Cisco Updates Network Security Technology

Beatles-Beatles writes to tell us that Cisco has announced an enhanced version of its Network Admission Control (NAC) technology. From the article: "Under its NAC initiative, Cisco is developing a range of tools that let companies permit, deny, quarantine or restrict admission to networks based on an end user's security status."
  • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Tuesday October 18, 2005 @11:29PM (#13824095) Homepage Journal

    This Cisco technology is implemented in terms of Trusted Network Connect, a specification published by the Trusted Computing Group. Alsee explains how and why major residential ISPs will eventually use it [slashdot.org] to condition customers' Internet access on acceptance of Trusted Computing measures.

  • "With this, we are selling NAC on switches, routers and on just about every product we sell," Gleichauf said, adding that Cisco now has over 60 vendors participating in the NAC initiative."

    Now if only their Contract website was as easy to manage as their Linksys routers. I try to log in to their website to check the account status, and they make me jump through hoops and look for hidden links. It makes me wonder if any web designer works for them.
  • by ReformedExCon ( 897248 ) <reformed.excon@gmail.com> on Tuesday October 18, 2005 @11:31PM (#13824102)
    I'm just joking, of course. CEOs are typically the most informed of all employees at any given company.

    But this is pretty cool. The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer. It isn't like infected computers are going to run around flagging routers of their infected status.

    I wonder how they will manage this type of security clearance system. If it works, this is one of those technologies that is right on time. If we can stop viruses from infecting whole networks by shutting infections out of the network, then they can't propagate very far at all.
    • The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer.

      Easy. Just make the computer run a scan on itself (using an approved dialer program) and then prove, using Trusted Computing techniques, that it ran the scan that it says it ran. These PDFs [trustedcom...ggroup.org] explain the process.

    • by rovingeyes ( 575063 ) on Tuesday October 18, 2005 @11:35PM (#13824123)
      "I'm just joking, of course. CEOs are typically the most informed of all employees at any given company."

      Ahem...I take it you are a CEO of a company?

    • by Anonymous Coward on Wednesday October 19, 2005 @12:12AM (#13824252)
      I was actually at a security conference a few weeks ago and a guy from Cisco presented some of their new stuff including this. Basically your computer will have to have some kind of antivirus software on it and communicate about it to gain access to the network. Right now it's limited to about 10 vendors, and it is a closed protocol. He mentioned that eventually they would open it up and also add more vendors (missing was AVG :( ).

      If you don't have proof that you ran those tools, you may not have to worry about being completely shut out of the network. You may just be admitted onto the network in a restricted way. Maybe only allowed to receive email, browse (maybe certain sites), etc.

      Another cool thing is that all this will sit on the front of your network and be coupled with another product. Actually it may be all one product, I can't remember for sure. But the other part is a way to simplify managing your network in the event of an outbreak of a new worm, virus, etc. The way it worked was they were partnered with an AV company (I think Trend Micro maybe) and as soon as that company finds out about a new worm, they can send out some loose information about it. Maybe that it tries to propagate on outgoing port 666, and your router would download this information and block port 666. It would also be able to update all the routers in your network. This would be in roughly 15 minutes of learning of the new attack. Then within typically 90 minutes they will have out a way to digitally fingerprint this attack, and more specific rules are downloaded to the routers. Think something like the string codered sent out could be blocked.

      This would be a very fast solution to contain these things, especially when you think of large networks at say a large university or corporation with lots of routers. Way faster than what an admin could do by hand. Also it could be configured as to what ports could be blocked. Think not blocking outgoing port 80. Although I never got a clear answer about how this would work in the 15 minute part of initially just blocking a port since some worms do propagate on these commonly used ports. I'm sure they'll work all this out :)

      Let's just hope they stick to opening up the protocols in this trusted networking approach so that more vendors can get involved. If so, I don't think we have to fear trusted computing as this is an example of how it could be a _good_ thing.
      • If you don't have proof that you ran those tools, you may not have to worry about being completely shut out of the network. You may just be admitted onto the network in a restricted way.

        What garbage. First, there are already products that run scans on an entire network and base access upon those results. They work well and do not require a client-side component. Second, if Cisco requires third parties to register/license with them it will eventually become a tax on connecting to the network, paid to C

      • And frankly, I was more appalled than impressed. Way to cobble up the "mission critical" network system in a byzantine system involving PCs, centralized servers, and other cruft. An order of magnitude more of a hackjob than server-mode VLAN configuration. Bloatware for networks.

        If they want to enhance security, they should be paring down their codebase for simplicity's sake and extensively testing it under hostile and high-stress traffic loads. Which I can say quite unequivocally, they don't do much. I
      • Maybe that it tries to propagate on outgoing port 666, and your router would download this information and block port 666. It would also be able to update all the routers in your network.

        Wee! Now we can shut down the internet with a well-placed virus. If you can talk with your router, certainly I can as well. All I need to do is pretend I'm the authoritative router (DNS poisoning maybe?) or hack the authoritative router and suddenly I get control of your entire network next time your routers update with m

    • CEOs are typically the most dense people in the company; their days consist of meeting other dense CEOs and thinking up clever schemes like trusted computing, and help boost their self-denial about the world at large.
    • The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer.

      Just run a scan on them. Either (a) they're your (IT's) computers, or (b) they signed an acceptable use policy, which says you might scan for vulnerabilities.
    • Note: I work for a company which develops software for this solution, but I do not speak for them in any official way. I'm also not going to plug my product by name, because that's not the point of this article. There aren't that many people doing this kind of work, and if you're really interested, you'll find us easily enough.

      But this is pretty cool. The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer. It isn't like infected computers ar

  • patches smaches (Score:1, Offtopic)

    by scenestar ( 828656 )
    They've lost a lot of my respect after they confiscated those books and ripped out "certain" pages.
  • by mparaz ( 31980 ) on Tuesday October 18, 2005 @11:36PM (#13824128) Homepage
    It looks like Cisco branded products are moving up the application layer to enterprise products. Perhaps plain IP is now a commodity - they have retained the Linksys brand and not folded the products into "Cisco."

    The PCs mentioned in the article could be clients for their application oriented networking and message queueing [paraz.com] architecture and product line.
    • Two different markets. Linksys targets the home and the SOHO market. Cisco targets... everything else... The name of the game is avoiding brand dilution.

      Statement of bias: I'm an employee of Cisco. Not anywhere near Layers 2 or 3, but an employee nonetheless.

      --
      lds
  • by Glamdrlng ( 654792 ) on Tuesday October 18, 2005 @11:36PM (#13824130)
    The fact that Cisco has finally extended NAC support to its line of switches means that users are likely to be more interested in the technology than they were when it was only available on Cisco routers, said Joel Conover, an analyst at Current Analysis Inc. in Sterling, Va.


    Eh? NAC has been available on Cisco switches for a while now. Technically it's been available since they started supporting 802.1x, and switches have been compatible with the Cisco Security Agent since it was developed about a year ago. In fact, I haven't heard of routers being used in conjunction with NAC, CSA, or 802.1x. The only admissions control routers have ever done is access lists, which of course are also supported on layer 3 switches.

    Mr. Conover: did you actually do any research on the technology involved or did you just read through the glossies and spew out something you remembered from the CCNA class you took 5 years ago?
    • by sportal ( 145003 ) on Wednesday October 19, 2005 @12:31AM (#13824306)
      Reply to clueless slashdotter:

      NAC Phase 1 was deployed using EAPoUDP (EAP over UDP). It used routers to quarantine devices. It is a layer 3 solution. Other devices could still infect layer 2 connected devices.

      NAC Phase 2 (just announced) is deployed using EAPo802.1x (EAP over 802.1x). It uses switches to quarantine devices. It is a layer 2 solution. Thus an infected device cannot infect other layer 2 devices.

      http://www.acuitive.com/musings/hmv7-12.htm [acuitive.com]

      http://newsroom.cisco.com/dlls/2005/prod_101805.html [cisco.com]
      • Thanks for correcting me. I didn't do all my fact checking so I'll take the clueless label in the chest. I do question the usefulness of using a router or layer 3 switch to do your quarantining though, because from a defense in depth point of view the devices you want to protect with NAC are the ones on the same broadcast domain. As far as phase II being just deployed, I met with Cisco SEs about deploying NAC with layer 2 switches as the quarantine point in November 2004. I declined to test it because I'm
      • With a view to that 802.1x has been broken (http://blogs.technet.com/steriley/archive/2005/08/11/409021.aspx [technet.com]) and requires a cryptography layer to prevent rogue hosts from connecting to the network, I'd consider NAC breakable for now.
    • Actually, I did do my research. And you're not completely off about your Cisco SE asking you to test NAC with L2 switches back in 2004 -- This phase of NAC has been in "testing" for some time, and was originally promised by Cisco several months sooner - not that you should ever trust the promises of a vendor. It doesn't surprise me that SEs were out talking to you about it a year ago - Cisco made its roadmap very public when it first announced the NAC program. I'm disappointed that you fired a shot acr
      • I already put my foot in my mouth responding to a previous comment but I'll gladly do so again. Mmm, yummy. Could use a little ketchup though.

        I was in a pissy mood but I had no right to fire a shot in your direction because of it. If I had mod points and could mod my own post down I'd gladly do so. Please accept my humblest apologies sir.

        On a related note, I'm instituting a self-enforced ban on posting in tech forums right after getting out of a change control meeting.

  • by Quirk ( 36086 ) on Wednesday October 19, 2005 @12:00AM (#13824221) Homepage Journal
    If, like me, internetworking isn't in your bailiwick, there's a couple of resources I've found handy.

    Cisco's Internetworking Technology Handbook [cisco.com] is a bit dated but a great base resource downloadable in pdf.

    Pair the above with IBM's TCP/IP Tutorial and Technical Overview [ibm.com], and round things off by downloading Babel: A Glossary of Computer Oriented Abbreviations and Acronyms [geocities.com] since you'll be in acronym hell.

    Probably few /.ers need the above but they've given me a good overview and reference.

    For What it's Worth :)

  • be wary (Score:2, Interesting)

    by Anonymous Coward
    Be wary of anything that will lock you into other proprietary hardware. Cisco is running scared right now with Juniper and others right on their tail, so some of this is likely to further cement Cisco into client networks.
  • Yup, this will work awesome! Until virus creators / spyware creators / worms / trojans (blah blah) read this on slashdot, and reverse engineer it until they figure out how to distribute their viruses without being caught by the router... I'm sure it's not far off, mainly since Cisco is so large, so everyone will be implementing this soon
    • Or at least until they figure out a way to use the Cisco Trust Agent agent to distribute the virus/worm/trojan or any other kind of malicious code.
      • Cisco devices lend towards reboot when attacked with a buffer overflow so why not create a Slammer like worm with a quick infection vector and then at X time infected PCs send out a reboot sequence across the WAN, which in theory would cause Cisco devices to go into a reboot. If enough devices rebooted at the same time how badly would that affect the Internet? Not sure if this is plausible but if Cisco devices are vulnerable to traffic passing through them in this manner it would seem like an attack like th
  • This isn't a complaint about NAC, I actually like the idea.

    But I bet the way it integrates with the OS is a bit of a kludge (I haven't played with it, just guessing). Most network OSs have methods to integrate with host based auth systems - kerberos, LDAP or some such. Adding a secondary auth to the switch (which from what I hear of these technologies, they do) seems a bit hacky.

    It'd be great if the switch only let the client send auth packets to the kerberos / LDAP server, only enabling them to do anything
    • EAP [tldp.org], used in 802.1X, is pretty much exactly what you're talking about:

      "[EAP is] an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this." -

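The point in the EAP quote above, that the exchange runs directly over the data link layer without IP, can be seen by parsing an 802.1X (EAPOL) frame. This parser is an added example, not part of the thread or of any vendor's code; the sample frame, its MAC addresses and the identity "alice" are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # 802.1X port access entity EtherType
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak",
               4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def parse_eapol_frame(frame: bytes) -> dict:
    """Parse Ethernet II + EAPOL + EAP; raise ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    # Slice by the declared length so Ethernet padding is ignored.
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than its declared length")
    out = {"src": frame[6:12].hex(":"), "eapol_version": version,
           "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:          # Start/Logoff/Key carry no EAP packet
        return out
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    # Never trust the inner length field beyond what was actually received.
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length field inconsistent with frame")
    out.update(code=EAP_CODES.get(code, f"unknown({code})"), identifier=ident)
    if code in (1, 2):      # only Request/Response carry a method type
        if eap_len < 5:
            raise ValueError("Request/Response without a type byte")
        out["method"] = EAP_METHODS.get(body[4], f"type {body[4]}")
        out["data"] = body[5:eap_len]
    return out


# Constructed frame: supplicant -> PAE group address, EAP-Response/Identity.
SAMPLE_FRAME = (bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
                + b"\x88\x8e"              # EtherType: EAPOL, no IP header follows
                + b"\x01\x00\x00\x0a"      # EAPOL v1, type EAP-Packet, length 10
                + b"\x02\x01\x00\x0a\x01"  # EAP Response, id 1, length 10, Identity
                + b"alice")

if __name__ == "__main__":
    print(parse_eapol_frame(SAMPLE_FRAME))
```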
  • Compatibility? (Score:3, Informative)

    by fmwap ( 686598 ) on Wednesday October 19, 2005 @12:42AM (#13824345) Journal
    I wonder how this will work for non-Windows machines trying to gain access?

    Somebody mentioned the Cisco Clean Access Agent in a previous post, googling around a bit shows that only Windows is supported for the AV/Patch scan, and this is easily bypassed by changing the User-Agent on the HTTP login page. Details here [securityfocus.com]

    Cisco's canned response [cisco.com] is to use Nessus to determine the real OS, or write your own plugin. Although Windows boxen are probably the most common, and the biggest threat, non-Windows products need some sort of working by-pass that doesn't involve simply spoofing the UA.
    • If you actually read the docs, you'll see that CSA runs on Solaris and Linux as well, and the TrustAgent used for NAC is now available for Linux as well. Only Red Hat is officially supported, but I guess it should be possible to adapt it. I guess Mac OS X will come next.
  • NAC sucks (Score:5, Interesting)

    by Anonymous Coward on Wednesday October 19, 2005 @01:00AM (#13824394)
    We've tried to deploy NAC locally. It's hell to configure the "CTA" (i.e. magic software that runs only on Windows). It's hell to configure the switches (docs? Like they help...) It's hell to configure Cisco ACS (does Cisco even *use* that PoS?)

    NAC is great in theory, but it's Windows-only, it requires extra software on Windows boxes, it requires all of your switches to be NAC aware, and it requires a NAC aware authenticator.

    Can you say "not going to happen"?

    If someone else comes out with something similar that can be used in the real world, like 802.1x supplicants with a bit more smarts, it will be deployed so fast that Cisco's NAC will be a sad memory.

    NAC: Good in theory. Cisco "gets" routers. They don't "get" network administration.
    • And I assume Cisco wants some $ per seat, as well--that may be the biggest barrier of all in most places against this next step (client attestation) towards a locked-down Trusted Computing environment.
    • Re:NAC sucks (Score:1, Informative)

      by Anonymous Coward
      We're deploying NAC for Solaris, Linux, and OS X clients as well as Windows. Hosts which don't pass muster (can be defined by patch levels, a port scan, etc) can be placed on a fallback VLAN which of course you can apply whatever ACLs or security measures you like.
    • Re:NAC sucks (Score:1, Insightful)

      by Anonymous Coward
      Imagine the fun when NAC flips out and decides to stop talking to the ACS servers. Everyone on a network is suddenly running in virus-mitigation mode (no network access in our configuration). The fix: reboot the router.

      Cisco hasn't made a good product since the Cisco 2500 router running IOS 11.

      I like to remind my PHB when he says "Nobody ever got fired for buying Cisco" that people have gotten fired for wasting money on lousy hardware with 20% failure rates and software that requires more reboots than a Wind
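The admission outcomes discussed in this thread (permit, restrict, quarantine, deny, the fallback VLAN for hosts that fail posture checks, and what happens when the policy server stops answering) can be written as one explicit decision function. This is an added sketch, not Cisco's logic or anything posted in the thread; the VLAN numbers, posture fields, thresholds and host names are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    PERMIT = "permit"
    RESTRICT = "restrict"
    QUARANTINE = "quarantine"
    DENY = "deny"

# Hypothetical VLAN plan; DENY leaves the port unauthorised (no VLAN).
VLAN_FOR = {Action.PERMIT: 10, Action.RESTRICT: 20,
            Action.QUARANTINE: 99, Action.DENY: None}

@dataclass
class Posture:                      # fields a host agent might report (assumed)
    av_running: bool
    signature_age_days: int
    missing_critical_patches: int

@dataclass
class Policy:
    max_signature_age_days: int = 7
    # Outcome for authenticated hosts when the policy server is unreachable.
    server_down_action: Action = Action.QUARANTINE

def decide(authenticated: bool, posture: Optional[Posture], policy: Policy,
           server_reachable: bool = True):
    """Return (action, vlan, reason) for one host asking to join."""
    if not authenticated:
        action, reason = Action.DENY, "authentication failed"
    elif not server_reachable:
        action, reason = policy.server_down_action, "policy server unreachable"
    elif posture is None:
        action, reason = Action.RESTRICT, "no posture report (agentless host)"
    elif not posture.av_running or posture.missing_critical_patches > 0:
        action, reason = Action.QUARANTINE, "AV stopped or critical patches missing"
    elif posture.signature_age_days > policy.max_signature_age_days:
        action, reason = Action.RESTRICT, "AV signatures out of date"
    else:
        action, reason = Action.PERMIT, "posture compliant"
    return action, VLAN_FOR[action], reason

def admit_all(hosts: dict, policy: Policy, server_reachable: bool = True) -> dict:
    """hosts maps name -> (authenticated, posture); returns name -> decision."""
    return {n: decide(a, p, policy, server_reachable) for n, (a, p) in hosts.items()}

# Constructed sample hosts, not taken from any real network.
SAMPLE_HOSTS = {
    "laptop-ok": (True, Posture(True, 1, 0)),
    "laptop-stale": (True, Posture(True, 30, 0)),
    "laptop-unpatched": (True, Posture(True, 1, 3)),
    "printer": (True, None),
    "unknown": (False, None),
}

if __name__ == "__main__":
    for name, (action, vlan, reason) in admit_all(SAMPLE_HOSTS, Policy()).items():
        print(f"{name:18} {action.value:10} vlan={vlan} ({reason})")
```

Making `server_down_action` an explicit policy field forces the choice between quarantining everyone and admitting hosts with restricted access to be made before the policy server fails, rather than discovered during an outage.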
  • end user authentication with a side-order of bloat - supersized with a vendor lockin feature. I wonder how well non-cisco devices will work with the new NAC overlords?
  • This is nothing more than an advertisement.
  • Cisco is a late player to this game, and they're still catching up. They bought a company to bring this technology into the Cisco brand, and they're still working on "cisco-izing" the product.

    Last time I checked this only works with Cisco hardware in the wiring closets.

    Other than that, does it yet come close to the capabilities of Bradford's Campus Manager [bradfordnetworks.com]? Any college trying to lock down their resnet probably used Campus Manager.
  • Because you can trust Cisco with your security [evilscientists.de].
  • Cisco Updates Network Security Technology is one word swap from being a great acronym.
  • Came from the New York City launch (4-hour seminar), a pre-filtered event for established security pros. It got very good feedback from this learned bunch. Trend Micro is also one of their partners for this package. It seems very promising and effective.
    • On a completely off-topic note, can I just mention that your website is one of the worst things I've ever seen on the Internet?

      Most websites require the use of garish colours and Flash to achieve the level of horror that you have managed with just black and white.

      I would prefer to spend a week looking at Goatse than experience that again.
