CRN Interview: Cisco's Chief Security Officer Explains NAC Strategy Shift

As chief security officer for Cisco Systems, John Stewart is tasked with securing an enterprise network of more than 60,000 PCs and managing the San Jose, Calif., networking giant's security programs. At the Black Hat security conference in Las Vegas this week, Stewart talked with CRN about recent developments in Cisco's Network Admission Control (NAC) initiative as well as larger issues affecting the security industry.

CRN: Why did Cisco decide to reposition the Clean Access Appliance, now called the NAC Appliance, for enterprise NAC deployments? What does this mean for the industry framework that Cisco envisions becoming a standard for deploying NAC?

STEWART: The framework is progressing as expected. In the past year, we've moved from a purely framework approach to NAC to one that includes the framework and the NAC Appliance. That move has resonated very well with customers who are interested in bridging a multivendor network--or bridging a network that's being upgraded to make it ready for NAC--but would like some usable results immediately.

We've learned that we have enterprise customers who feel the appliance model is what they would like to do philosophically. Instead of placing NAC onto every port or every single network jack, they want to deploy the appliance. We've also learned there are customers looking for immediate, short-term results where they can deploy NAC quickly--and to a degree seamlessly--without changing their network topology.

While customers have bought into the framework vision and want to deploy network security all the way to the port, they're feeling short-term pain. As a result, we've had customers ask Cisco for an interim step they can take as we work toward the NAC framework topology, because it's going to take years for us to roll it out.

CRN: Where do things stand with the work being done to make Cisco's Network Admission Control and Microsoft's Network Access Protection interoperate?

STEWART: Same as it always has been. These two technologies will work together, and we are both committed to making that happen. Part of the reason we don't talk about it is that Cisco and Microsoft are building at exactly the same time. We're building NAC; they're building Vista. We're just making sure to constantly be in communication with Microsoft to ensure that interoperability is there.

We don't yet have the reference architecture that would allow us to point and say, 'Here's exactly how NAC and NAP are going to work together.' We know what we're both working toward, but we don't have a Vista/NAC deployable field trial yet because we're both in the midst of building it.

NEXT: Cisco's acquisition of Meetinghouse Data Communications

CRN: What's the strategy behind Cisco's recent acquisition of Meetinghouse?

STEWART: The Meetinghouse acquisition was very customer-driven. Our customers told us that since Cisco has worked out NAC on Layer 3 and Layer 2--as well as for routers, switches and WLAN access points--they would rather purchase the client supplicant software from us. This took us by surprise a little bit. We thought that because our traditional work is in the network area, most of our customers would prefer to buy the end-point technology on their own.

We actually heard that customers want the whole, end-to-end NAC solution, from the end point to the infrastructure to the end point. And they want to buy it from Cisco so they can be confident that it's all working correctly and that they're not trying to integrate multiple vendors.

CRN: Several Cisco products were recently found to be vulnerable to denial-of-service attacks due to a flaw in the Internet Key Exchange (IKE) Protocol, which enables remote IPsec VPN access. Although Cisco said it's a problem with the protocol itself that requires industry cooperation to fix, are you doing anything on your end to mitigate the risk?

STEWART: The issue isn't specific to one technology or vendor, and we believe it's a broader problem. Now most of the vendors that are using IPSec-based IKE are starting to look at their own products. Despite all that we've learned to date about this issue, there are no easy ways to mitigate this risk without breaking the protocol itself. The issue exists in version one of IKE, and version two doesn't have same vulnerability. But it hasn't yet been widely adopted across the industry.

We're also putting together the equivalent of an internal, customer-facing white paper explaining what it means. We're making customers aware that what we're doing is trying to stretch the bonds of imagination for ways to address the issue that don't break the protocol but still lower the risk to our customers.

CRN: Has the threat of attacks on VoIP systems been overhyped?

STEWART: I wouldn't say that the threat has been overhyped, just well-covered. However, it's important to realize that voice is one part of many pieces when it comes to securing a corporate network, and to recognize that in a converged network, voice and data are getting on par in terms of equal importance. There might be a little imbalance in terms of focusing on voice security and more than data security, when in reality, both are important to any company.

CRN: Does Cisco require its mobile workers to encrypt data on their notebook hard drives?

STEWART: Yes, and we just revised that policy and in fact are in the middle of deploying an undisclosed technology from another vendor. However, we're doing it not only for mobile PCs but also desktops, with the assumption that these could get physically stolen as well. So we're trying not to differentiate between mobile and non-mobile.

Cisco faces a slightly different issue than many companies, especially those that have been in the news of late for losing data. For the most part, we don't take credit cards, and we don't store personal information of our customers. What we do have is employee information and other customer information, and that is something we are very concerned about protecting.