Microsoft, Cisco: Visions Of Network Security

Microsoft's Network Access Protection (NAP) technology, targeted for 2005 release as part of the next Windows server upgrade, is designed to provide protected access to private corporate networks by enforcing policies for every laptop, PC and related device.

Cisco's Network Admission Control (NAC), viewed by some as a competitive technology, similarly ensures that all systems hooking up to a corporate network meet corporate security policies. NAC is currently integrated into Cisco's latest line of routers and soon will be incorporated into the next line of switches and remote-access VPN devices, said Russell Rice, product marketing manager for Cisco's NAC group.

The challenge for partners is deciding which architecture to back.

"They're coming at the same problem from a different layer--Cisco at the networking layer and Microsoft at the OS layer--and their overlapping is a problem," said Paul Freeman, president of Coast Solutions Group, Irvine, Calif., a distributor of technology services. "The problem comes if there's no standard. You'll have the VHS and Betamax problem."

Microsoft and Cisco hope to prevent that scenario. In deep discussions with each other, they pledge to make their two technologies interoperable--yet they acknowledge that they have yet to reach an agreement. "The nirvana has always been getting the network and OS layers to work together, so once we gain agreement on how APIs will work and pass messages back and forth, it'll be a major step forward," said Steve Anderson, director of Windows marketing at Microsoft.

In the meantime, partners are eyeing both approaches before making a decision. One solution provider familiar with both technologies said roughly 70 percent of the feature sets overlap, which negates the need for partners to support both.

Executives from the two vendors acknowledge some overlap in functionality--notably in the client inspection and enforcement arena--but said they believe each architecture is sufficiently distinct.

Trend Micro, an antivirus ISV in Cupertino, Calif., has announced support for NAC and NAP. Now it will wait for the market to dictate the winner--or winners.

But while larger ISVs might be able to support both technologies, customers might balk at paying twice for redundant products, said Robert Lehmann, solution engineer at Coast Solutions. "The worst thing you're doing is duplicating energies and costs. That's the only conflict," Lehmann said. "I'd be worried about double-dipping costs and paying twice for the same feature."

To that end, Coast Solutions advises partners to pick solutions based on their customers' current investments in those vendors' products. For instance, an enterprise customer with a mixed environment and Cisco routers might get a bigger bang for the buck with Cisco's NAC solution, while a smaller, Microsoft-only user might get more ROI from NAP.

And although Microsoft's NAP will be integrated into the Windows server, SMBs can expect significant installation and implementation costs, observers said. This will present big opportunities for partners as they tie all the pieces together.

"This is a complicated deployment because it touches so many things--you're touching the entire connected infrastructure," said Microsoft's Anderson. "Partners will play a major role in this."

One big role will be in helping customers avoid runaway costs. "These are two very different management philosophies and buying centers," said Gartner Group analyst John Pescatore. "Cisco's approach requires enterprises to upgrade their routers and switches. Microsoft's approach requires them to upgrade to Windows XP on the desktop, Windows 2003 on servers and Active Directory. Both are amazingly expensive compared to using existing approaches from companies such as Check Point or Sygate."