Second act for NAC expands security protection, partner support

20 October, 2005

Cisco Systems has significantly expanded its innovative Network Access Control (NAC) framework to include protection for all possible entry points into a network, as well as increasing the capabilities of NAC to offer more security control options. These technology advances coincide with growing industry support for NAC, most notably from Intel Corp., which is the first silicon chip manufacturer to join the program, and IBM, which is expanding support for NAC through its computing resource management technologies.

NAC is a Cisco-sponsored industry initiative that uses network infrastructure to enforce security policy compliance. With NAC, organizations can regulate network access for "endpoint" devices (desktop and laptop computers, servers, PDAs, etc.) by verifying their compliance with security policies, such as having up-to-date virus protection software. If NAC identifies non-compliant devices, it can deny them entry to the network, restrict them to limited parts of the network, or bring them back into compliance through an automated remediation process.

"The key to NAC is that it creates an ecosystem on the network for partners to add their innovative security technologies," says Bob Gleichauf, a vice president of Cisco's Security and Technologies group. "Rather than each of their products working independently and requiring their own support and management, NAC offers a consistent way to ensure endpoints comply with security policies before being admitted to a network."

The second phase of the NAC program, or NAC2, brings advanced endpoint device controls to Cisco-powered local area networks (LANs) and wireless networks. Now Cisco Catalyst switches, which commonly run office LANs, and the Cisco Aironet family of products, which run Cisco wireless networks, support NAC.

In the NAC program's initial phase, launched over one year ago, Cisco offered NAC's admission controls on its Integrated Services Routers and its remote access virtual private network (VPN) concentrators, Cisco's primary devices for running wide area networks (WANs) to remote locations and branch offices. The second phase completes coverage of NAC throughout the network infrastructure. These new capabilities are possible through software updates for the Cisco Catalyst switches, Cisco Aironet access points and other devices for Cisco LANs and wireless networks.

Cisco has also expanded NAC's management capabilities, including support for the 802.1X protocol, which gives NAC finer-grained control when assessing the security threat that each device poses to the network. Cisco has also created "agentless" support for NAC. If the Cisco Trust Agent is not installed on a device, NAC can quarantine the device while it is scanned by software from one of Cisco's partners, including Altiris, Qualys, and Whole Security from Symantec.
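The admission logic the article describes (check posture against policy, then admit, deny, remediate, or quarantine an agentless device for scanning) can be sketched as a small policy evaluator. This is an added illustration, not Cisco's code or the NAC framework's actual policy language; the posture fields, thresholds and decision names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Policy thresholds are constructed for this example, not values from the article.
MAX_SIGNATURE_AGE_DAYS = 7
REQUIRED_PATCH_LEVEL = 3

@dataclass
class Posture:
    """What an endpoint reports about itself through an agent, or what a
    partner scanner found when no agent is present (all fields assumed)."""
    has_agent: bool                            # Cisco Trust Agent installed?
    av_running: Optional[bool] = None          # None = not reported
    av_signature_date: Optional[date] = None
    patch_level: Optional[int] = None

def assess(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Map a posture to one of the outcomes the article describes.
    Returns (decision, reasons) where decision is one of
    'quarantine' (agentless: hold on a restricted segment and scan first),
    'deny' (agent present but it reported nothing usable),
    'remediate' (fixable gaps: push updates, then re-assess) or 'admit'."""
    if not p.has_agent:
        return "quarantine", ["no agent: scan before any access decision"]
    if p.av_running is None and p.av_signature_date is None and p.patch_level is None:
        return "deny", ["agent returned no posture data"]
    gaps: List[str] = []
    if not p.av_running:
        gaps.append("antivirus not running")
    if p.av_signature_date is None or (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        gaps.append("antivirus signatures older than %d days" % MAX_SIGNATURE_AGE_DAYS)
    if p.patch_level is None or p.patch_level < REQUIRED_PATCH_LEVEL:
        gaps.append("patch level below %d" % REQUIRED_PATCH_LEVEL)
    # Every gap above can be closed by pushing updates, so remediate rather than deny.
    return ("remediate", gaps) if gaps else ("admit", [])
```

In a real deployment the decision would be carried to the switch or access point as a VLAN or ACL assignment via 802.1X; that transport is outside what this snippet models.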

In addition, NAC2 includes new versions of NAC appliances, which offer all of NAC's security capabilities on a single device. The NAC appliances provide a convenient, self-contained installation option, while NAC software upgrades provide more deployment flexibility.

Since Cisco launched NAC in November 2003, more than 60 technology vendors have joined the program, and more than 14 of them are already shipping products. Gleichauf says that number will likely jump to more than 40 vendors by the end of the year. "The growth of our NAC partners really validates the program," Gleichauf says. "It's a long-term project so it's great to see this early momentum."

Most notably, Intel and Cisco are collaborating to deliver later this year NAC technologies integrated with Intel® Active Management Technology (Intel® AMT). Intel AMT is a comprehensive set of tools designed to help IT administrators discover, heal and protect endpoint devices. A new set of silicon-based technologies in Intel's industry-leading chipsets can maintain a connection with the network independent of a computer's operating system. This makes it possible for a network manager to remotely detect and repair a defective computer or other endpoint, even if the machine is turned off or the operating system is malfunctioning.

With NAC and Intel AMT combined, an IT administrator can repair or update a system that NAC has found to be out of compliance. A network manager can also use NAC to ensure that Intel AMT-enabled systems are correctly configured for optimized Intel AMT capabilities. "This is breaking new ground for us," Gleichauf says. "With the Intel AMT system, we have a very reliable hardware-based alternative for collecting information on endpoint devices and bringing them up to compliance with security policies."

Pat Gelsinger, a senior vice president at Intel, says once Cisco and Intel started talking about integrating NAC with Intel AMT, they quickly realized the two technologies would be extremely complementary. "It's really a one plus one equals three scenario," Gelsinger says. "NAC helps us do much more with Intel AMT, and Intel AMT helps Cisco do much more with NAC. By harnessing the network infrastructure, both Cisco and Intel are greatly improving the ability of organizations to manage their computers, whether that's inventory tracking, troubleshooting, repair, or security protection."

IBM, one of the first and most prominent members of the NAC program, has also made advances to improve information technology security. IBM is the first NAC partner to roll out products that support NAC2 technologies. The IBM Tivoli Security Compliance Manager, for example, already supports NAC controls over Cisco-powered LANs and wireless networks. The IBM product can automatically quarantine and fix a client device that does not meet the security policy for a network. IBM has also upgraded its Tivoli Security Compliance Manager to allow customers to write their own security policies, as well as to support automated client device security compliance checking and remediation.

Arvind Krishna, vice president for security and provisioning development in IBM's software group, says Cisco and IBM have been building ways for organizations to coordinate both perimeter defenses and access controls to all parts of the network, including endpoints. Until now, he says, organizations have not had easy ways to integrate the management of these various security operations.

"You can't just build a moat around your network," Krishna says. "That approach just doesn't work anymore. You need to have more sophisticated ways to allow people into the network, as well as monitoring and regulating their activities once they are inside. Bringing this all together for our mutual customers is the beauty of our partnership with Cisco."

Charles Waltner is a freelance journalist in Oakland, Calif.
