Network access control (NAC) has come to refer to technology that enables enterprises to enforce security policies on endpoints connected to their networks. An enterprise security policy, for example, might require endpoints to have up-to-date security patches and antivirus tools, or prevent the use of applications such as peer-to-peer file sharing or instant messaging.
NAC endpoint security policies can be verified only by scanning the endpoint for compliance from the inside, that is, by software running on the endpoint itself. This involves taking measurements on the endpoint, such as file versions or checksums, and comparing them against reference values; a practitioner would add that such self-reported measurements are only as trustworthy as the software that reports them. Because antivirus vendors update their signatures and operating system vendors issue new security patches continually, the database of reference values can change almost daily. Clearly, a certain amount of infrastructure is needed to support all of these NAC moving parts.
Multiple vendors offer what appear to be comparable NAC solutions, but none of them interoperate. This makes NAC a strong candidate for standardization. Last fall, the IETF chartered the Network Endpoint Assessment (NEA) Working Group to standardize the protocols common to a number of NAC infrastructure architectures, such as Network Access Protection from Microsoft, Cisco Network Admission Control and Trusted Network Connect (TNC) from the Trusted Computing Group, with the goal of promoting interoperability.
Initially, the priority would be standardizing the protocols that carry information about the status of various endpoint attributes - what the NEA calls "posture attributes" - between "collectors" on clients and the "validators" that run on policy servers.
The NEA tasked a subgroup to put together a first draft of the requirements document, and this draft was circulated on a mailing list in January. It included proposed terminology, use cases and a reference model, with requirements for specific protocols to be standardized (see graphic).
The reference model includes posture collectors and posture validators for specific policy components, such as a particular vendor's antivirus tool. A posture collector assembles the posture attribute (PA) values that its corresponding posture validator knows how to evaluate; the protocol between a collector and its validator is the PA protocol. The posture broker client and server multiplex the messages exchanged between collector-validator pairs (the PB protocol), so that many vendor-specific pairs can share one exchange. The posture transport client and server establish the communications channel between the endpoint (NEA client) and the policy server (NEA server) (the PT protocol).
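The following is an added illustration, not code from the article or from the NEA working group, of the measure-and-compare process described earlier and of the collector/broker/validator layering in the reference model. It simulates three posture collectors on an endpoint (antivirus signature version, OS patch level, and a file checksum used to detect a forbidden peer-to-peer client), a posture broker client that multiplexes their attributes into one message, a posture broker server that demultiplexes the message to the matching validators, and a policy server that turns the per-validator results into an access decision. The endpoint state, the reference values, the JSON message layout and all component names are constructed assumptions for illustration; they are not the NEA protocol encoding.

```python
"""Toy simulation of the NEA reference model (constructed example).

Posture collectors on the endpoint (NEA client) produce posture
attributes, a posture broker client multiplexes them into one message,
a posture broker server demultiplexes them to the matching posture
validators on the policy server (NEA server), and the server combines
the results into an access decision. Names and message layout are
assumptions, not the real NEA protocol encoding.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# --- endpoint side (NEA client) -------------------------------------

@dataclass
class PostureCollector:
    """Measures one policy component and reports its posture attributes."""
    component: str                 # names the validator these are for
    measure: Callable[[], dict]

    def collect(self) -> dict:
        return {"component": self.component, "attributes": self.measure()}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed endpoint state standing in for real measurements.
ENDPOINT = {
    "av_signature_version": "2007.03.14",   # zero-padded YYYY.MM.DD
    "os_patch_level": 1092,
    "p2p_client_binary": b"fake-p2p-client-v1",  # stand-in file contents
}

def measure_antivirus() -> dict:
    return {"signature_version": ENDPOINT["av_signature_version"]}

def measure_patches() -> dict:
    return {"patch_level": ENDPOINT["os_patch_level"]}

def measure_p2p() -> dict:
    return {"binary_sha256": sha256_of(ENDPOINT["p2p_client_binary"])}

def broker_client_send(collectors) -> str:
    """Posture broker client: multiplexes every collector's attributes
    into one message for the posture transport client to carry."""
    return json.dumps([c.collect() for c in collectors])

# --- policy server side (NEA server) --------------------------------

@dataclass
class ReferenceValues:
    """Reference database. In practice it changes almost daily as AV and
    OS vendors ship new signatures and patches."""
    min_av_signature_version: str = "2007.03.12"
    min_patch_level: int = 1090
    forbidden_binary_hashes: Set[str] = field(default_factory=set)

def validate_antivirus(attrs: dict, ref: ReferenceValues) -> bool:
    # String comparison is safe only because the form is zero-padded.
    return attrs["signature_version"] >= ref.min_av_signature_version

def validate_patches(attrs: dict, ref: ReferenceValues) -> bool:
    return attrs["patch_level"] >= ref.min_patch_level

def validate_p2p(attrs: dict, ref: ReferenceValues) -> bool:
    # Policy forbids known P2P file-sharing clients, identified by hash.
    return attrs["binary_sha256"] not in ref.forbidden_binary_hashes

VALIDATORS: Dict[str, Callable[[dict, ReferenceValues], bool]] = {
    "antivirus": validate_antivirus,
    "patches": validate_patches,
    "p2p": validate_p2p,
}

def broker_server_receive(message: str, ref: ReferenceValues) -> Dict[str, bool]:
    """Posture broker server: demultiplexes the message and hands each
    component's attributes to its validator. A component with no
    registered validator is treated as non-compliant, not ignored."""
    results: Dict[str, bool] = {}
    for item in json.loads(message):
        validator = VALIDATORS.get(item["component"])
        results[item["component"]] = bool(validator and validator(item["attributes"], ref))
    return results

def access_decision(results: Dict[str, bool]) -> str:
    # An empty result set means nothing was verified, so deny by default.
    return "allow" if results and all(results.values()) else "quarantine"

def run_assessment(ref: ReferenceValues) -> Tuple[Dict[str, bool], str]:
    collectors = [
        PostureCollector("antivirus", measure_antivirus),
        PostureCollector("patches", measure_patches),
        PostureCollector("p2p", measure_p2p),
    ]
    results = broker_server_receive(broker_client_send(collectors), ref)
    return results, access_decision(results)

if __name__ == "__main__":
    print(run_assessment(ReferenceValues()))
    # Vendor raises the signature baseline: the same endpoint now fails.
    print(run_assessment(ReferenceValues(min_av_signature_version="2007.03.15")))
```

The second call in the `__main__` block shows the point made about the reference database: nothing on the endpoint changed, but a newer minimum signature version on the server flips the antivirus result and the overall decision to quarantine.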