ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security threats Toolkit

Microsoft and Cisco clash on security

Marguerite Reardon CNET News.com

Published: 17 Sep 2004 13:00 BST

With Cisco's architecture, customers must use the Cisco Access Control Server. With Microsoft's setup, customers are forced to use the Microsoft Windows Internet Authentication Service, or IAS, Radius Server.

Currently, the two Radius servers are not interoperable. This means customers using Cisco networking gear and Microsoft operating software could be forced to install and manage separate Radius servers from each vendor. Security experts are skeptical that an interoperability agreement for the Radius servers would help much.

"The two approaches are fundamentally different," said Bill Scull, senior vice president of marketing for Sygate, a security software maker. "I'm not sure how they could interoperate."

At stake is the success of a new movement in network management that treats security more holistically. As the effects of malicious virus and worm attacks, such as those involving the Sobig and MyDoom viruses, become more costly, companies are looking for solutions that combine traditional virus scanning with network policing to keep attacks from ever entering the network in the first place.

Networking, security and software companies have joined efforts to develop more proactive solutions. Cisco and Microsoft have been at the forefront of this effort, and the success of their plans will be crucial in the fight against new attacks.

Late last year Cisco announced its Network Admission Control, or NAC, architecture. In June the company announced it had completed the first phase of the architecture by introducing NAC software on its IP routers. Support on its switches is due in the first half of 2005. In July, Microsoft announced its Network Access Protection or NAP architecture, which is scheduled to be available sometime in 2005, the company said.

The concepts behind each of the architectures are very similar. Before a user logs on to a network, his or her computer must check in to a third-party machine, controlled by the network administrator, to ensure that the machine meets policy requirements. If it does, the user is allowed access to the network. If it doesn't, the user's connection is funnelled to a restricted virtual private LAN, where the user can make changes, or have changes made automatically, to ensure policy conformance before being redirected to the main network.