Network Access Control (NAC) is one of the great cornerstones of Cisco’s
Self-Defending Network initiative, which promises end-to-end security for
Cisco is now expanding its NAC offering with a new
module for its widely deployed Integrated Services Router (ISR), as well as a new
profiling tool that applies a behavior-based profiling approach for device
identification and enforcement.
“It’s effectively lowering the barrier to entry for NAC,” Dee Dee Pare,
marketing manager for Cisco’s Advanced Routing Technology Group, told
InternetNews.com. “With the total cost of ownership benefits, it’s an
opportunity for the branch office to go ahead and put the NAC appliance
capabilities right into the branch, and issues can be handled locally instead
of being sent across the WAN.”
Cisco users have historically had to use a separate NAC appliance to perform
NAC functions, but with the Cisco NAC Network Module for ISRs, NAC can be
integrated into the same platform that many branch offices are already using
for routing, intrusion prevention (IPS) and VPN.
The module itself runs its own Cisco enhanced, hardened Linux operating
system. It also has its own dedicated processing capabilities so NAC
enforcement can be done at the network’s speed without impacting
performance. Pare also noted that the NAC module will consume less
power than a separate dedicated NAC appliance.
Though the NAC Network Module offers cost of ownership and operational
advantages, it may not necessarily be the right fit for everyone. That’s why
Cisco will continue to develop and support its standalone NAC appliance portfolio.
“The idea is that the module helps to fill out the portfolio and lowers
the barrier of entry for small business and branches,” Pare
explained. But, she added, there are reasons for choosing an appliance and reasons why a network module would make sense.
In addition to expanding NAC deployment options, Cisco is also expanding the
discovery and enforcement options for NAC with its new NAC Profiler.
“Historically NAC has been focused on PCs — things with an operating system
and a keyboard,” Brendan
O’Connell, Cisco NAC product marketing manager, explained. “The types of checks done have been focused on the health of the operating system, making sure it has the right patches, etc.
“What we haven’t
paid attention to is non-PC devices — the printers, the door readers, the IP
telephone; those have largely been handled on an exception basis.”
The exception basis means a user needs to go on a case-by-case basis to
manually create a NAC policy exception that permits access to the network.
It’s a process that is both time consuming and not entirely secure. Cisco
NAC Profiler is intended to automate the non-PC NAC admission in a secure
O’Connell explained that the profiler does a posture assessment of the
non-PC devices and watches the device behavior, making a NAC decision based
on what the device actually does.
NAC over the last few years has become one of the most hyped and competitive
sectors of the networking industry. It’s an area that Cisco helped to create
and one in which it already has widespread deployment, which has helped Cisco
to evolve the product line.