Cisco to Open Source CTA

VE3OGG writes "Cisco, the networking Goliath, has decided to release the source code of its NAC (network admission control) client, Cisco Trust Agent (CTA) to the open source community within 'a few months.' This comes hot on the heels of Cisco announcing its plans to redevelop a new breed of network security infrastructure. 'CTA will be something that's open source. That's just logically where it should end up,' Gleichauf told InfoWorld. 'We don't want to be in the CTA business, so we're going to just open it up.'"

ohhh yeah

[User+956]

This comes hot on the heels of Cisco announcing its plans to redevelop a new breed of network security infrastructure.

Yeah, well they've certainly got a NAC for it.

Re:ohhh yeah

[Lord+Ender]

Ow! I think I just pulled a muscle in my face rolling my eyes at that awful pun.

VPN

[LDoggg_]

Does this include the VPN client?

The last linux release from cisco's site is a year old and the kernel module doesn't compile against the 2.6.19 kernel. Just to get it to compile against 2.6.18 you had to fake a config.h in your kernel source include folder.

Re:VPN

[c0l0]

The Cisco VPN Client sucks arse. There is, however, a much more comfortable and less-sucky free as in speech userspace-implementation for that kind of VPN available at http://www.unix-ag.uni-kl.de/~massar/vpnc/

I use it to connect to customer's not having set up OpenVPN every day, and it never failed on me yet. Give it a try, you won't regret it. :-)

Re:VPN

[schwaang]

Vpnc works great but it doesn't do certificates yet like the Cisco client.

Re:VPN

[LDoggg_]

Completely agree with the suckiness of Cisco's proprietary VPN solution. Been using it for years. Not sure why I never came across vpnc.

Thanks for the link. Turns out it's even in the fedora-extras repository. Learn something new everyday :)

Re:VPN

[PCM2]

Wow, you have made my day. Downloaded it and got it working in about one minute flat. Bye-bye, Cisco.

Re:VPN

vpnc kicks ass, been using it for about 2 years now and has not let me down (well except for rekeying not being supported), but still way better than cisco's garbage linux client.

Re:VPN

[IdleTime]

Doesn''t work against my company who uses Cisco VPN.

I'm more interested in getting Cisco IP-Communicator under Linux since it is the last program I need Windows to run and it doesn't run under any form of emulation.

Re:VPN

Howdy,

Try this

# wget http://www.tuxx-home.at/projects/cisco-vpnclient/v pnclient-linux-2.6.19.diff
# patch -p1 -b -z .dist vpnclient-linux-2.6.19.diff

Works, but you I also wish Cisco would either put more effort on Linux client
or releases it too (so that someone else will be able to fix the problems and
write a decent frontend for it).

ok so where is it?

[sproketboy]

So where is it? The article is light on details. I'd like to see the code.

Re:ok so where is it?

Learn to read, buddy. It said the code would be released in a few months.

You can't say the article is light on details, when you haven't even read the summary.

Re:ok so where is it?

[Sinryc]

Even the summary says it will be in a few months. Learn to read. Oh wait, this is slashdot, never mind.

And we care because

[Watson+Ladd]

The thing about NAC's is they don't offer any real security. You can't tell the difference between a corrupted host emulating a good one and a good one. All open sourcing is is just a way to avoid leaving foo^W customers in the lurch.

Re:And we care because

[Kizeh]

That's not exactly true. First, typically NAC requires the user to have valid credentials and provides some accountability -- if a PC turns out to have a virus, at least a person responsible for it can be found and contacted.
NAC can, pretty reliably if done right, confirm that the machine in question has update services running, has an active antivirus (as opposed to just a process with the same name) and is running proper patch levels and virus definitions. This alone fixes the vast majority of security breaches at most institutions.
If all machines are authenticated via 802.1x, and must be added to a domain by an admin and have pushed policies enabled, NAC doesn't buy you a ton. But in a university environment, for example, where the managers don't control the machines, a way to enforce a minimum compliance is very, very attractive.

Re:And we care because

[gclef]

NAC isn't really about preventive security, no matter how it's billed...it's sold as a security tool because that's the only way to get the bosses to understand that real security comes from being *organized* and consistent all the way down to the patch levels on *every* *host*. NAC doesn't fix broken machines...it does help you keep organized about what your non-broken machines look like, so that you minimize the number of broken ones.

Re:And we care because

[Stinking+Pig]

You can also use external providers for SecureACS to do some very deep scanning and remediation of the system. The stock Cisco NAC solution does rather suck, but as a framework it could work.

Problem one is that unfinished frameworks are a dime a dozen -- figuring out which ones are going to get finished is a job for Nostradamus.

Problem two is that most IT organizations don't have the chutzpah to actually implement trusted access. The coordination requirements between different departments are a killer, and the security trade off is too high.

Re:And we care because

[jhfry]

We care because instead of taking a once useful and arguably well made software product and tossing it in the trash... they are instead opening it up for those who are interested.

We care because they are helping to set a precedent, one that I hope becomes the norm for tech and software companies, at end of life... open source!

We care because one of the benefits of open source, is that a particularly well written piece of code can be adapted for a different function while retaining most of what makes it 'good'. So NAC's are worthless to you... but what about that one really powerful function Cisco wrote that finds it's way into 3 other open source products that are NOT worthless to you.

Finally, were NAC's so bad that you would rather they just tossed the code in their recycle bin?

Re:And we care because

[Lord+Ender]

You got that backward. NAC offers real security. It does not offer theoretical security.

theoretical security: there is now known way to circumvent this (think one-time-pad)

real security: it's possible to circumvent this, but for 99.9% of potential attackers out there, it would take more effort than its worth.

Re:And we care because

[Kpt+Kill]

oh you mean, boot with knoppix cd, authenticate, reboot into windows?

Re:And we care because

[Alsee]

You can't tell the difference between a corrupted host emulating a good one and a good one.

Which is exactly why Cisco's Network Access control (NAC) and Microsoft's Network Access Protection (NAP) and the Trusted Computing Group's Trusted Network Connect (TNC) are all actually about cramming Trusted Computing down our throats. All of them do the same thing, and all of them are pretty well pointless without Trusted Computing. If your network connection uses NAC/NAP/TNC, it pretty much requires Trusted Computing in order for the NAC/NAP/TNC "health" report to actually work. If you can't pass the "health check"... if you aren't Trusted Computing compliant... then the result is that you get "quarantined" until you resolve the "problem" and can pass the "health" check. Which means that you get denied a network connection.

There is a very deliberate strategy to attempt to sell Trusted Computing to the open source community. A suicide pill. Oh look! The Trusted Computing enforcement software is open source! The standards are open! And while the source may be available, Trusted Computing makes source code USELESS. If you try to alter the source, it doesn't work any more. With Trusted Network Connect it scans the operating system and key applications. If you have modified the operating system or the apllications, or if your operating system or key applications do not happen to be on the certified approved list, then you automatically fail the "health" check. The Trusted Network Connect system cannot spot viruses and malware... all it can do is check if your exact software is on the recognized and approved list. If it's not on the approved list, then as far as Trusted Network Connect can tell you may be virus infected. The most you can hope for is that IBM or someone gets a specific exact Linux binary certified, and hope that your network administrator or ISP adds that exact Linux binary signature to the Trusted Network Connect approved list. And then you could get online with that exact Linux binary. But if your network administrator or ISP has not bothered to add that signature to the approved list, or if you try to.... you know... actually USE the Linux source and compile it... then you get DENIED INTERNET ACCESS. And if you are running an opensource firewall, or if you are running an opensource browser like Firefox... same problem. Trusted Network Connect will almost certainly deny you any network connection because the signature for that software wasn't added to the approved list. And even if IBM or someone did step in and certify come exact binary for that software and your network administrator or ISP did bother to add that signature to the approved list, again it is effectively no longer open source software. If you attempt to actually USE and DEVELOP the source and compile it, you again have a new binary with a new unrecognized unapproved signature. And you are again denied network access. You have the source, but THE SOURCE NO LONGER WORKS. New software compiled from the source no longer works. Modified software may be denied network access at all, or you may get internet access but browsing website or otherwise using the software on the internet can be rejected, and even modifying non-network open source applications won't be able to work because they cannot reading that application's existing data files.

-

Re:And we care because

[meridian]

Its true that it doesn't ensure that the machine is not compromised and therefore the NAC framework can not ensure a host is not spoofing its nac posture, although they would require to have a valid certificate on the machine for the NAC/802.1x authentication to occur in the first place. However what it does do is ensure that when a new machine does enter the network it is not allowed onto the network in a vulnerable state and ensures that hosts already using the network stay updated quite effectively or do not gain network access outside a secured vlan.
In general it raises the bar significantly but is not an intrusion detection system. If you need something like that you would be using Cisco Secure Agent or similar as a host IDS or some form of network IDS.

Re:And we care because

Well said...for someone who doesn't really understand the products.

Take the Nac Appliance for example. It has a dumb agent just for that case. the CAS tells the agent to retrieve specific values, files dates, file info, etc and send me the results. If you think you can correctly tell it what it wants to know, for potentially hundreds of questions (mind you its not a yes no answer, but rather a file date, or version, or registry entry or size, or...etc) then you are really proud of yourself. Turn off the agent and it doesnt return anything, sending you to quarantine jail.

And for the record, its Network ADMISSION Control, not Network Access Control. HUGH difference...

Cisco's table scrap

[Lead+Butthead]

We don't want to be in the CTA business, so we're going to just open it up.

Translation :- "Here's something we either can't milk money out of or we're planning to discard altogether, knock yourselves out."

Re:Cisco's table scrap

[jcgf]

You see the same thing over and over, "toss the free software dogs a bone and buy some publicity" the suits think. The only company actually open sourcing anything worth while is Sun and maybe IBM to some extent.

Re:Cisco's table scrap

[cfvgcfvg]

Yes, but the table scraps from such a huge organization is pretty big. Can you imagine if all the companies in the world gave back to the people all the technology they never intended to sell again. We'd all eat like kings.

Re:Cisco's table scrap

[Lord+Ender]

and Linden Labs (Second Life), and MySQL AB, and AOL (Mozilla), and, well, a lot of companies.

Re:Cisco's table scrap

[just_another_sean]

Really? I get the impression they are more concerned with ensuring people connect to/through their routing and server products. If the client is free and every OS on the planet implements it then Cisco edge products continue to look attractive to companies and give them reasons to upgrade those old, dusty routers.

I wouldn't knock NAC just yet, it's rough still, but it has a lot of potential to help people that are not so talented at security keep themselves a bit safer on the 'net (which is good for everyone IMHO). And, as long as it *does* take off, open source clients practically guarantee server side improvements based on user and developer feedback.

Eh, so it's more OSS then FLOSS, I'll still reserve judgment for a later day...

Re:Cisco's table scrap

[meridian]

Sorry but I beg to differ. Firstly NAC is a framework not just the CTA agent. It is now part of Vista. Do you think MS would add a competing companies product/framwork client into their own OS if it was not already leading the way in its field. It is implemented in numerous Cisco products and has been integrated in to nearly every Antivirus product on the market, Kav and Nod32 being the only noteable exceptions at the moment that I'm aware of (and funnily enough probably the two best antivirus products at least in some peoples opinions).
The CTA agent for pre-vista windows is fully functional, free and has no issues other than configuration issues that I am aware of.
The idea of open sourcing would most likely be to allow the client support of other operating systems that currently have no support. There is currently a supported client for linux which as far as I am aware will continue to be supported.
Perhaps someone wants to write a client for less popular operating systems?

Re:Cisco's table scrap

[BACbKA]

If a company open sources even out of date code it deems useless and announces as such, this is better than code bases going into oblivion when companies change/go out of business.

Cisco Security Agent

[c0d3r]

Cisco Security Agent (which installs trust agent) is one of my favorite programs. It pops up messages when programs attempt to record keystrokes (game emulators do this), access the registry and other suspicious activities. It also tells me that the latest ie is apparently injecting code.

Re:Cisco Security Agent

[AgentPhunk]

CSA and CTA (the subject of TFA) are two different products.

CSA is the Host-based Intrustion Prevention software. It stops any anomolous behavior.

CTA is their 'NAC supplicant' that reports back to the querying endpoint (NAC enabled switch, router, etc) about the status of the system (a/v version, is it running?, signature version, etc.)

CSA has CTA built into it, but not vice versa.

It makes sense that Cisco is open-sourcing this - the don't make money on agents, they make money on selling more hardware (NAC enabled switches), software (the Cisco Access Control Server, MARS reporting, not to mention just plain old IOS software support.)

Actually the program is pretty cool...

[Ho+Kooshy+Fly]

It shows you all the insane registry hacking programs do, overriding or overwriting of DLLs, in general just a lot of bad behavior you see in Windoze. It runs on every desktop where I work and will stop most trojans from installing due to stupid "Oh, lets click on virus.exe" and run it.

Even if they're not making money off it (no clue tbqh), it probably has some cool tidbits of code...

-Ho

Re:Actually the program is pretty cool...

[Bubba]

You're thinking of Cisco Security Agent, not Cisco Trust Agent. They are not the same, though CSA comes bundled with CTA. CTA is just the network access piece, it doesn't shim the OS to prevent infections like CSA.

And a good thing, too

[Scareduck]

The Chicago Transit Authority needs all the help it can get.

Re:And a good thing, too

[chicago_scott]

And if this doesn't help then the Chicago Transit Authority will file a lawsuit against Cisco: While the band toured the album, legal action was threatened by the actual Chicago Transit Authority, forcing the group to reduce their name to, simply, Chicago.

P.S. - CTA President Frank Kruesi deserves to be fired.

Gift horse

[forand]

Do you really think that they should be giving you their hard work for free? I would love to have companies which abandon or otherwise stop supporting a product give it to the open source community instead of having it lost forever. Just because you find the product they are going to release beyond use does not mean that it is useless to us all.

Clever.

[Ant+P.]

They're going to force all the dumbass PHBs that think obscurity=security to upgrade to whatever they replace it with.

Re:Clever.

[cafucu]

They're going to force all the dumbass PHBs that think obscurity=security to upgrade to whatever they replace it with. Which is their NAC appliance == Cisco Clean Access == Perfigo. NAC infrastructure hasn't caught on like they hoped it would, so they bought up the most attractive NAC vendor and called it Cisco. Business as usual for them...

Can't get partners, so go open source

[netnull]

What a scam! Cisco has a NAC partnership program that allows partners to either incorporate CTA technology into their client software, or allow them to build third-party security servers that operate behind their CiscoSecure ACS product. But you are not allowed to build a NAD (network access device, i.e. a switch or AP that interrogates CTA) or a replacement for ACS as the authentication server.

So now that Cisco has failed to get the community to play in their proprietary communications sandbox (remember these are the guys who bring us EIGRP and Skinny), they are hoping the open source community will come to their rescue as leverage in the forming IETF standards.

Want open source NAC? ... look at PacketFence (www.packetfence.org)

CSA is a rootkit

[Myria]

Cisco Security Agent takes over half of Windows XP's system calls. It's a rootkit.

CSA is fairly worthless against an expert who designs their programs to get around it.

Good for Users

[RAMMS+EIN]

This is good news for the users of the software. Instead of being stuck with a product that won't see any update or improvement anymore once Cisco stops supporting it, they will be able to make their own updates and improvements (or get them from other customers in the same situation, or ...).

It is even possible that CTA would be developed into a strong player in the market, in which case not only the current users, but the whole world benefits.

I applaud this move, and wish more companies would open source their software when they are no longer interested in maintaining it.

And wait for the untrusted agent...

[ladybugfi]

I'm not totally convinced this is a good idea. I'm only superficially knowledgeable about NAC and CTA, but we are talking about a trusted agent here. Open sourcing may cause malware versions of that agent being manufactured and distributed. This can cause problems not only to the host with the agent, but also to the infrastructure protected by NAC.

But maybe Cisco has taken this into account in their risk analysis and NAC features.

GPL as a hostility tool

[mapkinase]

Seems like common practice now. Company wants to diminish advantage of functionality competetitors have, so it releases an OS/GPL'ed tool that provides the very basics of that functionality.

Lawyers, check your briefs!

We don't want to be in the CTA business, so we're going to just open it up.

... and sit back and wait for the unfair competition lawsuit from some company that does want to be in the CTA business.

Retracted?

[kylearin]

So what are others finding? Our Cisco rep sent us this clarification:

Response to Infoworld article about CTA Open Source

Q. What is this document?

A. This document is a response to the Network World article dated Feb 8, 2007 regarding CTA Open Source

Q. What is the article about? Where is it available?

A. Article is available at

http://www.infoworld.com/article/07/02/07/HNciscot ca_1.html

http://www.computerworld.com/action/article.do?com mand=viewArticleBasic&taxonomyName=network_securit y&articleId=9010881&taxonomyId=142&intsrc=kc_top

Q. Is Network World article correct that Cisco will open source CTA in 2 months?

A. No, statements in the article are incorrect and Cisco does not have plans to open source CTA. We apologize for any confusion resulting from the interview and article and any inconvenience it caused.

Q. What are Cisco's plans for open source of CTA?

A. Cisco currently has no plans or dates for open-sourcing CTA.