The two companies have each proposed competing "end to end" security architectures, marking the latest evolution in network defense -- an approach concerned not only with scanning for viruses but also with policing networks to deny connections to machines that don't conform with security policies. But for now at least the twin offerings are not interoperable. That means customers might be forced to choose between using technology from one company or the other, unless the two tech giants can strike a deal to guarantee compatibility.
Choosing could be tough, given that both companies thoroughly dominate their respective markets: Microsoft has a monopoly in desktop operating systems, and Cisco's share of the corporate network routing market exceeds 70 percent.
Microsoft and Cisco say they are working to ensure interoperability. But at this stage, it's difficult to know how quickly the two sides will come together and what the resulting security plan will look like -- or if it's even feasible to bridge the gap between their technologies at all.
"We know how important it is for us to interoperate with Cisco," said Steve Anderson, director of Microsoft's Windows server group. "But we're both big companies, and it takes a lot of time to work this stuff out. Bill Gates and John Chambers have already been talking. We expect to announce the first step in this process sometime this fall when we announce an interoperability agreement."
A decision is crucial to customers, who now face the prospect of spending their already tight security budgets on running incompatible architectures. At the heart of the debate is the Remote Authentication Dial In User Service, or Radius, the de facto standard for authenticating users accessing networks remotely. In each of the proposed architectures, the companies use their own Radius servers to centrally enforce security policy and provide administration of user profiles.
With Cisco's architecture, customers must use the Cisco Access Control Server. With Microsoft's setup, customers are forced to use the Microsoft Windows Internet Authentication Service, or IAS, Radius Server.
Cisco Systems, Microsoft and the Trusted Computing Group vendor consortium have all developed plans for comprehensive business security architectures.
Sources: Cisco Systems, Microsoft, Trusted Computing GroupEndpoint security specs
"The two approaches are fundamentally different," said Bill Scull, senior vice president of marketing for Sygate, a security software maker. "I'm not sure how they could interoperate."
At stake is the success of a new movement in network management that treats security more holistically. As the effects of malicious virus and worm attacks, such as those involving the MyDoom viruses, become more costly, companies are looking for solutions that combine traditional virus scanning with network policing to keep attacks from ever entering the network in the first place.
Networking, security and software companies have joined efforts to develop more proactive solutions. Cisco and Microsoft have been at the forefront of this effort, and the success of their plans will be crucial in the fight against new attacks.
Late last year Cisco announced its Network Admission Control, or NAC, architecture. In June the company announced it had completed the first phase of the architecture by introducing NAC software on its IP routers. Support on its switches is due in the first half of 2005. In July, Microsoft announced its Network Access Protection or NAP architecture, which is scheduled to be available sometime in 2005, the company said.
The concepts behind each of the architectures are very similar. Before a user logs on to a network, his or her computer must check in to a third-party machine, controlled by the network administrator, to ensure that the machine meets policy requirements. If it does, the user is allowed access to the network. If it doesn't, the user's connection is funnelled to a restricted virtual private LAN, where the user can make changes, or have changes made automatically, to ensure policy conformance before being redirected to the main network.
Differences can divide
Though the overall concepts are similar, the two companies are approaching the problem differently.
4%
4%
