Trusted Network Connect
The Trusted Computing Group's Trusted Network Connect working group comprises any vendor that wants to make a NAC play and that is not Cisco. The TCG/TNC working group has published a set of specifications defining the data formats and communications protocols for a complete NAC system, but our reader poll and conversations with security and IT professionals show it has a visibility problem. Not surprising, given the disparity in marketing budgets.
The TCG/TNC specifications are vendor-neutral: in principle, any company that writes to the specification can integrate with NAC products from any other vendor. The building blocks look very similar to CNAC's. IMCs (Integrity Measurement Collectors) on the endpoint gather health data and hand it to the TNC client software. The TNC client sends that data to a PDP (Policy Decision Point), which passes each measurement to the matching IMV (Integrity Measurement Verifier) for validation against policy.
Once the PDP reaches a decision, the resulting access policy is applied at a PEP (Policy Enforcement Point). The TNC client will most likely be supplied by the same vendor that supplies the PDP, but that doesn't have to be the case.
This model raises many implementation questions. If there are multiple TNC clients on a host, which one will be used? How are TNC clients registered on a host, and what does host configuration involve? Until there are shipping products, these questions won't be answered, nor will best practices be formed.
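The IMC, TNC client, PDP, IMV and PEP roles described above can be seen end to end in the following simplified model. It is an added example, not code from the TCG, the TNC specifications or any vendor: the class and function names (Measurement, TNCClient, PDP, PEP, the *_imc and *_imv functions), the VLAN names and the sample endpoints are all assumptions constructed for the illustration, and the real TNC interfaces between these components are collapsed into direct function calls. It also shows the two decisions the text leaves open, which the model answers by failing closed: what the PDP does with a measurement no IMV understands, and what it does when a required IMC is missing from the client.

```python
"""Illustrative model of the TNC health-check flow: IMC -> TNC client -> PDP/IMV -> PEP.

Added example; not TCG or vendor code. Names, VLANs and sample hosts are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable


class Recommendation(IntEnum):
    # Ordered so that max() yields the most restrictive recommendation.
    ALLOW = 0
    ISOLATE = 1
    NO_ACCESS = 2


@dataclass(frozen=True)
class Measurement:
    component: str    # which IMV should verify this ("antivirus", "patch", ...)
    attributes: dict  # the raw health data the IMC collected


# --- Endpoint side: IMCs feed the TNC client ----------------------------------

def antivirus_imc(host: dict) -> Measurement:
    """IMC reporting anti-virus state from a (constructed) host inventory."""
    return Measurement("antivirus", {"enabled": host["av_enabled"],
                                     "signature_age_days": host["av_signature_age_days"]})


def patch_imc(host: dict) -> Measurement:
    """IMC reporting the number of missing critical patches."""
    return Measurement("patch", {"missing_critical": host["missing_critical_patches"]})


class TNCClient:
    """Gathers the measurements of every registered IMC for one access request."""
    def __init__(self, imcs: list[Callable[[dict], Measurement]]):
        self.imcs = imcs

    def collect(self, host: dict) -> list[Measurement]:
        return [imc(host) for imc in self.imcs]


# --- Network side: the PDP dispatches to IMVs, the PEP enforces --------------

def antivirus_imv(m: Measurement) -> Recommendation:
    """IMV: AV must be on, and signatures no older than a week (assumed policy)."""
    if not m.attributes["enabled"]:
        return Recommendation.NO_ACCESS
    if m.attributes["signature_age_days"] > 7:
        return Recommendation.ISOLATE
    return Recommendation.ALLOW


def patch_imv(m: Measurement) -> Recommendation:
    """IMV: any missing critical patch sends the host to remediation."""
    return Recommendation.ISOLATE if m.attributes["missing_critical"] > 0 else Recommendation.ALLOW


class PDP:
    """Routes each measurement to the IMV registered for its component and
    combines the IMV results into one recommendation (most restrictive wins)."""
    def __init__(self, imvs: dict[str, Callable[[Measurement], Recommendation]]):
        self.imvs = imvs

    def decide(self, measurements: list[Measurement]) -> Recommendation:
        results, reported = [], set()
        for m in measurements:
            reported.add(m.component)
            imv = self.imvs.get(m.component)
            # A measurement no IMV understands is a policy gap: fail closed.
            results.append(imv(m) if imv else Recommendation.ISOLATE)
        # A component that policy requires but no IMC reported is equally suspect:
        # a host without a patch IMC must not be treated as fully patched.
        for required in self.imvs:
            if required not in reported:
                results.append(Recommendation.ISOLATE)
        return max(results, default=Recommendation.ISOLATE)


class PEP:
    """Turns a recommendation into an enforcement action, here a VLAN assignment."""
    def __init__(self, vlan_for: dict[Recommendation, str]):
        self.vlan_for = vlan_for

    def enforce(self, rec: Recommendation) -> str:
        return self.vlan_for[rec]


# Wire the components together; any vendor could supply any box in this chain.
CLIENT = TNCClient([antivirus_imc, patch_imc])
DECISION_POINT = PDP({"antivirus": antivirus_imv, "patch": patch_imv})
ENFORCEMENT_POINT = PEP({Recommendation.ALLOW: "vlan-corp",
                         Recommendation.ISOLATE: "vlan-remediation",
                         Recommendation.NO_ACCESS: "vlan-quarantine"})


def assess(host: dict, client: TNCClient = CLIENT) -> tuple[Recommendation, str]:
    """Run one endpoint through collect -> decide -> enforce."""
    rec = DECISION_POINT.decide(client.collect(host))
    return rec, ENFORCEMENT_POINT.enforce(rec)


# Constructed sample endpoints.
HEALTHY = {"av_enabled": True, "av_signature_age_days": 1, "missing_critical_patches": 0}
STALE_AV = {"av_enabled": True, "av_signature_age_days": 12, "missing_critical_patches": 0}
AV_OFF_UNPATCHED = {"av_enabled": False, "av_signature_age_days": 40, "missing_critical_patches": 3}

if __name__ == "__main__":
    for name, host in [("healthy", HEALTHY), ("stale_av", STALE_AV), ("av_off", AV_OFF_UNPATCHED)]:
        print(name, *assess(host))
```

The interesting case is the last one a reader can try: a TNC client that ships only the anti-virus IMC reports nothing about patch state, and the PDP isolates it rather than letting the absence of evidence pass as health. That is the behaviour you want from a vendor's PDP when several IMCs and IMVs from different suppliers are mixed on one host.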
The group is busily sponsoring demonstrations and adding vendors to its member roster. Although it's extremely tight-lipped about unannounced work, the group is kicking around ideas such as integrating work from other TCG working groups and adding more specifications to bring other network and security equipment into the TNC architecture, which would put more assessment and enforcement products into the mix. But it won't commit to anything publicly. Maybe not a bad idea, but it's not helping the TCG/TNC's visibility problem.
IETF
Then there's the IETF. Currently, the Network Endpoint Assessment BoF, co-chaired by Cisco's Susan Thomson and Juniper's Stephen Hanna, is working toward gaining working group status. Its initial goal is to define a set of requirements for communications among NAC components and then try to either unify the existing protocols or develop new ones.
While that goal is laudable, don't hold your breath. Agreement by consensus on what to order for lunch can take a long time. For a protocol suite as complex as NAC, it can take a long, long time.
But Will They Work?
Of all the frameworks available, only CNAC has an interoperability testing program. We see that as a critical factor for any access-control initiative: a passed conformance test gives you some assurance that two products will work together, whereas the specification alone does not. Standards are written and agreed on by one group, then implemented by others.
No matter how specific a set of standards is as written, developers are left with a lot of room for interpretation. Two vendors can both write to the standards, even participate in an industry bake-off, and their products still may not play well together. Interoperability testing is what establishes that they do.
Decision Time
As the NAC market starts to gel, the amount of energy being poured into positioning is amazing, even to those used to vendor hyperbole. NAC systems aimed at everyone from the small office to the global enterprise are available from multiple vendors, each offering a wide array of assessment, enforcement and integration options.
So do you jump in now, or wait to see what shakes out in standards, frameworks and the inevitable consolidation due to acquisitions, mergers and attrition over the coming 12 to 24 months?
Companies with mobile workforces, or that frequently have contractors and guests accessing the network, can benefit from NAC today, because those two scenarios represent the greatest threat. But if you can mitigate the risk posed by guest and mobile computers by other means, say through network segmentation, waiting for the market and standards to coalesce makes sense. You get time to plan for an orderly NAC deployment, standards have time to evolve, and vendors will hopefully make headway integrating their products.
If you want NAC today, we can help ensure that your chosen vendor has a plan that fits with your vision. In our report, "NWC Analytics: Network Access Control" we discuss the results of our e-poll, which reflects your peers' views on NAC, in the context of the market. We also analyze vendor positions and offerings. You can find it at nwcanalytics.com.
Here's a look at the current state of the technology.