The good news is that Microsoft and Cisco Systems are working on a plan to make VPN use safer by making their respective standards compatible, and eventually interoperable. That's also the bad news.
As the companies present the plan, Microsoft's NAP (Network Access Protection) would work with Cisco's NAC (Network Admission Control), which Cisco started incorporating into its remote-access products this year.
Intended to enforce security policies on endpoints attempting to connect to the network from outside, NAC is designed to be installed on a switch or remote-access server. To date, NAC is available only for some Cisco routers.
While Cisco presents NAC as an industry-standard approach, at this point it's a Cisco approach, which Cisco apparently hopes will become a de facto standard.
Elsewhere, there's the Trusted Network Connect standard that's being put together under the auspices of the TCG (Trusted Computing Group), which is intended to accomplish the same thing. But this group has a membership that reads like a who's who of the infrastructure business, with the notable exception of Cisco.
Of course, there's a lot to be said for having the weight of a giant such as Cisco behind a standard. If you put something like NAC into your routers, and eventually your access devices and switches, you will in effect have created a standard. But the problem is that you'll also have left behind so much else. Right now, for example, Cisco's client for supporting NAC works only with Windows.
While it's true that most personal computers are covered that way, there are still important gaps, both in terms of other operating systems and in terms of what NAC actually does, which is to check for compliance with security policies under Windows and a few third-party security applications.
But what about the rest of the world? Microsoft, for example, has said its NAP isn't ready and won't be for more than a year. And a full implementation that supports everything NAC eventually will support won't be out for three more years. What are you supposed to do about your infrastructure in the meantime? Buy only Cisco and hope for the best? I'm sure Cisco would like that answer, but it's unlikely to meet all of your needs.
Worse, when giants such as Cisco and Microsoft try working together, the outcome is rarely a pretty sight. More likely, both sides will give it lip service until some solution or another comes to the fore.
But there is one positive benefit, and that is that every other company will be focused on the issue of ensuring that remote users are required to meet all corporate security standards. The thing is, that can be accomplished now, with software that's already available. Sygate, a TCG member that participates in the TNC effort, already sells a product that delivers now what Microsoft and Cisco say they'll have in a few years.
For its part, Sygate seems to be moving ahead. Sygate vice president Jon Brody said his company is pleased that the issue of client security and standards compliance is being discussed. But he noted pointedly that it will be years before Microsoft, at least, can do anything about it.
Actually, there's another positive benefit to enforcing your policies with remote users: you have to have a policy. Maybe Cisco's NAC or the industry's TNC will at least help to make sure the policies get thought about.
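To make concrete what "checking for compliance with security policies" and "having a policy" mean in practice, here is an added example of the admission decision that NAC, NAP and TNC all make: an endpoint reports its posture, the enforcement point compares it against a written policy, and the endpoint is admitted, sent to remediation, or denied. This is not Cisco's, Microsoft's, Sygate's or the TCG's code; the policy fields, the posture-report layout, the `evaluate` and `run_samples` functions and the four sample endpoints are all constructed for illustration. It deliberately fails closed: anything the agent cannot report counts as non-compliant, and an operating system the agent does not support is denied rather than waved through, which is the gap the column points at.

```python
"""Minimal endpoint posture policy evaluator (added example, not vendor code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical corporate policy. Values are constructed for this example.
POLICY = {
    "supported_os": {"windows", "linux", "macos"},   # OSes the posture agent can assess
    "max_av_signature_age_days": 7,
    "required_firewall": True,
    "min_patch_level": {"windows": 5, "linux": 3, "macos": 2},
}


@dataclass
class Posture:
    """What the endpoint agent reports. None means 'could not determine'."""
    host: str
    os_name: str
    firewall_enabled: Optional[bool]
    av_signature_date: Optional[date]
    patch_level: Optional[int]


@dataclass
class Decision:
    verdict: str                      # "admit", "remediate" or "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate(p: Posture, policy: dict, today: date) -> Decision:
    """Compare one posture report against the policy. Missing data fails closed."""
    # An OS the agent does not support cannot be assessed at all, so deny
    # rather than guess; this is the Windows-only client problem in miniature.
    if p.os_name not in policy["supported_os"]:
        return Decision("deny", [f"unsupported OS '{p.os_name}': posture cannot be assessed"])

    reasons: List[str] = []
    if policy["required_firewall"] and p.firewall_enabled is not True:
        reasons.append("host firewall disabled or unreported")

    max_age = policy["max_av_signature_age_days"]
    if p.av_signature_date is None:
        reasons.append("no antivirus signature date reported")
    elif (today - p.av_signature_date).days > max_age:
        reasons.append(f"antivirus signatures older than {max_age} days")

    min_patch = policy["min_patch_level"][p.os_name]
    if p.patch_level is None or p.patch_level < min_patch:
        reasons.append(f"patch level below required {min_patch}")

    # Fixable shortfalls go to a remediation network instead of a hard deny.
    return Decision("admit") if not reasons else Decision("remediate", reasons)


def run_samples() -> Dict[str, Decision]:
    """Evaluate four constructed endpoints against POLICY as of a fixed date."""
    today = date(2004, 11, 1)  # constructed reference date
    samples = [
        Posture("win-laptop-01", "windows", True, date(2004, 10, 30), 6),   # compliant
        Posture("win-laptop-02", "windows", False, date(2004, 10, 20), 6),  # firewall off, stale AV
        Posture("linux-dev-03", "linux", True, None, 3),                    # no AV agent
        Posture("bsd-box-04", "freebsd", True, date(2004, 10, 31), 9),      # agent can't assess
    ]
    return {p.host: evaluate(p, POLICY, today) for p in samples}


if __name__ == "__main__":
    for host, d in run_samples().items():
        print(f"{host:14} {d.verdict:10} {'; '.join(d.reasons)}")
```

The point of the example is the last sample: a box the agent cannot assess gets no verdict of "fine", it gets "deny". Whatever product or standard you end up with, write the policy so that the absence of evidence is treated as non-compliance, and keep the remediation path separate from the hard-deny path so users with a fixable problem are not simply locked out.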