Cisco Defends NAC Territory

By Matt Hines  |  Posted 2006-12-05


Largely credited for creating the burgeoning market for network access control technologies, used primarily for protecting IT operations from external threats, Cisco now finds itself in the familiar position of defending its home turf.

Much as the San Jose, Calif.-based company has spent years warding off criticism and competition from those that wish to wrest away Cisco's top spot in the massive networking sector, the market leader is currently engaged in heavy battle with a long list of vendors gunning to carve out their own piece of the emerging NAC security landscape.

NAC technology, offered up in both software and hardware products, is used to protect organizations by scanning machines that attempt to log onto their networks and testing the devices to ensure they have all the appropriate permissions and security protections in place required by a company to access its IT systems.

Rivals have begun actively using the cost and complexity of Cisco's network admission control products, as well as some perceived security loopholes in them, to market their own network-based IT defense systems.

But rather than worrying about the exaggeration and misinformation they believe those vendors espouse about their NAC technologies, Cisco executives say the interest created by those claims will only help to drive its own business.

The most common refrain among the company's NAC rivals is that in order to adopt its tools, customers must rip out their existing networking gear and replace it with all new Cisco hardware and software.


The other popular cut on Cisco NAC is that it falls prey to several major security issues that could allow hackers to infiltrate the system by disguising themselves as legitimate users.

In both cases the claims are untrue, said Brendan O'Connell, senior product manager for Cisco's NAC appliances business. However, if the company is to succeed in its goal of becoming the leading network security technology provider, Cisco can't worry about the noise and must instead concentrate on building new products that enhance the role of NAC even further, he said.

"These are simply the things we have to deal with along the way, a dilution of the NAC market, comparisons that only refer to pieces of the big picture of what we can do, but generally speaking we're making a lot of progress as everyone learns, and things are only getting better as we go along," O'Connell said.

"We've put a lot of development effort into being able to control the network in the way administrators truly need, and we're getting the best feedback because we have the most widely deployed NAC technology today; it's not surprising that others are coming after us, but at the end of the day we're very confident that we can lead this market for a long time."

While companies adopting Cisco's entire NAC framework must indeed move almost completely to the company's own networking hardware and software to support the system, the firm's NAC appliance lineup was specifically tailored to work in multi-vendor environments. And many of the security flaws highlighted by researchers at Cisco's rivals, such as those detailed by Insightix Chief Technology Officer Ofir Arkin, have already been closed off, or never existed in Cisco's products, O'Connell said.


A War of Words

Rather than focusing on the war of words over its capabilities spurred on by those competitors, the company is focused on adding to the reach of its products, making NAC a pivotal technology for controlling access to network resources both inside and outside the walls of enterprise businesses.

While many products that claim to offer the same benefits of Cisco NAC only cover one type of technology, such as systems that merely validate PCs but that may not support wireless devices, the networking giant is hoping to expand on four functional areas to make its technologies even more powerful.

Those tenets of pure NAC, as Cisco defines it, demand products that securely identify all types of devices, enforce consistent security policies, offer the ability to quarantine and remediate machines that are legitimate but lack some level of protection, and allow for central configuration and management to let administrators tailor their systems to their company's preferences.

By requiring all this of NAC systems, customers will then be able to use the network-based security technologies to do things such as authenticate users for access to enterprise applications inside of their operations. Adding new layers of functionality on top of NAC is one of Cisco's major initiatives for the products in the future.

"With the mature deployments we already see, people aren't just using NAC to verify users' anti-virus status, they're looking at where people are logging in from to see if there's misuse of sensitive data; they don't want workers looking at customer records logged on at the local Starbucks, so in that sense NAC won't just be about software on the machine, but also looking at behaviors," O'Connell said.

Other future NAC product features will seek to help administrators get a better grasp on their entire network security standing by pulling in information from anti-virus programs, intrusion detection systems and other stand-alone security technologies.

Industry watchers observed that Cisco may have damaged some perceptions of its security efforts by appearing to use the market to increase demand for its traditional networking products, but said the firm is making headway in carving out a wider role in the market.

Rivals may be using Cisco's product features to market their own technologies, but they are likely helping the company as much as taking business away, said Andrew Jaquith, analyst with Boston-based Yankee Group.

"Cisco initially hurt themselves by positioning NAC as rip and replace, so people saw it as an effort to get more gear into people's hands, but they have changed their approach significantly and are offering alternatives to people who don't want to do it that way," Jaquith said.

"Smaller NAC specialists have tried to make hay of the previous strategy, but the reality is that NAC is about more than perimeter security; the battleground over hearts and minds will actually be won over the ability of vendors to provide both network admission and post admission behavior."

Other analysts said that many customers are looking to adopt NAC today, and also keeping a close eye on the launch of Microsoft's rival Network Access Protection technologies, expected to arrive in 2007.

Cisco and Redmond, Wash.-based Microsoft have already announced a major project aimed at lending interoperability to their respective products.

"We see the demand for NAC is real, but mostly in an overlay sense today," said Jon Oltsik, analyst at Enterprise Strategy Group, Milford, Mass. "After Microsoft ships NAP, and when people get serious about rolling out around the [Internet Protocol version 6] standard, there will be a lot of network upgrades, and that will be the time when Cisco really takes advantage of all of its different network capabilities."
