Getting the NAC of Network Security
Groundbreaking program coordinates defenses between the network and computers
November 18, 2003
By Charles Waltner, News@Cisco
Designed to dramatically increase the ability of data networks to protect themselves against viruses, worms, and other security threats, Cisco Systems recently announced the Cisco Network Admission Control (NAC) program. NAC will use Cisco routers to enforce admission privileges for "end-point" devices--personal computers, servers, or PDAs--based on the security status of those end-points and their compliance with the network's security policies.
"This is the first example of a much more dynamic network security architecture that can respond automatically to attacks and threats," says Bob Gleichauf, the chief designer of the concept. "Clearly, businesses have been significantly affected by viruses and worms, so we needed to find a better way to protect their networks, systems and applications."
Innovative technology for the NAC program includes the Cisco Trust Agent, a small piece of client-based software that resides on computers and other end-points and communicates end-point security information to the Cisco network via the Cisco Secure Access Control Server. The Access Control Server executes the admission decision, permitting, denying, quarantining or restricting the end-point's network access. The Cisco Trust Agent collects security state information from multiple security software clients, such as anti-virus clients or the Cisco Security Agent, Cisco's host intrusion prevention and distributed firewall software for laptops, desktops and servers, which identifies and blocks malicious behavior before it can do damage. The Cisco Security Agent has already proven its mettle by stopping the Nimda, Code Red, Slammer and Blaster worms with out-of-the-box policies. The NAC program will initially support end-point devices running the Microsoft Windows NT, 2000 and XP operating systems.
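As an added illustration (not Cisco code, and not part of the original article), the following shows how the admission decision described above reduces to a policy evaluated over posture attributes that an endpoint agent reports. The Posture fields, the signature-age threshold, the supported-OS list and the mapping of each rule to permit, deny, quarantine or restrict are all assumptions made for the example; the sample reports are constructed.

```python
"""Posture-based admission decision, modelled on the NAC flow described above.

Added example, not Cisco's code. An agent-style posture report for an
endpoint is checked against a site policy and mapped to one of the four
outcomes the article names: permit, deny, quarantine, restrict.
Field names, thresholds and rules are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Posture:
    """What a posture agent might collect from AV and host-IPS clients."""
    host: str
    os: str                        # OS family as reported by the agent
    av_vendor: Optional[str]       # None: no anti-virus client found
    av_running: bool               # AV real-time protection active
    av_sig_date: Optional[date]    # date of the installed signature set
    hips_installed: bool           # host intrusion prevention agent present


# Assumed policy: initial NAC scope in the article covers these Windows versions.
SUPPORTED_OS = {"Windows NT", "Windows 2000", "Windows XP"}
# Assumed policy: signatures older than this are treated as stale.
MAX_SIG_AGE_DAYS = 7


def decide(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Evaluate one posture report. Returns (decision, reasons).

    Caveat: everything here is self-reported by the endpoint agent, so the
    decision is only as trustworthy as that agent's integrity.
    """
    # Unknown or unsupported platform: the agent cannot vouch for it, so
    # allow only limited (e.g. guest) access rather than full admission.
    if p.os not in SUPPORTED_OS:
        return "restrict", [f"unsupported OS {p.os!r}: limited access only"]

    # No working anti-virus at all: refuse admission outright.
    if p.av_vendor is None or not p.av_running:
        return "deny", ["no running anti-virus client"]

    # AV present but signatures stale: the host is remediable, so send it to
    # a quarantine network where it can fetch updates.
    if p.av_sig_date is None or (today - p.av_sig_date).days > MAX_SIG_AGE_DAYS:
        return "quarantine", [
            f"anti-virus signatures older than {MAX_SIG_AGE_DAYS} days"
        ]

    # AV is fine but no host IPS: admit with reduced privileges.
    if not p.hips_installed:
        return "restrict", ["no host intrusion prevention agent installed"]

    return "permit", ["compliant with admission policy"]


def evaluate_all(reports: List[Posture], today: date) -> dict:
    """Map host name -> decision for a batch of posture reports."""
    return {p.host: decide(p, today)[0] for p in reports}


if __name__ == "__main__":
    # Constructed sample reports; the date matches the article's publication.
    today = date(2003, 11, 18)
    samples = [
        Posture("pc1", "Windows XP", "Symantec", True, date(2003, 11, 15), True),
        Posture("pc2", "Windows XP", None, False, None, True),
        Posture("pc3", "Windows XP", "Trend Micro", True, date(2003, 10, 1), True),
        Posture("pc4", "Windows 2000", "Symantec", True, date(2003, 11, 17), False),
        Posture("pda1", "PalmOS", None, False, None, False),
    ]
    for p in samples:
        decision, reasons = decide(p, today)
        print(f"{p.host:5} -> {decision:10} ({'; '.join(reasons)})")
```

The ordering of the rules matters: the hard refusal (no anti-virus) is checked before the remediable condition (stale signatures), so a host is only quarantined when quarantine can actually fix it. Whatever the rules, the evaluator can only act on what the agent tells it, which is why the article stresses that the agent and the anti-virus clients it queries must come from cooperating vendors.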
While other equipment vendors offer stand-alone appliances that check the security status of client devices, the Cisco Self-Defending Network security strategy offers such security built into the routers and switches running Cisco networks, making for a more comprehensive and effective security approach.
Cisco has created the NAC program in conjunction with leading anti-virus software companies, including Network Associates, Symantec and Trend Micro. Such industry collaboration is key to the success of the NAC program, since the network will need to know what, if any, protection end-point computers have before allowing them network access. This lets businesses leverage their existing investment in Cisco network infrastructure and anti-virus software to better protect themselves.
The NAC program is a key component of Cisco's Self-Defending Network, an innovative, multi-year security vision that takes a fundamentally new approach to network security. Until now, network security and computer security were dealt with separately. Cisco's Self-Defending Network breaks from the traditional approach of creating separate security products for networks and the computers attached to them. Instead, it treats the network and end-point devices as all part of the same "system."
The Self-Defending Network's goal is to create greater security coordination between the network and its associated computers, servers and other devices. Much in the same way the human body identifies, prevents and responds to threats, the Self-Defending Network fights against the infiltration and spread of computer viruses, worms and other deleterious programs across Cisco networks.
And that should make everyone who depends on healthy networks feel better.
Charles Waltner is a freelance journalist based in Oakland, Calif.