Cisco says its road map for tying leading anti-virus software to its network hardware promises to eventually transform every WAN, LAN and Wi-Fi port into a security checkpoint. But the technology - not available until the middle of next year - raises questions about management complexity and the issue of locking users into a single-vendor architecture, observers say.
The company last week unveiled the Cisco Network Admission Control program (CNAC), a strategic push to adapt its routers, and later its switches, to automatically block Windows-based desktops from the network if they lack current operating system or virus updates. Security-policy enforcement of this kind is already implemented, in different ways, in products from Check Point, Enterasys, Nortel, Sygate and others; CNAC would let managers of end-to-end Cisco networks build it into every part of a wired and wireless enterprise infrastructure.
Under CNAC, Cisco network devices would cordon off vulnerable Windows NT, XP and 2000 machines during an outbreak.
"A busy systems administrator used to have days to respond to a threat, and now it's only minutes or even a second," said CEO John Chambers last week at an event kicking off the program. Chambers noted that the recent MS-SQL Slammer worm hit 55 million hosts in about 11 minutes and Blaster about 128 million systems in the first 3 minutes.
A main cog in CNAC is Cisco's Trust Agent, client software that gathers security-related information from desktops based on hard drive scans by the anti-virus clients of Network Associates, Symantec and Trend Micro. The Trust Agent, free for Cisco customers, sends that data to a Cisco Access Control Server (ACS), which acts as the repository and policy-enforcement point. Cisco also plans to fold the Trust Agent functionality into its desktop intrusion-prevention product, Cisco Security Agent, which it gained in last year's acquisition of Okena.
The ACS checks the client data against policy by communicating with the anti-virus/configuration servers of any of the three partners. Between them, the client is deemed "good" or "bad." If bad, the ACS tells a Cisco router to block that user's IP address with a Layer 3 access control list (see graphic). A new version of Cisco's IOS routing software is required to enable this.
"[CNAC] is going to provide another layer of protection for our customers," said Network Associates' CEO George Samenuk, who joined his anti-virus rivals, Symantec CEO John Thompson and Trend Micro CEO Steve Chang, at Cisco headquarters last week to back the Cisco initiative.
This first phase, for routers, is targeted for the middle of next year, with Catalyst LAN switches and Aironet Wi-Fi access points to follow later with CNAC-supporting software. On the LAN side, 802.1X will be the mechanism for shutting down switch ports, while Cisco's Lightweight Extensible Authentication Protocol (LEAP) will enforce access on the wireless side.
Chambers also outlined a scenario where switches could be configured to route untrusted LAN or remote-access clients into a secure virtual LAN segment. In this scenario, users could update their anti-virus definitions or operating system patches to comply with security policies before being let back onto the network.
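To make the admission flow concrete, here is an added example that models the decision described in the preceding paragraphs: an agent reports posture, a policy server judges the host "good" or "bad," and the verdict becomes either a router ACL that isolates the host's IP address or a switch VLAN assignment that parks it in a remediation segment. This is illustrative code written for this page, not Cisco's Trust Agent, ACS or IOS; every field name, policy threshold, IP address, VLAN number and the ACL text are assumptions. The sample hosts are constructed.

```python
# Added example (not Cisco's code): a toy model of the CNAC admission decision.
# All field names, policy thresholds, IP addresses, VLAN ids and the IOS-like
# ACL text below are assumptions made for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Posture:
    """What the (hypothetical) desktop agent reports for one host."""
    ip: str
    av_vendor: str          # assumed vendor label
    av_sig_date: date       # date of the installed virus-signature set
    os_patch_level: int     # assumed monotonically increasing patch number


@dataclass(frozen=True)
class Policy:
    approved_vendors: frozenset
    max_sig_age_days: int
    min_patch_level: int


def evaluate(posture, policy, today):
    """Return the list of policy violations; an empty list means 'good'.

    A host that sent no posture data at all (posture is None) is treated as
    'bad' so that a missing agent never grants access (design assumption)."""
    if posture is None:
        return ["no posture data"]
    reasons = []
    if posture.av_vendor not in policy.approved_vendors:
        reasons.append("unapproved anti-virus vendor")
    if (today - posture.av_sig_date).days > policy.max_sig_age_days:
        reasons.append("virus signatures out of date")
    if posture.os_patch_level < policy.min_patch_level:
        reasons.append("operating system patches missing")
    return reasons


def router_acl(ip, reasons, remediation_ip, acl_name="CNAC-ENFORCE"):
    """Layer 3 ACL lines a policy server would push to a router (assumed syntax).

    A 'bad' host may still reach the remediation server so it can update, but
    is denied everything else. A 'good' host gets no entry and falls through
    to whatever ACL already governs the interface."""
    if not reasons:
        return []
    return [
        f"ip access-list extended {acl_name}",
        f" remark {ip}: " + "; ".join(reasons),
        f" permit ip host {ip} host {remediation_ip}",
        f" deny ip host {ip} any",
    ]


def switch_vlan(reasons, production_vlan=10, quarantine_vlan=99):
    """VLAN a switch would assign after 802.1X authentication (ids assumed)."""
    return quarantine_vlan if reasons else production_vlan


# Constructed sample input (assumed values).
POLICY = Policy(frozenset({"nai", "symantec", "trend"}),
                max_sig_age_days=3, min_patch_level=5)
TODAY = date(2003, 11, 24)
GOOD = Posture("10.1.1.20", "symantec", date(2003, 11, 23), 5)
STALE = Posture("10.1.1.21", "trend", date(2003, 11, 10), 5)


if __name__ == "__main__":
    for host in (GOOD, STALE, None):
        reasons = evaluate(host, POLICY, TODAY)
        ip = host.ip if host else "unknown"
        print(ip, "->", "bad" if reasons else "good", reasons)
        for line in router_acl(ip, reasons, "10.1.1.5"):
            print("   ", line)
        print("    vlan", switch_vlan(reasons))
```

Note that the router phase keys enforcement to the host's IP address, so the decision is only as strong as the binding between that address and the machine that reported the posture; the switch phase binds the verdict to the authenticated port instead.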