Network access control (NAC) systems provide information security teams with a valuable weapon in the endpoint security war. This is because they allow administrators to specify the acceptable states for systems attached to their networks. Systems not meeting the minimum standards are denied network access or quarantined in an isolated subnet with limited (or no) access to enterprise resources. Sounds like an ideal way to bolster network security in this day and age of deperimeterization, doesn't it?
Until recently, enterprises seeking to implement network access control faced a dilemma not unlike the HD-DVD/Blu-Ray schism in the world of digital media: too many competing standards. Cisco Systems Inc. offered its NAC Framework, while Microsoft touted its own Network Access Protection (NAP) product. Network-centric shops, especially those with Cisco infrastructures, leaned toward the green-box NAC Framework, while OS types wanted to jump on board with Microsoft.
In an attempt to standardize efforts around an independent, open-source architecture, a new group entered the fray. The Trusted Computing Group, a consortium of industry firms, including IBM, Sun Microsystems Inc., Hewlett-Packard Co. and Intel Corp., introduced the Trusted Network Computing (TNC) framework. That was all well and good, but initially, neither Cisco nor Microsoft dropped their proprietary efforts to jump on the TNC bandwagon. That all changed in May 2007, however, when
Before diving into the nuts and bolts of how TNC/NAP interoperability works, let's take a quick, 40,000-foot look at the NAC process. The technology involves three components: the endpoint, the policy enforcement point (PEP) and the policy decision point (PDP). The endpoint, through an agent, certifies its health to the PDP; in this case, a NAC server. The PDP then makes an access determination based upon the state of the endpoint and the identity of the user. The decision point communicates that action to the PEP, which is typically a network switch or similar device. Here's a graphical look at the process:
Software running on the endpoint makes the system health assertions. Before the interoperability announcement, however, that software had to be from the same company that manufactured the PDP software. Interoperability changes those strict requirements, though, and allows more options.
The IF-TNCCS-SOH Statement of Health Protocol takes the formerly proprietary Microsoft NAP SOH protocol and makes it an open standard available to all solution providers. The move is a significant one. Microsoft's NAP client is integrated into Windows Vista and will be part of Windows XP Service Pack 3 and Windows Server 2008, both planned for release in early 2008. NAP will then, of course, receive an automatic lion's share of the desktop and server markets.
What does this mean to you, as a networking or security professional? If looming incompatibility issues have kept you from adopting a NAC product, you can breathe a little easier.
At this point, it's safe to assume that any NAC product using the TNC standard will soon have out-of-the-box compatibility with Microsoft operating systems. It is important to note, though, that Cisco is not a TNC member, so the future of Cisco NAC is a little murkier: Cisco's NAC products are only guaranteed to interoperate with other Cisco products. However, IF-TNCCS-SOH is an open standard, so there's nothing that would prevent Cisco from adopting it down the road. If the company decides to incorporate that standard in its Cisco NAC Appliance, we'll have NAC nirvana: interoperability among all major NAC platforms and the Windows operating systems.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in August 2007