Network World

NAC competition: Microsoft's Network Access Protection

No switch or router maker, industry giant focuses on DHCP for access control.
By Joel Snyder, Network World Test Alliance , Network World , 04/03/2006

The most significant differences between Microsoft's Network Access Protection architecture and TCG's Trusted Network Connect result from the fact that Microsoft doesn't make switches or routers. Therefore, the path for handling enforcement is different, focusing on the SMB-friendly DHCP rather than enterprise-sized 802.1X, though the architecture gives a nod to the latter as an option.

As with Trusted Network Connect, the Microsoft client side is broken into three parts.

At the top are the Microsoft System Health Agents, taking on a function similar to that of TCG's Integrity Measurement Collectors. These agents are responsible for generating Statements of Health that can be used to assess endpoint security.

Tying the System Health Agents into the rest of the architecture is Microsoft's Network Access Protection Agent, analogous to TCG's Trusted Network Connect Client. Below the Network Access Protection Agent are Microsoft's Enforcement Clients, which line up with TCG's Network Access Requestor.

These Enforcement Clients, typically 802.1X supplicants or VPN clients in other architectures, also include DHCP client capabilities in Microsoft's world.

Microsoft's architectural white papers define clients for DHCP, Point-to-Point Protocol/Layer 2 Tunneling Protocol (PPP/L2TP), and IPSec network access. What is more important, though, is that Microsoft has defined the API connecting its three layers of Network Access Protection on the client.
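To make the three client layers and the DHCP enforcement path concrete, here is an added illustration (not Microsoft's code or API): two System Health Agents produce Statements of Health, the Network Access Protection Agent collects them, and a DHCP Enforcement Client hands out either a full lease or a restricted one depending on the policy decision. Class names, the claim keys, the policy rules and all IP addresses are constructed assumptions for this example.

```python
from dataclasses import dataclass

@dataclass
class StatementOfHealth:
    agent: str    # which System Health Agent produced this statement
    claims: dict  # constructed claims, e.g. {"firewall": True}

class SystemHealthAgent:
    """Top layer: collects one slice of endpoint state into a Statement of Health."""
    def __init__(self, name, collector):
        self.name, self.collector = name, collector
    def statement(self):
        return StatementOfHealth(self.name, self.collector())

class NetworkAccessProtectionAgent:
    """Middle layer: ties the agents to the enforcement client below it."""
    def __init__(self, agents):
        self.agents = agents
    def collect(self):
        return [a.statement() for a in self.agents]

def policy_decision(statements, policy):
    """Policy Decision Point (assumed rules): every required claim must pass."""
    claims = {}
    for s in statements:
        claims.update(s.claims)
    failures = [k for k, check in policy.items() if not check(claims.get(k))]
    return ("compliant" if not failures else "restricted", failures)

class DhcpEnforcementClient:
    """Bottom layer: a compliant host gets a normal lease; a non-compliant host
    gets a restricted lease with no default router, so only the remediation
    server is reachable. Note this only constrains hosts that ask for a lease."""
    def request_lease(self, nap_agent, policy):
        verdict, failures = policy_decision(nap_agent.collect(), policy)
        if verdict == "compliant":
            return {"ip": "10.0.1.50", "router": "10.0.1.1", "verdict": verdict}
        return {"ip": "10.0.99.50", "router": None, "remediation": "10.0.99.2",
                "verdict": verdict, "failures": failures}

# Constructed policy: firewall must be on, AV signatures no older than 7 days.
POLICY = {
    "firewall": lambda v: v is True,
    "av_signatures_age_days": lambda v: v is not None and v <= 7,
}

def demo(firewall_on, sig_age_days):
    """Run one endpoint through all three layers and return the lease it gets."""
    sha_fw = SystemHealthAgent("firewall", lambda: {"firewall": firewall_on})
    sha_av = SystemHealthAgent("antivirus",
                               lambda: {"av_signatures_age_days": sig_age_days})
    agent = NetworkAccessProtectionAgent([sha_fw, sha_av])
    return DhcpEnforcementClient().request_lease(agent, POLICY)
```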

By creating an API that describes how the three pieces of the client will fit together, Microsoft eliminates an enormous amount of risk and variability in the entire Network Access Control space. Even if Microsoft's entire Network Access Protection product plans were jettisoned internally, the contribution of having these defined APIs shipping with Windows should not be underestimated.

Of course, the trick will be convincing every other NAC architect in the industry that Microsoft's API is both necessary to a good NAC design and sufficient for the task. No vendor is proposing to make this middleware piece a moneymaking differentiator. It simply exists to let desktop security vendors have a way of communicating the status of their products back to the Policy Decision Points. By simply adopting Microsoft's model, which happens to mesh almost perfectly with the other important NAC models, IT managers won't have to worry about interoperability or vendor lock-in at that point in the scheme.
