In fact, some executives are happy to credit Cisco with driving customers to their door. "[Cisco] NAC has been great for us," said Khalaf. "Cisco has done a lot of education and raised awareness about the [NAC] issue, but [Cisco] NAC is a solution that requires significant infrastructure changes."
Schlumberger Ltd., an oil-field services company in New York, did a four-month evaluation of Cisco's NAC technology but decided to go with Lockdown after Cisco's Security Agent software conflicted with applications Schlumberger was running internally, said Mario Chiock, a senior IT security adviser at Schlumberger. "Cisco promised a lot last year, but they haven't delivered yet," Chiock said. Even when it is mature, Schlumberger would have to replace the bulk of its Cisco networking infrastructure to take advantage of the new NAC features. "We have 1,900 [Cisco] switches that will never be upgradable. Cisco will never bring NAC down to those old switches, so that makes it very expensive," he said.
Cisco's NAC already does, or will, support nearly every router and switch platform the company sells, including products it no longer sells, according to Russell Rice, director of product marketing in the company's Security Technology Group. Cisco is also planning to standardize its NAC technology through an open forum, likely next year, and deliver an agentless NAC technology in NAC2, an upcoming release, Rice said.
Rice countered the charges that his company is moving too slowly to make NAC a reality for companies, noting that the Cisco Clean Access product is an appliance-based network access control product that addresses "pain points" such as securing high-risk areas of a company's network, similar to products by Vernier and others. Cisco has already shipped Clean Access gear to around 400 customers since it acquired the technology with Perfigo in October 2004, Rice said.
But Rice admitted that the Clean Access product is overshadowed by what Cisco calls the "NAC Framework" (NAC technology running on Cisco switches and routers) and that the company doesn't have easy answers to questions about cross-vendor support or the cost of upgrading switch and routing infrastructure to do NAC. "[NAC] isn't a small activity. There are fundamental things organizations have to undergo, no matter how you slice it," he said. "You've got to get into the network design side of things to provide different levels of access and make that work. Those are really big nuts, but is [Cisco] doing things that make the burden even larger than any technology would require? I don't think so," he said.
To ease deployment, Cisco is working with third-party companies to build NAC support into client software from a number of vendors, so that the separate Cisco Trust Agent software doesn't have to be installed on every system, Rice said. As for the cost of upgrading a company's networking infrastructure, Cisco is counting on organizations standardizing on Cisco NAC-compliant hardware as they refresh their networking infrastructure in the coming years. For those companies that elect to use other networking gear, the company plans to standardize its NAC communications protocol through the IETF, beginning in 2006, which will allow other vendors to support those standards as well, he said.
But at Continental Airlines, which is a major Cisco customer, those are considerations that are too far out in the future, said Andre Gold, director of information security at the company. Continental is deploying ConSentry's product in a controlled environment and is keeping an eye on Cisco NAC, as well as alternatives like Microsoft's Network Access Protection (NAP) program and the Trusted Computing Group's Trusted Network Connect, while the company considers changing its network architecture to support broader solutions.
In the months to come, that story may become a familiar one to executives at Cisco.