Microsoft NAP/TNC alliance brings new dimension to network access control decisions


Mike Chapple
08.03.2007


Network access control (NAC) systems provide information security teams with a valuable weapon in the endpoint security war. This is because they allow administrators to specify the acceptable states for systems attached to their networks. Systems not meeting the minimum standards are denied network access or quarantined in an isolated subnet with limited (or no) access to enterprise resources. Sounds like an ideal way to bolster network security in the day and age of deperimeterization, doesn't it?

Until recently, enterprises seeking to implement network access control faced a dilemma not unlike the HD-DVD/Blu-Ray schism in the world of digital media: too many competing standards. Cisco Systems Inc. offered its NAC Framework, while Microsoft touted its own Network Access Protection (NAP) product. Network-centric shops, especially those with Cisco infrastructures, leaned toward the green-box NAC Framework, while OS types wanted to jump on board with Microsoft.

In an attempt to standardize efforts around an independent, open-source architecture, a new group entered the fray. The Trusted Computing Group, a consortium of industry firms, including IBM, Sun Microsystems Inc., Hewlett-Packard Co. and Intel Corp., introduced the Trusted Network Computing (TNC) framework. That was all well and good, but initially, neither Cisco nor Microsoft dropped their proprietary efforts to jump on the TNC bandwagon. That all changed in May 2007, however, when Microsoft announced its intention to make NAP interoperable with TNC.

Before diving into the nuts and bolts of how TNC/NAP interoperability works, let's take a quick, 40,000-foot look at the NAC process. The technology involves three components: the endpoint, the policy enforcement point (PEP) and the policy decision point (PDP). The endpoint, through an agent, certifies its health to the PDP; in this case, a NAC server. The PDP then makes an access determination based upon the state of the endpoint and the identity of the user. The decision point communicates that action to the PEP, which is typically a network switch or similar device. Here's a graphical look at the process:

[Figure: the NAC process among the endpoint, the PEP and the PDP]

Software running on the endpoint makes the system health assertions. Before the interoperability announcement, however, that software had to be from the same company that manufactured the PDP software. Interoperability changes those strict requirements, though, and allows more options.
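The endpoint, PDP and PEP roles described above, sketched as an added example (not code from the article, NAP or TNC). The health attribute names, thresholds, user list, VLAN numbers and port name are all hypothetical, and the statement of health is modeled as a plain dictionary rather than the IF-TNCCS-SOH wire format.

```python
from dataclasses import dataclass
from typing import Optional

def _max_age(days):
    # Accept only real integers in range; bool, None or strings fail closed.
    return lambda v: type(v) is int and 0 <= v <= days

# Hypothetical minimum standards (attribute names and limits are assumptions).
POLICY = {
    "firewall_enabled": lambda v: v is True,
    "av_signature_age_days": _max_age(7),
    "days_since_last_patch": _max_age(30),
}
USER_ROLES = {"alice": "staff", "bob": "contractor"}       # constructed identities
VLANS = {"staff": 10, "contractor": 20, "quarantine": 99}  # constructed VLAN ids

@dataclass(frozen=True)
class Decision:
    action: str            # "allow", "quarantine" or "deny"
    vlan: Optional[int]
    reasons: tuple

def failed_checks(soh):
    """Policy attributes the statement of health fails; missing ones count as failed."""
    return tuple(sorted(n for n, ok in POLICY.items() if n not in soh or not ok(soh[n])))

def pdp_decide(user, soh):
    """PDP: combine user identity with endpoint health into one access decision."""
    role = USER_ROLES.get(user)
    if role is None:
        return Decision("deny", None, ("unknown user",))
    failures = failed_checks(soh)
    if failures:
        return Decision("quarantine", VLANS["quarantine"], failures)
    return Decision("allow", VLANS[role], ())

def pep_apply(port, decision):
    """PEP: turn the PDP's decision into switch-port state."""
    if decision.action == "deny":
        return {"port": port, "state": "blocked"}
    return {"port": port, "state": "open", "vlan": decision.vlan}

if __name__ == "__main__":
    healthy = {"firewall_enabled": True, "av_signature_age_days": 2, "days_since_last_patch": 12}
    stale = {"firewall_enabled": True, "av_signature_age_days": 45}  # patch data missing
    for user, soh in (("alice", healthy), ("bob", stale), ("mallory", healthy)):
        print(user, pep_apply("port-7", pdp_decide(user, soh)))
```

An attribute the agent does not report is treated the same as one that fails, so an endpoint cannot gain full access by omitting part of its health statement.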

The IF-TNCCS-SOH Statement of Health Protocol takes the formerly proprietary Microsoft NAP SOH protocol and makes it an open standard available to all solution providers. The move is a significant one. Microsoft's NAP client is integrated into Windows Vista and will be part of Windows XP Service Pack 3 and Windows Server 2008, both planned for release in early 2008. NAP will then, of course, receive an automatic lion's share of the desktop and server markets.

What does this mean to you, as a networking or security professional? If looming incompatibility issues have kept you from adopting a NAC product, you can breathe a little easier.

At this point, it's safe to assume that any NAC product using the TNC standard will soon have out-of-the-box compatibility with Microsoft operating systems. It is important to note, though, that Cisco is not a TNC member, so the future of Cisco NAC is a little murkier, i.e. Cisco's NAC products are only guaranteed to interoperate with other Cisco products. However, IF-TNCCS-SOH is an open standard, so there's nothing that would prevent Cisco from adopting it down the road. If the company decides to incorporate that standard in its Cisco NAC Appliance, we'll have NAC nirvana: interoperability among all major NAC platforms and the Windows operating systems.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
