Cisco Rolls Out New Access Control Tools

Started by Sunite, November 19, 2007, 08:24:17 PM

Sunite

Cisco Rolls Out New Access Control Tools
By Mark Long
September 10, 2007 11:37AM

In addition to introducing the new NAC module, Cisco is rolling out a new NAC endpoint profiler that will enable I.T. shops to monitor devices beyond the standard PC deployments they have managed in the past. When the NAC profiler detects machine activity that does not match an expected profile, a manager is automatically notified.

Cisco has announced two new products that promise to reduce the complexity of authenticating the plethora of electronic devices that need to connect to today's enterprise networks over wireless and wired links.

The new offerings deal primarily with the network access control (NAC) level to determine who gets access to the enterprise network and what they have access to, said Cisco's director of security solutions Fred Kost. "The threat is from devices allowed onto the network that might gain access to things they shouldn't, or from devices that are not equipped with the latest antivirus or antispyware software," Kost noted.

Cisco's new NAC module, which attaches to the company's existing lineup of integrated services routers (ISRs) for branch offices, is designed to resolve potential threats and vulnerabilities locally before they are transferred over the company's wide area network.

Single-Box Format

The NAC module also is designed to reduce the complexity of dealing with these potential threats, because the architecture has the NAC options built in the routing and switching layer of the network, said Cisco's NAC product marketing manager Brendan O'Connell.

The technology is deployed in "a single-box form factor with a simpler architecture that is also easier to troubleshoot," O'Connell explained. "And because it's all in one physical device, the ongoing costs associated with power, management, and maintenance are lower."

The equivalent stand-alone appliance for 100 users has a list price of $9,000, while the 100-user NAC module has a list cost of $5,000, O'Connell noted. Moreover, the NAC module's maintenance cost is covered under the annual agreement covering Cisco's Integrated Services Routers (ISRs), whereas the standalone appliance commands a separate annual maintenance fee.

Cisco is also rolling out a new NAC endpoint profiler that will enable I.T. shops to control other devices beyond the standard PC deployments they have managed in the past. "Printers and other devices with IP addresses are not managed in the same way that PCs are," Kost explained. "So these devices could pose a threat if they were allowed to connect to the network."

Spoof Spoiler

The NAC profiler compares network devices to a detailed inventory both before and during their connection to corporate networks, "because potentially you could have someone posing as an authorized device in order to gain unauthorized access to the network," O'Connell noted.

For example, someone could spoof the IP address of a printer in order to gain access to restricted resources, or download malicious code onto the network. "The NAC profiler brings in the IP address and periodically polls the device to look at its network traffic to make sure it still is functioning as a printer," O'Connell explained.

When the profiler detects that machine activity does not match the device's expected profile, the I.T. manager is automatically notified. "It can also automatically put the device into a quarantine area network or restrict access," O'Connell said.

In addition, Cisco's NAC profiler eliminates all the time that I.T. shops formerly had to devote to compiling exception lists for devices such as printers and VoIP phones that do not fit the standard PC profile.

"The profiler automates the process without anyone having to build a catalog," said O'Connell. "It brings back the information it has gathered about the device and verifies its integrity before allowing it access."
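
The profile check described in the article (compare a device to an inventory entry, keep watching its traffic, then notify or quarantine on a mismatch) can be sketched as below. This is an added example, not Cisco's code and not part of the original article; the inventory, the per-class port profiles, the `Session` record and the `evaluate` function are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: IP address -> device class it is registered as.
INVENTORY = {"10.0.5.20": "printer", "10.0.5.31": "voip_phone"}

# Assumed per-class profiles: ports the device may serve, and ports it may
# connect out to. Real profiling uses far richer attributes.
PROFILES = {
    "printer": {"serves": {515, 631, 9100}, "dials": {53, 123}},
    "voip_phone": {"serves": {5060}, "dials": {53, 69, 123, 5060}},
}

@dataclass(frozen=True)
class Session:
    """One established session seen during a polling interval."""
    src: str
    dst: str
    dport: int

def evaluate(ip, sessions, auto_quarantine=True):
    """Compare one device's observed sessions with its inventory profile."""
    device_class = INVENTORY.get(ip)
    if device_class is None:
        reasons = [f"{ip} is not in the inventory"]
    else:
        profile = PROFILES[device_class]
        reasons = []
        for s in sessions:
            if s.dst == ip and s.dport not in profile["serves"]:
                reasons.append(f"serves port {s.dport}; not {device_class} behaviour")
            elif s.src == ip and s.dport not in profile["dials"]:
                reasons.append(f"opens {s.dst}:{s.dport}; not {device_class} behaviour")
    if not reasons:
        return "allow", reasons
    return ("quarantine" if auto_quarantine else "notify"), reasons

# Constructed samples: a real print job, then the same address browsing
# file shares and SSH as a workstation would.
NORMAL = [Session("10.0.2.14", "10.0.5.20", 9100)]
SPOOFED = [Session("10.0.5.20", "10.0.9.4", 445), Session("10.0.5.20", "10.0.9.4", 22)]

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("spoofed", SPOOFED)):
        print(label, evaluate("10.0.5.20", sample))
```

The address alone passes the inventory lookup in both samples; only the observed behaviour separates the printer from a host that has taken over its IP.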