Much of the network access control (NAC) hype over the last few years has
involved network defense. For Mauricio Sanchez, chief security architect,
ProCurve Networking by Hewlett-Packard (NYSE: HPQ), NAC can be used as an
offensive tool as well.
The HP ProCurve offensive playbook for NAC comes as HP embraces Microsoft's
Network Access Protection (NAP) technology through its ProCurve Identity Driven
Manager (IDM) policy management tool. Microsoft's NAP has the potential to push
NAC adoption further into the enterprise mainstream now that Windows Server 2008
is generally available.
“Like any good sports team you need a good offense and a good defense to win
the game, and from a security perspective we feel that our approach should be
the same,” Mauricio Sanchez, chief security architect, ProCurve Networking by
HP, told InternetNews.com. "On the offensive side, the first layer is
around Network Access Control; this is where the network interrogates identity
and the health state of users and devices," he said, adding that the term NAC
means different things to a lot of people.
“To us and to me, NAC is more of a solution architecture based on performing
some kind of access control when users connect to a network,” Sanchez
explained. “So it’s not about a particular product or technology.”
According to Sanchez, NAC is also about products and technology that convey
the idea that network access should be limited and that people should be asked
some questions before they are permitted to connect.
Sanchez noted that once you get past the offensive layer, with its user and
system interrogation, it is important to have defensive layers that address
real-time threats against the network and protect against failures in the
He said HP will cover the offensive layer of NAC by integrating Microsoft's
NAP with HP's Identity Driven Manager (IDM) application.
NAP is an integrated component of Windows Server 2008, which was launched earlier
NAP provides built-in capabilities to verify endpoint health as devices come
onto the network. It also provides "a nice baseline for us to leverage as a
network vendor and take advantage of it," Sanchez commented.
HP’s IDM, meanwhile, allows administrators to define access policy based on
user group information, time of day and location — all by way of an easy-to-use
Though Microsoft NAP has been officially available only for a few months, it
already has a lot of backers. More than a year ago, Microsoft
claimed it had more than 100 vendors lined up to support and interoperate
Sanchez noted that HP is looking at NAC from a comprehensive network
framework perspective, which he argued is a distinct advantage over a pure-play
NAC vendor. In Sanchez's view, pure-play NAC solutions are a dead end.
Another key attribute for NAC success is interoperability, something the
Trusted Computing Group’s Trusted Network Connect (TNC) aims to achieve.
Sanchez is a chair on the TNC working group, where both HP and Microsoft are
contributors. Last year Microsoft announced that it would work toward TNC
interoperability with NAP.
Technically, the interoperability rests on TNC support for Microsoft's
Statement of Health (SoH) protocol, the NAP mechanism by which a client reports
its health state. The resulting IF-TNCCS-SOH (TNC client-server statement of
health) protocol acts as a transport for those health statements, so that a
policy server can validate that an endpoint meets the security requirements.
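The access decision the article sketches (the network interrogates identity, then endpoint health, and IDM's group, time-of-day and location policy picks the outcome) can be made concrete. The following is an added example, not HP ProCurve, IDM or NAP code; the `StatementOfHealth` fields, the rule attributes, the location tags, the VLAN numbers and the sample users are all assumptions chosen to illustrate the flow, and the real SoH wire format is not reproduced.

```python
"""NAC access decision combining identity-driven policy with endpoint health."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StatementOfHealth:
    """Constructed stand-in for a NAP statement of health (SoH); the three
    attributes are an assumption, not the real SoH encoding."""
    firewall_enabled: bool
    antivirus_current: bool
    patches_current: bool


@dataclass(frozen=True)
class AccessRequest:
    """Who is connecting, from which port location, and when (identity side)."""
    user: str
    groups: Tuple[str, ...]
    location: str          # assumed tag for the switch/building the port is in
    when: datetime


@dataclass(frozen=True)
class PolicyRule:
    """An IDM-style rule: user group, permitted locations, hours, target VLAN."""
    group: str
    locations: Tuple[str, ...]
    start: time
    end: time              # window may cross midnight (start > end)
    vlan: int


@dataclass(frozen=True)
class Decision:
    action: str            # "permit", "remediate" or "deny"
    vlan: Optional[int]
    reason: str


REMEDIATION_VLAN = 999     # assumed quarantine VLAN reaching patch/AV servers only


def evaluate_health(soh: StatementOfHealth) -> List[str]:
    """Return the failed health checks; an empty list means the endpoint is healthy."""
    failures = []
    if not soh.firewall_enabled:
        failures.append("host firewall disabled")
    if not soh.antivirus_current:
        failures.append("antivirus signatures out of date")
    if not soh.patches_current:
        failures.append("required patches missing")
    return failures


def rule_matches(rule: PolicyRule, req: AccessRequest) -> bool:
    """Match on group, location and time of day, handling overnight windows."""
    if rule.group not in req.groups or req.location not in rule.locations:
        return False
    now = req.when.time()
    if rule.start <= rule.end:
        return rule.start <= now < rule.end
    return now >= rule.start or now < rule.end


def decide(req: AccessRequest, soh: StatementOfHealth,
           rules: Tuple[PolicyRule, ...]) -> Decision:
    """Identity policy first, then health: a user no rule admits is denied
    outright rather than parked on the remediation VLAN."""
    rule = next((r for r in rules if rule_matches(r, req)), None)
    if rule is None:
        return Decision("deny", None, "no policy rule matched")
    failures = evaluate_health(soh)
    if failures:
        return Decision("remediate", REMEDIATION_VLAN, "; ".join(failures))
    return Decision("permit", rule.vlan, f"matched {rule.group} rule")


# Constructed sample policy (group names, locations and VLANs are assumptions).
SAMPLE_RULES = (
    PolicyRule("finance", ("hq-floor3",), time(7, 0), time(19, 0), 120),
    PolicyRule("ops", ("datacenter",), time(22, 0), time(6, 0), 200),
)
HEALTHY = StatementOfHealth(True, True, True)
STALE_AV = StatementOfHealth(True, False, True)


def run_scenarios() -> Dict[str, Decision]:
    """Evaluate constructed connection attempts against SAMPLE_RULES."""
    day, night, late = (datetime(2008, 3, 3, 10, 0), datetime(2008, 3, 3, 1, 0),
                        datetime(2008, 3, 3, 22, 30))
    finance = lambda when, loc="hq-floor3": AccessRequest("alice", ("finance",), loc, when)
    return {
        "finance_healthy_daytime": decide(finance(day), HEALTHY, SAMPLE_RULES),
        "finance_stale_av": decide(finance(day), STALE_AV, SAMPLE_RULES),
        "finance_after_hours": decide(finance(late), HEALTHY, SAMPLE_RULES),
        "finance_wrong_location": decide(finance(day, "datacenter"), HEALTHY, SAMPLE_RULES),
        "ops_overnight_window": decide(
            AccessRequest("bob", ("ops",), "datacenter", night), HEALTHY, SAMPLE_RULES),
        "unknown_group_unhealthy": decide(
            AccessRequest("mallory", ("guests",), "hq-floor3", day), STALE_AV, SAMPLE_RULES),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:26} {d.action:9} vlan={d.vlan} ({d.reason})")
```

The ordering in `decide` is the point worth noticing: health is only consulted after an identity rule has admitted the user, so an unknown user with a broken antivirus is denied rather than quarantined, and the remediation VLAN only ever holds endpoints the policy would otherwise have let in.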
A year later, IF-TNCCS-SOH is still not ready for . Sanchez noted that
HP’s interoperability for NAP does not come by way of TNC at this point, but
rather by way of Microsoft APIs for Server 2008.
Other networking vendors such as Juniper Networks (NASDAQ: JNPR) have already
pledged to implement IF-TNCCS-SOH once it is available.
“The Juniper Networks Infranet Controller, the policy management server at
the heart of Juniper Networks Unified Access Control (UAC), will be able to
leverage the TNC standard IF-TNCCS-SOH protocol,” Rich Campagna, senior product
manager, Juniper Networks told InternetNews.com.
“Juniper Networks UAC is expected to support this new TNC standard in the
first half of 2008,” Campagna said, adding that at Interop Las Vegas 2007, the
company showed a preliminary prototype of this technology.
HP’s Sanchez argued that the differences between what is available with
Windows Server 2008 today and what IF-TNCCS-SOH will provide are “99 percent the
same thing.” The differences according to Sanchez are minor bug fixes and
Overall, though, Sanchez noted that the TNC does matter and customers
appreciate open standards and the ability to choose from a vendor set that
supports those standards.
That said, work needs to be done within TNC to make it more effective.
“One of the things we’re working on is a compliance program to verify that
vendors are adhering to the standards, and I believe that will relieve a lot of
the deployment headaches that people face today,” Sanchez said.
He added that today many interoperability difficulties exist among vendors
who claim to be open-standards based.