15 firms added to Cisco security effort

Routing giant puts weight behind Network Admission Control architecture.

Marguerite Reardon Former senior reporter

Cisco Systems' new security architecture is gaining momentum.

On Monday, Cisco announced that 15 companies have signed on as partners, promising to deliver products compatible with Cisco's Network Admission Control (NAC) architecture in the first part of 2005.

NAC is a security architecture that combines virus scanning with network policing to keep attacks from entering the network. It requires software "trust agents" to be deployed on every client. Network devices then communicate with the "trust agents" via special protocols to make sure that devices connecting to the network are free of viruses and have up-to-date security software running.

Cisco's security architecture is an ambitious one, requiring every element in the network--from Ethernet switches and IP routers to application software to firewalls and other security devices--to interoperate. The company is in the first phase of rolling out its own products that support the architecture. In June, it made NAC-compatible software available on its IP routers. Phase 2, which includes adding support to Cisco's Ethernet switches, was supposed to be ready early in 2005. Now the company says it will have support ready by midyear.

With so many elements to coordinate, this sort of security architecture can be difficult to implement.

"You really need a company with a lot of muscle like Cisco to push this architecture forward," said Sanjay Uppal, vice president of marketing at Caymas Systems, which makes access control gateways. Caymas is one of Cisco's newest NAC partners and the first access control provider to join the program.

Antivirus software makers McAfee, Symantec, and Trend Micro were the first partners to sign on to the NAC architecture. These companies are already shipping NAC-compliant software. Cisco has opened the program to any company that makes end-point products, including security software makers, access control vendors, and patch management makers. So far, there are 28 companies developing NAC-compliant products.

Cisco has said repeatedly that all technology developed as part of NAC will eventually be open to all vendors. But so far, it has yet to let competitors in the switching and routing market join the program. Cisco argues that standards bodies, such as the Institute of Electrical and Electronics Engineers (IEEE) or the Internet Engineering Task Force (IETF), are more appropriate for making the technology available to a wider group of vendors.

Networking companies aren't being completely left out in the cold. Some, such as Enterasys, F5 Networks and Nortel Networks, are joining forces with Microsoft, which has also introduced a comprehensive security architecture it calls Network Access Protection or NAP. Like Cisco, Microsoft has also been signing up new members to its program. Last week it announced a slew of new virtual private networking vendors that have joined the program.

In October, Cisco and Microsoft agreed to work together to ensure their architectures are compatible.

The Trusted Computing Group, a consortium of vendors, is also working on developing an end-to-end security architecture. Cisco is not participating in this effort.

"We tend not to work in consortiums," said Russell Rice, a director of marketing at Cisco. "We prefer to work through standards organizations. The standards process can be long and arduous, but at the end of the day, everyone has had the opportunity to comment and you aren't left with a single-vendor solution."

So far, Cisco is the furthest along in its efforts. Microsoft isn't expected to have NAP support available until the 2007 release of its Longhorn server software. And the Trusted Computing Group is still in the early development phase.