Cisco defends its position with a major step towards the 'self-defending' network

Rethink IT, July, 2004

Cisco is like a giant barn owl, continually pecked at and harassed by smaller birds. One of the strongest weapons these rooks have with which to snap at the giant is security. Time and again, as Cisco has hastily issued fixes for security vulnerabilities in its systems, its rivals have announced new products or partnerships to bolster their own credentials in key areas like intrusion detection.

This became very clear in February when Juniper, Cisco's main challenger in the high end router market, targeting carriers, acquired VPN maker NetScreen, a move that put Juniper, for the first time, in contention for enterprise business. NetScreen generates 75% of its VPN and firewall sales from enterprises.

"A company that can compete with Cisco in the enterprise needs security in its products. This is a great start towards building that company," said analysts at Infonetics.

Now Cisco is fighting back. Last month it announced new features in its routers that it promised would be a major step towards the 'self-defending network'.

Key among these is the first fruit of a collaboration, announced earlier this year, between Cisco and the antivirus specialists Network Associates, Trend Micro and Symantec. The first product is Network Admission Control (NAC), which allows Cisco's networking products to communicate with these antivirus products. Devices running NAC technology will allow network access only to compliant and trusted PCs or mobile devices. NAC can also restrict the access of non-compliant equipment, for instance if it does not have up-to-date virus protection or patches. This technology will be embedded initially in Cisco's edge routers, for linking corporate networks to the internet; it will then be extended to the Catalyst 2900 to 6500 switch families, protecting in-building networks, and to the VPN 3000 product for remote access.

Extending security to these network elements helps Cisco fulfill its vision of protecting the entire network by including as much security technology as possible throughout the network, so that the network itself can detect and defend against malicious attacks.

Eventually, all Cisco routers and switches will be able to check devices connecting to them for problems.

Cisco plans to open the program to other antivirus vendors. The company is also trying to integrate more security technology into its products. Earlier this month, it extended its relationship with Trend Micro to combine that company's worm and virus signatures with its own intrusion detection system (IDS) software implemented in its routers, switches and security appliances.

However, while the roadmap is impressive--and hard for any networking rival to match, because no other has Cisco's penetration in end-to-end systems--roll-out is too slow for critics. The most critical phase of NAC is LAN switch support, and that is not due for another nine months or so. And, while Cisco is accused of not meeting users' needs in the short term, it is also criticized for moving hesitantly towards standards for securing LANs and WANs--something it is uniquely placed to influence.

For instance, parcel carrier UPS, which is testing the NAC solution, says it is "a step in the right direction", but that it would like to see an industry standard evolve so that there is an interoperable platform that works on all networking gear. Of course, Cisco rarely puts strong support into such standards until it is forced to, preferring to make key features such as security tools a differentiator for its own products, in order to retain its hold on its core markets. But it does say it is working on interoperability.

Part of Cisco's Phase II plan for NAC will include proposing its authentication technology as a standard to the IETF (Internet Engineering Task Force) this August. Additional plans include opening the Trust Agent API to any vendor interested in writing software that works with NAC, on the client or server side. This would let vendors in the client software, server software and network equipment areas create products that work in a NAC infrastructure.

Cisco would not give a definitive timeframe as to when switches and routers from competing vendors could plug into NAC via standards-based technology.

Another NAC feature, due next year, is a client audit technology for digging into non-PC machines--such as printers, IP phones, cameras and network appliances--trying to access a network. Also, NAC now works only on Windows 2000, NT and XP clients. Support is planned for Linux and Solaris machines by the fourth quarter of this year, Cisco says. The company is working with a few network auditing vendors for this part of NAC.

Missing from Phase II of NAC is a plan for wireless. Cisco says Layer 2 NAC support for Cisco Aironet gear will be introduced in a later phase sometime next year. In the meantime, users can implement Layer 3 NAC configurations by putting NAC-enabled Cisco routers behind Aironet access points to enforce anti-virus and security policies.

Content provided in partnership with Thompson Gale