Executives from Microsoft and Cisco will demonstrate at a security conference in Boston next month how Microsoft's Network Access Protection (NAP) policy enforcement and Cisco's Network Admission Control (NAC) will work together to protect networks from unauthorized or infected users, said those familiar with each company's plan.
This is a big step forward for a partnership struck between Cisco and Microsoft in October 2004. Cisco had already developed products based on NAC. Microsoft said in July 2004 it was developing NAP. Cisco is already shipping its products. NAP requires Microsoft's next-generation desktop OS Vista and server OS code-named Longhorn to work.
"We have clients who are begging to get NAC in place, but they stumble around issues involving [vendor] roadmaps," said Robert Whiteley, an analyst at Forrester Research Inc. in Cambridge, Mass. "Who will be the main policy server? Who will be the main enforcement mechanism? Will the vendors play nicely together?"
Now, IT managers can make local decisions. "You may choose to go with all Microsoft because [a particular installation] doesn't warrant a Cisco investment," Whiteley said.
As it turns out, there will be a single agent in Vista that can be a NAP or NAC client, according to one expert who asked not to be identified. Microsoft
NAC products use a software agent that gathers information in Cisco's RADIUS server and sends it to Cisco's Secure Access Control Server, or ACS. The Cisco Secure ACS checks with third-party policy servers to see if the devices comply with security parameters and enforces network security policies when necessary.
Microsoft's NAP technology works through software agents as well, but the data is passed to Microsoft's Network Policy Server, which checks with a third-party server to ensure policy compliance.
Microsoft has said that NAP could be used only with its Longhorn server, which won't ship until late 2007. It can also run on Microsoft's XP SP2 as long as each device in the network receives a NAP update.
There is also a third technology being developed by a nonprofit industry group called the Trusted Computing Group. The group's proposed technology supports both Microsoft's and Cisco's technology but is based on more open standards.
Cisco and Microsoft have been running tests of the combined technology, said John Pescatore, a security analyst with the Gartner Inc., based in Stamford, Conn.
"They have made a lot of progress in a fairly short amount of time," Pescatore said. "After almost two years of badgering them, they have convinced me that the difficulties that lie ahead are mostly technical in nature, not political."
Pescatore said he has seen a beta of the combined technology operating on a live network, and it did what officials said it would do -- protect the network from unauthorized or potentially insecure or infected access from client machines. "It is simplistic, but it answers a lot of the questions about how the technologies will work together," he said.