In the relatively short history of Internet Security it has been a long time since Cisco proposed their solution to the host security problem. It was July-August of 2003 that MSBlaster, a worm that infected most enterprises because laptops brought it in with them, highlighted yet another problem with enterprise security. I was on the road as usual in that time frame and I talked to one manager of an IT department for a large Credit Union in DC. He said that security guards were stopping all visitors and employees in the lobby and checking their laptops for infection before they were allowed into the building. This made scheduling meetings difficult because no one planned for the extra 45 minutes it took to do the scan of their laptop.
So, the logical solution to the problem of infected laptops is to have the network act as a security guard, right? Any computer trying to connect will first have to be frisked for compliance with a long list of requirements that could include:
Up to date AV signatures (from any provider) AV engine turned on Presence of a firewall Presence of Cisco’s Security Agent Up to date security patches
This concept is called Admission Control. It is interesting that Microsoft has a competing technology, Network Access Protection, vs Cisco’s Network Admission Control. Interesting in that Cisco is using the concept to leverage themselves into the host space and Microsoft is using it to enter the network space; a strong violation of Stiennon’s First Law. (See yesterday’s post)
So here are the problems with CNAC and NAP.
First, Cisco and Microsoft do not make up the entire Universe. Dozens of other systems exist and will not play nice with these giants.
Second, the concept requires the AV vendors to play nice with Cisco who is looming as a major competitor ever since Cisco purchased Okena and introduced the Cisco Security Agent. Cisco also announced a partnership with Trend. How is that going to motivate Symantec and McAfee?
And finally, according to IDC, networking is driven first and foremost by the need for uptime and throughput. Security is still a secondary concern to network administrators. Anything that prevents access will be shunned by these decision makers. Anyone who has been in networking shudders at the thought of the first call from the VP of whatsit who cannot get access because of some little mis-configuration. And CNAC/NAP are going to be rife with such problems.
Network Admission control is a broken concept. It won’t work.
Originally published at www.threatchaos.com