Cisco Expands Security Push To LANs

Cisco Systems is expanding its network-security efforts, which to date has focused on wide-area network access points, to the local-area network and the switches that move traffic within most businesses. Its also making it easier for businesses to include third-party devices and use non-Cisco software to implement the security policies.

The move will be welcomed by network administrators scorched by increasingly virulent malware attacks. But those companies that have already begun to introduce NAC strategies from other vendors, or who don't relish the thought of upgrading portions of their diverse Cisco networking environment to comply with that company's NAC requirements, might not be quite as happy.

Cisco in November will target its NAC strategy on layer 2 of the network, where switches pass information inside the LAN, by offering NAC support for its Catalyst switches, including the 6500, 4900, 4500, 3700, 3500, and 2900 series, as well as its wireless access points and controller platforms.

Cisco's move to direct its NAC strategy at LAN-level security has been much anticipated. "Moving NAC in from the network's edge to include switches and wireless devices lets network administrators build baseline security policies for these devices before they connect to the network," says Lawrence Orans, Gartner's research director for network security.

Cisco created its NAC strategy in 2003 to address the difficulty companies have controlling the viruses, worms, and other malware that constantly attack their networks and the systems that connect over these networks. Cisco figured the best way to do this was to get greater control over access points into the network; to make sure each device connecting in has a clean bill of health. The first fruits of Cisco's labor appeared in June 2004, when the company introduced NAC-compliant routers and firewalls to identify security threats at the wide-area network level.To become a part of a NAC-compliance environment, devices connecting into the network until now had to run Cisco Trusted Agent software so that information about those devices could be collected and evaluated for risk assessment. Devices unable to run Cisco Trusted Agent were out of luck. Cisco will remedy this next month by letting "agentless" devices such as printers, guest laptops, and PDAs have their security risk evaluated by third-party software from Altiris, Qualys, and Symantec. This software will then share its security audit information with the Cisco network, which will make admission decision.

Cisco's support for 802.1X port-level authentication, which allows devices to authenticate to a network regardless of where they are plugged in, is a welcome sign for Aura Health Care, a not-for-profit health-care network with 14 hospitals, 150 clinics, and more than 200 pharmacies. Aurora uses Cisco routers, load balancers, and virtual-private network concentrators, but the organization's network also consists of Enterasys Networks switches and intrusion-defense systems, Juniper Networks firewalls and SSL VPNs, and IronPort Systems E-mail security. "So many networks are built over time, so there's no silver bullet," says Dan Lukas, lead security architect. Cisco's NAC strategy prior to this week's announcement hasn't been as effective for companies that use network equipment from a variety of vendors, Lukas adds, saying, "We don't have Cisco everywhere, and I can't just swap out everything."

The success of Cisco's NAC strategy depends on whether companies are willing to implement Cisco Trusted Agent or third-party assessment software, upgrade LAN equipment, and assess how they build and enforce access policies, says Forrester Research analyst Robert Whiteley. From a competitive standpoint, Cisco isn't the first vendor to offer NAC protection at the LAN level. Alcatel and Enterasys are already doing essentially the same thing, although this shouldn't affect Cisco's entry into the market because the company is such a force in the networking world, he adds. But there's still a lot of work for companies to do before NAC-compliant devices and protocols can be implemented on layer 2, including upgrading any switches that are more than three years old.

Companies with a relatively basic network layout should look at standalone access-control appliances from Caymas Systems or network-quarantine appliances from Vernier Networks, while companies with more complex networks should look to server- or switch-based solutions from vendors including Sygate, which Symantec officially acquired earlier this month, and Cisco, according to a June Forrester report Whiteley authored on network-quarantine technology.

Whiteley's report also noted that, of the 653 technology decision-makers it interviewed, 39% are implementing network-quarantine technology this year. "That's pretty good considering how many moving parts this technology has," Whiteley says. The reason for this healthy adoption stems from the need to head off security problems by ensuring infected endpoints don't connect to the network in the first place. "NAC helps you keep the bad guys off your network," he adds.Cisco competitor 3Com Corp.'s approach to network-admission control and quarantine is a bit different from Cisco's, relying more heavily on routing network data to intrusion-prevention systems, appliances set up within the network. 3Com added this technology to its network security repertoire in January when it acquired Tipping Point. As such, 3Com's security devices could also function within a Cisco NAC environment. "IPS connects with all networking equipment, regardless of layer or vendor," say Marc Willebeek-LeMair, CTO of 3Com. The company's IPS devices don't rely exclusively on the 802.1X communication protocol to let clients and switches communicate because Willebeek-LeMair says not enough networks are ready to comply with the standard.

Juniper's approach to network-admission control and quarantine, introduced in May, includes its Infranet Controller appliance and Infranet Agent software, together designed to bring endpoint intelligence into network traffic decisions. "Our approach is to create categories of access control across the different layers of the network," as opposed to focusing on a particular network layer, says Andrew Harding, Juniper's director of product management.

None of the vendors crowding this important category of network security is likely to make really big waves this year. "It'll be the middle to the end of 2006 before companies have NAC up and running within the switch environment," Forrester's Whiteley says. "2006 will be the major year of getting your infrastructure up to date and defining your networking policies."