Last week rumors circulated and this week Cisco announced a Cisco NAC hardware module for their Integrated Service Routers. It's basically a PC on a blade that inserts into the expansion slot of Cisco ISR routers. Now, mind you, it's still running the same seriously flawed (in my opinion) Perfigo/Clean Access NAC product all the other Cisco NAC Appliances run, so it will experience the same flaws and limitations. But the fact of the matter is there will always be an audience out there who will buy Cisco no matter what and just hold on until they assimilate the product and fix most problems.
Frankly, I'm not a bit surprised to see this, not because I had any privy insider goo on Cisco's product plans, but rather I've been espousing exactly this for NAC and convergence for quite some time. (I guess in your own blog you can take claim for knowing anything you want too, lol.) Cisco's move of NAC into ISR routers makes sense from several perspectives, and I'd say the move was inevitable.
Here's my "tongue-in-cheek" top ten reasons the NAC module for Cisco ISR routers happened:
10. Security products start as best of breed/standalone products, and over time most migrate into network infrastructure and become value add or standard features
9. Whether you call it admission control or access control, NAC first happens at the edge. Distributing NAC into edge routers just makes sense.
8. First, NAC in routers. Next, NAC in switches. Nevis and Consentry, time left to get acquired is getting short
7. No one bought last week's PR exercise in revisionist history about the Cisco NAC Framework and Cisco NAC Appliances merging into a single NAC strategy, so hopefully this week's NAC announcement will help all of us forget that lame-o announcement
6. If you can't scale, just make smaller versions of your product
5. If Cisco converges NAC security into the network infrastructure and uses Intel hardware to do it, what's left for that Ashley-blogger-dude to gripe about?
4. How else would Cisco pinch you for more bucks when you buy a commodity router appliance?
3. It's a good way to get NAC to the SMB and SME markets.
2. The dang router had an expansion slot - an Intel card had to go in there someday!
And... the number 1 reason.....
1. Cisco only did this to make Chris Hoff feel good; NAC is a feature, not a market.
Okay, putting my personal feelings about Cisco's NAC products aside for a moment, moving NAC into routers and switches makes a great deal of sense. Not that the whole product should live there, but elements of NAC make perfect sense to distribute out to the network edge where traffic and devices can be dealt with at the point of connection. More than just behavioral IPS retreads marketed as post-connect NAC solutions, but strong NAC endpoint compliance engines and strong IPS technologies that perform valuable security services at the point of connection.
Cisco has some serious architecting to do before the Cisco NAC ISR module becomes more than just a delivery vehicle for providing a router and NAC in one package. Integrating NAC into the network edge is a very viable approach, but Cisco's announcement isn't about that as much as it is about bringing NAC to SMB and SMEs.