Cisco TrustSec: Looks Like A Duck To Me

TrustSec, Cisco's network-based access control feature set due in 2008, seems to be analogous to functions like identity-based and role-based access controls that, as Dominic Wilde from Nevis Networks aptly points out, other vendors have had for years. What is new is the use of 802.1AE as the mechanism. More on that later, though. The Cisco TrustSec announcement is interesting on many levels. The announcement came from the switching business unit and not Cisco's Security Technology Group, which manages the NAC appliance and the NAC Framework. TrustSec seems to offer many of the same protective functions that the NAC Framework supplies, including the NAC Appliance. This seems like a case where the right hand doesn't know what the left hand is doing. So when a potential customer comes to Cisco asking about how to network access control for their network, what sales pitch are they going to receive? The NAC appliance? The NAC Framework? Or TrustSec? Or will that depend on which salesperson they talk to?

In a Web cast after the announcement, Cisco representatves were quick to point out that TrustSec isn't network access control (and, in fact, can be used in conjunction with NAC). It doesn???t look that way to me. A host authenticates to the network, is optionally assessed, and placed into a role. Based on role membership, the host is granted access to certain network resources. Looks like TrustSec is performing access control in the network, aka Network Access Control. Granted, 802.1AE, Media Access Control Security, is a Layer Two technology and fundamentally different in how it provides security services, but the result is very similar to Layer Three technologies.

So what is the message? Now there are three options that you can mix and match to form a network security strategy in addition to Layer Three technologies such as firewalls, VPN, and the like? How many layers do we need, anyway? Seems to me with all the options and potential combinations available, the increase in complexity mitigates any benefit of security features and increases the chance inadvertent outages due to misconfigurations. When a user can't connect to the network, is that due to a routing issue, network service outage like a down DHCP server, 802.1X problems, NAC access controls, 802.1AE access controls, a firewall rule, misconfigured VPN, or something else? I thought troubleshooting networks was hard enough.

The network access control market is confusing enough as it is with as many different definitions and meanings for NAC as there are products. The addition of yet another way to perform network access control just can't be good. Maybe because Cisco is a giant, and this adoption of 802.1AE may get some legs, but I'm thinking enterprises are wrestling with enough bigger issues that taking on a whole new protocol suite isn't an option they're looking for.