NEW YORK — Network access control, commonly referred to by its acronym NAC, has been
one of the big buzzwords of the networking space for the last few years. At Interop, a
panel of vendors argued that NAC has now reached a point of maturation, though audience
members disagreed with the assertion claiming that interoperability doesn’t yet
NAC offers the promise of secure networks, while preadmission control ensures that
only validated end points can get network access. As NAC matures, post-connect use case
scenarios for NAC also emerge, making the technology approach a broader security
methodology for networks.
“We’ve reached a point of maturity in the NAC marketplace with many products in second
or third release and are solid,” Steve Hanna, Trusted Network Connect (TNC) co-chair at
the Trusted Computing Group (TCG), told the audience. “Customers have been using it for a
few years and they have figured out some of the issues and vendors have found ways to
address the issues.”
The TNC is a standard produced by the TCG for NAC; participating members in TNC include Microsoft and Juniper Networks, where Hanna holds the title of distinguished engineer.
Cisco, on the other hand, is the vendor that first coined the term NAC, and it, too, is seeing maturity in the market.
“Three years ago everyone just called everything that smelled like a security solution NAC, but that’s not the case anymore,” Brendan O’Connell, senior manager of product management at Cisco Systems, said.
So with vendors claiming that NAC is now mature, what should enterprises do? Hanna argued that enterprises should future-proof themselves by using a standards-based
“One way to get that is by making sure whatever you deploy today is based on open standards. TNC standards are the most widely adopted,” he said.
The problem, though, is that there is no globally accepted standard for NAC today, as Cisco is not TNC-compliant and not a member of the TCG. Cisco is, however, active in the IETF standards body, which is also working on a NAC standard, based in part on what TNC offers.
Hanna referred to the fact that Cisco is not TNC-compliant as a “small exception,” a comment that elicited several sneers from his fellow panelists and the
One audience member said that since there is no real global standard, customers can’t
“I agree there are gaps there,” Hanna responded.
Hanna added that the IETF does not move quickly, though the current schedule has the
IETF NAC standard set for completion in 2009.
“The standards that are being approved are the TNC specs, so it’s not a rip and
replace issue,” Hanna argued. “IETF is not a rubber stamp organization. So there will be
a point release of TNC to align with the IETF changes. But it will be one stream moving
forward. Come that day you won’t have to worry about interoperability with Cisco.”
Cisco’s O’Connell responded that Cisco is part of the IETF NAC effort, and it is a standard that Cisco will adopt.
“Do all vendors want their products to interoperate? Of course,” O’Connell said. “Things don’t always happen quickly, but they do happen, and it is in our best interest because it’s the only way we can address the whole market. Three years ago we wouldn’t even have agreement on what NAC was, so at least we know we have agreement on that.”
Surprisingly, though, the actual protocol specifications around NAC are not really the
big concern for Cisco.
“I don’t care what the protocol is that handles this stuff,” O’Connell said. “What I care about is what the product does, since frankly, at the end of the day, the functional difference about protocol definitions becomes meaningless when it is time to
Hanna quickly pounced on O’Connell’s comment, asking, “So if you don’t care about the bits, why don’t you just implement TNC? Apparently he does care, because they’re not implementing the open standards.”
Moving beyond the standards debate on NAC, the vendors are now taking a broader view of what NAC should also encompass. Hanna noted that the TCG is now working on the IF-MAP standard for post-connect correlation of security events after a user connects to the network. IF-MAP was first announced at Interop Las Vegas earlier this year.
Article courtesy of InternetNews.com