Cisco and Microsoft released closely held details about their two-year-old partnership to deliver integrated controls that prevent malware-infested computers from connecting to networks. Cisco's Network Admission Control, or NAC, technology will work with the Microsoft Network Access Protection, or NAP, capabilities available with the upcoming Windows Vista and Longhorn operating systems.
The result should be a breakthrough in integrated IT security when the whole package arrives in the second half of next year, the target date for Longhorn's release. But the need for network access control won't wait that long, so businesses will have to continue to control network access using technology already available in some of Cisco's products and through other security vendors.
By year's end, Cisco and Microsoft will offer a limited beta program, with no more than three mutual customers, to gain a more realistic understanding of how their access control technologies will work together.
As these beta testers will soon find out, combined network access protection and network access control consists of several client-side software applications that check and communicate the health of laptops, desktops and other devices attempting to connect to a given network.
On the network side, Cisco routers and switches, Cisco Secure Access Control Server, Microsoft Network Policy Server and policy servers from other vendors work together to give the thumbs up or thumbs down to any device seeking to connect. Access control systems must be able to detect connecting devices, authenticate the people using them, determine if a connecting device has the appropriate antivirus protection and software patches, and quarantine and update systems that don't make the grade. Microsoft and Cisco appear to have these bases covered.
Apart from some comments at this year's RSA Security show in February, when Bill Gates broached the topic of NAP and NAC integration, Cisco and Microsoft have said very little over the past two years about how their technologies will work together. "We wanted to be sure this worked," says Mark Ashida, general manager of Microsoft Enterprise Networking.
The biggest challenges were corporate rather than technological. "We're governed by who owns what intellectual property," Ashida says. Adds Bob Gleichauf, Cisco's CTO for its Security Technology Group, "We had to get our respective legal teams together to work out the cross-licensing."
Cisco and Microsoft have cross-licensed the Cisco NAC and Microsoft NAP protocols used to communicate information between clients and networks, to help ensure their products continue to work together. The companies also decided that Microsoft NAP client APIs will serve as the only client interface, which makes it easier for third-party software developers to write their own health-agent and health-enforcement software to work in integrated NAC/NAP environments.
Under the joint Cisco-Microsoft vision, the access control process begins when a client running Vista attempts to authenticate to the network by sending a "statement of health," which includes information from so-called system-health agent software, to a Cisco Secure Access Control Server, or ACS, via a switch or router. System-health agent software is available from Microsoft as well as third-party vendors including Altiris, McAfee and Symantec.
This statement of health travels to the ACS using one of two methods: either Extensible Authentication Protocol over User Datagram Protocol, or EAP Flexible Authentication via Secure Tunneling, also known as EAP-FAST. Once the ACS receives the authentication and admission request, it communicates via the host credentials authorization protocol to the Microsoft Network Policy Server, or NPS. The NPS in turn connects to a health-registration authority server, or policy server, to determine whether the client should be given access, and then passes that decision back to the ACS.
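As an added illustration (not code from Cisco or Microsoft, and not the real NAP/NAC wire formats), the following Python models the decision chain described above: the client's statement of health reaches the ACS, which authenticates the user and hands the health data to the NPS, which asks the policy server whether the antivirus and patch checks pass; hosts that fail are quarantined with the failed checks listed for remediation. The policy thresholds, the approved-vendor list, the user directory and the VLAN names are constructed placeholders, and the HCAP exchange between ACS and NPS is modelled as a direct function call.

```python
from dataclasses import dataclass, field

# Constructed policy values; the real NAP/NAC policy formats are not modelled.
REQUIRED_PATCH_LEVEL = 3
APPROVED_AV_VENDORS = {"Microsoft", "Altiris", "McAfee", "Symantec"}
# Hypothetical VLAN names a switch might apply for each ACS verdict.
VLAN_FOR_VERDICT = {"full": "corp", "quarantine": "remediation", "deny": None}

@dataclass
class StatementOfHealth:
    """Simplified summary of what the client's system-health agents report."""
    host: str
    user: str
    av_vendor: str
    av_enabled: bool
    patch_level: int

@dataclass
class Verdict:
    access: str                                  # "full", "quarantine" or "deny"
    failed_checks: list = field(default_factory=list)

def health_registration_authority(soh):
    """Policy server: compare the statement of health with policy, list failures."""
    failures = []
    if not soh.av_enabled or soh.av_vendor not in APPROVED_AV_VENDORS:
        failures.append("antivirus")
    if soh.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("patches")
    return failures

def network_policy_server(soh):
    """NPS: ask the health-registration authority, then grant full access or quarantine."""
    failures = health_registration_authority(soh)
    return Verdict("quarantine", failures) if failures else Verdict("full")

def access_control_server(soh, directory):
    """ACS: authenticate the user first; only then hand the health data to NPS.
    The HCAP exchange between ACS and NPS is modelled as a direct call."""
    if soh.user not in directory:
        return Verdict("deny", ["authentication"])
    return network_policy_server(soh)

def admit(soh, directory):
    """Switch/router side: turn the ACS verdict into a VLAN placement (constructed names)."""
    verdict = access_control_server(soh, directory)
    return verdict, VLAN_FOR_VERDICT[verdict.access]
```

A quarantined host keeps its `failed_checks` list, which is what a remediation server would act on before the client re-submits its statement of health.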
A Forrester Research study of technology decision makers at North American companies found that while more than one-third plan to adopt some type of network access control this year, the rest cite cost and manageability as obstacles to deployment.
Cisco and Microsoft have done solid work in making access control much easier by letting their technologies communicate with each other, but this won't be a big deal to most businesses until they have Vista on their PCs and Longhorn on their servers.
There's a real urgency for companies to better protect their networks when remote employees, contractors and business partners connect. Don't wait for Microsoft and Cisco, says Gartner VP John Pescatore, adding, "If you're not going to Vista by you should be looking for appliances and other technologies that offer access control and asking those vendors how they plan to fit into Microsoft and Cisco's plans."