Microsoft and Cisco Systems have agreed to combine their respective endpoint security policy enforcement technologies, but Microsoft is going to delay its delivery of the technology by two years until 2007. As Kevin Murphy explains, the moves will either simplify or complicate the move towards an endpoint security standard, depending on who you are.
Under the agreement, Microsoft’s fetal Network Access Protection (NAP) and Cisco’s Network Admission Control (NAC) programs will merge. Cisco director of business development Dave King said Cisco and Microsoft will share APIs and protocols to make their respective systems compatible, and to mutually develop standards in access control “that we think will drive adoption.”
NAC and NAP both had a similar premise: create technology that helps organizations set security policies that enable the network to automatically block, quarantine and remediate non-compliant networked devices.
The two main components of Cisco NAC, other than compliant routers and switches, are Trust Agent, which sits on endpoints and gathers security state information from other software, and Access Control Server, which makes enforcement decisions.
Mr King said that under the deal, the two companies will make it so that customers will be able to select Microsoft software instead of Cisco’s client and/or server pieces, and that the Cisco kit in between will support that.
Microsoft has ditched its plan to put NAP in Windows Server 2003 R2, due 2005, in favor of putting it in Longhorn, the next version of Windows, due 2007. This could have led to competing Microsoft and Cisco specs, one tied to switches, one to the OS.
Microsoft was not available for comment on the delay, which appears to be coming as merely the latest in a series of development reprioritizations from the company, which is said to be facing a resource crunch.
Standards peace has not broken out just yet, however. Cisco, which looks like it will be driving the partnership for the next few years, has put no timeline on opening the specs to others, and some Microsoft and Cisco competitors are still out in the cold.
For companies providing client security software, the standards mean supporting the plumbing for endpoint compliance will be easier and cheaper, said Rees Johnson, director of product management at McAfee.
McAfee, and competitors including Symantec and Trend Micro, are all relatively platform neutral when it comes to server operating systems and network infrastructure. All three companies already had their eggs in both the NAP and NAC baskets.
But there is a third movement underway, formed at the initiation of competitors of both Microsoft and Cisco, to provide a standards-based approach to the same endpoint security problem, and at the moment Cisco is not playing ball.
Within the Trusted Computing Group, the Trusted Network Connect initiative is a consortium of vendors looking to create specs that do the same as NAP and NAC, but do not specify the OS or router/switch infrastructure.
“It’s something where pretty much the entire industry with the exception of Cisco is working on an open standard,” said Matt Palmer, senior manager of strategy at Juniper Networks, a key Cisco competitor.
Cisco’s Mr King said that the company has no plans to take its work with Microsoft to the TCG group. Cisco’s approach is to work with the standards groups, not with consortia, he said. The IETF and IEEE are preferred, he said.
If you draw a Venn diagram of the three initiatives, you can now cluster Microsoft and the major client antivirus/firewall vendors, Symantec and McAfee for example, in the intersection of all three areas.
In the diagram, Cisco straddles the NAC and NAP circles, while its rivals, such as Juniper, Extreme and Foundry, sit in the intersection of TNC and NAP. Some of Microsoft’s operating system rivals sit in the TNC areas.
One Microsoft partner, working with Microsoft on some of its NAP development ideas, said he believes the deal means Microsoft will end up using code based on the Cisco Trust Agent code in Longhorn.
It’s not currently clear how this would affect NAP, given that the Microsoft-led program, announced in July, is stuffed with network device makers that compete with Cisco and with which Cisco has made no attempt to work yet.
It appears that the industry is down to two competing standards movements now: one Cisco-Microsoft led with some hardware already on the market, and one with broader industry support that does not yet have specs or products available.
Cisco NAC is currently supported in some of its routers. Support in switches, VPNs and wireless access points is planned for next year. Last week, IBM Tivoli announced forthcoming support for it.