Cisco NAC vs. Microsoft NAP

Two powerful vendors are gearing up to own the nascent endpoint admission control market, but it may be a fight that neither can truly win.

March 1, 2005

Network Computing

The Promise: Host admission-control schemes aim to protect your network from your own PCs by allowing or denying network access based on the health and security status of the machines.

The Players: The big dogs are Cisco Systems' Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP). Other hardware and software vendors also offer admission-control solutions.

The Prospects: Every network admission solution today is proprietary, and locks network buyers into a particular architecture. The Trusted Network Connect group hopes to organize a standard specification to promote interoperability, but de facto standards will likely be driven by Microsoft and Cisco.

It's 9 a.m. Do you know where your PCs have been? Like rock 'n roll roadies or Girls Gone Wild, your corporate laptops may have hooked up with any number of strange networks or missed a patch cycle while on an extended road trip. Even your buttoned-down desktop machines could be trouble: AV signatures may be out of date, or a Trojan or worm might lurk somewhere in the file system. Because they plug directly into the LAN, these machines do an end run around your carefully crafted perimeter screens and expose your network to danger.

Cisco Systems' Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP) initiatives will frisk any PC that wants to attach to your network. NAC and NAP cooperate with third-party software to check for the presence and status of antivirus and personal firewall software, report on the configuration of the machine, and look for missing patches. PCs that meet your standards gain entry; others can be denied access or shunted to safe (or restricted) network segments for remediation.

Both companies have a strong claim as the architect for an admission scheme. Cisco is the dominant provider of the hardware infrastructure that can enforce network access and quarantine non-compliant machines. Microsoft owns the PC OS market and can build a policy-enforcement client directly into the operating system.

Both companies have also released APIs to integrate AV, patch management, personal firewall, and other security software into their schemes. Third-party vendors have responded with enthusiasm: Symantec, McAfee, and Trend Micro are participating in both Cisco and Microsoft's programs, and dozens of other players have signed on with one or both initiatives.

However, before you sign on with either Cisco or Microsoft, consider that both programs are still works in progress. NAC is deployable today, but only on particular router platforms; NAC-enabling upgrades for 6500 switches won't appear until this summer. As for Microsoft, the software giant won't have a working admission program until 2007, when the new Windows Server platform, code-named Longhorn, is released.

And each one requires significant effort to deploy and manage. Cisco's implementation relies heavily on 802.1x, which requires supplicants on every device that attaches to the network, including things like network printers and other peripherals. You may also have to upgrade your network infrastructure to support 802.1x. Microsoft's scheme, which is centered on controlling IP address allocation to hosts via DHCP, runs Windows software that is not yet available.

Last but not least, both schemes are proprietary. Cisco and Microsoft have pledged to interoperate, and both say they'll present technology to a standards body, but details and timelines are vague. At this point, a buy-in to either NAC or NAP is also a lock-in.

We'll look at the components of each solution, assess the efforts of interoperability, and briefly review alternatives to the two major programs.

ADMIT ONE

NAC and NAP operate on the same principle: An agent on the host queries other software such as AV, patch management, or a personal firewall for health and security status. Then the agent communicates that information to a policy server, which compares the host's current status to a predefined policy.

While the principles are the same, the execution differs. NAC puts enforcement power in the hands of network hardware, while Microsoft relies on a DHCP server running Windows software. Let's start with NAC.

NAC begins with the Cisco Trust Agent (CTA) on the client (see figure on page 66). The CTA is a software program that collects health and security information from other software on the host machine via an API. The CTA runs on Windows 2000, NT, and XP. Cisco has plans to make the CTA available for other OSs, such as Windows Server 2003, Red Hat Linux, and Unix.

The information collected by the CTA is passed through a switch to the Cisco Secure Access Control Server (ACS), a RADIUS server. The client and the switch use 802.1x as the transport; the client data is carried in Extensible Authentication Protocol (EAP) messages, which the switch relays to the ACS inside RADIUS. The ACS coordinates with third-party policy servers for information about AV updates, available patches, and so on. The ACS then communicates the decision back to the switch, which enforces it. (For more information on the underlying mechanisms of NAC, see "802.1x Enables Comply or Deny For PCs," Technology Roadmap, February 2005, page 67, or search for Doc ID# 2002tech1 at www.networkmagazine.com.)
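The pipeline described in this section, as an added illustrative model written for this article: it is not Cisco's or Microsoft's code and does not speak either product's wire protocol. An agent's posture report is run through one validator per third-party product, the failures are collected into a decision, and that decision is translated into what each kind of enforcement point would apply: a VLAN assignment for a switch, as in NAC, or a full versus restricted lease for a DHCP server, the approach Microsoft takes. Every class name, threshold, VLAN number, address range and sample host is invented; it also covers the case of a device that reports no posture at all, such as a printer without a supplicant.

```python
"""Illustrative model of a host admission-control decision.

Added example for this article; it is not code from Cisco NAC or Microsoft NAP
and does not speak either product's wire protocol. It models the pipeline the
article describes: an agent reports posture, a policy server checks it against
policy, and an enforcement point applies the result. Every threshold, VLAN
number, address range and sample host below is invented for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Posture:
    """What a host agent might gather from AV, firewall and patch software.
    The fields are assumptions for this example, not a real agent's schema."""
    host: str
    av_installed: bool
    av_signature_date: date
    firewall_enabled: bool
    missing_critical_patches: int


@dataclass
class Decision:
    host: str
    compliant: bool
    failures: list = field(default_factory=list)


# One validator per third-party product; each returns a list of failures.
def av_validator(p: Posture, today: date, max_sig_age_days: int = 7) -> list:
    if not p.av_installed:
        return ["antivirus not installed"]
    age = (today - p.av_signature_date).days
    if age > max_sig_age_days:
        return [f"antivirus signatures {age} days old (max {max_sig_age_days})"]
    return []


def firewall_validator(p: Posture, today: date) -> list:
    return [] if p.firewall_enabled else ["personal firewall disabled"]


def patch_validator(p: Posture, today: date) -> list:
    n = p.missing_critical_patches
    return [f"{n} critical patch(es) missing"] if n else []


VALIDATORS = [av_validator, firewall_validator, patch_validator]


def evaluate(posture: Posture, today: date) -> Decision:
    """Policy-server step: run every validator and keep all failures, so the
    remediation message can list everything the host must fix at once."""
    failures = []
    for validator in VALIDATORS:
        failures.extend(validator(posture, today))
    return Decision(posture.host, not failures, failures)


def switch_enforce(decision: Decision) -> dict:
    """Switch-side enforcement: the policy server's reply names the VLAN and
    port ACL for the host's port. VLAN 99 is the invented remediation VLAN."""
    if decision.compliant:
        return {"vlan": 10, "acl": "permit-all"}
    return {"vlan": 99, "acl": "remediation-only"}


def dhcp_enforce(decision: Decision) -> dict:
    """DHCP-side enforcement: a compliant host gets a normal lease; a
    non-compliant host gets a short lease with no default gateway and only a
    host route to an invented remediation server, so it can fetch fixes and
    then re-request an address."""
    if decision.compliant:
        return {"scope": "10.1.0.0/16", "router": "10.1.0.1",
                "lease_seconds": 86400, "static_routes": []}
    return {"scope": "192.168.250.0/24", "router": None,
            "lease_seconds": 300, "static_routes": ["192.168.250.10/32"]}


def admit(posture, today: date, enforcement: str = "switch"):
    """Whole pipeline. A host that reports no posture (no agent, e.g. a
    printer without an 802.1x supplicant) cannot be validated and is
    quarantined rather than admitted by default."""
    if posture is None:
        decision = Decision("unknown", False, ["no posture reported"])
    else:
        decision = evaluate(posture, today)
    enforce = switch_enforce if enforcement == "switch" else dhcp_enforce
    return decision, enforce(decision)


# Constructed sample hosts (invented data): one healthy, one stale, one agentless.
TODAY = date(2005, 3, 1)
SAMPLE_HOSTS = [
    Posture("desk-01", True, date(2005, 2, 28), True, 0),
    Posture("laptop-07", True, date(2005, 1, 15), False, 3),
    None,
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        for mode in ("switch", "dhcp"):
            decision, attrs = admit(host, TODAY, mode)
            verdict = "ADMIT" if decision.compliant else "QUARANTINE"
            print(f"{decision.host:10} {mode:6} {verdict:10} {decision.failures} {attrs}")
```

Run as a script, it admits desk-01 to VLAN 10 or the full scope, and sends laptop-07 (three failures) and the agentless host (one) to VLAN 99 or the 300-second restricted lease. The model also makes one practical caveat visible: DHCP-side enforcement only binds hosts that actually ask for a lease, so a machine configured with a static address is never checked, whereas switch-side enforcement through 802.1x port control isolates a non-compliant host at the port itself, at the cost of needing a supplicant on every device.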

Like NAC, NAP begins with a host client known as a Quarantine Agent (QA) that collects health and security information from third-party software. The QA will run on Windows XP SP2 (though this is likely to change as a new desktop Windows OS is due at the same time as the Longhorn server). Microsoft has also released an API for software vendors to communicate with the QA.

When a PC requests an IP address from the DHCP server, the server asks the QA on the PC to report its system status. The DHCP server then forwards this information to the Internet Authentication Service (IAS) server using RADIUS messages. (Note that the DHCP server acting as Quarantine Enforcement Server (QES) and the IAS server must run the Windows Longhorn OS for NAP.) The IAS compares the status information with policies stored in various System Health Validators (SHVs). SHVs are the policy servers that manage and update each third-party agent, such as an antivirus program.

Based on responses from the SHVs, the IAS server will instruct the DHCP server to provision the PC with an IP address that allows full network access or restricts the PC to a quarantine or remediation area on a network segment.

PLEDGE OF INTEROPERATION

NAC and NAP are proprietary admission-control systems, but Cisco and Microsoft have publicly pledged that NAC and NAP will be compatible and interoperable.

"We've been told unilaterally by customers to make sure they work together," says Russell Rice, director of product management, security technology group at Cisco.

A joint statement made by both companies says that at some point in the future, components of NAC and NAP should be able to understand and pass enforcement decisions between them. Cisco is allowing Microsoft to evaluate the NAC communications protocol to use as part of Microsoft's quarantine system, and Microsoft has licensed its client and server APIs to Cisco. However, both companies are keeping further details under wraps.

Cisco has also said it will eventually turn to a standards body to create a common network admission platform with which other hardware and software vendors can integrate. However, says Rice, "it probably won't happen this calendar year, and we don't have a firm opinion of which standards body."

Other members of the security community have launched an effort to create an interoperable standard for multivendor endpoint admission-control systems. Known as Trusted Network Connect (TNC), the effort is a sub-group of the Trusted Computing Group (TCG). The TCG is an industry standards organization promoting the Trusted Platform Module (TPM), a hardware-based security solution.

Launched in May 2004, TNC was basically formed as an alternative to Cisco hegemony in the network admission space. Members include Cisco competitors such as Juniper Networks, Extreme Networks, and Foundry Networks. It also includes vendors such as Sygate and Symantec, who are also cooperating with NAC. The group originally hoped to deliver specifications for an open framework for multivendor endpoint enforcement in 2004, but as yet nothing has been released.

At this point, neither Cisco nor Microsoft has joined TNC. Though the group's goal of creating an open standard is admirable, without the cooperation of Cisco and Microsoft, the TNC is likely to have about as much influence on the direction of network admission standards as France has with Dick Cheney and Donald Rumsfeld.

THE COMPETITION

NAC and NAP aren't the only game in town. For instance, Enterasys' Trusted End System uses Matrix switches, a NetSight policy server, and host agents from Check Point/Zone Labs or Sygate to perform the same functions as NAC. Alcatel, HP, Foundry, and Extreme also offer network admission solutions with Sygate's Host Integrity client as the desktop agent.

Vernier Networks, a startup originally focused on wireless security, recently announced its EdgeWall security appliances, which perform network admission without a host agent. EdgeWall appliances sit behind each switch and access point to interrogate new machines seeking access. The appliances conduct vulnerability scans and can admit or deny clients based on scan results. The appliances also continuously monitor network traffic to detect worms, viruses, and unwanted programs such as P2P applications. However, because EdgeWall doesn't use agents, it must log in to each machine to do NAC/NAP basics such as confirming the presence of an AV client or checking for the latest patches. The EdgeWall devices must therefore be given authentication credentials for each host to perform these checks, which makes the appliances themselves a store of privileged credentials that needs protecting.

THE DECIDING FACTOR

While Cisco's head start represents a clear advantage, Microsoft's ownership of PC OSs gives the software giant ample opportunity to catch up. What really matters is how agents interact with the third-party software that provides status information about the client, and with the policy servers that use that information to make access decisions. The infrastructure that enforces policy decisions, be it a switch or DHCP server, is less important. This is particularly true if and when Cisco opens NAC to other hardware vendors, making the switch a commodity device in the overall scheme. Thus, Microsoft's dominance on the client OS will likely trump Cisco's dominance in network infrastructure.

Microsoft, by embedding its own Quarantine Agent into the OS, removes the need for Cisco's Trust Agent. It can also leverage its own future products; for instance, an upcoming version of the Microsoft Systems Management Server (SMS), which automates software delivery and patching, will be compatible with NAP. And by 2007 it's very likely that Microsoft will have bundled antivirus and anti-spyware technology into its desktop OS.

However, ultimately it may be that neither giant dominates. The eventual proliferation of devices that don't run Windows, such as IP phones, PDAs, and IP-enabled cell phones, will require alternatives to a Windows Quarantine Agent. In addition, Cisco and Microsoft will likely act as counterweights, each using its leverage to push the other toward a set of open standards, from which the security community as a whole can benefit.

Technology Editor Andrew Conry-Murray can be reached at [email protected].
