Microsoft, Cisco not in sync on security

SAN JOSE – While Microsoft and Cisco continue the hard sell on their respective visions for quarantine-based endpoint security, customers and industry experts are asking hard questions about cost, complexity and the willingness of these industry giants to work together.

The dual dynamics were on display at last week’s RSA Conference 2006 (see our complete coverage), where Microsoft Chief Software Architect Bill Gates and Cisco CEO John Chambers each used the term “ecosphere” in describing the need to have a broad swath of security vendors in the anti-virus, patch management and endpoint security arenas cooperating to support a common framework that recognizes violations of security policy and restricts access until remediation takes place.

That Gates and Chambers were talking about separate frameworks was not lost on the audience. Microsoft and Cisco are fostering individual technology alliances to back their visions – with many vendors playing in both. Despite assurances to customers more than a year ago that they would merge their efforts, that issue remains unresolved.

This uncertainty has contributed to widespread skepticism about both initiatives, known as Microsoft’s Network Access Protection (NAP) – expected out with the Vista operating system later this year – and Cisco’s Network Admission Control (NAC), currently in its first release of client software and support on Cisco gear.

“Conceptually, this is a fantastic idea,” said conference attendee Keith Weisman, senior security engineer for OfficeMax in Itasca, Ill. “But I’m still generally skeptical. And we’re also wondering what this is going to cost.”

OfficeMax has turned to other approaches, including Lancope’s StealthWatch appliance, to internally monitor for worm infections, spyware and intrusions.

In a conference session on network-access control, Gartner analyst Lawrence Orans alluded to the angst caused by the lack of news from Cisco and Microsoft as to how they will merge their technologies. The companies pledged in October 2004 that they would cooperate to ensure that NAP and NAC worked together. Orans invited panelists Khaja Ahmed, Microsoft software architect, and Russell Rice, Cisco’s director of marketing, to clarify how far any joint effort has progressed.

Ahmed said NAP “will cause you to re-architect your network” and will “bind together two distinct groups,” that today are largely separate – network and applications security. He also said “we don’t have a committed road map” for any joint technology with Cisco and that the NAP effort was turning out to be more complex than once thought.

Rice said the work with Microsoft is ongoing.

NAC works for user

The enterprise customer on the panel, Frank Watts, senior architect in the IT risk-management division at JP Morgan Chase & Co., said he tested the Cisco NAC-based Trust software with LANs in a lab, and it did work to determine the need for Symantec anti-virus on desktops.

“It worked pretty much as advertised,” said Watts, who added that JP Morgan Chase sees huge potential in using this type of endpoint security to identify risky or infected computers, quarantine them and get them up to speed quickly in terms of safety.

But Watts said the firm decided to wait for Cisco’s Phase II NAC and is looking at a few alternatives, including software developed by Sygate, which was acquired late last year by Symantec. He said Sygate had been seen as a start-up that was more risky, but after Symantec bought Sygate its software (now called Symantec Policy Enforcer) was considered a viable possibility.

“I’m waiting for the market to mature,” said another RSA attendee, Mark Butler, security services manager at H&R Block in Kansas City, Mo. He said taking a quarantine action against a desktop would be a significant step with management implications that needed to be better understood.

Vendors seem to be making network-access control announcements every day. 3Com Chief Technology and Strategy Officer Marc Willebeek-LeMair, in his keynote address at RSA, outlined how 3Com’s intrusion-prevention system, TippingPoint, is undergoing changes over the next few months so it will restrict access control and perform quarantine functions using Microsoft’s upcoming NAP client, and perhaps other methods as well.

Willebeek-Lemair said there should be an “open ecosystem” and a “framework” so “best-of-breed” technologies can work together.

Irrespective of what happens between Microsoft and Cisco, some security managers argue that quarantine of a desktop is radical and disruptive.

They say such a move will require a tough review by IT departments and business management before going forward with policy-based network-access control.

“You have to talk about what effects you have on the business,” said Patricia Myers, chair of the ISC2, the IT security professionals membership organization.

Quarantining endpoint devices “is going to have a considerable impact on end users, and you have to ask about the cost,” she said.