After nearly two years and a lot of suspected smoke-and-mirrors, Cisco Systems and Microsoft yesterday revealed a joint architecture that pairs each of the tech giants' network access security solutions.
At yesterday's Security Standard conference in Boston, executives outlined the interoperability between Cisco's Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP), making good on a partnership that was announced in October 2004.
A newly released downloadable white paper details how both NAC and NAP will work together for security policy enforcement and health assessment as part of a single architecture. The paper also details how to embed Cisco's network infrastructure with Microsoft's Windows Vista desktop operating system and future versions of the OS server called Longhorn.
The two powerhouse vendors also released a roadmap for bringing the NAC and NAP combination to market, with beta programs scheduled for later this year. Once Longhorn becomes available in late 2007, users will be able to deploy the Cisco/Microsoft solution. As part of the pairing, Cisco and Microsoft have cross-licensed their NAC and NAP protocols to ensure interoperability.
Yankee Group vice president Zeus Kerravala said the long-expected pairing gives users flexibility in their network access choices. Since Microsoft NAP will be desktop focused and Cisco NAC is network focused, there will be no need for a string of smaller in-line appliances to achieve comprehensive network access control. Users can keep their Cisco NAC infrastructure and add in Microsoft NAP later on.
"You'd be hard pressed to find an enterprise that doesn't have both Cisco and Microsoft products," Kerravala said.
The pairing also eliminates the need for a large company to select one vendor's technology over the other.
"A user shouldn't have to choose," he said. "If they want to deploy Cisco NAC now, they can [do so knowing] that when Microsoft NAP is released, they'll interoperate. Before, you might have held out and waited before deploying."
Andrew Braunberg, analyst with Current Analysis, said the interoperability, while still early in the offing, appears to be beneficial for both Cisco and Microsoft shops, and it creates a single-client architecture, making it simpler for network administrators who manage the agents.
"It eases a little anxiety for users who are trying to align their NAC strategy," he said. "Going forward, Cisco can say, 'Look, you can go ahead and deploy this stuff and NAP will be compatible.'"
Still, interoperability between two vendors is technically a proprietary environment, Braunberg said. "It's not a multivendor open standard."
Cisco has been on the forefront of network access technology and has already developed and shipped NAC products, which use a software agent to collect information in Cisco's RADIUS server and send it to Cisco's secure Access Control Server (ACS). The ACS checks with a policy server and determines whether devices comply with set security policies. If the device is not up to snuff, it can be quarantined or necessary security updates can be pushed out.
Microsoft announced its plans for NAP in mid-2004 and has yet to follow through until now. Microsoft NAP is said to work with the Windows Vista OS and the Longhorn server, set to be released in late 2007. NAP works by passing data to Microsoft's Network Policy Server, which then checks with a policy server to ensure device hygiene.
According to a joint announcement by both vendors, each will continue to deliver individual NAC and NAP solutions, while allowing users to choose the interoperable solution from both companies.