Network Access Control (NAC) is one of the great cornerstones of Cisco's Self Defending Network initiative, which promises end-to-end security for enterprise networks.
Cisco is now expanding its NAC offering with a new module for its widely deployed Integrated Services Router (ISR), as well as a new profiling tool that applies a behavior-based profiling approach for device identification and enforcement.
"It's effectively lowering the barrier to entry for NAC," Dee Dee Pare, marketing manager for Cisco's Advanced Routing Technology Group, told InternetNews.com. "With the total cost of ownership benefits, it's an opportunity for the branch office to go ahead and put the NAC appliance capabilities right into the branch, and issues can be handled locally instead of being sent across the WAN."
Cisco users have historically had to use a separate NAC appliance to perform NAC functions, but with the Cisco NAC Network Module for ISRs, NAC can be integrated into the same platform that many branch offices are already using for routing, intrusion prevention (IPS) and VPN.
The module itself runs its own Cisco-enhanced, hardened Linux operating system. It also has its own dedicated processing capabilities so NAC enforcement can be done at the network's speed without impacting performance. Pare also noted that the NAC module will consume less power than a separate dedicated NAC appliance.
Though the NAC Network Module offers cost of ownership and operational advantages, it may not necessarily be the right fit for everyone. That's why Cisco will continue to develop and support its standalone NAC appliance portfolio.
"The idea is that the module helps to fill out the portfolio and lowers the barrier of entry for small business and branches," Pare explained. But, she added, there are reasons to choose an appliance and reasons why a network module would make sense.
In addition to expanding NAC deployment options, Cisco is also expanding the discovery and enforcement options for NAC with its new NAC Profiler.
"Historically NAC has been focused on PCs -- things with an operating system and a keyboard," Brendan O'Connell, Cisco NAC product marketing manager, explained. "The types of checks done have been focused on the health of the operating system, making sure it has the right patches, etc.
"What we haven't paid attention to is non-PC devices -- the printers, the door readers, the IP telephone; those have largely been handled on an exception basis."
Handling devices on an exception basis means a user has to manually create, case by case, a NAC policy exception that permits each device access to the network. It's a process that is both time-consuming and not entirely secure. Cisco NAC Profiler is intended to automate the non-PC NAC admission in a secure fashion.
O'Connell explained that the profiler does a posture assessment of the non-PC devices and watches the device behavior, making a NAC decision based on what the device actually does.
Over the last few years, NAC has become one of the most hyped and competitive sectors of the networking industry. It's an area that Cisco helped to create and one in which it already has widespread deployment, which has helped Cisco to evolve the product line.