Cisco next week will announce availability of its Network Admission Control security technology for Cisco routers, and lay out a road map for adding NAC capabilities to its lines of LAN switches.

These technologies, coupled with the fact that later this year the company plans to offer NAC to standards bodies and other vendors, could lead to automated network security on every desktop, preventing PCs from spreading harmful traffic. But with the most critical phase of NAC — LAN switch support — and standardization plans not due out until early 2005, some observers say Cisco is not meeting users’ immediate security needs. Also, enterprise users say a standards-based technology is needed sooner for securing LANs and WANs.

First announced last November, NAC is supposed to make every piece of Cisco gear a security enforcement point, where client machines must meet security and policy criteria to access a router or switch port. Cisco partnered with Trend Micro, Symantec and Network Associates to make client-side anti-virus software work with Cisco’s Trust Agent software, a PC-based agent that communicates client security status to Cisco network equipment and security servers. In November 2003, Cisco aimed to deliver router support for NAC by the middle of this year, but future support on other equipment was uncertain. Now Cisco says its entire Catalyst switch line and VPN 3000 series products will be NAC-capable by the first quarter of next year.

NAC is being tested at United Parcel Service (UPS) as a potential security measure. “[NAC] could be another level of defense, but it can’t be the only defense,” says Ed Gotthelf, director of network architecture for UPS in Atlanta.
Gotthelf says NAC “is a step in the right direction,” but he says he would like to see a more industry-wide approach to LAN/WAN security. “What the industry should do is rally around one solution that’s fully interoperable,” he says. UPS has an installed base of Cisco routers and switches, along with equipment from other vendors. “One solution [is needed] that works with all software platforms and all networking platforms, so it can run on your Nortel and Cisco and other products,” he says.

Cisco is working on this, according to Russell Rice, product marketing manager at the company. “When we first announced [NAC], we said upfront that a goal was to provide an open framework on how network security gets done,” Rice says.

Part of Cisco’s Phase II plan for NAC is to propose NAC’s authentication technology as a standard to the IETF this August. Additional plans include opening the Trust Agent API to any vendor interested in writing software that works with NAC, on the client or server side. This would let vendors of client software, server software and network equipment create products that work in a NAC infrastructure. Cisco would not give a definitive time frame as to when switches and routers from competing vendors could plug into NAC via standards-based technology.

Another NAC feature, due next year, is a client audit technology for assessing non-PC machines — such as printers, IP phones, cameras and network appliances — that try to access a network; the company is working with a few network auditing vendors on this part of NAC. Also, NAC now works only on Windows 2000, NT and XP clients. Support is planned for Linux and Solaris machines by the fourth quarter of this year, Cisco says.

Missing from Phase II of NAC is a plan for wireless. Cisco’s Rice says Layer 2 NAC support for Cisco Aironet gear will be introduced in a later phase sometime next year.
In the meantime, users can implement Layer 3 NAC configurations by putting NAC-enabled Cisco routers behind Aironet access points to enforce anti-virus and security policies.

NAC works by having Trust Agents — available for free from Cisco — check the status of anti-virus software on client machines when a PC or laptop attempts to access a Cisco-based network. The NAC authentication process begins with a message based on Extensible Authentication Protocol (EAP), running over User Datagram Protocol (UDP). Access control lists (ACL) on the routers are set to block all traffic except EAP over UDP, so an unassessed client can do nothing but start the admission exchange. The router then relays the connection attempt to a back-end Cisco Access Control Server, which verifies end-user credentials and returns the network policy, which the router applies to the client. Depending on the configuration, clients can be permitted access, blocked or quarantined, in which case they get only limited network access. (This EAP/UDP-based scheme will be proposed as an RFC to the IETF.) Cisco plans to move this authentication scheme to EAP over 802.1X when it adds NAC support for Layer 2 switches next year.

Some observers say Cisco’s NAC blueprint will be a good additional security layer in a Cisco-based infrastructure. But the capabilities offered now are not unique, and the release timeframe might be too drawn out for customers who face new security threats on a weekly or daily basis. “Some enterprises are suffering badly right now from infections of mobile laptops,” says Mark Bouchard, an analyst with Meta Group.
He says individual and joint product offerings from vendors such as Network Associates, Check Point, Nortel and Sygate already deliver what Cisco is making available next week.

Also, the road map for including LAN switch support in NAC “is not a lot different than what Enterasys talks about right now,” says Zeus Kerravala, an analyst with The Yankee Group. “What Cisco has going for it is the lion’s share of the enterprise switch market,” Kerravala says.
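The Layer 3 admission flow the article describes (pre-admission ACL that passes only EAP over UDP, posture relayed to the ACS, ACS returns a permit/quarantine/deny policy that the router applies) is easier to reason about as a small model. The following Python is an added illustration written for this page; it is not Cisco's code and not from the article. The UDP port 21862 is Cisco's documented default for EAP over UDP but is not stated in the article, and the addresses, the signature-version threshold, the remediation host and the simplified first-match ACL are all assumptions made for the example.

```python
# Toy model of the Layer 3 NAC admission flow. Editor's illustration, not Cisco code:
# port number, addresses, thresholds and the ACL model are assumptions for the example.
from dataclasses import dataclass, field
from typing import Optional

EAPOUDP_PORT = 21862             # Cisco's default EAP-over-UDP port (assumed; not in the article)
REQUIRED_SIG_VERSION = 4000      # hypothetical minimum AV signature version
REMEDIATION_SERVER = "10.0.9.5"  # hypothetical host that quarantined clients may still reach


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Posture:
    """What the Trust Agent reports about the client (fields constructed for the example)."""
    agent_present: bool
    av_running: bool = False
    av_sig_version: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-control entry; "any" and None are wildcards."""
    action: str                  # "permit" or "deny"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst == "any" or self.dst == pkt.dst)
                and (self.proto == "any" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def acl_permits(acl: list[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def preauth_acl(router_ip: str) -> list[Ace]:
    """Interface ACL before admission: only EAPoUDP to the router itself passes."""
    return [Ace("permit", router_ip, "udp", EAPOUDP_PORT), Ace("deny")]


def acs_decide(posture: Posture) -> tuple[str, list[Ace]]:
    """Back-end ACS policy: returns the decision and the ACL the router must apply."""
    if not posture.agent_present or not posture.av_running:
        # A clientless host (printer, IP phone, or a removed agent) cannot be assessed by
        # this scheme; this policy blocks it. The audit feature for such devices is later.
        return "deny", [Ace("deny")]
    if posture.av_sig_version < REQUIRED_SIG_VERSION:
        # Quarantine: only the remediation server is reachable until signatures are updated.
        return "quarantine", [Ace("permit", REMEDIATION_SERVER), Ace("deny")]
    return "permit", [Ace("permit")]


@dataclass
class RouterPort:
    """One NAC-enabled router interface with a single client behind it."""
    router_ip: str
    acl: list[Ace] = field(init=False)

    def __post_init__(self) -> None:
        self.acl = preauth_acl(self.router_ip)

    def admit(self, host_ip: str, posture: Posture) -> str:
        """The client's EAPoUDP message must pass the pre-auth ACL; the router relays the
        posture to the ACS and installs the returned ACL in place of the pre-auth one."""
        hello = Packet(host_ip, self.router_ip, "udp", EAPOUDP_PORT)
        if not acl_permits(self.acl, hello):
            raise RuntimeError("pre-auth ACL must allow EAPoUDP or nothing can be admitted")
        decision, acl = acs_decide(posture)
        self.acl = acl
        return decision

    def forwards(self, pkt: Packet) -> bool:
        return acl_permits(self.acl, pkt)


def run_scenarios() -> dict[str, tuple[str, bool, bool]]:
    """Three constructed clients: (decision, reaches remediation host, reaches Internet)."""
    clients = {
        "current-av": Posture(agent_present=True, av_running=True, av_sig_version=4012),
        "stale-av": Posture(agent_present=True, av_running=True, av_sig_version=3890),
        "no-agent": Posture(agent_present=False),
    }
    results = {}
    for name, posture in clients.items():
        port = RouterPort("192.0.2.1")
        decision = port.admit("192.0.2.10", posture)
        to_remediation = port.forwards(Packet("192.0.2.10", REMEDIATION_SERVER, "tcp", 80))
        to_internet = port.forwards(Packet("192.0.2.10", "203.0.113.7", "tcp", 80))
        results[name] = (decision, to_remediation, to_internet)
    return results


if __name__ == "__main__":
    for name, (decision, remediation, internet) in run_scenarios().items():
        print(f"{name:11s} {decision:10s} remediation={remediation} internet={internet}")
```

The model deliberately keeps one client per interface and a first-match ACL so the three outcomes stay visible: a current client gets a permit-any ACL, a stale client is confined to the remediation host, and a clientless host is dropped outright. A real deployment also needs the exception handling for printers and phones that the article says is still to come, and it should be run alongside, not instead of, host-based defenses, as the UPS architect quoted above points out.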