CRN Interview: Cisco's Chief Security Officer Explains NAC Strategy Shift


As chief security officer for Cisco Systems, John Stewart is tasked with securing an enterprise network of more than 60,000 PCs and managing the San Jose, Calif., networking giant's security programs. At the Black Hat security conference in Las Vegas this week, Stewart talked with CRN about recent developments in Cisco's Network Admission Control (NAC) initiative as well as larger issues affecting the security industry.

CRN: Why did Cisco decide to reposition the Clean Access Appliance, now called the NAC Appliance, for enterprise NAC deployments? What does this mean for the industry framework that Cisco envisions becoming a standard for deploying NAC?

STEWART: The framework is progressing as expected. In the past year, we've moved from a purely framework approach to NAC to one that includes the framework and the NAC Appliance. That move has resonated very well with customers who are interested in bridging a multivendor network--or bridging a network that's being upgraded to make it ready for NAC--but would like some usable results immediately.

We've learned that we have enterprise customers who feel the appliance model is what they would like to do philosophically. Instead of placing NAC onto every port or every single network jack, they want to deploy the appliance. We've also learned there are customers looking for immediate, short-term results where they can deploy NAC quickly--and to a degree seamlessly--without changing their network topology.

While customers have bought into the framework vision and want to deploy network security all the way to the port, they're feeling short-term pain. As a result, we've had customers ask Cisco for an interim step they can take as we work toward the NAC framework topology, because it's going to take years for us to roll it out.

CRN: Where do things stand with the work being done to make Cisco's Network Admission Control and Microsoft's Network Access Protection interoperate?

STEWART: Same as it always has been. These two technologies will work together, and we are both committed to making that happen. Part of the reason we don't talk about it is that Cisco and Microsoft are building at exactly the same time. We're building NAC; they're building Vista. We're just making sure to constantly be in communication with Microsoft to ensure that interoperability is there.

We don't yet have the reference architecture that would allow us to point and say, 'Here's exactly how NAC and NAP are going to work together.' We know what we're both working toward, but we don't have a Vista/NAC deployable field trial yet because we're both in the midst of building it.

 
