Cisco has announced it is adding a network access control blade for its branch office routers in a move the company says will push the admission technology to sites where it might not previously have been affordable.

The new NAC Network Module blade is the equivalent of a Cisco NAC appliance, so if a business wants NAC in a branch office that already has a Cisco Integrated Services Router (ISR), it could install the blade. That would keep down the number of devices to worry about in the branch, Cisco said.

The ISRs are popular multi-platform routers that also support VoIP, VPN, content caching and a firewall.

So far the NAC Network Module can't fail over to another one, but Cisco says it is working on that.

The module fits in Cisco 2800 and 3800 ISRs. The module with a license for 50 users costs US$3,500; 100 users costs US$5,000. Customers can upgrade a 50-user license with a software key.

Cisco is also tapping into a valuable NAC peripheral made by Great Bay Software, whose Endpoint Profiler automatically discovers and profiles all devices attached to the network. Knowing what devices are already on a network is essential to deploying NAC.

Cisco is calling the software NAC Profiler, which identifies devices that can't be scanned by NAC agents, such as IP phones and printers, and assigns them a NAC policy. The software also continues to monitor the behavior of these devices after they are admitted to the network and can flag behavior that violates policies. NAC Profiler will become part of Cisco's NAC appliance server.

The announcements came up during the opening Security Standard roundtable discussion among three Cisco security executives about the changing threat landscape, with the panelists identifying data leakage as the biggest challenge.

"I don't think any of us would say there's a 100 percent solution or even a 70 percent solution," said Richard Palmer, senior vice president and general manager of Cisco's security technology group.

Part of the problem is that businesses want to let employees use managed laptops for limited personal reasons. Dual personal/business use of corporate devices is becoming a requirement in businesses that compete for the best and brightest employees, the panellists said. "If you want to be a preferred employer enabling personal and business use of company devices is one of the questions you have to ask," said Scott Weiss, the co-founder and CEO of Ironport Systems, now part of Cisco.

"This is a difficult thing to balance. There is a thin line between data-leakage protection and employee surveillance."

Personal collaboration tools are becoming more prevalent in business networks and may have to be tolerated, Palmer said. "We're in a cycle where technology and solutions are not being driven top-down by IT, and that's a challenging environment from a security perspective," he said.

Encryption is a key element in protecting against data leakage, the panellists said. Weiss said Cisco's vision is for an encryption gateway that checks outgoing content and encrypts it as necessary based on policies.

Data that is enterprise-critical will be the first category of corporate information to be encrypted both at rest in storage devices and user machines and as it is sent around. Palmer said Cisco will focus on encryption in server storage environments where it will be unobtrusive to the people sending the data. "It's not just what the CSO wants to enforce, it's what the end user will accept and use. That's going to be the key for us," Palmer said.

He added that SSL traffic coming and going from networks can pose a problem because it cannot be scanned for content without breaking the encryption. He said certain trusted entities will be allowed to have the keys to decrypt the traffic so its content can be scanned. These proxies will work in concert with scanning on endpoint devices that send and receive the SSL traffic as well. "This is not as intractable a problem as it appeared it might be a couple of years ago," he said.

Last year at the Security Standard, Cisco set blending physical security with IT security as a goal it wanted to support, but progress has been slow. "Our expectation was that it would happen faster than is the case," said Jeff Platon, Cisco vice president of product and technology marketing for security and application networking.

Some of the delay has to do with the physical security and IT security organizations coming from different cultures and being unfamiliar with each others' technologies. An important prerequisite is for physical security systems to be converted to IP, Palmer said, and that is a big task. "From a deployment point of view, it's going to take some time," he said.

The panel addressed buying decisions customers face when seeking new technologies that are made by start-ups. Customers want more security on their networks and are often attracted by point-products by these young companies, but they would prefer better-integrated technologies, Weiss said.

"Users want different devices that talk and have logical interfaces," he said. "There's a lot of complexity that needs to be simplified through a managed approach."

When deciding whether to go with a point-product from a start-up, customers should consider the breath of that vendor's products and whether it is strong enough to stand alone for the long term against larger, more diverse companies.

If new technology that crops up to address new threats is good enough, larger vendors will try to incorporate it in their products, Weiss said. "It's tough to do everything. Big companies will have to decide whether to build, buy or partner for new solutions," he said.