RealTime IT News

Cisco Expands NAC Profile

Network Access Control (NAC) is one of the great cornerstones of Cisco's Self Defending Network initiative, which promises end-to-end security for enterprise networks.

Cisco is now expanding its NAC offering with a new module for its widely deployed Integrated Services Router (ISR), as well as a new profiling tool that applies a behavior-based profiling approach for device identification and enforcement.

"It's effectively lowering the barrier to entry for NAC," Dee Dee Pare, marketing manager for Cisco's Advanced Routing Technology Group, told InternetNews.com. "With the total cost of ownership benefits, it's an opportunity for the branch office to go ahead and put the NAC appliance capabilities right into the branch, and issues can be handled locally instead of being sent across the WAN."

Cisco users have historically had to use a separate NAC appliance to perform NAC functions, but with the Cisco NAC Network Module for ISRs, NAC can be integrated into the same platform that many branch offices are already using for routing, intrusion prevention (IPS) and VPN.

The module itself runs its own Cisco-enhanced, hardened Linux operating system. It also has its own dedicated processing capabilities so NAC enforcement can be done at the network's speed without impacting performance. Pare also noted that the NAC module will consume less power than a separate dedicated NAC appliance.

Though the NAC Network module offers cost of ownership and operational advantages, it may not necessarily be the right fit for everyone. That's why Cisco will continue to develop and support its standalone NAC appliance portfolio.

"The idea is that the module helps to fill out the portfolio and lowers the barrier of entry for small business and branches," Pare explained. But, she added, there are reasons for choosing an appliance and reasons why a network module would make sense.

In addition to expanding NAC deployment options, Cisco is also expanding the discovery and enforcement options for NAC with its new NAC Profiler.

"Historically NAC has been focused on PCs -- things with an operating system and a keyboard," Brendan O'Connell, Cisco NAC product marketing manager, explained. "The types of checks done have been focused on the health of the operating system, making sure it has the right patches, etc.

"What we haven't paid attention to is non-PC devices -- the printers, the door readers, the IP telephone; those have largely been handled on an exception basis."

The exception basis means a user needs to go on a case-by-case basis to manually create a NAC policy exception that permits access to the network. It's a process that is both time-consuming and not entirely secure. Cisco NAC Profiler is intended to automate the non-PC NAC admission in a secure fashion.

O'Connell explained that the profiler does a posture assessment of the non-PC devices and watches the device behavior, making a NAC decision based on what the device actually does.

NAC over the last few years has become one of the most hyped and competitive sectors of the networking industry. It's an area that Cisco helped to create and one in which it already has widespread deployment, which has helped Cisco to evolve the product line.

"One of the great things about having a lot of customers is we have a lot of visibility into what their needs are and how they are using the products," O'Connell said.

The fact that Cisco has such a large networking portfolio also is something that O'Connell sees as a competitive advantage for Cisco.

"This [NAC] is one of the strongest areas that Cisco can bring value to a customer," O'Connell said. "It's very difficult for a smaller company to have the type of breadth that we have and to bring a solution that encompasses all the options.

"It is one of our clear advantages that we have over others where they're limited to single appliance form factor and what types of things they can get in and out of that."

Cisco isn't done expanding NAC's footprint yet, either. O'Connell noted Cisco's next developments in NAC will be about more flexibility in deployment options and broadening the capabilities of NAC.

Among those new capabilities will be developments in the area of NAC guest services: NAC functionality for people whom enterprises know to be transient, helping to provision appropriate access for them.

"We're trying to kick the doors down and not make NAC so much about what it's been able to do, but also kicking the doors down to see what other things we could be doing with NAC," O'Connell said.