Cisco to Open Source CTA

VE3OGG writes "Cisco, the networking Goliath, has decided to release the source code of its NAC (network admission control) client, Cisco Trust Agent (CTA) to the open source community within 'a few months.' This comes hot on the heels of Cisco announcing its plans to redevelop a new breed of network security infrastructure. 'CTA will be something that's open source. That's just logically where it should end up,' Gleichauf told InfoWorld. 'We don't want to be in the CTA business, so we're going to just open it up.'"

ohhh yeah

[User 956]

This comes hot on the heels of Cisco announcing its plans to redevelop a new breed of network security infrastructure.

Yeah, well they've certainly got a NAC for it.

Re:

[Lord Ender]

Ow! I think I just pulled a muscle in my face rolling my eyes at that awful pun.

VPN

[LDoggg_]

Does this include the VPN client?

The last linux release from cisco's site is a year old and the kernel module doesn't compile against the 2.6.19 kernel. Just to get it to compile against 2.6.18 you had to fake a config.h in your kernel source include folder.

Re:VPN

[c0l0]

The Cisco VPN Client sucks arse. There is, however, a much more comfortable and less-sucky free as in speech userspace-implementation for that kind of VPN available at http://www.unix-ag.uni-kl.de/~massar/vpnc/ [uni-kl.de]

I use it to connect to customer's not having set up OpenVPN every day, and it never failed on me yet. Give it a try, you won't regret it. :-)

Re:VPN

[schwaang]

Vpnc works great but it doesn't do certificates yet like the Cisco client.

Re:

[LDoggg_]

Completely agree with the suckiness of Cisco's proprietary VPN solution. Been using it for years. Not sure why I never came across vpnc.

Thanks for the link. Turns out it's even in the fedora-extras repository. Learn something new everyday :)

Re:

[PCM2]

Wow, you have made my day. Downloaded it and got it working in about one minute flat. Bye-bye, Cisco.

Re:

[IdleTime]

Doesn''t work against my company who uses Cisco VPN.

I'm more interested in getting Cisco IP-Communicator under Linux since it is the last program I need Windows to run and it doesn't run under any form of emulation.

Re:

[Sinryc]

Even the summary says it will be in a few months. Learn to read. Oh wait, this is slashdot, never mind.

And we care because

[Watson Ladd]

The thing about NAC's is they don't offer any real security. You can't tell the difference between a corrupted host emulating a good one and a good one. All open sourcing is is just a way to avoid leaving foo^W customers in the lurch.

Re:

[Kizeh]

That's not exactly true. First, typically NAC requires the user to have valid credentials and provides some accountability -- if a PC turns out to have a virus, at least a person responsible for it can be found and contacted.
NAC can, pretty reliably if done right, confirm that the machine in question has update services running, has an active antivirus (as opposed to just a process with the same name) and is running proper patch levels and virus definitions. This alone fixes the vast majority of security br

Re:

[Stinking Pig]

You can also use external providers for SecureACS to do some very deep scanning and remediation of the system. The stock Cisco NAC solution does rather suck, but as a framework it could work.

Problem one is that unfinished frameworks are a dime a dozen -- figuring out which ones are going to get finished is a job for Nostradamus.

Problem two is that most IT organizations don't have the chutzpah to actually implement trusted access. The coordination requirements between different departments are a killer, and

Re:

[meridian]

Its true that it doesn't ensure that the machine is not compromised and therefore the NAC framework can not ensure a host is not spoofing its nac posture, although they would require to have a valid certificate on the machine for the NAC/802.1x authentication to occur in the first place. However what it does do is ensure that when a new machine does enter the network it is not allowed onto the network in a vulnerable state and ensures that hosts already using the network stay updated quite effectively or do

Re:

[gclef]

NAC isn't really about preventive security, no matter how it's billed...it's sold as a security tool because that's the only way to get the bosses to understand that real security comes from being *organized* and consistent all the way down to the patch levels on *every* *host*. NAC doesn't fix broken machines...it does help you keep organized about what your non-broken machines look like, so that you minimize the number of broken ones.

Re:

[jhfry]

We care because instead of taking a once useful and arguably well made software product and tossing it in the trash... they are instead opening it up for those who are interested.

We care because they are helping to set a precedent, one that I hope becomes the norm for tech and software companies, at end of life... open source!

We care because one of the benefits of open source, is that a particularly well written piece of code can be adapted for a different function while retaining most of what makes it 'goo

Re:

[Lord Ender]

You got that backward. NAC offers real security. It does not offer theoretical security.

theoretical security: there is now known way to circumvent this (think one-time-pad)

real security: it's possible to circumvent this, but for 99.9% of potential attackers out there, it would take more effort than its worth.

Re:

[Kpt Kill]

oh you mean, boot with knoppix cd, authenticate, reboot into windows?

Re:

[Alsee]

You can't tell the difference between a corrupted host emulating a good one and a good one.

Which is exactly why Cisco's Network Access control (NAC) and Microsoft's Network Access Protection (NAP) and the Trusted Computing Group's Trusted Network Connect (TNC) are all actually about cramming Trusted Computing down our throats. All of them do the same thing, and all of them are pretty well pointless without Trusted Computing. If your network connection uses NAC/NAP/TNC, it pretty much requires Trusted Comput

Cisco's table scrap

[Lead Butthead]

We don't want to be in the CTA business, so we're going to just open it up.

Translation :- "Here's something we either can't milk money out of or we're planning to discard altogether, knock yourselves out."

Re:Cisco's table scrap

[jcgf]

You see the same thing over and over, "toss the free software dogs a bone and buy some publicity" the suits think. The only company actually open sourcing anything worth while is Sun and maybe IBM to some extent.

Re:

[Lord Ender]

and Linden Labs (Second Life), and MySQL AB, and AOL (Mozilla), and, well, a lot of companies.

Re:

[meridian]

Sorry but I beg to differ. Firstly NAC is a framework not just the CTA agent. It is now part of Vista. Do you think MS would add a competing companies product/framwork client into their own OS if it was not already leading the way in its field. It is implemented in numerous Cisco products and has been integrated in to nearly every Antivirus product on the market, Kav and Nod32 being the only noteable exceptions at the moment that I'm aware of (and funnily enough probably the two best antivirus products at l

Re:

[BACbKA]

If a company open sources even out of date code it deems useless and announces as such, this is better than code bases going into oblivion when companies change/go out of business.

Gift horse

[forand]

Do you really think that they should be giving you their hard work for free? I would love to have companies which abandon or otherwise stop supporting a product give it to the open source community instead of having it lost forever. Just because you find the product they are going to release beyond use does not mean that it is useless to us all.

Re:

[cfvgcfvg]

Yes, but the table scraps from such a huge organization is pretty big. Can you imagine if all the companies in the world gave back to the people all the technology they never intended to sell again. We'd all eat like kings.

Re:

[just_another_sean]

Really? I get the impression they are more concerned with ensuring people connect to/through their routing and server products. If the client is free and every OS on the planet implements it then Cisco edge products continue to look attractive to companies and give them reasons to upgrade those old, dusty routers.

I wouldn't knock NAC just yet, it's rough still, but it has a lot of potential to help people that are not so talented at security keep themselves a bit safer on the 'net (which is good for everyon

Cisco Security Agent

[c0d3r]

Cisco Security Agent (which installs trust agent) is one of my favorite programs. It pops up messages when programs attempt to record keystrokes (game emulators do this), access the registry and other suspicious activities. It also tells me that the latest ie is apparently injecting code.

CSA is a rootkit

[Myria]

Cisco Security Agent takes over half of Windows XP's system calls. It's a rootkit.

CSA is fairly worthless against an expert who designs their programs to get around it.

Re:

[AgentPhunk]

CSA and CTA (the subject of TFA) are two different products.

CSA is the Host-based Intrustion Prevention software. It stops any anomolous behavior.

CTA is their 'NAC supplicant' that reports back to the querying endpoint (NAC enabled switch, router, etc) about the status of the system (a/v version, is it running?, signature version, etc.)

CSA has CTA built into it, but not vice versa.

It makes sense that Cisco is open-sourcing this - the don't make money on agents, they make money on selling more hardware (NAC

Actually the program is pretty cool...

[Ho Kooshy Fly]

It shows you all the insane registry hacking programs do, overriding or overwriting of DLLs, in general just a lot of bad behavior you see in Windoze. It runs on every desktop where I work and will stop most trojans from installing due to stupid "Oh, lets click on virus.exe" and run it.

Even if they're not making money off it (no clue tbqh), it probably has some cool tidbits of code...

-Ho

And a good thing, too

[Scareduck]

The Chicago Transit Authority needs all the help it can get.

Clever.

[Ant P.]

They're going to force all the dumbass PHBs that think obscurity=security to upgrade to whatever they replace it with.

Re:

[cafucu]

They're going to force all the dumbass PHBs that think obscurity=security to upgrade to whatever they replace it with.

Which is their NAC appliance == Cisco Clean Access == Perfigo. NAC infrastructure hasn't caught on like they hoped it would, so they bought up the most attractive NAC vendor and called it Cisco. Business as usual for them...

Can't get partners, so go open source

[netnull]

What a scam! Cisco has a NAC partnership program that allows partners to either incorporate CTA technology into their client software, or allow them to build third-party security servers that operate behind their CiscoSecure ACS product. But you are not allowed to build a NAD (network access device, i.e. a switch or AP that interrogates CTA) or a replacement for ACS as the authentication server.

So now that Cisco has failed to get the community to play in their proprietary communications sandbox (remember

Good for Users

[RAMMS+EIN]

This is good news for the users of the software. Instead of being stuck with a product that won't see any update or improvement anymore once Cisco stops supporting it, they will be able to make their own updates and improvements (or get them from other customers in the same situation, or ...).

It is even possible that CTA would be developed into a strong player in the market, in which case not only the current users, but the whole world benefits.

I applaud this move, and wish more companies would open source

And wait for the untrusted agent...

[ladybugfi]

I'm not totally convinced this is a good idea. I'm only superficially knowledgeable about NAC and CTA, but we are talking about a trusted agent here. Open sourcing may cause malware versions of that agent being manufactured and distributed. This can cause problems not only to the host with the agent, but also to the infrastructure protected by NAC.

But maybe Cisco has taken this into account in their risk analysis and NAC features.

GPL as a hostility tool

[mapkinase]

Seems like common practice now. Company wants to diminish advantage of functionality competetitors have, so it releases an OS/GPL'ed tool that provides the very basics of that functionality.

Retracted?

[kylearin]

So what are others finding? Our Cisco rep sent us this clarification:

Response to Infoworld article about CTA Open Source

Q. What is this document?

A. This document is a response to the Network World article dated Feb 8, 2007 regarding CTA Open Source

Q. What is the article about? Where is it available?

A. Article is available at

http://www.infoworld.com/article/07/02/07/HNciscot ca_1.html [infoworld.com]

http://www.computerworld.com/action/article.do?com mand=viewArticleBasic&taxonomyName=network_securit y&articleId=9010 [computerworld.com]