Last week’s long-awaited first pass at a display of interoperability between network access control components from Cisco and Microsoft only underscores the complexity of the task that remains and the need to involve more vendors, experts say.
The good news, they add, is that the cooperation building between these industry giants should benefit most those organizations that have built their infrastructures around Microsoft and Cisco products.
“The interoperability is important based on who the players are, but it is hard to get excited about two vendors patching together their proprietary hardware and software,” says Andrew Braunberg, senior analyst for information security at Current Analysis. “We are no closer to open standards for network access control.”
Openness is being pushed by the Trusted Network Connect (TNC) group, which is working on a set of open NAC specifications within the Trusted Computing Group (TCG) industry association, and by the IETF’s Network Endpoint Assessment (NEA) working group. Microsoft is a member of both groups and says it plans to focus more on those efforts after completing its initial work with Cisco. Cisco is not a member of TCG, but does work within the NEA.
At IDG’s Security Standard conference last week, the companies demonstrated the integration of Cisco’s Network Admission Control (C-NAC) and Microsoft’s Network Access Protection (NAP) frameworks. They also released a white paper and announced plans for a private beta later this year.
“They have some form of interoperability, but you still end up with a proprietary architecture that is tied down to their business interests,” says Steve Hanna, co-chair of the TNC group, which in May released the final specifications for building an open standards-based NAC system. Hanna says the goals are adoption, greater functionality and compatibility, and compliance testing.
Observers say interoperability gains by Cisco and Microsoft are only small steps forward, because they center on consolidation around agent protocols used to provide data on the health of network endpoints, not around the frameworks themselves.
In fact, the two vendors specifically pointed out that customers would have to deploy the Cisco Secure Access Control Server (ACS) and the Microsoft Network Policy Server (NPS) for the initial interoperability release.
“It’s always ‘add all these things together and it will be interoperable,’ which is really just them saying ‘you must install two separate policy servers to do the job that one was able to handle previously,’” says Joel Snyder, a senior partner with consulting firm Opus One and a member of the Network World Lab Alliance. “It just complicates things at a time when they could have gotten simpler,” he adds.
Snyder says one good outcome may be simplicity on the client side, with Microsoft taking responsibility for the client-side agent and APIs.
The two vendors say a single agent, which will ship with the Vista client operating system and Longhorn Server, will operate across the Cisco and Microsoft platforms and be used by third parties to tie their systems into the architecture. Cisco will continue to develop its Trust Agent to support non-Microsoft platforms, and Microsoft will make APIs available so third parties can develop cross-platform agents.