'NAC 2.0' Takes Shape at Interop
Microsoft, Cisco and TCG converge on standards as broader network access control standards emerge.
A slew of the big names in networking are aiming to push the hot technology of network access control (NAC) beyond its proprietary beginnings, incorporating a broader base of vendor frameworks and implementations.
The effort marks a joint initiative between Cisco and the Trusted Computing Group (TCG) -- a five-year old consortium of vendors working on open standards for hardware-based security that includes HP, IBM, Intel and Microsoft.
Together, the networking colossus and the TCG are rallying behind a new specification called Interface for Metadata Access Point (IF-MAP), designed around aligning their respective access control frameworks. If all goes well, the effort to converge Cisco NAC and Trusted Network Connect (TNC) will result in a standard sanctioned by the Internet Engineering Task Force (IETF).
The news that NAC may be set to become a pervasive technology, interoperable across vendors, gives further signs that NAC may prove to be the cornerstone of end-to-end access control security within an enterprise network.
"We have Cisco, Microsoft and TNC all aligned around protocols," said Stuart Bailey, founder of networking vendor InfoBlox and the editor of the IF-MAP specification. "That's pretty exciting stuff in terms of making a substantial step forward toward network access control interoperability."
The specification is being posted today by the TNC and the group will be demonstrating implementations at the Interop trade show in Las Vegas.
The lynchpin of IF-MAP's interoperability across Cisco, Microsoft and TNC systems is the TNCCS-SOH protocol, which Microsoft donated to the TNC last year. TNCCS-SOH is a statement-of-health protocol that validates the health level of an endpoint to provide what's known as pre-admission control.
TNCCS-SOH is part of Microsoft's network address protection (NAP) technology integrated with Windows Server 2008. TNC members like Juniper and HP ProCurve as still building out the actual implementation of the protocol, but Bailey told InternetNews.com that the foundation is in place.
While Bailey noted that the IETF standardization effort is extremely important, the TNC is also moving forward on a related effort: to expand the definition of what NAC can do.
For one thing, IF-MAP goes beyond pre-admission access control -- validating an endpoint before it is granted access to network assets -- to include post-connection event correlation for access control policy.
"While NAC focuses on pre-admission requirements now because of the proliferation of unmanaged endpoints and compliance issues, there is a need to understand and manage the entire lifecycle," Bailey said.
"It's not good 'enough' to know that we can admit an endpoint to the network -- we need to watch that endpoint through the entire lifecycle and be able to react and adjust to the endpoint as it does what it needs to do," he said.
That's where the new IF-MAP protocol comes into play -- its designers had the goal of using it to provide a unified response to network endpoint events. IF-MAP uses XML-based metadata from network security devices to help correlate actions, thereby helping a network make a decision about access policy for a given endpoint.
"MAP is like a MySpace or Facebook for enterprise infrastructure security pieces that each component publishes and subscribes to," Bailey said. "This is a community of security infrastructure devices where each device can allow its circle to know what it sees on the network, and share information."
For example, if one IF-MAP-compliant security device on a network detects an VoIP phone doing something that it shouldn't, that information can be shared with other network elements to take action. The protocol itself is secured with strong certificate-based authentication and uses Web services, specifically XML over HTTPS, to communicate.
Bailey said that since IF-MAP is based on Web services, existing network security devices could potentially integrate the protocol into their devices with only a software upgrade.
"There is a pent-up demand for network security and the perceived complexity of NAC has made NAC deployment difficult for some," Bailey said. "What IF-MAP may be is a game changer for enterprise network security. It's a simple system that allows existing systems to integrate and it lowers operating cost and reduces vendor cost for integration."
Article courtesy of InternetNews.com