by Joel Conover

Cisco's Network Admission Control Strategy Attacks Malicious Code at the Network Edge

Dec 04, 2003

Cisco Systems has announced the Cisco Network Admission Control program to address the increased threat and impact of worms and viruses on networked businesses. The Cisco Network Admission Control program was developed in conjunction with Network Associates, Symantec, and Trend Micro. The Cisco Network Admission Control functionality enables Cisco routers to enforce access privileges when an endpoint attempts to connect to a network. This decision can be based on information about the endpoint device such as its current anti-virus state and operating system patch level. Network admission control systems allow non-compliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources. Cisco Network Admission Control functionality is scheduled to be supported on Cisco’s access and mid-range routers in mid-2004.

Analytical Summary

Current Perspective: Neutral on Cisco’s Network Admission Control program, because while the solution is a respectable effort on Cisco’s part to solve the problems of network infections and intrusions, it relies on desktop technology from third parties to provide the necessary information to make a valid network policy decision. The current strategy has multiple pinholes that can compromise the solution, reducing its effectiveness, and greatly complicating the ability to provide convenient network access to guests and mobile workers.

Vendor Importance: High to Cisco, because of Cisco’s huge installed base of customers, and the impact that Network Admission Control will have on those customers, and because of the potential problems and complications that could arise as the result of such an aggressive program.

Market Impact: Moderate to high on the Enterprise Infrastructure market, because this program firmly entrenches Cisco with leading vendors in the desktop security space, and makes it difficult for other vendors to provide similar functionality due to Cisco’s prior relationships with the key vendors in the market.

Current Perspective: Neutral

We are taking a neutral stance on Cisco's Network Admission Control strategy and partnerships, because while the strategy looks good on paper, the solution is laden with dependencies at the desktop, and those dependencies create undue complications there. Furthermore, Cisco's approach to the problem of Network Admission Control is completely proprietary, and will have a greatly diminished impact in a heterogeneous network environment.

Cisco announced that it is licensing its Cisco Trust Agent technology to the top three anti-virus solution providers, Network Associates, Symantec, and Trend Micro, at no cost. When integrated, the Cisco Trust Agent enables Cisco to control network access via application-level parameters at the desktop, including such attributes as Windows Update status, anti-virus software and definition status, and running processes. This strategy is designed to prevent foreign users from accidentally infecting an otherwise clean and secure network. The solution works by enforcing access policy, initially via Cisco routers, and eventually by other Cisco infrastructure, such as Cisco switches and access points.
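The posture-to-policy mapping described above (anti-virus state, definition status, patch level and running processes, mapped to full access, quarantine or denial) can be made concrete with a small policy engine. The following is an added example and not Cisco's code, the Trust Agent's actual protocol, or any partner's product; the attribute names, thresholds, remediation host names, the process name and the sample endpoints are all constructed for illustration. It also handles the case this article treats as the weak point of the scheme: an endpoint with no agent cannot report posture, and the policy treats it as restricted rather than trusted.

```python
# Added example (not Cisco's code): a minimal posture-based admission
# policy of the kind described above. An endpoint reports attributes
# (anti-virus state, definition age, OS patch level, running processes)
# and the policy maps them to ALLOW, QUARANTINE or DENY. Attribute names,
# thresholds, host names and sample endpoints are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"            # full network access
    QUARANTINE = "quarantine"  # remediation segment: update servers only
    DENY = "deny"              # no access


@dataclass
class Posture:
    """What the endpoint agent reports. agent_present=False means the
    device could report nothing at all (e.g. a guest without the agent)."""
    agent_present: bool
    av_running: bool = False
    av_definitions_age_days: Optional[int] = None
    os_patch_level: Optional[int] = None
    processes: List[str] = field(default_factory=list)


@dataclass
class Policy:
    max_definition_age_days: int = 7
    min_patch_level: int = 0
    forbidden_processes: FrozenSet[str] = frozenset()  # lower-cased names
    remediation_hosts: Tuple[str, ...] = ()            # reachable from quarantine
    # Endpoints that cannot report posture are restricted, not trusted.
    no_agent_decision: Decision = Decision.QUARANTINE


def evaluate(posture: Posture, policy: Policy) -> Tuple[Decision, List[str]]:
    """Return the admission decision and the reasons behind it."""
    if not posture.agent_present:
        return policy.no_agent_decision, ["no agent: posture unknown"]

    # Hard failure: a forbidden process is running -> deny outright.
    bad = [p for p in posture.processes if p.lower() in policy.forbidden_processes]
    if bad:
        return Decision.DENY, [f"forbidden process running: {p}" for p in bad]

    # Soft failures: fixable by the endpoint -> quarantine for remediation.
    reasons: List[str] = []
    if not posture.av_running:
        reasons.append("anti-virus not running")
    age = posture.av_definitions_age_days
    if age is None or age > policy.max_definition_age_days:
        reasons.append("anti-virus definitions missing or out of date")
    level = posture.os_patch_level
    if level is None or level < policy.min_patch_level:
        reasons.append("OS patch level below minimum")
    if reasons:
        return Decision.QUARANTINE, reasons
    return Decision.ALLOW, []


def permitted_destinations(decision: Decision, policy: Policy) -> Tuple[str, ...]:
    """What the enforcement point should let the endpoint reach."""
    if decision is Decision.ALLOW:
        return ("*",)
    if decision is Decision.QUARANTINE:
        return policy.remediation_hosts
    return ()


# Constructed sample policy and endpoints (placeholder names throughout).
SAMPLE_POLICY = Policy(
    max_definition_age_days=7,
    min_patch_level=3,
    forbidden_processes=frozenset({"example-worm.exe"}),
    remediation_hosts=("av-update.example.internal", "patch.example.internal"),
)

SAMPLE_ENDPOINTS = {
    "managed-ok": Posture(True, av_running=True, av_definitions_age_days=2, os_patch_level=4),
    "stale-defs": Posture(True, av_running=True, av_definitions_age_days=30, os_patch_level=4),
    "infected": Posture(True, av_running=True, av_definitions_age_days=1,
                        os_patch_level=4, processes=["Example-Worm.exe"]),
    "guest-no-agent": Posture(False),
}

if __name__ == "__main__":
    for name, posture in SAMPLE_ENDPOINTS.items():
        decision, reasons = evaluate(posture, SAMPLE_POLICY)
        print(f"{name:15} {decision.value:10} {reasons} -> "
              f"{permitted_destinations(decision, SAMPLE_POLICY)}")
```

The design choice worth noting is the split between hard and soft failures: a device running a forbidden process is denied, while a device that is merely out of date is placed where it can reach only the update servers it needs to become compliant. The no-agent default is the knob an administrator would adjust for the guest and mobile-worker case the article raises; leaving it at ALLOW would reproduce exactly the pinhole the author warns about.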

Pushing intelligence and control towards the edge of the network is not a new concept, but Cisco's approach – utilizing Cisco Trust technology inside the leading anti-virus solutions – is. For Cisco, Network Admission Control is highly beneficial. The technology helps customers to deal with the problem of hostile code, and compels them to build an end-to-end Cisco infrastructure to deploy support for Network Admission Control.

However, while Network Admission Control is an admirable concept, it is plagued with roadblocks along the way. Clients connecting to the network must have the Cisco Trust Agent installed in order to gain access to the network. The entire network needs to be capable of enforcing the Network Admission Control policies, or there will be weak spots in the network. Cisco plans on initially deploying the technology in its routers – most likely to address hotspot and guest access environments inside the enterprise. However, if the router is connected to one or more switches, Network Admission Control does not prevent the client from infecting other hosts on the local segment unless it is combined with a strict 802.1X policy for network access control. Heterogeneous multi-vendor environments, quite common in universities and institutions, may not be able to effectively enforce policy beyond the last Cisco device in the network.

And most daunting of all, if the client isn't running the latest definitions, the latest anti-virus software, or the latest Windows updates, the enterprise portal must be configured to let the client obtain those updates before it can be granted access to the network. In addition to concerns over administrative rights on the client PC, there are licensing concerns and version-control concerns with the desktop agents in question. Furthermore, many of the issues surrounding network admission control and network poisoning can be solved through intelligent network design and the use of "safe portals" prior to granting full access to the network in question.

Pushing Network Admission Control technology down to the network level can only succeed if the technology is open to the vendor community at large, and will only work if the technology is pervasive at the desktop. Rather than embedding this technology in multiple anti-virus solutions, which will create challenges and strife between the end user and his or her IT department, Cisco should be focusing this technology at the desktop itself, via Microsoft. And, as much as the technology benefits Cisco and its ability to sell an end-to-end solution, it will never be fully effective unless standards-based methods can be used to include non-Cisco devices in the policy decision.

Cisco and its partners have a respectable intention and plan for enhancing network security by integrating at the desktop. However, the plan largely overlooks the logistical issues involved in ensuring that a specific network and client policy is enforced. The solution ultimately moves the burden of access and control management to the IT administrator, and that task is complicated by the fact that guest PCs may not match the internal IT configuration. Ultimately, Network Admission Control is best deployed on internal resources, while guest access is better handled through intelligent firewalls, ActiveX-driven scanning engines, and other safe-zone technologies that permit network access without the danger of compromising the host network.

Market Impact: Moderate/High

The presence of Cisco's Trust Agent in desktop anti-virus solutions will give customers one more compelling reason to consider Cisco infrastructure when purchasing and deploying new networks and upgrades, due to the added value the customer can derive from the integrated Cisco technology at the desktop.

Unlike its competitors, Cisco is pushing further and further towards the desktop with its technology, with solutions such as the Cisco Trust Agent, Cisco Compatible Extensions, and more overt efforts such as the Cisco Security Agent (from its Okena acquisition).

Vendor Importance: High

Cisco is making aggressive moves integrating its technology at the enterprise desktop, giving itself a preferential position in the mind of the Enterprise IT buyer due to its pervasive presence in the industry.

Cisco's Network Admission Control strategy further strengthens the company's presence on the desktop, and in many respects parallels its efforts to put Cisco technology in the wireless space through Cisco Compatible Extensions.

Recommended End User / Customer Actions

Customers should ask Cisco for details on how its solution interoperates with third party networking equipment, and what compromises are made when Cisco does not control the end-to-end infrastructure.

Customers should press Cisco for information on how Network Admission Control can work effectively if it is only enforced at the router level.

Customers should be wary of buying into Network Admission Control, as it locks them into a proprietary scheme of protecting their enterprise assets, one which places the burden of client repair on the IT department, rather than on an automated solution.