Cisco's Cone of Silence
Written by Gordon Fecyk, 11/10/2008
Since coming to the land of Life, Liberty and The Pursuit of Happiness, I've seen a few technologies designed for the sole purpose of defeating all of the above. Most, I've seen before, like anti-virus software, proxy servers, web filters, traffic filters, even firewalls behind firewalls. I get the impression that the level of Internet access in the American workplace rivals that of the People's Republic of China.
But as far as anti-abuse technology goes, nothing has quite met the level of irony I've come to know and laugh at, like Cisco's Network Access Control system. Also known as the Cisco Clean Access system, or as I've come to know it, the Cisco Cone of Silence.
...imagine a network where your computer wasn't allowed to talk on the network unless its software was fully up to date. Your computer would need the latest operating system updates, the latest application updates and the latest anti-virus updates installed before it could work on the network. On the surface, this seems like a very good idea. Don't come in to play unless you're clean, right?
The problem? What if your updates come from the network? What if your Clean Access Agent ("Agent 86" of course) wouldn't allow your PC on the network to get the updates it needs so it can be on the network in the first place? Nearly every major security product supports updating via a local server or, in a worst case, the Internet. Popular operating systems -- not just Windows -- have update systems that obtain updates from a network source. And many applications, including non-Microsoft applications, support some form of network-based updating.
So what happens when your Cisco NAC-enabled computer gets updates from the network? Yes, that's right. You get the Cone of Silence. You can't get on the network unless you're updated, but you can't get the updates from the network because you're not updated. That is precisely what happened the first time I saw this thing deployed. I can't make this stuff up; it's just too funny. Privacy matters aside, "Agent 86" does a wonderful job of keeping out-of-date computers off the network. For good.
However, I can't help but laugh out loud alongside the Linux religious fanatics at the dripping irony of keeping Windows PCs off the network. Cisco's done more to further their cause than any Windows-based virus. Eat your heart out, China!
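The deadlock described above can be checked for before a rollout. The following is an added example, not code from this article or from Cisco: it flags any posture requirement whose update sources are all unreachable from the quarantine network. The policy model, names, addresses and ports are constructed assumptions, not Cisco configuration syntax.

```python
# Added example: hypothetical policy model, not Cisco NAC configuration syntax.
from ipaddress import ip_address, ip_network

# Constructed sample: what a quarantined (not yet compliant) host may reach,
# as (destination network, allowed TCP/UDP ports).
QUARANTINE_ACL = [
    ("10.0.5.0/28", {80, 443}),   # remediation subnet, web ports only
    ("10.0.0.53/32", {53}),       # DNS resolver
]

# Constructed sample: each posture requirement and the (address, port)
# sources a client can use to satisfy it.
REQUIREMENTS = {
    "os_patches":    [("10.0.5.10", 8530)],                      # right subnet, port not allowed
    "av_signatures": [("10.0.9.20", 443), ("10.0.5.11", 443)],   # second source is allowed
    "agent_version": [("10.0.9.30", 443)],                       # outside the remediation subnet
}

def reachable(source, acl):
    """True if the (address, port) source is permitted by any ACL entry."""
    addr, port = source
    ip = ip_address(addr)
    return any(ip in ip_network(net) and port in ports for net, ports in acl)

def deadlocked_requirements(requirements, acl):
    """Requirements a quarantined host can never satisfy: no source is reachable."""
    return sorted(
        name for name, sources in requirements.items()
        if not any(reachable(s, acl) for s in sources)
    )

def remediation_gaps(requirements, acl):
    """Map each deadlocked requirement to the sources the ACL would need to permit."""
    return {name: requirements[name]
            for name in deadlocked_requirements(requirements, acl)}

if __name__ == "__main__":
    for name, sources in remediation_gaps(REQUIREMENTS, QUARANTINE_ACL).items():
        print(f"DEADLOCK {name}: no source reachable from quarantine: {sources}")
```

A requirement with at least one permitted source passes; one with none is reported along with the sources the quarantine ACL would have to allow.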