1/27/2004 -- With a pair of extremely virulent viruses on the loose, there’s no time like the present to revisit an initiative that Cisco Systems Inc. announced late last year.

Since first appearing in the wild yesterday afternoon, the Novarg or “MyDoom” virus has caused an estimated $850 million worth of damage, according to one U.K. research firm. Anti-virus researcher Symantec Corp., for its part, says that Novarg-based traffic has reached or surpassed the levels associated with notorious worms such as SoBig.F and Badtrans. Novarg was preceded last week by a similar mass-mailing virus, called “Bagel.”

In November, Cisco announced a new program that it says is designed to help organizations deal more effectively with the impact of worms and mass-mailing viruses such as Novarg. Cisco developed its Cisco Network Admission Control program in conjunction with anti-virus vendors Network Associates, Symantec, and Trend Micro. The result is new IOS functionality that lets Cisco routers enforce access privileges when an endpoint attempts to connect to a network.

A Cisco router will be able to use Network Admission Control capabilities to make intelligent decisions about an endpoint device, based on known information about its anti-virus readiness state and its operating system patch level, which is to be supplied by a compatible anti-virus client. To that end, the networking giant has licensed its Cisco Trust Agent technology to Network Associates, Symantec and Trend at no cost. Cisco claims that administrators will be able to configure routers to deny access to non-compliant devices, place them in a quarantine area, or provide restricted access to network resources.

While analysts say that the strategy looks good on paper, they caution that it’s still more or less a kludge in the absence of open standards. “[T]he solution is laden with dependencies at the desktop, dependencies which create undue complications at the desktop,” notes Joel Conover, a principal analyst for enterprise infrastructure with market research firm Current Analysis Inc. “Furthermore, Cisco’s approach to the problem of Network Admission Control is completely proprietary, and will have a greatly diminished impact in a homogeneous network environment.”

Conover points out that an entire network needs to be Network Admission Control-compliant, or there could be weak spots or entire gaps in coverage. In addition, he says, because Cisco plans to deploy the technology first at the router level, Network Admission Control will not prevent a client from infecting other hosts on a local segment, unless, he notes, it’s combined with a strict 802.1X policy for network access control. There are other onerous issues associated with the new technology, as well, Conover says. “[I]f the client isn’t running the latest definitions, latest anti- virus, or latest windows updates, the enterprise portal must be configured to enable the client to get those updates to enable access to the network,” he points out.

Nevertheless, Conover says, “Cisco’s trust agent … will give customers one more compelling reason to consider Cisco infrastructure when purchasing and deploying new networks and upgrades, due to the added value the customer can derive from the integrated Cisco technology at the desktop.”

Cisco says that Network Admission Control functionality is scheduled to be supported on Cisco's access and mid-range routers in mid-2004. -Stephen Swoyer