Microsoft and Cisco Play Nice on Security Interoperability
Published: September 13, 2006
by Alex Woodie
Microsoft and Cisco Systems last week published a technical white paper demonstrating how their new network security technologies will work together. The companies also announced a general roadmap for interoperability, and told users to expect the first beta of a product that will link the new computer health validation technologies, which Cisco calls Network Admission Control (NAC) and which Microsoft calls Network Access Protection (NAP), before the end of the year.
Microsoft has made no secret that it intends to improve the security of its new operating systems, including Windows Vista, which is due to ship to businesses in a couple of months, and Windows Server "Longhorn," which is still a year away. One of the key new security technologies is NAP, a new capability that will prevent PCs or servers without the latest security patches from joining an existing network, or only allow those computers to run with restricted access until they are brought up to speed. Microsoft plans to include NAP in both Vista and Longhorn, and plans to backport it to Windows XP Service Pack 2, as well.
The idea behind NAP is to nip the weakest security link in the bud. By preventing poorly protected computers from joining a trusted network and potentially infecting other computers, administrators can scratch one huge security headache off their list. After all, it is not terribly difficult to secure a PC these days--turn on Windows Update to get the latest patches, install and run a firewall, and keep your antivirus definitions up-to-date--but even these basic steps have proved too much for some users, which is why even older viruses and malware are still running about the Net.
NAP is a great idea, and it's no great surprise that Microsoft wasn't the only one to come up with it. In fact, Cisco has been selling their version of NAP, which they call NAC, for some time now, and has a bevy of vendors lined up behind NAC, including CA, IBM, Intel, and Symantec. The stakes are too high for these IT giants to quibble over competing standards (this isn't the consumer high-definition DVD-player market, after all), so thankfully, Microsoft and Cisco have pledged to play nicely.
And, following last week's announcements, Windows shops can feel good about moving forward with Cisco's NAC technology today, without worrying about interoperability once Microsoft's NAP makes its appearance later next year with the delivery of Windows Server 2008 or whatever name Longhorn will be called eventually (Windows Server Buckeye will get the Ohio vote). This is a situation where what's good for the goose is even better for the gander.
"This is exactly what is needed," says Zeus Kerravala, vice president of security and networking research at Yankee Group, in the joint Microsoft-Cisco announcement. "Microsoft and Cisco must work together on this, and I'm pleased to see these two companies make the investment and the engineering commitment for interoperability."
Protocol-sharing between the two companies will result in the delivery of a client agent for Windows Vista, called the Microsoft NAP Agent, that will enable businesses to use either the NAC technology included today in Cisco's routers, or the Microsoft NAP technology that Microsoft will ship next year in Longhorn.
The collaboration will also result in the delivery of a single set of APIs, delivered by Microsoft, for enabling third-party vendors to hook into both NAC and NAP Windows-based infrastructure, the two companies said. For non-Windows Vista and non-Windows Server infrastructures, users will be pointed toward Cisco's own NAC client, which it calls the Cisco Trust Agent; Windows XP SP2 users will need the Cisco Trust Agent as well as Microsoft's NAP Agent installed on their PCs. The agreement also calls for Cisco to eventually submit its Cisco NAC protocols to a standards body, and for the "customer experience" in both security technologies to be similar, according to last week's announcement.
The white paper, titled "Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture," can be downloaded at www.microsoft.com/nap or www.cisco.com/go/nac.