Trusted Computing Group (TNG) leads effort to certify NAC products, but not all vendors are on board
The Trusted Computing Group’s Trusted Network Connect (TNC) is an industry-supported working group developing NAC architecture documents and standards. The first public documents came out of TCG’s TNC in 2005 after a year of work, and the group has continued to publish NAC standards and fill out their NAC architecture every year.
The Trusted Computing Group's Trusted Network Connect (TNC) is an industry-supported working group developing NAC architecture documents and standards. The first public documents came out of TCG's TNC in 2005 after a year of work, and the group has continued to publish NAC standards and fill out its NAC architecture every year.
One of the main attributes of the TNC architecture for NAC is that it combined authentication and end-point security posture checking into a single unified protocol. TNC defined the protocol to run over 802.1X (most useful in a one-device-per-switch-port or wireless environment) as well as SSL (useful in more generic environments, such as over VPN tunnels or in routed networks where switch management is undesirable).
When Microsoft released Windows Server 2008, the Microsoft NAP (Network Access Protection) and TNC NAC protocols were linked so that Windows Vista, Windows XP (with service pack 3, which includes the NAC client), and Windows 7 are all interoperable with products that follow the TNC NAC protocols.
This gave TNC significant legitimacy; because it means that every contemporary Windows client is now "TNC compatible" out of the box, which removes the need to install a specific NAC client on Windows devices. No additional client means faster and simpler deployment for network managers.
When TNC first started working on NAC architectures and protocols, Cisco refused to participate, insisting instead that it should take place in the IETF. This led to the founding of the IETF Network Endpoint Assessment (NEA) working group, co-chaired by Susan Thomson (of Cisco) and Stephen Hanna (of Juniper). Slowly, NEA has built their own NAC architecture and protocols, and released three RFCs. All the NEA work is being closely linked to the TNC work, so that the RFCs are compatible with the TNC protocol specifications.
Last month, TNC announced a certification program, which will allow participating vendors to receive a stamp of approval verifying that their products implement the TNC protocols correctly, and that their products are interoperable with other certified products.
Although we didn't find unanimous support for TNC standards among the vendors who participated in our head-to-head NAC testing, the work of the TNC (and the IETF NEA working group) is still important for two key reasons. First, it represents the main path forward for interoperable NAC products. With enterprise networks hosting more non-Windows devices than ever before, the need to have a multi-vendor approach to NAC continues to gain in importance.
The second reason is that these architectures are designed by security and network experts who are more interested in solving problems than getting a product to market quickly. While there are always commercial interests in any modern standards development, network managers can look to TNC and IETF-based products with some confidence that the primary design goal was security.
The standards wars that were so inflammatory five years ago have settled down to truce on all sides, and technically outstanding solutions from the best minds of Cisco, Microsoft, and the members of the TNC.
Learn more about this topic
A prominent Linux kernel developer announced today in a blog post that she would step down from her...
Amazon's re:Invent conference is this week's place to show off the latest and greatest tools for the...
Passwords are a bane of life on the Internet today, but one Turing Award winner has an algorithmic...
Sponsored by SevOne
Sponsored by HP
After a busy week at AWS re:Invent, here’s a recap of the big takeaways
Android Marshmallow and iOS 9 add new tricks to the MDM arsenal, especially for app management
Despite years in the making, many security leaders are still wary about BYOD policy. Here are five ways...
Most computer pros will talk about external threats, like malware, hackers, spyware, DoS attacks and...