Cisco, Microsoft in security showdown

Cisco Systems and Microsoft are headed for a collision over network security, with customers caught in the middle.

The two companies have each proposed competing "end to end" security architectures, marking the latest evolution in network defense--an approach concerned not only with scanning for viruses but also with policing networks to deny connections to machines that don't conform with security policies. But for now at least the twin offerings are not interoperable. That means customers might be forced to choose between using technology from one company or the other, unless the two tech giants can strike a deal to guarantee compatibility.

Choosing could be tough, given that both companies thoroughly dominate their respective markets: Microsoft has a monopoly in desktop operating systems, and Cisco's share of the corporate network routing market exceeds 70 percent.

Microsoft and Cisco say they are working to ensure interoperability. But at this stage, it's difficult to know how quickly the two sides will come together and what the resulting security plan will look like--or if it's even feasible to bridge the gap between their technologies at all.

"We know how important it is for us to interoperate with Cisco," said Steve Anderson, director of Microsoft's Windows server group. "But we're both big companies, and it takes a lot of time to work this stuff out. Bill Gates and John Chambers have already been talking. We expect to announce the first step in this process sometime this fall when we announce an interoperability agreement."

A decision is crucial to customers, who now face the prospect of spending their already tight security budgets on running incompatible architectures. At the heart of the debate is the Remote Authentication Dial In User Service, or Radius, the de facto standard for authenticating users accessing networks remotely. In each of the proposed architectures, the companies use their own Radius servers to centrally enforce security policy and provide administration of user profiles.

With Cisco's architecture, customers must use the Cisco Access Control Server. With Microsoft's setup, customers are forced to use the Microsoft Windows Internet Authentication Service, or IAS, Radius Server.

Currently, the two Radius servers are not interoperable. This means customers using Cisco networking gear and Microsoft operating software could be forced to install and manage separate Radius servers from each vendor. Security experts are skeptical that an interoperability agreement for the Radius servers would help much.

"The two approaches are fundamentally different," said Bill Scull, senior vice president of marketing for Sygate, a security software maker. "I'm not sure how they could interoperate."

At stake is the success of a new movement in network management that treats security more holistically. As the effects of malicious virus and worm attacks, such as those involving the Sobig and MyDoom viruses, become more costly, companies are looking for solutions that combine traditional virus scanning with network policing to keep attacks from ever entering the network in the first place.

Networking, security and software companies have joined efforts to develop more proactive solutions. Cisco and Microsoft have been at the forefront of this effort, and the success of their plans will be crucial in the fight against new attacks.

Late last year Cisco announced its Network Admission Control, or NAC, architecture. In June the company announced it had completed the first phase of the architecture by introducing NAC software on its IP routers. Support on its switches is due in the first half of 2005. In July, Microsoft announced its Network Access Protection or NAP architecture, which is scheduled to be available sometime in 2005, the company said.

The concepts behind each of the architectures are very similar. Before a user logs on to a network, his or her computer must check in to a third-party machine, controlled by the network administrator, to ensure that the machine meets policy requirements. If it does, the user is allowed access to the network. If it doesn't, the user's connection is funneled to a restricted virtual private LAN, where the user can make changes, or have changes made automatically, to ensure policy conformance before being redirected to the main network.

Differences can divide
Though the overall concepts are similar, the two companies are approaching the problem differently. With NAC, Cisco is trying to solve the entire problem itself, end to end. The company has developed its own security software agents through partnerships with three key antivirus providers--McAfee, Symantec and Trend Micro--and technology it had acquired through Okena. These "Trust Agents," as Cisco calls them, will run on clients as well as Cisco networking gear, such as Ethernet switches, IP routers, and firewall products. The agents will communicate with each other through a central policy server to ensure that endpoints are updated and following policy before they connect to the network.

"We felt it was important to deliver a solution that worked end to end," said Bob Gleichauf, chief technology officer for Cisco's security networking group. "The fact that we are building a little agent to sit on clients is because networks extend all the way to the client."

By contrast, Microsoft has opted to focus its NAP architecture on its core competencies: host and server software. Microsoft plans to incorporate security agents as part of its operating system software, so that every desktop and server running Windows XP and Windows Server 2003 will be wired for NAP. Microsoft's current architecture does not include a networking element per se, but the company has partnered with a number of networking gear vendors so that they can hook into the NAP via a central server. While Cisco has not signed up as a partner to NAP, several of its competitors already have, including Juniper Networks, Enterasys and Extreme Networks.

Open standards are key
It will likely be customers that eventually force the two sides to work together, since both companies have a vested interest in selling their own security agents and Radius servers. A consortium of vendors called the Trusted Computing Group is already working on an architecture that will use open standards, so that customers can use Radius servers, security software or networking gear from any vendor. The group, which announced its plans in June, includes companies such as McAfee, Intel, Sygate, Juniper Networks, Hewlett-Packard and Sun Microsystems. Microsoft is a member of TCG, but Cisco is not.

TCG supporters complain that though Cisco and Microsoft claim they are willing to work with partners, they seem to still be trying to keep pieces of their solutions proprietary to lock in customers to using their products.

"Clearly Microsoft and Cisco would love for their architectures to dominate," Scull said. "And by pushing their own solutions they ensure that customers continue to buy their products."

For example, Cisco announced in June that it is expanding its antivirus partnership program to include more security vendors, but it did not mention opening its NAC architecture up to other networking competitors. Even though Microsoft is creating a platform that more than 30 vendors can plug into, its NAP architecture only works in a pure Microsoft environment, which includes the client as well as a suite of back office servers.

"There's no question that the majority of desktops out there already run Microsoft Windows," Scull said. "But the Windows 2003 server software isn't that widely used, and it seems to me that Microsoft is trying to create a reason for customers to use it."

Cisco and Microsoft scoff at the idea that they are pushing proprietary implementations. They both claim they would love to see open standards. And both companies have pledged that they will work with standards groups to move the effort forward.

Gleichauf of Cisco defended the company's strategy thus far.

"We're trying to deliver an architecture as soon as possible, so that customers at least have something to work with," he said. "We announced NAC in November and delivered the first set of products in June. I think that's pretty good considering these other initiatives are still announcing participants. It takes time to get a big initiative moving with several different vendors. We are committed to opening up NAC, when the time is right."

Gleichauf added that it is important for Cisco to get the technology right before it invites other vendors into the mix. The more vendors involved, the more frustrated customers get when there is a problem. Customers want one number to call when something goes wrong, he said.

Anderson of Microsoft reiterated his company's commitment to open standards as well.

"We see a market where vendors will choose best-in-class policy engines," he said. "We hope that they choose Microsoft, but if they don't, we want to make sure that the architecture works within a mixed infrastructure."

Anderson added that it will take time before all the pieces can come together.

"Everyone is already working with the antivirus vendors," he said. "Those seem to be the easiest partnerships to pick-off at this point. The other parts, like the networking, will come later. These are all very complicated architectures. None of this can happen overnight."