Corporate security executives should be wary of network-access control schemes that don't embrace open standards that encourage multi-vendor security, says one of the founders of Extreme Networks.
In particular, they should consider whether they want to be locked into Cisco's Network Admission Control (NAC) scheme because it relies on Cisco hardware and software to work, says Herb Schneider, Extreme's vice president of research and development during an interview with Network World at RSA Conference 2006 Wednesday.
His comment was aimed directly at Cisco CEO John Chambers' keynote address earlier in the morning during which he touted NAC. "The word 'open' never appeared," Schneider says. "There is no open architecture."
Network-based access control architectures based on open standards are still evolving, he says, and are a year to two years from being ready for full deployment.
In the meantime, businesses that need to shore up their access defenses should consider devices that impose access control on existing networks without requiring upgrades.
Extreme is working toward access control via 802.1x authentication capabilities in switches, a range of access policy servers and client software that allows scanning computers for policy compliance before they gain network access. The company is closely aligned with Microsoft and its Network Access Protection (NAP) program that provides endpoint and policy components but not network enforcement.
At RSA Conference 2006, Extreme demonstrated its switches allowing or denying access to a Microsoft Vista host based on virtual LAN assignment.
Extreme is also a member of the Trusted Computing Group, an alliance of vendors dedicated to creating open standards for secure computing.
While he expects Microsoft to eventually include firewall and anti-virus support in its clients to protect endpoints, networking companies have to embrace other computer operating systems including Apple Macintosh and Linux, he says.
Over time, network security will evolve into sets of access policies that allow certain behaviors rather than simply deny bad traffic. "The world today is a large set of rules for anti-virus signatures and things you're not allowed to do," he says. "Instead, we need behavioral rules of how things should work." Traffic would be monitored all the time and patterns of traffic that fall outside what is allowed would be flagged, diverted or cut off, he says.
Meannwhile, Extreme has developed programming interfaces to its operating system to enable third parties to write applications to them. For instance, Avaya and Extreme have collaborated on a switch application that constantly monitors latency and jitter on network connections and can redirect voice traffic real-time to keep voice on paths with good quality of service.
He says he expects other partners to expand Extreme's security stance. "I only have 250 engineers," he says. "I want to leverage the innovation available in the industry."