Cisco Updates Network Security Technology
Beatles-Beatles writes to tell us that Cisco has announced an enhanced version of its Network Admission Control (NAC) technology. From the article: "Under its NAC initiative, Cisco is developing a range of tools that let companies permit, deny, quarantine or restrict admission to networks based on an end user's security status."
I was actually at a security conference a few weeks ago and a guy from Cisco presented some of their new stuff including this. Basically your computer will have to have some kind of antivirus software on it and communicate about it to gain access to the network. Right now it's limited to about 10 vendors, and it is a closed protocol. He mentioned that eventually they would open it up and also add more vendors (missing was AVG :( ).
:)
If you don't have proof that you ran those tools, you may not have to worry about being completely shut out of the network. You may just be admitted onto the network in a restricted way. Maybe only allowed to receive email, browse (maybe certain sites), etc.
Another cool thing is that all this will sit on the front of your network and be coupled with another product. Actually it may be all one product; I can't remember for sure. But the other part is a way to simplify managing your network in the event of an outbreak of a new worm, virus, etc. The way it worked was they were partnered with an AV company (I think Trend Micro maybe) and as soon as that company finds out about a new worm, they can send out some loose information about it. Maybe that it tries to propagate on outgoing port 666, and your router would download this information and block port 666. It would also be able to update all the routers in your network. This would be in roughly 15 minutes of learning of the new attack. Then within typically 90 minutes they will have out a way to digitally fingerprint this attack, and more specific rules are downloaded to the routers. Think something like the string Code Red sent out could be blocked.
This would be a very fast solution to contain these things, especially when you think of large networks at say a large university or corporation with lots of routers. Way faster than what an admin could do by hand. Also it could be configured as to what ports could be blocked. Think not blocking outgoing port 80. Although I never got a clear answer about how this would work in the 15 minute part of initially just blocking a port since some worms do propagate on these commonly used ports. I'm sure they'll work all this out.
Let's just hope they stick to opening up the protocols in this trusted networking approach so that more vendors can get involved. If so, I don't think we have to fear trusted computing as this is an example of how it could be a _good_ thing.
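The two-stage response the post above describes (coarse port block within minutes, replaced by a payload fingerprint later), as an added Python model that is not Cisco's code or rule format. The Bulletin/Rule shapes, the protected-port list and the sample signatures are assumptions; the point it shows is how an outbreak on a port the admin refuses to block (like 80) simply waits for the fingerprint stage.

```python
from dataclasses import dataclass
from typing import Optional

# Ports an admin has configured as never to be blocked outright (assumption).
PROTECTED_PORTS = {80, 443, 53}

@dataclass(frozen=True)
class Bulletin:
    """What the AV partner pushes out (constructed format)."""
    worm: str
    port: int
    signature: Optional[bytes] = None   # None = early "loose" bulletin; bytes = fingerprint

@dataclass(frozen=True)
class Rule:
    port: int
    signature: Optional[bytes]          # None = drop everything on the port

class Router:
    def __init__(self) -> None:
        self.rules: dict[str, Rule] = {}   # worm name -> active rule

    def apply(self, b: Bulletin) -> str:
        """Install a rule for the bulletin; report what was done."""
        if b.signature is None:
            # Stage 1: only a port is known. Refuse to block protected ports.
            if b.port in PROTECTED_PORTS:
                return f"{b.worm}: port {b.port} is protected, waiting for fingerprint"
            self.rules[b.worm] = Rule(b.port, None)
            return f"{b.worm}: blocking port {b.port}"
        # Stage 2: fingerprint replaces (or substitutes for) the coarse block.
        self.rules[b.worm] = Rule(b.port, b.signature)
        return f"{b.worm}: matching signature on port {b.port}"

    def allows(self, port: int, payload: bytes) -> bool:
        """Would this router forward a packet to `port` carrying `payload`?"""
        for r in self.rules.values():
            if r.port == port and (r.signature is None or r.signature in payload):
                return False
        return True

def push_to_fleet(routers: list[Router], b: Bulletin) -> list[str]:
    """Distribute one bulletin to every router, as the central update would."""
    return [r.apply(b) for r in routers]
```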
We've tried to deploy NAC locally. It's hell to configure the "CTA" (i.e. magic software that runs only on Windows). It's hell to configure the switches (docs? Like they help...) It's hell to configure Cisco ACS (does Cisco even *use* that PoS?)
NAC is great in theory, but it's Windows-only, it requires extra software on Windows boxes, it requires all of your switches to be NAC aware, and it requires a NAC aware authenticator.
Can you say "not going to happen"?
If someone else comes out with something similar that can be used in the real world, like 802.1x supplicants with a bit more smarts, it will be deployed so fast that Cisco's NAC will be a sad memory.
NAC: Good in theory. Cisco "gets" routers. They don't "get" network administration.