Securely controlling what devices and users gain access to corporate networks was a dominant theme at Interop, with the Trusted Computing Group demonstrating interoperability among multiple vendors’ gear, and individual vendors announcing mutual compliance with the TCG standard.
Elsewhere at the show, the Interop Labs demonstrated implementations of similar security schemes from Cisco and Microsoft.
The demonstrations all fell under the generic name network access control (NAC): verifying that computers and other devices meet network security policies before they are admitted to corporate networks. This is done by scanning the machines for key configurations, such as an up-to-date operating system, updated and running virus scanning, and a personal firewall.
NAC then compares the scan results with network policy and enforces it. If, for example, the policy says, “when the machine flunks the scan, access must be denied,” an enforcement device blocks admission. That device can be a switch that supports 802.1x authentication or a VPN device.
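The scan-compare-enforce loop described above, as an added example that is not code from the article or from any vendor shown at Interop: a small policy decision point in Python. The posture report format, the policy thresholds, and the VLAN numbers (a production VLAN for compliant hosts and a remediation VLAN for everything else) are assumptions chosen for illustration; the sample endpoints are constructed. It also handles the case the scan-based description glosses over: a host that sends no posture report at all is treated exactly like one that flunked the scan.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example: a minimal NAC policy decision point. The data model, VLAN ids
# and policy thresholds are hypothetical, not any vendor's format or defaults.


@dataclass(frozen=True)
class PostureReport:
    """What a host-integrity agent reports after scanning an endpoint."""
    host: str
    os_patch_level: int            # patch level the agent observed
    av_running: bool               # virus scanner installed and running
    av_signature_date: datetime    # newest signature set on the host
    firewall_enabled: bool         # personal firewall switched on


@dataclass(frozen=True)
class Policy:
    min_os_patch_level: int
    max_signature_age: timedelta
    require_firewall: bool


CORPORATE_VLAN = 100    # assumed: production VLAN for compliant hosts
QUARANTINE_VLAN = 999   # assumed: remediation VLAN, update servers only


def check_posture(report: PostureReport, policy: Policy, now: datetime) -> list:
    """Compare a scan against policy; return the checks it fails (empty = compliant)."""
    failures = []
    if report.os_patch_level < policy.min_os_patch_level:
        failures.append(f"os patch level {report.os_patch_level} below required "
                        f"{policy.min_os_patch_level}")
    if not report.av_running:
        failures.append("virus scanner not running")
    elif now - report.av_signature_date > policy.max_signature_age:
        age = (now - report.av_signature_date).days
        failures.append(f"virus signatures {age} days old, limit {policy.max_signature_age.days}")
    if policy.require_firewall and not report.firewall_enabled:
        failures.append("personal firewall disabled")
    return failures


def decide(report: Optional[PostureReport], policy: Policy, now: datetime) -> tuple:
    """Policy decision: ("allow" | "deny", vlan to assign, reasons).

    A host that sends no report (no agent, or the agent did not answer) fails
    closed: it gets the same treatment as a host that flunked the scan.
    """
    if report is None:
        return "deny", QUARANTINE_VLAN, ["no posture report received"]
    failures = check_posture(report, policy, now)
    if failures:
        return "deny", QUARANTINE_VLAN, failures
    return "allow", CORPORATE_VLAN, []


# Constructed sample data: evaluation time, policy, and three scanned endpoints.
NOW = datetime(2006, 5, 3)
POLICY = Policy(min_os_patch_level=5, max_signature_age=timedelta(days=7), require_firewall=True)
REPORTS = {
    "laptop-ok": PostureReport("laptop-ok", 5, True, datetime(2006, 5, 2), True),
    "laptop-stale-av": PostureReport("laptop-stale-av", 5, True, datetime(2006, 4, 1), True),
    "desktop-old": PostureReport("desktop-old", 3, True, datetime(2006, 5, 2), False),
}


def run_demo() -> dict:
    """Decide every sample host plus one that sent nothing; return host -> decision."""
    results = {host: decide(r, POLICY, NOW) for host, r in REPORTS.items()}
    results["unknown-host"] = decide(None, POLICY, NOW)
    return results


if __name__ == "__main__":
    for host, (decision, vlan, reasons) in run_demo().items():
        print(f"{host:16} {decision:5} vlan={vlan} {'; '.join(reasons) or 'compliant'}")
```

The decision point only sees what the agent tells it, so a compromised or deliberately lying agent can report a clean scan. That is why the posture check is layered on top of authenticated identity (the 802.1x step the article returns to later) rather than replacing it, and why the enforcement point should apply the decision it was given rather than trusting the endpoint's own claim about which VLAN it belongs on.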
TCG’s architecture, supported by 60 of its vendor members, is called Trusted Network Connect (TNC). At the show, Extreme, Juniper, IBM, Symantec, Meetinghouse, Nevis, Nortel, Enterasys, Wave Systems and other vendors joined together to demonstrate TNC at various demonstrations on the show floor.
Beyond TNC, the best-known efforts were from Cisco (called network admission control or NAC) and Microsoft (network access protection or NAP). Other vendors are developing their own architectures, with their own products and those of selected partners.
TCG’s booth hosted several demonstrations of TNC. In one, Juniper’s Odyssey Access Client ran on the remote machines while Symantec’s Host Integrity software scanned each PC for security compliance before it was allowed network access. The scan results were passed to a Juniper Infranet Controller, which determined whether they met policy criteria. That decision determined whether the PC was granted access to an active corporate virtual LAN, controlled by an HP switch.
Similarly, Lockdown Networks demonstrated its Lockdown Enforcer appliance in conjunction with Microsoft’s NAP architecture. The appliance authenticates machines, evaluates their security posture and enforces the decision on whether the device gains network access. Microsoft’s NAP, which is not generally available yet, includes software to communicate end-point status to policy decision points, such as Enforcer and Microsoft’s own Network Policy Server, which is also not generally available.
During Interop, TCG announced it has completed three new standards necessary to its TNC architecture. The first is a client-server interface between the software that gathers information from the machine accessing the network and the server that verifies policies. The second is the same interface carried over the extensible authentication protocol (EAP). The third specifies how RADIUS servers and enforcement points, such as 802.1x switches, communicate.
None of these three architectures is complete yet, leaving business users up in the air about which, if any, to choose, says Steve Hultquist, who headed up the Interop Labs’ NAC initiative. “I’d say it’s an emerging technology, a technology in sort of revolution. What we’re going to see is more standards-based technologies available in the near term, the next 12 to 18 months,” Hultquist says.
“Users really aren’t quite sure what to think of it yet, in my experience,” he says.
“A lot of them haven’t even looked at 802.1x yet, which, in my opinion, is the precursor to NAC. If you haven’t done 802.1x, that is the thing you should look at implementing right now. That’s your first step into network access control.”