Cisco Updates Network Security Technology

* * Beatles-Beatles writes to tell us that Cisco has announced an enhanced version of its Network Admission Control (NAC) technology. From the article: "Under its NAC initiative, Cisco is developing a range of tools that let companies permit, deny, quarantine or restrict admission to networks based on an end user's security status."

You are looking at Trusted Computing.

[tepples]

This Cisco technology is implemented in terms of Trusted Network Connect, a specification published by the Trusted Computing Group. Alsee explains how and why major residential ISPs will eventually use it to condition customers' Internet access on acceptance of Trusted Computing measures.

Cisco needs to update more than its tech

[saskboy]

""With this, we are selling NAC on switches, routers and on just about every product we sell," Gleichauf said, adding that Cisco now has over 60 vendors participating in the NAC initiative."

Now if only their Contract website was as easy to manage as their Linksys routers. I try to log in to their website to check the account status, and they make me jump through hoops and look for hidden links. It makes me wonder if any web designer works for them.

Re:Cisco needs to update more than its tech

[Vombatus]

I try to log in to their website to check the account status, and they make me jump through hoops and look for hidden links

That is classic security by obscurity. If you cannot find the links, you cannot access any information.

You can't block the CEO

[ReformedExCon]

I'm just joking, of course. CEOs are typically the most informed of all employees at any given company.

But this is pretty cool. The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer. It isn't like infected computers are going to run around flagging routers of their infected status.

I wonder how they will manage this type of security clearance system. If it works, this is one of those technologies that is right on time. If we can stop viruses from infecting whole networks by shutting infections out of the network, then they can't propagate very far at all.

Re:You can't block the CEO

[rovingeyes]

"I'm just joking, of course. CEOs are typically the most informed of all employees at any given company."

Ahem...I take it you are a CEO of a company?

Re:You can't block the CEO

I was actually at a security conference a few weeks ago and a guy from Cisco presented some of their new stuff including this. Basically your computer will have to have some kind of antivirus software on it and communicate about it to gain access to the network. Right now its limited to about 10 vendors, and it is a closed protocol. He mentioned that eventually they would open it up and also add more vendors (missing was AVG :( ).

If you don't have proof that you ran those tools, you may not have to worry about being completely shut out of the network. You may just be admitted onto the network in a restricted way. Maybe only allowed to receive email, browse (maybe certain sites), etc.

Another cool thing is that all this will sit on the front of your network and be coupled with another product. Actually it may be all one product, I can't remember for sure. But the other part is a way to simplify managing your network in the event of an outbreak of a new worm, virus, etc. The way it worked was they were partnered with an AV company (I think Trend Micro maybe) and as soon as that company finds out about a new worm, they can send out some loose information about it. Maybe that it tries to propagate on outgoing port 666, and your router would download this information and block port 666. It would also be able to update all the routers in your network. This would be in roughly 15 minutes of learning of the new attack. Then within typically 90 minutes they will have out a way to digitally fingerprint this attack, and more specific rules are downloaded to the routers. Think something like the string codered sent out could be blocked.

This would be very fast solution to contain these things, especially when you think of large networks at say a large university or corporation with lots of routers. Way faster than what an admin could do by hand. Also it could be configured as to what ports could be blocked. Think not blocking outgoing port 80. Although I never got a clear answer about how this would work in the 15 minute part of initially just blocking a port since some worms do propagate on these commonly used ports. I'm sure they'll work all this out :)

Lets just hope they stick to opening up the protocols in this trusted networking approach so that more vendors can get involved. If so, I don't think we have to fear trusted computing as this is an example of how it could be a _good_ thing.

Re:You can't block the CEO

[Pii]

So many salient points to choose from... Where to start...

It's a good thing because:

• It can rapidly harden an enterprise to a specific attack vector, preventing countless hours of isolating infected systems, and cleaning them individually.
• Non-conforming systems can be granted access to the network in any manner that you choose: Non-conforming Windows systems can be put in a "dirty" or "quarantine" VLAN, with access just to the Internet, or to Virus Signature update servers. Other systems (Unix/Linux/etc.) can have a completely different policy, including full access.
• You don't have to use it, but it's out there, and there's a lot of clueless organizations in the world that will benefit from it, and if they deploy it, that helps you too.

I wasn't aware that Cisco was getting eaten alive by anyone. Yes, they are moe expensive than most of their competition, but if you've ever dealt with the TAC (Cisco's Technical Assistance Center), it's a premium you don't mind paying.

As for them sucking, to each his own. I'll take Cisco over you any time.

How to "trust" the computer

[tepples]

The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer.

Easy. Just make the computer run a scan on itself (using an approved dialer program) and then prove, using Trusted Computing techniques, that it ran the scan that it says it ran. These PDFs explain the process.

Cisco moving up to the application layer

[mparaz]

It looks like Cisco branded products are moving up the application layer to enterprise products. Perhaps plain IP is now a commodity - they have retained the Linksys brand and not folded the products into "Cisco."

The PCs mentioned in the article could be clients for their application oriented networking and message queueing architecture and product line.

Clueless Analyst Syndrome

[Glamdrlng]

The fact that Cisco has finally extended NAC support to its line of switches means that users are likely to be more interested in the technology than they were when it was only available on Cisco routers, said Joel Conover, an analyst at Current Analysis Inc. in Sterling, Va.

Eh? NAC has been available on Cisco switches for a while now. Technically it's been available since they started supported 802.1x, and switches have been compatible with the Cisco Security Agent since it was developed about a year ago. In fact, I haven't heard of routers being used in conjunction with NAC, CSA, or 802.1x. The only admissions control routers have ever done is access lists, which of course are also supported on layer 3 switches.

Mr. Conover: did you actually do any research on the technology involved or did you just read through the glossies and spew out something you remembered from the CCNA class you took 5 years ago?

Re:Clueless Analyst Syndrome

[sportal]

Reply to clueless slashdotter:

NAC Phase 1 was deployed using EAPoUDP (EAP over UDP). It used routers to quarantine devices. It is a layer 3 solution. Other devices could still infect layer 2 connected devices.

NAC Phase 2 (just announced) is deployed using EAPo802.1x (EAP over 802.1x). It uses switches to quarantine devices. It is a layer 2 solution. Thus an infected device cannot infect other layer 2 devices.

http://www.acuitive.com/musings/hmv7-12.htm

http://newsroom.cisco.com/dlls/2005/prod_101805.ht ml

For the Internetworking Challenged

[Quirk]

If, like me, internetworking isn't in your bailiwick, there's a couple of resources I've found handy.

Cisco's Internetworking Technology Handbook is a bit dated but a great base resource downloadable in pdf.

Pair the above with IBM's TCP/IP Tutorial and Technical Overview, and round things off by downloading Bable: A Glossary of Computer Oriented Abbreviations and Acronyms since you'll be in acrynom hell.

Probably few /.ers need the above but they've given me a good overview and reference.

For What it's Worth :)

be wary

Be wary of anything that will lock you into other proprietary hardware. Cisco is running scared right now with Juniper and others right on their tail, so some of this is likely to further cement Cisco into client networks.

If the FCC has anything to do with it

[tepples]

The Internet will route around damage, including silliness like trusted networks.

But can a wireless mesh route around legislators and regulators who ban the transmission of electromagnetic waves for unauthorized wireless meshes? And can it choose a within-50-percent-of-optimal route that minimizes speed-of-light latency and processing latency? And can it route across large bodies of water?

Compatibility?

[fmwap]

I wonder how this will work for non-Windows machines trying to gain access?

Somebody mentioned the Cisco Clean Access Agent in a previous post, googling around a bit shows that only Windows is supported for the AV/Patch scan, and this is easily bypassed by changing the User-Agent on the HTTP login page. Details here

Cisco's canned response is to use Nessus to determine the real OS, or write your own plugin. Although windows boxen are probably the most common, and the biggest threat, non-Windows products need some sort of working by-pass that doesn't involve simply spoofing the UA.

NAC sucks

We've tried to deploy NAC locally. It's hell to configure the "CTA" (i.e. magic software that runs only on Windows). It's hell to configure the switches (docs? Like they help...) It's hell to configure Cisco ACS (does Cisco even *use* that PoS?)

NAC is great in theory, but it's Windows-only, it requires extra software on Windows boxes, it requires all of your switches to be NAC aware, and it requires a NAC aware authenticator.

Can you say "not going to happen"?

If someone else comes out with something similar that can be used in the real world, like 802.1x supplicants with a bit more smarts, it will deployed so fast that Cisco's NAC will be a sad memory.

NAC: Good in theory. Cisco "gets" routers. They don't "get" network administration.

Why is this here?

[ninja_assault_kitten]

This is nothing more than an advertisement.

Cisco Updates Network Security Technology

[Kylere]

Cisco Updates Network Security Technology is one word swap from being a great acronym.