


by Paul Kerstein

Cisco Adds Switch Support to Security Tools

Oct 24, 2005

An upgrade of Cisco Systems Inc.’s Network Admission Control (NAC) technologies, announced last week, adds wider hardware support and several features designed to help companies better protect their networks against insecure endpoint devices.

But network managers and analysts said the fact that the NAC offering is supported only on relatively new networking equipment from Cisco is likely to limit its appeal.

“I think they’re moving in the right direction,” said Jim Kirby, a network engineer at Wells’ Dairy Inc. in Le Mars, Iowa. But adopting NAC anytime soon would be a challenge because of the upgrades that the ice cream processor would have to make to its network infrastructure, he said.

As part of the NAC initiative, Cisco is selling a line of tools that can permit, restrict or deny admission to corporate networks based on the security status of end-user systems. The products include agent software for collecting security data from client systems, network appliances that enforce security rules and a policy management server.

Until now, the technology has been available only on Cisco’s routers. But the company said it plans to add support for NAC to its Catalyst switches by the end of next month. And as of last week, the products could be used with Cisco’s wireless networking devices.

Cisco is also making it possible for companies to enforce security policies on systems they don’t own, such as PCs belonging to contractors and business partners. Cisco is delivering the agentless capability in conjunction with security vendors Altiris Inc., Qualys Inc. and Symantec Corp.

Extending Its Reach

Bob Gleichauf, chief technology officer for Cisco’s Security Technology Group, said that more than 60 other vendors are now participating in the NAC program, up from the three partners Cisco had when it shipped an initial set of products in June 2004.

The fact that Cisco has finally extended NAC support to its switches should make the technology more interesting to IT managers, said Joel Conover, an analyst at Current Analysis Inc. in Sterling, Va.

“The closer to the PC or the endpoint that you can provide enforcement, the less chance that some malicious software that is on one PC can spread to others,” he said.

Even so, the availability of NAC on only Cisco’s equipment could be of some concern to users who don’t want to get locked into a proprietary technology, Conover noted. He added that the cost of upgrading to new routers and switches is another potential roadblock for users.

Those are some of the reasons why Tripos Inc. won’t be able to adopt NAC in the foreseeable future, said Jerry Wintrode, a senior network architect at the St. Louis-based drug research company.

Tripos uses software from InfoExpress Inc. in Mountain View, Calif., to enforce security policies on the systems of remote employees. The company has developed a homegrown tool for detecting and preventing unauthorized PCs from connecting to its LAN.

Both capabilities are available as part of NAC. But upgrading the switches and network management software Tripos now uses would cost US$160,000 to $170,000. Upgrading the InfoExpress suite so it could replace Tripos’ homegrown tool, on the other hand, would cost less, at $60,000, said Wintrode.

By Jaikumar Vijayan – Computerworld (US)