Analysis: Network Access Control


Cisco Network Admission Control

CNAC, Cisco's NAC play, is differentiated from Cisco's Clean Access NAC appliance, which controls access to network devices and can be used with any vendor's infrastructure gear. CNAC, on the other hand, uses the Cisco Trust Agent or Cisco Security Agent for host assessment, Cisco's Secure Access Control Server for centralized policy development and deployment, and sundry infrastructure equipment for enforcement.

Implementing CNAC is a major undertaking, requiring substantial investment to retrofit the existing infrastructure. Cisco admits that it's having better success selling Clean Access to the enterprise than CNAC. Detractors will tell you--accurately--that for CNAC to work, all your Cisco gear must be upgraded, resulting in further lock-in.

If you're an all-Cisco shop and happy, CNAC makes sense. But if you support router and switch gear from multiple vendors, integration with CNAC will be difficult, and the non-Cisco equipment may not be able to enforce policies. Cisco, like Microsoft, has a rather aggressive partner program that includes security vendors running the gamut of host and network security products.

CNAC uses third-party vendors to provide posture information to the Cisco Security Agent; information is then sent to the Secure Access Control Server, which integrates with external assessment authorities like authentication, AV and patch management systems. Access Control Server validates posture information against company-defined policies and can use external authoritative servers to learn what policies should be applied to hosts. Enforcement is through Cisco infrastructure devices, like switches, routers and VPN concentrators.

Microsoft Network Access Protection

NAP is a software-only framework that includes Active Directory; a new server, called a Network Policy Server; and a NAP agent that will ship with Longhorn and Vista, and as an upgrade client for Windows XP SP2. Earlier Windows and non-Windows OSs will not be supported.

NAP defines SHAs (System Health Agents), including desktop firewalls, antivirus scanners and patch management systems. Status reports--called Statements of Health, or SoHs--are sent by SHAs to a server, called an HRA (Health Registration Authority).

The Network Policy Server integrates with external authorities, like antivirus and patch-management servers, to get current configuration information. Hosts are then issued Health Certificates by the HRA, or directed to remediate if health checks fail. The Health Certificate, which attests to the host's condition, is presented to network servers.

Until products ship, there's no telling how well Microsoft will implement NAP. We're concerned about gaps in how guest access is supported for unmanaged PCs or computers that are not part of an Active Directory domain. In addition, some NAC must-haves are missing. For example, SHAs, the software that reports to the NAP client running on a host, aren't required to notify the NAP client of status changes. That means a host may fall out of policy compliance, and the NAP client won't know until the next assessment is run.

Like Cisco, Microsoft has a successful partner program that includes not only software vendors but network infrastructure players, including Alcatel, Enterasys Networks, Extreme Networks, Hewlett-Packard and Juniper.

Interoperability Architecture


[Figure: Interoperability Architecture Summary]

The Cisco/Microsoft NAC/NAP Interoperability Architecture is the fruit of several years of integration work (see "Interoperability Architecture Summary" left). This alliance--if it works as planned--should fill the gaps in each program: Cisco brings hardware enforcement and support for non-Windows OSs. Microsoft brings Windows and Active Directory support. Both bring their own partner programs to bear; partners of either vendor will in theory be allowed to play in both sandboxes.

The integration point is how Cisco's Access Control Server interacts with Microsoft NAP. If a client doesn't have an SoH, it will have to request one from Microsoft's HRA. If the client sends a list of SoHs, the Access Control Server forwards it to the Network Policy Server, which validates the statements and returns the results to the Access Control Server, which then enforces the policy.
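To make the SoH validation flow concrete, and to show the compliance gap raised earlier (SHAs are not required to push status changes to the NAP client), here is a small Python model added for this article; it is constructed illustration, not Microsoft's or Cisco's code, and the policy rules, SoH field names and "full"/"remediate" decisions are assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy, standing in for rules an administrator would define on the
# Network Policy Server; not Microsoft's or Cisco's real schema or API.
POLICY = {
    "firewall":  {"enabled": True},
    "antivirus": {"enabled": True, "max_signature_age_days": 7},
    "patch":     {"missing_critical": 0},
}

def validate_soh(sha: str, soh: dict) -> list[str]:
    """Policy-server check of one SHA's Statement of Health; returns failure reasons."""
    rule, reasons = POLICY[sha], []
    if rule.get("enabled") and not soh.get("enabled"):
        reasons.append(f"{sha}: not enabled")
    max_age = rule.get("max_signature_age_days")
    if max_age is not None and soh.get("signature_age_days", 999) > max_age:
        reasons.append(f"{sha}: signatures older than {max_age} days")
    if soh.get("missing_critical", 0) > rule.get("missing_critical", 0):
        reasons.append(f"{sha}: {soh['missing_critical']} critical patches missing")
    return reasons

def evaluate_soh_list(soh_list: dict) -> dict:
    """What the Access Control Server gets back: an access decision plus remediation reasons."""
    reasons = [r for sha, soh in soh_list.items() for r in validate_soh(sha, soh)]
    reasons += [f"{sha}: no Statement of Health reported" for sha in POLICY if sha not in soh_list]
    return {"access": "full" if not reasons else "remediate", "reasons": reasons}

@dataclass
class NapClient:
    """Models the gap noted above: SHAs are only read when an assessment runs."""
    shas: dict                                   # live state of each SHA on the host
    last_decision: dict = field(default_factory=dict)

    def run_assessment(self) -> dict:
        snapshot = {name: dict(state) for name, state in self.shas.items()}
        self.last_decision = evaluate_soh_list(snapshot)
        return self.last_decision

def compliance_gap_demo() -> tuple:
    """Returns (decision held while out of policy but unassessed, decision after reassessment)."""
    host = NapClient({"firewall": {"enabled": True},
                      "antivirus": {"enabled": True, "signature_age_days": 2},
                      "patch": {"missing_critical": 0}})
    host.run_assessment()                        # healthy at first assessment
    host.shas["firewall"]["enabled"] = False     # host drifts; no SHA notification is sent
    stale = host.last_decision["access"]         # cached decision still grants access
    fresh = host.run_assessment()["access"]      # next assessment catches it
    return stale, fresh
```

The stale decision persists for the whole interval between assessments, which is why a NAC design wants SHAs to report state changes rather than wait to be polled.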

Confused yet? The partnership does have one clear upside: non-Windows OSs and pre-Windows XP versions will be supported with free Cisco Security Agents.

What isn't clear, however, is how NAP partners like Alcatel, Extreme and HP will fit into this picture. Will Microsoft's Network Policy Server be the central point of command and control, interacting with Cisco products as well as other vendors' infrastructure gear? That's anyone's guess. What is interesting is that both vendors say they'll keep their partner programs active, for the time being at least. A smart hedge.

