Trusted Computing Group broadens its NAC scope

Clarifying issues surrounding this emerging security architecture

Trusted Computing Group is expanding its area of interest beyond pre-admission NAC to post-connect NAC.

The broadened scope comes in the form of a new protocol called IF-MAP, which stands for interface for meta-data access point. The protocol is intended to be spoken between security devices on networks and a meta-data access point (MAP) that receives and posts the data.

The idea is that security devices such as firewalls, intrusion detection and prevention systems, wireless controllers, configuration and change management platforms and the like, collect data that becomes more valuable if shared. A configuration change management platform could discover a shortcoming in an endpoint and post it to the MAP. An enterprise security management device might then determine that shortcoming violates security policy.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Trusted Computing Group is expanding its area of interest beyond pre-admission NAC to post-connect NAC.

The broadened scope comes in the form of a new protocol called IF-MAP, which stands for interface for meta-data access point. The protocol is intended to be spoken between security devices on networks and a meta-data access point (MAP) that receives and posts the data.

The idea is that security devices such as firewalls, intrusion detection and prevention systems, wireless controllers, configuration and change management platforms and the like, collect data that becomes more valuable if shared. A configuration change management platform could discover a shortcoming in an endpoint and post it to the MAP. An enterprise security management device might then determine that shortcoming violates security policy.

Notification of that violation posted to the MAP could trigger a firewall to block the device from the network.

If it is adopted, IF-MAP could enable gear from multiple vendors to participate in post-connect NAC. From the customer point of view such a development could mean a richer post-connect NAC scheme than a single vendor might offer. Perhaps as importantly, it could enable existing customer gear to participate in the scheme, potentially reducing the overall cost.

This protocol is brand new and no vendors have officially incorporated it in their products, but it’s an option that may materialize soon.

Read more about security in Network World's Security section.

Tim Greene is senior editor at Network World.