Cisco Adds Switch Support To Endpoint Security Tools

Computerworld - An upgrade of Cisco Systems Inc.'s Network Admission Control (NAC) technologies, announced last week, adds wider hardware support and several features designed to help companies better protect their networks against insecure endpoint devices.

But network managers and analysts said the fact that the NAC offering is supported only on relatively new networking equipment from Cisco is likely to limit its appeal.

"I think they're moving in the right direction," said Jim Kirby, a network engineer at Wells' Dairy Inc. in Le Mars, Iowa. But adopting NAC anytime soon would be a challenge because of the upgrades that the ice cream processor would have to make to its network infrastructure, he said.

As part of the NAC initiative, Cisco is selling a line of tools that can permit, restrict or deny admission to corporate networks based on the security status of end-user systems. The products include agent software for collecting security data from client systems, network appliances that enforce security rules and a policy management server.

Until now, the technology has been available only on Cisco's routers. But the company said it plans to add support for NAC to its Catalyst switches by the end of next month. And as of last week, the products could be used with Cisco's wireless networking devices.

Cisco is also making it possible for companies to enforce security policies on systems they don't own, such as PCs belonging to contractors and business partners. Cisco is delivering the agentless capability in conjunction with security vendors Altiris Inc., Qualys Inc. and Symantec Corp.

Extending Its Reach

Bob Gleichauf, chief technology officer for Cisco's Security Technology Group, said that more than 60 other vendors are now participating in the NAC program, up from the three partners Cisco had when it shipped an initial set of products in June 2004.

The fact that Cisco has finally extended NAC support to its switches should make the technology more interesting to IT managers, said Joel Conover, an analyst at Current Analysis Inc. in Sterling, Va.

"The closer to the PC or the endpoint that you can provide enforcement, the less chance that some malicious software that is on one PC can spread to others," he said.

Even so, the availability of NAC on only Cisco's equipment could be of some concern to users who don't want to get locked into a proprietary technology, Conover noted. He added that the cost of upgrading to new routers and switches is another potential roadblock for users.

Those are some of the reasons why Tripos Inc. won't be able to adopt NAC in the foreseeable future, said Jerry Wintrode, a senior network architect at the St. Louis-based drug research company.