Cisco Systems Inc.’s announcement of a network admission control module for its popular Integrated Services Router will allow companies to “stick a toe” into NAC technology at a lower price point, one analyst says.
Cisco launched the NAC Network Module Monday. In a pre-briefing before the launch, Cisco NAC product manager Brendan O’Connell said one of the keys of the ISR line is the ability to plug modular services directly into the backplane of the router and turn them on inside the network hardware.
“Whether it’s security applications like NAC now, or IDS and IPS, or voice applications, the ISR is a fantastic platform for customers who are looking at designs with a lot of these services enabled,” because they are included in a single footprint, O’Connell said.
“That drives down their operational expenditures and their design considerations. When you only have one box out there to deal with, it’s a lot less complex for them to manage.”
That opens up a lot of design options for customers with multiple locations and branches, he said.
Since the ISR was introduced three years ago, Cisco has been trying to bring more components into the platform to provide a full branch solution for the customer, said Inbar Lasser-Raab, director of marketing for Cisco’s Advanced Routing Technology Group.
“From an architecture point of view, we have a lot of ways to add additional modules and additional capabilities,” both hardware and software, Lasser-Raab said, as well as hardware acceleration modules for the performance boost needed to handle the increased number of in-box services.
By adding the NAC module to the line, “we’re really lowering the barrier to entry for our customers, allowing them to start with a NAC solution even at smaller branches that are more remote, where they don’t have IT staff. They just plug that module in and they’re part of the overall NAC solution,” she said.
Phil Hochmuth, senior analyst with Yankee Group, agreed the modular format is a good starting point for companies looking into NAC.
“Integration with the router is a bit of a no-brainer” for Cisco customers, Hochmuth said. It allows customers to get started with NAC at a lower price point than with a standalone appliance.
A company can “stick a toe in the environment,” he said, trialing the NAC technology at branch offices and moving it into head office if it works out. “It’s a similar approach they took to voice over IP a few years ago,” he said.
The module is identical in functionality to Cisco’s NAC appliance, Lasser-Raab said. “We package it as the module with a 50-user licence or the module with a 100-user licence, so it’s really the lowest entry point to the NAC solution that Cisco offers today,” she said. The appliances start at 100-user licences, with 250-, 500-, 1,500- and 3,500-user licence options.
Cisco also announced the NAC Profiler, an appliance which automatically identifies and monitors network end points, particularly those not associated with a user — printers, access points, etc.
“Historically, NAC has been focused on PC-type endpoints,” O’Connell said. For non-PC endpoints, it’s largely been an exception system — simply accepting them and allowing them access to the network. The profiler, rather than just allowing access to the network, gathers more information about the device and its behaviour.
In an enterprise environment that isn’t running voice over IP, half the network end points aren’t PCs; in a VoIP environment, it’s two-thirds, O’Connell said. “They’re printers, they’re projectors, the badge readers on phones, all sorts of other IP-enabled, but not PC, endpoints…The NAC problem is a lot bigger than just operating system-based machines.”
The profiler is designed to automate the manpower-intensive process of identifying machines by MAC address and creating exceptions. It also monitors behaviour, rather than just excepting the device. If a device identified as a printer, for example, is accessing a print server, that’s normal behaviour. If it tries to access a Web page, that isn’t.