NAC standards wars end in truce

The Trusted Computing Group's Trusted Network Connect (TNC) is an industry-supported working group developing NAC architecture documents and standards. The first public documents came out of TCG's TNC in 2005 after a year of work, and the group has continued to publish NAC standards and fill out its NAC architecture every year.

Cisco's approach to NAC leaves customers confused

One of the main attributes of the TNC architecture for NAC is that it combined authentication and end-point security posture checking into a single unified protocol. TNC defined the protocol to run over 802.1X (most useful in a one-device-per-switch-port or wireless environment) as well as SSL (useful in more generic environments, such as over VPN tunnels or in routed networks where switch management is undesirable).

When Microsoft released Windows Server 2008, the Microsoft NAP (Network Access Protection) and TNC NAC protocols were linked so that Windows Vista, Windows XP (with service pack 3, which includes the NAC client), and Windows 7 are all interoperable with products that follow the TNC NAC protocols.

This gave TNC significant legitimacy; because it means that every contemporary Windows client is now "TNC compatible" out of the box, which removes the need to install a specific NAC client on Windows devices. No additional client means faster and simpler deployment for network managers.

When TNC first started working on NAC architectures and protocols, Cisco refused to participate, insisting instead that it should take place in the IETF. This led to the founding of the IETF Network Endpoint Assessment (NEA) working group, co-chaired by Susan Thomson (of Cisco) and Stephen Hanna (of Juniper). Slowly, NEA has built their own NAC architecture and protocols, and released three RFCs. All the NEA work is being closely linked to the TNC work, so that the RFCs are compatible with the TNC protocol specifications.

Last month, TNC announced a certification program, which will allow participating vendors to receive a stamp of approval verifying that their products implement the TNC protocols correctly, and that their products are interoperable with other certified products.

Although we didn't find unanimous support for TNC standards among the vendors who participated in our head-to-head NAC testing, the work of the TNC (and the IETF NEA working group) is still important for two key reasons. First, it represents the main path forward for interoperable NAC products. With enterprise networks hosting more non-Windows devices than ever before, the need to have a multi-vendor approach to NAC continues to gain in importance.

The second reason is that these architectures are designed by security and network experts who are more interested in solving problems than getting a product to market quickly. While there are always commercial interests in any modern standards development, network managers can look to TNC and IETF-based products with some confidence that the primary design goal was security.

The standards wars that were so inflammatory five years ago have settled down to truce on all sides, and technically outstanding solutions from the best minds of Cisco, Microsoft, and the members of the TNC.

Return to main feature.

Read more about wide area network in Network World's Wide Area Network section.

This story, "NAC standards wars end in truce" was originally published by Network World.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon