The company yesterday announced the delivery of the first wave of Cisco and third-party NAC-compatible software components. Part of the Self-Defending Network strategy, NAC is a way for companies to build host security policy enforcement into their networks.

Cisco also announced a second phase of the program, which will open up select APIs that should enable third-party software vendors, mainly those that make endpoint security software like personal firewalls and intrusion prevention systems, to support the system.

“We’re welcoming all comers in that regard,” said Russell Rice, Cisco manager of products marketing. He said this second phase will be officially launched in the third quarter. For these vendors, licenses for the Trust Agent are expected to be free.

Network Associates’ Larry McAnallen said he expects that the opening of the APIs will allow the McAfee personal firewall software to work with Cisco’s VPN products for the first time. “We’ll continue to participate in future phases,” he said.

But it appears that parts of the NAC system that would allow rival router-makers to interoperate will remain closed, which will potentially validate a recent move by members of the Trusted Computing Group to create an open standards NAC alternative.

The idea behind systems like NAC is that agent software deployed on endpoints communicates security state information to routers and policy servers, which then make policy decisions about what level of network access those endpoints should be given.

For example, if a PC had fully up-to-date Windows patches and the freshest virus definitions, it could be given full access, but if it was lacking either it could be either blocked or quarantined to a part of the network where it could only download patches or virus updates.
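The decision described in the two paragraphs above, as an added example that is not part of the article and not Cisco’s or any vendor’s code: an endpoint agent reports its patch and virus-definition state, and a policy server maps that report to full access, a quarantine network that reaches only remediation servers, or a block. The article does not describe the Trust Agent’s message format or Cisco’s policy rules, so the report fields, the age thresholds, the remediation host names and the treatment of endpoints with no agent are all assumptions made for this example.

```python
"""Posture-based admission decision: agent report in, access level out.

Added example modelled on the article's description of NAC. Field names,
thresholds, host names and the "no agent" rule are assumptions, not
details from Cisco's implementation.
"""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Constructed policy thresholds (assumptions for this example).
MAX_PATCH_AGE = timedelta(days=30)
MAX_AV_DEF_AGE = timedelta(days=3)

# Hypothetical remediation servers reachable from the quarantine network.
REMEDIATION_HOSTS: Tuple[str, ...] = (
    "patch.example.internal",
    "av-updates.example.internal",
)


@dataclass(frozen=True)
class PostureReport:
    """Security state the endpoint agent sends to the policy server."""
    last_patch_date: Optional[date]  # None: patch state could not be determined
    av_def_date: Optional[date]      # None: no anti-virus definitions present


@dataclass(frozen=True)
class AccessDecision:
    host: str
    level: str                      # "full", "quarantine" or "block"
    allowed_hosts: Tuple[str, ...]  # ("*",) means unrestricted
    reasons: Tuple[str, ...]        # why access was reduced (empty for "full")


def _check_freshness(name: str, when: Optional[date], max_age: timedelta,
                     today: date) -> Optional[str]:
    """Return a reason string if the item is missing or older than max_age."""
    if when is None:
        return f"{name} missing"
    age = today - when
    if age > max_age:
        return f"{name} stale ({age.days} days old, limit {max_age.days})"
    return None


def evaluate(host: str, report: Optional[PostureReport], today: date,
             quarantine_available: bool = True) -> AccessDecision:
    """Map a posture report to an access level.

    An endpoint that sent no report (no agent installed) cannot prove
    compliance, so it is treated as non-compliant.  Non-compliant hosts go
    to the quarantine network when one is configured, otherwise they are
    blocked outright.
    """
    if report is None:
        reasons: Tuple[str, ...] = ("no agent report received",)
    else:
        checks = [
            _check_freshness("Windows patches", report.last_patch_date,
                             MAX_PATCH_AGE, today),
            _check_freshness("virus definitions", report.av_def_date,
                             MAX_AV_DEF_AGE, today),
        ]
        reasons = tuple(r for r in checks if r is not None)

    if not reasons:
        return AccessDecision(host, "full", ("*",), ())
    if quarantine_available:
        return AccessDecision(host, "quarantine", REMEDIATION_HOSTS, reasons)
    return AccessDecision(host, "block", (), reasons)


# Constructed sample data: one compliant PC, one with old definitions,
# one with no definitions at all, one with no agent.
SAMPLE_TODAY = date(2004, 6, 1)
SAMPLE_REPORTS: Dict[str, Optional[PostureReport]] = {
    "pc-01": PostureReport(date(2004, 5, 28), date(2004, 5, 31)),
    "pc-02": PostureReport(date(2004, 5, 28), date(2004, 4, 1)),
    "pc-03": PostureReport(date(2004, 5, 28), None),
    "pc-04": None,
}


def run_sample() -> Dict[str, AccessDecision]:
    """Evaluate every sample endpoint against the policy."""
    return {h: evaluate(h, r, SAMPLE_TODAY) for h, r in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for host, d in run_sample().items():
        print(f"{host}: {d.level:10s} allowed={d.allowed_hosts} {d.reasons}")
```

The `quarantine_available` flag models the article’s “either blocked or quarantined” choice as a deployment setting rather than a per-host rule; a site without a remediation VLAN simply blocks anything that fails a check.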

“There are host security products on the market, but the problem is how to ensure compliance on the network when those host agents are not installed,” said Trend’s Bob Hansmann, senior product marketing manager. “NAC is a way of providing enforcement,” he said.

Under NAC, this agent is called the Trust Agent, and can be obtained by itself or bundled with Cisco’s Security Agent host intrusion prevention software (formerly Okena) or anti-virus software from Symantec Corp, NAI or Trend Micro.

This Trust Agent communicates with Cisco’s IOS software-based routers, from the 830 Series through the 7200 Series, the company said. The policy decisions are made by the Cisco Access Control Server policy server or by the policy servers from the three aforementioned anti-virus firms.

Some rivals, however, say Cisco is opting for a proprietary approach that excludes some competitors. While the protocol for host software to talk to the Trust Agent will be opened, the protocol between the agent and the network will only work with Cisco kit.

“They want to lock competitors out,” said Fred Felman, vice president of marketing at Zone Labs, the host security vendor now owned by Check Point Software Technologies Ltd, a Cisco firewall rival. Companies with diverse networks will be attracted to alternative standards, he said.

Zone is part of a Trusted Computing Group initiative, a group that comprises most of Cisco’s network hardware competitors, such as Juniper and Foundry, along with host security firms such as Sygate and anti-virus vendors including Symantec, McAfee and Trend.

“While the majority of the world works on Cisco kit, not all the world does,” said Dan Glessner, senior director of marketing for North America at Trend, which is supporting both NAC and TCG. “We have to remain flexible.”

The TCG’s Trusted Network Connect working group was announced last month, about seven months after Cisco announced its NAC program had been kicked off. Quite apart from the lag inherent in standards bodies, Cisco has a head start.

Trend’s Hansmann said that NAC is just one part of Cisco’s overall strategy. He said: “I believe Cisco’s Self-Defending Network vision is much clearer and more precisely defined. The TCG may go that far, but right now they’re more focused on the near-term.”

Cisco’s Rice said that creating something like NAC is a tough job, and the company wanted to work with a limited number of partners to get the system working and tested, before opening it up to standards. Other parts of the system will be submitted to standards bodies, he said.

There are a number of related standard protocols for hosts to authenticate themselves on networks, such as 802.1x and the Extensible Authentication Protocol. However, these specs are implemented in different ways by different vendors and appear to be rarely compatible.

802.1x, not to be confused with similar-sounding wireless protocols, is a layer 2 protocol for passing authentication data about the host and user to a network device such as a router. It does not, however, allow information about the security state of the host to be communicated.