A slew of the big names in networking are aiming to push the hot
technology of network access control (NAC) beyond its proprietary
beginnings, incorporating a broader base of vendor frameworks and
The effort marks a joint initiative between Cisco and the Trusted
Computing Group (TCG) — a five-year old consortium of vendors working on
open standards for hardware-based security that includes HP, IBM, Intel and
Together, the networking colossus and the TCG are rallying behind a new
specification called Interface for Metadata Access Point (IF-MAP), designed
around aligning their respective access control frameworks. If all goes
well, the effort to converge Cisco NAC and Trusted Network Connect (TNC)
will result in a standard sanctioned by the Internet Engineering Task Force
The news that NAC may be set to become a pervasive technology,
interoperable across vendors, gives further signs that NAC may prove to be
the cornerstone of end-to-end access control security within an enterprise
“We have Cisco, Microsoft and TNC all aligned around protocols,” said
Stuart Bailey, founder of networking vendor InfoBlox and the editor of the
IF-MAP specification. “That’s pretty exciting stuff in terms of making a
substantial step forward toward network access control
The specification is being posted today by the TNC and the group will be
demonstrating implementations at the Interop trade show in Las Vegas.
The lynchpin of IF-MAP’s interoperability across Cisco, Microsoft and
TNC systems is the TNCCS-SOH
protocol, which Microsoft donated to the TNC last year. TNCCS-SOH is a
statement-of-health protocol that validates the health level of an endpoint
to provide what’s known as pre-admission control.
TNCCS-SOH is part of Microsoft’s network address protection (NAP)
technology integrated with Windows Server 2008. TNC members like Juniper
and HP ProCurve are still building out the actual implementation of the
protocol, but Bailey told InternetNews.com that the foundation is in
While Bailey noted that the IETF standardization effort is extremely
important, the TNC is also moving forward on a related effort: to expand
the definition of what NAC can do.
For one thing, IF-MAP goes beyond pre-admission access control —
validating an endpoint before it is granted access to network assets — to
include post-connection event correlation for access control policy.
“While NAC focuses on pre-admission requirements now because of the
proliferation of unmanaged endpoints and compliance issues, there is a need
to understand and manage the entire lifecycle,” Bailey said.
“It’s not good ‘enough’ to know that we can admit an endpoint to the
network — we need to watch that endpoint through the entire lifecycle and
be able to react and adjust to the endpoint as it does what it needs to
do,” he said.
That’s where the new IF-MAP protocol comes into play — its designers
had the goal of using it to provide a unified response to network endpoint
events. IF-MAP uses XML-based metadata from network security devices to
help correlate actions, thereby helping a network make a decision about
access policy for a given endpoint.
“MAP is like a MySpace or Facebook for enterprise infrastructure
security pieces that each component publishes and subscribes to,” Bailey
said. “This is a community of security infrastructure devices where each
device can allow its circle to know what it sees on the network, and share
For example, if one IF-MAP-compliant security device on a network
detects a VoIP phone doing something that it shouldn’t, that information
can be shared with other network elements to take action. The protocol
itself is secured with strong certificate-based authentication and uses Web
services, specifically XML over HTTPS, to communicate.
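The publish/subscribe flow described above, as an added illustration that is not code from the article, the TNC or any IF-MAP implementation: an in-memory stand-in for a metadata access point (the real protocol carries the same metadata as XML over HTTPS with certificate-based client authentication, which is omitted here), with constructed identifier strings, metadata keys, publisher names and a policy rule that are assumptions for the example.

```python
from collections import defaultdict

# Simplified in-memory model of an IF-MAP metadata access point (MAP).
# The real protocol carries this as XML over HTTPS with certificate-based
# client authentication; here only the metadata graph and the
# publish/subscribe flow are modelled. Identifier strings, metadata keys
# and publisher names are constructed for illustration, not the spec's.

class MetadataAccessPoint:
    def __init__(self):
        self.graph = defaultdict(list)          # identifier -> metadata
        self.subscriptions = defaultdict(list)  # identifier -> callbacks

    def subscribe(self, identifier, callback):
        self.subscriptions[identifier].append(callback)

    def publish(self, publisher, identifier, metadata):
        # Attach metadata to the identifier, then notify every subscriber.
        record = dict(metadata, publisher=publisher)
        self.graph[identifier].append(record)
        for callback in self.subscriptions[identifier]:
            callback(identifier, self.graph[identifier])


def decide(records, max_events=3):
    """Policy for one endpoint from everything published about it:
    a pre-admission health check plus post-connection event correlation."""
    compliant = any(r["type"] == "health" and r["status"] == "compliant"
                    for r in records)
    events = [r for r in records if r["type"] == "event"]
    if not compliant or any(e["severity"] == "high" for e in events):
        return "quarantine"
    # Several lesser events from different publishers also trip the policy.
    return "quarantine" if len(events) >= max_events else "allow"


def demo():
    # Constructed scenario: a NAC agent, an IDS and a VoIP monitor publish
    # about one phone; the policy decision point subscribes and reacts.
    mapsrv, decisions = MetadataAccessPoint(), []
    phone = "ip-address:192.0.2.25"
    mapsrv.subscribe(phone, lambda ident, recs: decisions.append(decide(recs)))
    mapsrv.publish("nac-agent", phone, {"type": "health", "status": "compliant"})
    mapsrv.publish("ids", phone, {"type": "event", "severity": "low"})
    mapsrv.publish("voip-monitor", phone,
                   {"type": "event", "severity": "high", "name": "rogue-http"})
    return decisions  # returns ['allow', 'allow', 'quarantine']
```

Each publish re-evaluates the endpoint against everything the MAP holds about it, which is the correlation step the article says IF-MAP adds to pre-admission NAC.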
Bailey said that since IF-MAP is based on Web services, existing network
security devices could potentially integrate the protocol into their
devices with only a software upgrade.
“There is a pent-up demand for network security and the perceived
complexity of NAC has made NAC deployment difficult for some,” Bailey
said. “What IF-MAP may be is a game changer for enterprise network
security. It’s a simple system that allows existing systems to integrate
and it lowers operating cost and reduces vendor cost for integration.”