Cisco Expands NAC Profile


Network Access Control (NAC) is one of the great cornerstones of Cisco’s
Self-Defending Network initiative, which promises end-to-end security for
enterprise networks.

Cisco is now expanding its NAC offering with a new
module for its widely deployed Integrated Services Router (ISR), as well as a new
profiling tool that applies a behavior-based profiling approach for device
identification and enforcement.


“It’s effectively lowering the barrier to entry for NAC,” Dee Dee Pare,
marketing manager for Cisco’s Advanced Routing Technology Group, told
InternetNews.com. “With the total cost of ownership benefits, it’s an
opportunity for the branch office to go ahead and put the NAC appliance
capabilities right into the branch, and issues can be handled locally instead
of being sent across the WAN.”


Cisco users have historically had to use a separate NAC appliance to perform
NAC functions, but with the Cisco NAC Network Module for ISRs, NAC can be
integrated into the same platform that many branch offices are already using
for routing, intrusion prevention (IPS) and VPN.


The module itself runs its own Cisco-enhanced, hardened Linux operating
system. It also has its own dedicated processing capabilities so NAC
enforcement can be done at the network’s speed without impacting
performance. Pare also noted that the NAC module will consume less
power than a separate dedicated NAC appliance.


Though the NAC Network Module offers cost of ownership and operational
advantages, it may not necessarily be the right fit for everyone. That’s why
Cisco will continue to develop and support its standalone NAC appliance portfolio.


“The idea is that the module helps to fill out the portfolio and lowers
the barrier of entry for small business and branches,” Pare
explained. But, she added, there are reasons for choosing an appliance and
reasons why a network module would make sense.


In addition to expanding NAC deployment options, Cisco is also expanding the
discovery and enforcement options for NAC with its new NAC Profiler.


“Historically NAC has been focused on PCs — things with an operating system
and a keyboard,” Brendan O’Connell, Cisco NAC product marketing manager,
explained. “The types of checks done have been focused on the health of the
operating system, making sure it has the right patches, etc.

“What we haven’t paid attention to is non-PC devices — the printers, the door
readers, the IP telephone; those have largely been handled on an exception
basis.”


The exception basis means a user needs to go case by case,
manually creating a NAC policy exception that permits access to the network.
It’s a process that is both time-consuming and not entirely secure. Cisco
NAC Profiler is intended to automate non-PC NAC admission in a secure
fashion.


O’Connell explained that the profiler does a posture assessment of the
non-PC devices and watches the device behavior, making a NAC decision based
on what the device actually does.


Over the last few years, NAC has become one of the most hyped and competitive
sectors of the networking industry. It’s an area that Cisco helped to create
and one in which it already has widespread deployment, which has helped Cisco
to evolve the product line.


“One of the great things about having a lot of customers is we have a lot of
visibility into what their needs are and how they are using the products,”
O’Connell said.


The fact that Cisco has such a large networking portfolio also is something
that O’Connell sees as a competitive advantage for Cisco.


“This [NAC] is one of the strongest areas that Cisco can bring value to a
customer,” O’Connell said. “It’s very difficult for a smaller company to
have the type of breadth that we have and to bring a solution that
encompasses all the options.

“It is one of our clear advantages that we have
over others where they’re limited to single appliance form factor and what
types of things they can get in and out of that.”


Cisco isn’t done expanding NAC’s footprint yet, either. O’Connell noted
Cisco’s next developments in NAC will be about more flexibility in
deployment options and broadening the capabilities of NAC.


Among those new capabilities will be developments in the area of NAC guest
services. That is, NAC functionality for people whom enterprises know to be
transient, helping to provision appropriate access for them.


“We’re trying to kick the doors down and not make NAC so much about what
it’s been able to do, but also kicking the doors down to see what other
things we could be doing with NAC,” O’Connell said.
