enterprise has to use the Cisco enforcement scheme, he notes.
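The preparation steps described above (define what policy compliance and client health mean, prioritize the rollout by risk, and settle on an enforcement action for non-compliant hosts) can be sketched as a small admission-control evaluator. The following is an added example written for this article, not code from Cisco, Microsoft, or the NAC/NAP initiative; the policy attributes (host firewall, antivirus signature age, a numeric patch level), the risk tiers, the endpoint names and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed evaluation date so the example is deterministic offline.
TODAY = date(2006, 9, 20)


@dataclass(frozen=True)
class HealthPolicy:
    """What 'client health' means for this (hypothetical) enterprise."""
    firewall_required: bool = True
    max_signature_age_days: int = 7
    min_patch_level: int = 3  # hypothetical numeric patch baseline


@dataclass(frozen=True)
class StatementOfHealth:
    """Attributes an endpoint reports about itself (constructed fields)."""
    host: str
    firewall_enabled: bool
    av_signature_date: date
    patch_level: int
    risk_tier: int  # 1 = highest-risk segment, gets NAC/NAP first


# Minimal set of hosts a quarantined endpoint may still reach to fix itself.
REMEDIATION_ALLOWLIST = ("patch-server.example.internal", "av-update.example.internal")

POLICY = HealthPolicy()

# Constructed sample endpoints covering a compliant host and three failure modes.
SAMPLE_ENDPOINTS = [
    StatementOfHealth("hq-finance-01", True, date(2006, 9, 18), 3, risk_tier=1),
    StatementOfHealth("hq-lab-07", False, date(2006, 9, 1), 2, risk_tier=1),
    StatementOfHealth("branch-sales-12", True, date(2006, 9, 10), 3, risk_tier=2),
    StatementOfHealth("guest-kiosk-03", True, date(2006, 9, 19), 1, risk_tier=3),
]


def evaluate_health(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> list[str]:
    """Return the list of policy failures; an empty list means the client is healthy."""
    failures = []
    if policy.firewall_required and not soh.firewall_enabled:
        failures.append("enable host firewall")
    signature_age = (today - soh.av_signature_date).days
    if signature_age > policy.max_signature_age_days:
        failures.append(f"update antivirus signatures ({signature_age} days old)")
    if soh.patch_level < policy.min_patch_level:
        failures.append(f"apply patches to reach level {policy.min_patch_level}")
    return failures


def admission_decision(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> dict:
    """Map a statement of health to an enforcement decision.

    Compliant hosts are admitted; non-compliant hosts are quarantined and told
    which remediation hosts remain reachable and what they must fix.
    """
    failures = evaluate_health(soh, policy, today)
    if not failures:
        return {"host": soh.host, "action": "admit", "remediation": []}
    return {
        "host": soh.host,
        "action": "quarantine",
        "remediation": failures,
        "allowed_destinations": list(REMEDIATION_ALLOWLIST),
    }


def rollout_order(endpoints: list[StatementOfHealth]) -> list[str]:
    """Hosts in the order enforcement should be switched on: highest-risk tier first."""
    return [e.host for e in sorted(endpoints, key=lambda e: (e.risk_tier, e.host))]


def readiness_report(endpoints: list[StatementOfHealth], policy: HealthPolicy, today: date) -> dict:
    """Per-host decisions, useful for sizing the remediation work before enforcing."""
    return {e.host: admission_decision(e, policy, today) for e in endpoints}


if __name__ == "__main__":
    for host in rollout_order(SAMPLE_ENDPOINTS):
        decision = readiness_report(SAMPLE_ENDPOINTS, POLICY, TODAY)[host]
        print(host, decision["action"], decision["remediation"])
```

Running the report in audit mode before any enforcement is switched on, as the Cisco and Microsoft executives recommend, shows how many hosts in each risk tier would be quarantined on day one; that count is what decides whether the policy thresholds or the rollout schedule need adjusting first.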

At a higher level, enterprises must decide whether they trust Microsoft and Cisco to work well together, Passmore says. "They have some product lines that are coming into direct competition," he notes. "This idea of 'co-opetition' can be hard to pull off."

— Tim Wilson, Site Editor, Dark Reading
