Microsoft NAP-TNC compatibility won't speed adoption, users say

By Bill Brenner and Dennis Fisher, SearchSecurity.com Staff
21 May 2007 | SearchSecurity.com

Security Wire Daily News

In a move meant to help speed the adoption of its endpoint security technology, Microsoft Corp. Monday announced interoperability between its Network Access Protection (NAP)-enabled products and the Trusted Computing Group's Trusted Network Connect (TNC) architecture. IT professionals hail the move, but say it won't accelerate their adoption timetables.

NAP and TNC are two of the three main competing specifications for network access control deployments, and until now products based on one specification have been incompatible with those using the other. This has been a stumbling block for enterprises looking to deploy a comprehensive NAC infrastructure, and enterprise IT managers often cite the lack of interoperability as one of the main reasons for not using NAC. Microsoft officials are hoping this move will help change that.

The Redmond, Wash.-based company's NAP technology is included in Windows Vista, but won't be fully functional until the release early next year of the Longhorn server, now known as Windows Server 2008. Microsoft and Cisco Systems Inc. have been working together on NAC-NAP compatibility for some time, and the companies announced some progress last fall. But this is the first time that Microsoft, a member of the TCG, has announced any interoperability with the TNC specification.

As part of the plan announced at the Interop show in Las Vegas, the TCG today published a new TNC specification based on the Microsoft Statement of Health Protocol, which describes the ways in which TNC-enabled devices can now interact with NAP-enabled machines. The new specification enables NAP servers to accept network access requests and health statements from TNC-enabled devices. A number of TCG member companies will begin shipping products in the first half of next year that work with the new specification.

Dave Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG, is headed to Interop this week and one of his specific goals is to get a pulse on the NAP/NAC/TNC market. He said it's great to see Microsoft and TCG cooperating, but he expects it to have little impact on his NAC adoption plans since NAP is on hold until Longhorn ships.

"It's something we have had on our action list for the past 18 months or so, and I plan to have a pilot running by the end of the year with an eye towards a full deployment in 2008," Bixler said. "So while this is a great announcement for the industry, it's a little late for it to impact my plans at the moment."

He's not alone in that assessment. Brian Joyce, IT director of Chattanooga, Tenn.-based accounting firm Joseph Decosimo and Co., said he's very interested in NAC/NAP/TNC. In theory, he said, it would seem the most logical way to protect the perimeter at the source of access, but he doesn't expect interoperability to speed up deployments.

"The products aren't mature enough for us yet," Joyce said. "Microsoft's announcement is good, but there is much more that needs to happen before we jump on the NAC/NAP bandwagon."

While IT pros have expressed a lot of interest in NAC, experts have pointed out the technology's drawbacks in recent months.

At the Black Hat DC conference in March, Ofir Arkin, CTO of Framingham, Mass.-based NAC vendor Insightix, said NAC implementations are often more difficult than they need to be because companies don't have a good understanding of their networks, in turn opening the door for opportunistic attackers.

He said flaws exist in almost every part of a NAC implementation, allowing an attacker the ability to bypass most access control walls. Therefore, he said, careful planning is essential before implementing any part of NAC.

At the Infosec World Conference and Expo in Orlando, Fla., later that month, a panel of IT security pros suggested the costs of deploying NAC may not be worth the benefits promised by the technology.


