Cisco going open source with NAC client

As it develops the next generation of network security infrastructure, Cisco is planning to cease development on its network admission control (NAC) client, the Cisco Trust Agent (CTA), and submit the source code for the software client to the open source community, Bob Gleichauf, CTO of Cisco's Security Technology Group, told InfoWorld.

Cisco has a goal of making the CTA open source within "a couple months," allowing the company to free up development resources for other areas of NAC, Gleichauf said. Cisco's decisionis  more evidence that Cisco will cede control of the desktop to Microsoft Vista, following a deal in September to use the Microsoft's NAP (Network Access Protection Agent) as the client for both Cisco NAC and NAP.

"CTA will be something that's open source. That's just logically where it should end up," Gleichauf told InfoWorld. "We don't want to be in the CTA business, so we're going to just open it up."

In September, Cisco and Microsoft unveiled the fruits of a long, cross-company effort to integrate their network access control architectures. The plan devised by the two companies called for computers running Windows Vista or Windows Server to include the NAP Agent component as part of the core operating system, and to use that agent for both NAP and NAC. The NAP added support Extensible Authentication Protocol over UDP and EAP-FAST support, developed by Cisco and distributed over Windows Update in addition to native EAP methods and an 802.1X supplicant to enable it to work for both NAC and NAP.

Computers running Windows XP with Service Pack 2, as well as non Windows systems, would need to run the Cisco Trust Agent for NAC and run the NAP Agent for NAP. Cisco also promised to continue developing CTA for non-Windows Vista and non-Windows Server “Longhorn” platforms.

Since then, however, Microsoft and Cisco have extended both 802.1x and EAP support to Windows XP, reducing the need for the CTA, said Mark Ashida, General Manager of Enterprise Networking Servers at Microsoft.

Open sourcing the CTA agent is just part of a much larger effort at Cisco to push beyond mere network access control to a much broader security architecture that addresses problems such as data leaks and policy enforcement -- architecture in which Cisco's Security Agent (CSA) will play a much bigger role, Gleichauf said.

"Data leakage is about things crossing boundaries from areas you control to areas where you have less control: e-mail attachments going over IM, or data going from someone in [human resources] to someone in manufacturing who shouldn't see it," he said.

"For us, it's all about modeling based on how data moves around. We recognize that data has its own identity, and we want to use the controls we've built up around where users can go -- role based access -- to figure out where data can and can't go," he said.

Components like the technology Cisco recently acquired with IronPort will provide some of the intelligence to stop messaging and Web based leaks, and Cisco will use intelligence in its routers and switches to control data flows and in the CSA agent to enforce data-level policies on the desktop, Gleichauf said.  "CSA is the next area where you're going to see us make go to market announcements that offer real value in the data leak space," he said.

"Cisco's getting out of the desktop plumbing business and focusing on areas on the desktop where they can add value to what they're doing on the network," said Jon Oltsik, an analyst at Enterprise Strategy Group.

But Gleichauf's comment may also be an indication that Cisco trying to change the conversation around its NAC architecture, which has been a tough sell with enterprises largely because of the cost of upgrading Cisco and non-Cisco networking infrastructure in order to take advantage of the access control features.

While the company has found plenty of buyers for its NAC appliance, formerly known as "Clean Access," it has had far few takers for the full fledged NAC solution. In the meantime, the company has found competition from a wide range of niche NAC vendors, security mainstays like Symantec as well as Microsoft, Juniper and the Trusted Computing Group's standards based Trusted Network Connect architecture.

Gleichauf acknowledged that his company hadn't executed well in selling NAC to partners, but said the solution was for Cisco to close the loop even tighter on which firms it will tap to be a part of its solution.

"With NAC we got caught in the vendor program race with TNC and Microsoft, where you want to get as many vendors as possible. But there are only a minority of vendors who are value added. The majority of them are just looking for stickers to put on their booth," he said.

Going forward with its data leakage solution, Cisco will rely on a small number of main vendors that offer it more value with license arrangements, rather than rely on open standards, Gleichauf said.

That vision concerned Steve Hannah of the Trusted Computing Group, which promotes open standards for network access control that allow third party software to speak a common language when making access control decisions.

Releasing the NAC client as an open source application was a fine gesture, but it has little value to the community at large until Cisco agreed to submit its NAC protocols as open standards, he said.

"Ultimately, Cisco retains control, and you end up with Cisco as the center of the universe. So customers are stuck buying Cisco gear and looking for things that plug into Cisco gear, but they don't really have a choice of different vendors," said Hannah, who is a distinguished engineer at Cisco competitor Juniper Networks.

TCG is happy to talk with Cisco about moving NAC protocols to open standards, perhaps blending NAC technologies from Cisco and TCG to give software vendors and enterprises the most choice, he said.

In the end, submitting CTA as an open source application may just be a politically correct way of throwing in the towel on an application that had become irrelevant, said Oltsik.

"It's a feel-good move," Oltsik said, but one without much force as long as the NAC protocols used by CTA remain firmly in Cisco's grasp.

This story, "Cisco going open source with NAC client" was originally published by InfoWorld.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)