Cisco's NAC Infusion
9/17/2007 -- It's been a busy time for Cisco Systems Inc. on the Network Admission Control (NAC) front. Cisco last week announced a new NAC Network Module for its Integrated Services Routers (ISR). On top of this, the networking giant unveiled its Cisco NAC Profiler, an endpoint-recognition tool that maintains a detailed inventory of networked devices.
Analysts applaud Cisco's newest NAC deliverables, noting that the two offerings should help reduce the complexity and cost associated with deploying and maintaining NAC solutions. Just as importantly, they say, Cisco's new NAC offerings help neutralize potential threats locally before they're transferred over the WAN -- and address at least one long-standing NAC limitation.
"[T]he introduction of Cisco NAC Profiler reduces a major pain point associated with NAC deployments [i.e., managing devices not associated with a particular user, such as printers] and the NAC Network Module for ISRs will provide a very attractive price point for deploying the NAC appliance in branch office locations," wrote Andrew Braunberg, research director for enterprise software and security with consultancy Current Analysis.
Braunberg says Cisco's NAC Network Module is attractive for a number of reasons, starting with its form factor.
"It delivers the Cisco NAC Appliance as a blade that can be deployed in Cisco's 2800 and 3800 families of Integrated Services Routers. This provides an attractive new deployment option for users of these branch office devices," Braunberg said. "Cisco has also significantly reduced the price of the module compared to the list price of the standalone appliance."
Interestingly, Cisco's NAC Profiler isn't based on homegrown or acquired technology; instead, it's an OEM version of Great Bay Software's Beacon System, according to Braunberg. Great Bay's Beacon System reduces the burden of discovering and managing devices that are unmanaged or unmanned.
"Controlling network access for these types of devices can be burdensome, particularly with an otherwise agent-based approach," Braunberg said. "NAC Profiler automates the generation and maintenance of exception lists and also analyzes the network traffic of each device to ensure that they have not been spoofed."
Cisco's newest NAC deliverables aren't all upside, however. Braunberg cites a couple of concerns, starting with the OEMed NAC Profiler, the technology of which isn't "unique to the market and provides Cisco limited ability to differentiate itself from competitors," he said.
Ditto for the ISR NAC Network Module, which -- although it does provide additional flexibility in deploying the NAC appliance as a blade within 2800 and 3800 devices -- might also force customers to "make some hard choices with respect to overall functionality supported in some of these routers because of fixed configurations and limited slots." --Stephen Swoyer