Cisco this week is expected to announce Phase II of its Network Admission Control (NAC) program, including the ability to block network access for infected or non-compliant clients at the LAN and wireless LAN switch level.
The much-hyped NAC Phase II is expected to let corporate networks block access for, or quarantine, PCs and laptops that are infected with viruses or lack required anti-virus software. Cisco took its time developing the technology and now finds itself behind many vendors that already ship similar products, some for more than a year. Cisco's roughly 70% share of LAN switch sales will give it ample opportunity to catch up, experts say.
Announced in 2003, NAC requires PCs to run a Cisco Trust Agent, which gathers posture information from local anti-virus client software and reports it to Cisco's Access Control Server (ACS) and to third-party anti-virus policy servers. The posture exchange between the client and the network device is carried in the Extensible Authentication Protocol (EAP): over 802.1X at Layer 2 when the enforcement point is a switch, or riding on top of the User Datagram Protocol when it is a router.
In April 2004, Cisco released Phase I of NAC, which let Cisco routers admit, deny or quarantine users connecting over WAN or VPN links. Phase II extends the same capability to LAN switches.
Some users who evaluated the NAC architecture opted for a competing product because the Cisco approach required client-side software and did not yet support enforcement on Layer 2 switches.
"We found NAC to be too intrusive," says Mike Hawkins, director of telecommunications networking at the University of North Carolina (UNC), Chapel Hill. "We can't touch every machine in a large university."
Last year, UNC installed 4,000 Enterasys switches along with NetSight Atlas policy management servers, which support port-level authentication based on 802.1X and can block or quarantine PCs. The gear works with Sygate, Fortinet and other anti-virus and security software products to scan and audit client machines.
Hawkins, who manages some Cisco as well as Alcatel switches on UNC's LAN, says NAC technology still interests him, but the delivery is probably too late for it to be installed widely at the school.
"I've been doing [NAC] for two years," he says. "Why should I switch to something that just came out?"
UPS, which has been following NAC since its announcement in 2003, recently tested the router-based Phase I of the technology but did not deploy it.
"The issues we're having are that we need all of our sites to be able to run without the WAN," says Edward Gotthelf, director of network architecture for UPS. "With NAC, you can centralize the authentication servers [that check client PC credentials]. But if your WAN goes down, the users in branch offices won't be able to get on the network."
To get around this, redundant authentication servers would have to go in every UPS building with a LAN, he says. "We don't want to deploy another 4,000 devices in our facilities. That would be a tremendous cost."
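Gotthelf's concern above, that a centralized authentication server becomes unreachable when the WAN fails and branch users are locked out, is the failure mode that the "dead server" fallback on 802.1X-capable switches is meant to address. The Catalyst IOS fragment below is an added example written for this article; it is not Cisco's published NAC configuration and not part of the original story. It assumes a switch running an IOS release that supports the `authentication event server dead` command set; the RADIUS server address, shared secret and VLAN numbers are placeholders.

```cisco
! Added example (not from the article): an 802.1X access port that
! keeps a branch office working when the central RADIUS/ACS servers
! across the WAN are unreachable.
! Assumes Catalyst IOS with the 'authentication event' commands;
! 10.1.1.10, PLACEHOLDER-SECRET and VLANs 100/999 are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Central ACS across the WAN. Mark it dead after 3 unanswered requests
! within 10 s, and keep it marked dead for 5 minutes before retrying,
! so every new client does not wait out a full RADIUS timeout.
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 dot1x pae authenticator
 ! Server reachable and it rejects the client: park the port in the
 ! local quarantine VLAN rather than leaving it unauthorized.
 authentication event fail action authorize vlan 999
 ! All RADIUS servers dead (for example, WAN down): authorize the port
 ! into the local data VLAN so the branch stays up, then force
 ! re-authentication as soon as a server answers again.
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
```

Two caveats a practitioner should weigh. First, the quarantine VLAN for a client that authenticates but fails its posture check is not set on the switch; the policy server returns it in the RADIUS reply (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID), so the `fail action` line only covers outright rejections. Second, the dead-server fallback deliberately trades posture enforcement for availability while the outage lasts, which is why it should authorize into a restricted local VLAN where the site's design allows it, and why the switch's server-dead events belong in the site's monitoring rather than going unnoticed.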
A slew of vendors have rushed to fill the void left by NAC's delay with products that claim to integrate security software with LAN switches or control access to the LAN through other means. 3Com, Alcatel, Enterasys, HP and Nortel are shipping products that use 802.1X on LAN switches and back-end authentication servers to permit or deny network access. Meanwhile, security-focused start-ups such as ConSentry, Vernier Networks and Lockdown Networks have recently launched appliances and software that provide a NAC-like overlay for installed Ethernet switches.