Slashdot Mirror


Cisco Updates Network Security Technology

Beatles-Beatles writes to tell us that Cisco has announced an enhanced version of its Network Admission Control (NAC) technology. From the article: "Under its NAC initiative, Cisco is developing a range of tools that let companies permit, deny, quarantine or restrict admission to networks based on an end user's security status."

9 of 76 comments

  1. How to "trust" the computer by tepples · · Score: 3, Informative

    The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer.

    Easy. Just make the computer run a scan on itself (using an approved dialer program) and then prove, using Trusted Computing techniques, that it ran the scan that it says it ran. These PDFs explain the process.

  2. Cisco moving up to the application layer by mparaz · · Score: 2, Informative

    It looks like Cisco branded products are moving up the application layer to enterprise products. Perhaps plain IP is now a commodity - they have retained the Linksys brand and not folded the products into "Cisco."

    The PCs mentioned in the article could be clients for their application oriented networking and message queueing architecture and product line.

  3. Clueless Analyst Syndrome by Glamdrlng · · Score: 3, Informative

    The fact that Cisco has finally extended NAC support to its line of switches means that users are likely to be more interested in the technology than they were when it was only available on Cisco routers, said Joel Conover, an analyst at Current Analysis Inc. in Sterling, Va.

    Eh? NAC has been available on Cisco switches for a while now. Technically it's been available since they started supporting 802.1x, and switches have been compatible with the Cisco Security Agent since it was developed about a year ago. In fact, I haven't heard of routers being used in conjunction with NAC, CSA, or 802.1x. The only admissions control routers have ever done is access lists, which of course are also supported on layer 3 switches.

    Mr. Conover: did you actually do any research on the technology involved or did you just read through the glossies and spew out something you remembered from the CCNA class you took 5 years ago?
    --
    Yes, my only tool is a hammer. And you're starting to look like a nail.

    1. Re:Clueless Analyst Syndrome by sportal · · Score: 4, Informative

      Reply to clueless slashdotter:

      NAC Phase 1 was deployed using EAPoUDP (EAP over UDP). It used routers to quarantine devices. It is a layer 3 solution. Other devices could still infect layer 2 connected devices.

      NAC Phase 2 (just announced) is deployed using EAPo802.1x (EAP over 802.1x). It uses switches to quarantine devices. It is a layer 2 solution. Thus an infected device cannot infect other layer 2 devices.

      http://www.acuitive.com/musings/hmv7-12.htm

      http://newsroom.cisco.com/dlls/2005/prod_101805.html

  4. For the Internetworking Challenged by Quirk · · Score: 4, Informative

    If, like me, internetworking isn't in your bailiwick, there are a couple of resources I've found handy.

    Cisco's Internetworking Technology Handbook is a bit dated but a great base resource downloadable in pdf.

    Pair the above with IBM's TCP/IP Tutorial and Technical Overview, and round things off by downloading Babel: A Glossary of Computer Oriented Abbreviations and Acronyms since you'll be in acronym hell.

    Probably few /.ers need the above but they've given me a good overview and reference.

    For What it's Worth :)

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen

  5. Re:You can't block the CEO by Anonymous Coward · · Score: 5, Informative

    I was actually at a security conference a few weeks ago and a guy from Cisco presented some of their new stuff including this. Basically your computer will have to have some kind of antivirus software on it and communicate about it to gain access to the network. Right now it's limited to about 10 vendors, and it is a closed protocol. He mentioned that eventually they would open it up and also add more vendors (missing was AVG :( ).

    If you don't have proof that you ran those tools, you may not have to worry about being completely shut out of the network. You may just be admitted onto the network in a restricted way. Maybe only allowed to receive email, browse (maybe certain sites), etc.

    Another cool thing is that all this will sit on the front of your network and be coupled with another product. Actually it may be all one product, I can't remember for sure. But the other part is a way to simplify managing your network in the event of an outbreak of a new worm, virus, etc. The way it worked was they were partnered with an AV company (I think Trend Micro maybe) and as soon as that company finds out about a new worm, they can send out some loose information about it. Maybe that it tries to propagate on outgoing port 666, and your router would download this information and block port 666. It would also be able to update all the routers in your network. This would be in roughly 15 minutes of learning of the new attack. Then within typically 90 minutes they will have out a way to digitally fingerprint this attack, and more specific rules are downloaded to the routers. Think something like the string Code Red sent out could be blocked.

    This would be a very fast solution to contain these things, especially when you think of large networks at say a large university or corporation with lots of routers. Way faster than what an admin could do by hand. Also it could be configured as to what ports could be blocked. Think not blocking outgoing port 80. Although I never got a clear answer about how this would work in the 15 minute part of initially just blocking a port since some worms do propagate on these commonly used ports. I'm sure they'll work all this out :)

    Let's just hope they stick to opening up the protocols in this trusted networking approach so that more vendors can get involved. If so, I don't think we have to fear trusted computing as this is an example of how it could be a _good_ thing.
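The two-stage containment the commenter describes (a coarse port block within minutes, a content fingerprint later) is easy to model. The following is an added example written for this mirror, not Cisco's product or the vendor feed; the advisory fields, the ACL syntax, the `match-content` rule form and the protected-port list are all constructed. Its point is the open question in the comment: the first stage must not cut ports like 80 outright, so those are deferred until a signature exists and then filtered rather than blocked.

```python
"""Toy two-stage outbreak containment (added example, not Cisco's product).

Stage 1 blocks the propagation port named in a vendor advisory, but
never a port on the operator's protected list. Stage 2 applies a content
fingerprint on every port once one exists. Advisory fields, the ACL
syntax and the protected-port list are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTECTED_PORTS = {80, 443, 53}   # constructed: never cut these outright


@dataclass
class Advisory:
    name: str
    proto: str                       # "tcp" or "udp"
    ports: List[int]                 # ports the worm propagates on
    signature: Optional[str] = None  # content fingerprint, None until stage 2


def coarse_rules(adv: Advisory) -> Tuple[List[str], List[int]]:
    """Stage 1 (minutes): port blocks, minus protected ports.
    Returns (acl lines, ports deferred until a signature exists)."""
    rules, deferred = [], []
    for port in adv.ports:
        if port in PROTECTED_PORTS:
            deferred.append(port)
        else:
            rules.append(f"deny {adv.proto} any any eq {port}")   # assumed ACL syntax
    return rules, deferred


def specific_rules(adv: Advisory) -> List[str]:
    """Stage 2 (later): content match on all ports, protected ones included,
    so traffic on port 80 is filtered rather than cut."""
    if adv.signature is None:
        return []
    return [f'drop {adv.proto} any any eq {port} match-content "{adv.signature}"'
            for port in adv.ports]       # assumed syntax for a content-matching rule


def containment_plan(adv: Advisory) -> Dict[str, object]:
    """Everything a push to the routers would carry for this advisory."""
    stage1, deferred = coarse_rules(adv)
    return {"name": adv.name, "stage1": stage1, "deferred": deferred,
            "stage2": specific_rules(adv)}


if __name__ == "__main__":
    adv = Advisory("constructed-worm", "tcp", [666, 80])
    print(containment_plan(adv))            # port 80 deferred, 666 blocked
    adv.signature = "CONSTRUCTED-SIG"
    print(containment_plan(adv)["stage2"])  # now both ports get a content rule
```

The deferred list is the useful output: it tells the operator which propagation paths stay open during the first window, so that gap can be watched (or covered by a rate limit) instead of silently ignored.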

  6. Compatibility? by fmwap · · Score: 3, Informative

    I wonder how this will work for non-Windows machines trying to gain access?

    Somebody mentioned the Cisco Clean Access Agent in a previous post, googling around a bit shows that only Windows is supported for the AV/Patch scan, and this is easily bypassed by changing the User-Agent on the HTTP login page. Details here

    Cisco's canned response is to use Nessus to determine the real OS, or write your own plugin. Although Windows boxen are probably the most common, and the biggest threat, non-Windows products need some sort of working bypass that doesn't involve simply spoofing the UA.

  7. Re:NAC sucks by Anonymous Coward · · Score: 1, Informative

    We're deploying NAC for Solaris, Linux, and OS X clients as well as Windows. Hosts which don't pass muster (can be defined by patch levels, a port scan, etc) can be placed on a fallback VLAN which of course you can apply whatever ACLs or security measures you like.

  8. Re:You can't block the CEO by Pii · · Score: 2, Informative

    So many salient points to choose from... Where to start...

    It's a good thing because:

    • It can rapidly harden an enterprise to a specific attack vector, preventing countless hours of isolating infected systems, and cleaning them individually.
    • Non-conforming systems can be granted access to the network in any manner that you choose: Non-conforming Windows systems can be put in a "dirty" or "quarantine" VLAN, with access just to the Internet, or to Virus Signature update servers. Other systems (Unix/Linux/etc.) can have a completely different policy, including full access.
    • You don't have to use it, but it's out there, and there's a lot of clueless organizations in the world that will benefit from it, and if they deploy it, that helps you too.

    I wasn't aware that Cisco was getting eaten alive by anyone. Yes, they are more expensive than most of their competition, but if you've ever dealt with the TAC (Cisco's Technical Assistance Center), it's a premium you don't mind paying.

    As for them sucking, to each his own. I'll take Cisco over you any time.

    --
    For those that would die defending it, Freedom
    has a sweet taste that the protected will never know.
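Several comments in this thread describe pieces of one admission decision: comment 1 wants the endpoint to prove it ran the scan it claims to have run, comment 6 shows why a self-reported User-Agent is not that proof, and comments 7 and 8 map the result to full access, a quarantine VLAN, or nothing. The block below is an added example for this mirror, not Cisco's NAC or CSA protocol. It uses an HMAC over a verifier-issued nonce as a stand-in for a TPM-backed attestation; the agent key, approved-vendor list, patch baseline and VLAN ids are all constructed.

```python
"""Toy NAC posture check (added example, not Cisco's NAC/CSA protocol).

The endpoint submits a posture report bound to a fresh challenge; the
network verifies integrity and freshness first, then maps the posture
to an access level. Key, vendor list, baseline and VLAN ids are constructed.
"""
import hashlib
import hmac
import json
import secrets

AGENT_KEY = b"constructed-agent-key"                 # constructed: enrolled at agent install
APPROVED_AV = {"Trend Micro", "Symantec", "McAfee"}  # constructed stand-in for the vendor list
MIN_PATCH_LEVEL = {"windows": 7, "linux": 3, "solaris": 2, "osx": 2}  # constructed baseline
VLAN = {"full": 10, "quarantine": 666, "deny": None}  # constructed VLAN ids


def issue_nonce() -> str:
    """Network side: a fresh challenge so an old report cannot be replayed."""
    return secrets.token_hex(16)


def agent_report(posture: dict, nonce: str, key: bytes = AGENT_KEY) -> dict:
    """Endpoint side: run the scan, then bind the result to the challenge.
    The HMAC stands in for the hardware-backed proof comment 1 alludes to."""
    body = json.dumps({"posture": posture, "nonce": nonce}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_report(report: dict, expected_nonce: str, key: bytes = AGENT_KEY):
    """Network side: check integrity and freshness before trusting any field.
    Returns the posture dict, or None if the report is forged or replayed."""
    expected = hmac.new(key, report["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report["mac"], expected):
        return None                        # tampered, or not from an enrolled agent
    data = json.loads(report["body"])
    if data.get("nonce") != expected_nonce:
        return None                        # replay of a report for an older challenge
    return data["posture"]


def decide(posture) -> str:
    """Map a verified posture to an access level."""
    if posture is None:
        return "deny"                      # nothing verifiable (no agent, or only a self-description)
    os_name = posture.get("os")
    baseline = MIN_PATCH_LEVEL.get(os_name, 1 << 30)   # unknown OS never meets the baseline
    patched = posture.get("patch_level", 0) >= baseline
    if os_name == "windows":
        av_ok = posture.get("av") in APPROVED_AV and posture.get("av_current", False)
        return "full" if (av_ok and patched) else "quarantine"
    # Non-Windows hosts get a different policy (comment 8); here only the patch baseline counts.
    return "full" if patched else "quarantine"


def admit(report: dict, nonce: str) -> tuple:
    """Full pipeline: verify, decide, and pick the VLAN to place the host on."""
    level = decide(verify_report(report, nonce))
    return level, VLAN[level]


if __name__ == "__main__":
    n = issue_nonce()
    good = agent_report({"os": "windows", "av": "Trend Micro",
                         "av_current": True, "patch_level": 8}, n)
    print(admit(good, n))                  # ('full', 10)
```

The order matters: `verify_report` runs before any policy field is read, so a report that edits its own patch level or re-sends last week's clean result lands on the deny path, while an honest but out-of-date host lands in quarantine where it can still reach signature servers, as comment 8 describes.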