Securely controlling which devices and users gain access to corporate networks is a dominant theme at Interop, with the Trusted Computing Group demonstrating interoperability among multiple vendors' gear and individual vendors announcing mutual compliance with the TCG standard.
Elsewhere at the show, the Interop Labs demonstrated implementations of similar security schemes from Cisco and Microsoft.
The demonstrations all fall under the generic name network access control (NAC), which means verifying that computers and other devices meet network security policies before they are admitted to corporate networks. This is done by scanning the machines for key configurations such as updated operating systems, updated and running virus scanning, and personal firewalls.
NAC then compares the scan results to network policies and enforces them. So if, for example, the policy says that access must be denied when a machine flunks the scan, an enforcement device blocks admission. This can be done by a switch that supports 802.1X authentication or by a VPN device.
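The scan-then-compare step described above can be sketched as a small policy decision function. This is an added example, not code from any vendor or architecture named in the article; the policy keys, the `Posture` fields and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy; a real deployment defines its own values.
POLICY = {
    "min_os_patch_date": date(2024, 4, 1),
    "max_av_signature_age_days": 7,
    "on_fail": "deny",  # what the enforcement point does when a check fails
}

@dataclass
class Posture:
    """Constructed posture report, as an endpoint agent might submit it.
    None means the agent did not report the attribute."""
    os_patch_date: Optional[date]
    av_running: Optional[bool]
    av_signature_date: Optional[date]
    firewall_enabled: Optional[bool]

def evaluate(posture, today, policy=POLICY):
    """Compare a posture report to policy and return (decision, failures).
    Missing or implausible attributes fail closed."""
    failures = []
    patch = posture.os_patch_date
    if patch is None or patch < policy["min_os_patch_date"]:
        failures.append("os_patch_level")
    if posture.av_running is not True:
        failures.append("av_not_running")
    sig = posture.av_signature_date
    if sig is None:
        failures.append("av_signatures_stale")
    else:
        age = (today - sig).days
        # A signature date in the future is treated as untrustworthy.
        if not 0 <= age <= policy["max_av_signature_age_days"]:
            failures.append("av_signatures_stale")
    if posture.firewall_enabled is not True:
        failures.append("firewall_disabled")
    decision = "admit" if not failures else policy["on_fail"]
    return decision, failures

if __name__ == "__main__":
    today = date(2024, 5, 2)
    ok = Posture(date(2024, 4, 20), True, date(2024, 4, 30), True)
    stale = Posture(date(2024, 4, 20), True, date(2024, 3, 1), True)
    print(evaluate(ok, today))
    print(evaluate(stale, today))
```

The returned decision is what an enforcement device such as an 802.1X switch or VPN gateway would act on; the list of failures is what an operator would log to explain a denial.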
TCG's architecture, supported by 60 of its vendor members, is called Trusted Network Connect (TNC). At the show, vendors including Extreme, Juniper, IBM, Symantec, Meetinghouse, Nevis, Nortel, Enterasys, Wave Systems, and others joined together to show TNC in various demonstrations on the show floor.
Beyond TNC, the best-known efforts are from Cisco (called network admission control or NAC) and Microsoft (network access protection or NAP). Other vendors are developing their own architectures with their own products and those of selected partners.
TCG's booth hosted several demonstrations of TNC. One consisted of Juniper's Odyssey Access Client on remote machines working in conjunction with Symantec's Host Integrity software, which scanned a PC for security compliance before it was allowed network access. The scanning data was passed to a Juniper Infranet Controller that determined whether the scan results met policy. That decision determined whether the PC was granted access to an active corporate virtual LAN, as controlled by an HP switch.
Similarly, Lockdown Networks demonstrated that its Lockdown Enforcer appliance works in conjunction with Microsoft's NAP architecture. The appliance authenticates machines, evaluates their security posture and enforces whether or not the device gains network access. Microsoft's NAP, which is not generally available yet, includes software to communicate endpoint status to policy decision points such as Enforcer and Microsoft's own Network Policy server, which is also not generally available.