Cisco going open source with NAC client
By Paul F. Roberts, InfoWorld, 02/08/2007
As it develops the next generation of network security infrastructure, Cisco is planning to cease development on its network
admission control (NAC) client, the Cisco Trust Agent (CTA), and submit the source code for the software client to the open
source community, Bob Gleichauf, CTO of Cisco's Security Technology Group, told InfoWorld.
Cisco has a goal of making the CTA open source within "a couple months," allowing the company to free up development resources
for other areas of NAC, Gleichauf said. Cisco's decision is more evidence that Cisco will cede control of the desktop to Microsoft
Vista, following a deal in September to use Microsoft's NAP (Network Access Protection) Agent as the client for both Cisco
NAC and NAP.
"CTA will be something that's open source. That's just logically where it should end up," Gleichauf told InfoWorld. "We don't
want to be in the CTA business, so we're going to just open it up."
In September, Cisco and Microsoft unveiled the fruits of a long, cross-company effort to integrate their network access control architectures. The plan devised by the
two companies called for computers running Windows Vista or Windows Server to include the NAP Agent component as part of the
core operating system, and to use that agent for both NAP and NAC. The NAP Agent added support for Extensible Authentication Protocol
over UDP and EAP-FAST, developed by Cisco and distributed over Windows Update, in addition to native EAP methods and
an 802.1X supplicant, to enable it to work for both NAC and NAP.
Computers running Windows XP with Service Pack 2, as well as non-Windows systems, would need to run the Cisco Trust Agent
for NAC and run the NAP Agent for NAP. Cisco also promised to continue developing CTA for non-Windows Vista and non-Windows
Server “Longhorn” platforms.
Since then, however, Microsoft and Cisco have extended both 802.1X and EAP support to Windows XP, reducing the need for the
CTA, said Mark Ashida, General Manager of Enterprise Networking Servers at Microsoft.
Open sourcing the CTA agent is just part of a much larger effort at Cisco to push beyond mere network access control to a
much broader security architecture that addresses problems such as data leaks and policy enforcement -- an architecture in which
Cisco's Security Agent (CSA) will play a much bigger role, Gleichauf said.
"Data leakage is about things crossing boundaries from areas you control to areas where you have less control: e-mail attachments
going over IM, or data going from someone in [human resources] to someone in manufacturing who shouldn't see it," he said.
"For us, it's all about modeling based on how data moves around. We recognize that data has its own identity, and we want
to use the controls we've built up around where users can go -- role based access -- to figure out where data can and can't
go," he said.
Components like the technology Cisco recently acquired with IronPort will provide some of the intelligence to stop messaging and Web-based leaks, and Cisco will use intelligence in its routers
and switches to control data flows and in the CSA agent to enforce data-level policies on the desktop, Gleichauf said. "CSA
is the next area where you're going to see us make go to market announcements that offer real value in the data leak space,"
he said.
For more enterprise computing news, visit InfoWorld. Story copyright InfoWorld Media Group, Inc.
Comments (2)
Cisco going open source with NAC client
By Cisco Subnet on February 9, 2007, 7:54 pm
Cisco is planning to cease development on its network admission control (NAC) client, the Cisco Trust Agent (CTA), and submit the source code for the software client...
Cisco is the Network Quarantine Vendor to Beat
By BradReeseCom on February 10, 2007, 9:19 am
Cisco's partnership with Microsoft has made Cisco the network quarantine vendor to beat. Now Cisco can focus on what their large enterprise customers want; port-based...