Microsoft, Cisco Sign Security Accord On Network Access APIs


Microsoft's NAP Delayed Until Longhorn


Microsoft and Cisco have agreed to make their respective network security architectures interoperable, but the collaboration won't matter for some time.

The release of Microsoft's Network Access Protection (NAP) technology has been pushed back two years to coincide with the Longhorn server release, said Samm DiStasio, group product manager for Microsoft's Windows server product management group.

When it unveiled plans for NAP in July, Microsoft said it would deliver the security service with the Windows Server 2003 R2 update in 2005.

At that time, more than 25 security, firewall, patch management and networking ISV partners announced support for Microsoft's planned network-access plan and APIs, but Cisco was absent from that list.

Microsoft downplayed the delay of NAP and, after months of negotiation, touted the agreement reached with Cisco as a significant breakthrough.

Microsoft plans to make Windows Server R2 available without NAP during the second half of 2005, but it will include Windows digital rights management services, Windows SharePoint Services, SAN management features and Active Directory Federation Service, DiStasio said.

As it continues work on NAP, Microsoft will make its existing VPN Quarantine feature easier to use in Windows Server 2003 Service Pack 1, which is due during the first half of 2005. Network protection for wired and wireless connections, however, won't come until the NAP time frame, Microsoft said.

Network Admission Control (NAC) is Cisco's initiative to build features that combat security threats such as worms and viruses into its network infrastructure. NAC functionality gives customers the ability to restrict network access from devices such as PCs, servers and PDAs that are not compliant with their established security policies in areas such as operating-system patch level or antivirus state.

The San Jose, Calif.-based vendor unveiled the program initiative in November of 2003 and began shipping NAC-enabled routers in June. It plans to debut NAC-enabled switches in early 2005, one Cisco executive said last week.

Microsoft and Cisco said they will develop a number of joint standards and ensure that their architectures are compatible and interoperable. Compatibility ensures that if one system allows a user network access, that user will have access to all compatible networks.

Interoperability would give the Cisco router control of initial user access but would allow Windows to check user information against policies, offer remediation if needed, and then pass the message back to Cisco, DiStasio said.

"Going forward we hope to do more things together to bring these solutions together, and at that point I think it will have a bigger impact on the channel," said Richard Palmer, vice president and general manager of Cisco's security business unit.

Microsoft declined to comment on whether the long delay of NAP will essentially cede the network-access software market to Cisco and its partners, who can sell and service NAC today.

"It's a boon from the standpoint that Cisco and Microsoft will work together to make it easier for everybody," DiStasio said. "As we drive toward standards, it's good things for the ecosystem."

In the meantime, Microsoft is pushing hard to release Windows Server 2003 Service Pack 1, which was originally due during the second half of 2004. It will feature a Security Configuration Wizard and better support for branch-office deployments.

DiStasio said Microsoft will also try to ease deployment woes for partners and customers by turning the firewall off by default. The Windows XP Service Pack 2 released in August posed significant deployment obstacles for partners and customers due to changes in the RPC and DCOM technologies and due to the fact that the firewall was turned on by default to provide built-in protection for end users.

JENNIFER HAGENDORF FOLLETT contributed to this article.