Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Getting Ready For NAC/NAP

Wait or act now? Here's how to prepare for and address issues arising from the Cisco/Microsoft joint initiative

When two of the industry's most dominant players get together and decide on a way to handle security, most IT managers don't ask whether they're going to do it. They just want to know how and /when.

Less than two weeks after unveiling their initiative to integrate Cisco's Network Admission Control (NAC) with Microsoft's Network Access Protection, the two vendors are still answering those questions, trying to help enterprises understand how the two companies' security plans will work together. (See Cisco, Microsoft Join Forces on Security.)

For most enterprises, the basic question is how to make NAC, a network-based capability that keeps users quarantined from the network unless they comply with security rules, work with NAP, a client-server capability that quarantines desktops and other devices that are out of compliance. NAC is a technology that's available today with many Cisco devices; NAP will be delivered along with Longhorn Server and Vista in 2007.

"What we heard from customers was 'Don't make us choose'," between the Cisco and Microsoft approaches, says Joe Sirrianni, senior solutions manager at Cisco. "So we're focusing our efforts on making them work together."

In its initial phase, the partnership will try to harmonize methods for isolating hosts and devices that don't match the security policy, develop common methods for discovering new devices on the network, and create a standard method for collecting information about a device's compliance (or non-compliance) with enterprise security policies, Sirrianni says.

"We developed two different ways of doing these things, and we saw that it was confusing for the customer," says Mark Ashida, general manager of Microsoft's Enterprise Networking group. "The way we're doing it now is much less complicated.

But even though the companies have laid out a joint roadmap, it will be a while before enterprises can get to a fully-integrated NAC/NAP environment, notes Dave Passmore, research director at Burton Group, an IT consultancy.

"NAC/NAP won't be relevant for about two years, because most enterprises don't have Vista, and they don't have the most current versions of Cisco switches and software," Passmore says. "The wait for Longhorn Server and NAP leaves a window of opportunity for the Trusted Computing Group's Trusted Network Connect, a proposed industry standard most recently championed in a joint venture between Juniper and Symantec." (See Symantec & Juniper Join Forces.)

"TNC creates an alternative infrastructure that's more useful in the near term and more open to third parties," Passmore says. Cisco and Microsoft are cool to TNC at the moment, but if it catches on, they might be forced to work the standard into their product strategies, just as Cisco was forced to adopt the industry-standard OSPF (Open Shortest Path First) technology along with its proprietary IGRP routing protocol, he says.

Cisco and Microsoft execs don't dismiss TNC, but they aren't embracing it, either. "Our first priority was to get something working with Cisco," says Mark Ashida, general manager of Microsoft's Enterprise Networking group. "That's what customers told us they wanted."

Ashida and Sirriani reject the notion that NAC/NAP won't matter for a couple of years. "As a matter of fact, what we're telling users now is that they need to jump into the water," says Ashida. Users can implement NAC under Windows XP today, and all NAC-ready environments will be able to operate in the NAC/NAP environment, Sirrianni says.

Preparing for NAC/NAP means defining policies for network and end-point compliance and prioritizing which systems are the most at risk, so they can get the NAC/NAP functionality first, the executives say.

"A first step is to do a NAC readiness analysis, to be sure you've got the right versions of IOS in place," Sirrianni advises. "Then, at the desktop, you have to define what policy compliance means, and what client health looks like. And then you have to prioritize your rollout to where the high-risk areas are, because you're not going to just flip a switch and have this implemented all across the network."

"We advise companies to spend a good couple of months planning for [NAC/NAP]," Ashida says. "This is a technology that crosses a lot of boundaries in IT."

One decision that enterprises must make is how they will enforce the NAC/NAP policies, Passmore says. A company could choose to quarantine by IP address, by VPN connection, or by encrypted tunnels, he notes. The Cisco/Microsoft partnership doesn't define a clear method for enforcement, and there's no reason why the enterprise has to use the Cisco enforcement scheme, he notes.

At a higher level, enterprises must decide whether they trust Microsoft and Cisco to work well together, Passmore says. "They have some product lines that are coming into direct competition," he notes. "This idea of 'co-opetition' can be hard to pull off."

— Tim Wilson, Site Editor, Dark Reading

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Juniper Networks Inc. (Nasdaq: JNPR)
  • Microsoft Corp. (Nasdaq: MSFT)
  • Symantec Corp. (Nasdaq: SYMC)

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: "The security team seem to be taking SiegeWare seriously" 
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-12-05
    A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
    PUBLISHED: 2019-12-05
    The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
    PUBLISHED: 2019-12-05
    Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
    PUBLISHED: 2019-12-05
    An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
    PUBLISHED: 2019-12-05
    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...