The TCG, a nonprofit industry-based standards organization comprising interested vendors, has been working on its Trusted Network Connect scheme since mid-2004 and still doesn't have a completed architecture.
The Trusted Network Connect framework includes six separate protocols to build a complete system, but only two of these have been fully defined, making it impossible to have a fully deployed Trusted Network Connect NAC network. TCG has promised the rest of the protocols any day now.
That said, the best starting point for evaluating NAC architecture is with the TCG's Trusted Network Connect, because its specifications are created in an open, vendor-neutral environment and can be used as a good model just to get the terminology straight.
Every proposed NAC strategy can be mapped to the Trusted Network Connect architecture, but that doesn't mean Trusted Network Connect is a superset of other products. Many NAC vendors add features not explicitly discussed by TCG, such as control of personal firewalls or continuous rechecking of endpoint security. Other NAC vendors handle cases that are not discussed in the TCG architecture, such as how to provide access controls when the end system is a guest laptop and doesn't have all the necessary software installed.
The Trusted Network Connect architecture divides the NAC problem into three entities: the Access Requestor, the Policy Enforcement Point and the Policy Decision Point (see graphic "Walking through a generic NAC process").
TCG's Access Requestor is a combination of the entity trying to gain access to the network, such as a laptop or desktop computer, and the software and drivers that implement authentication and endpoint-security assessment processes. TCG divides the Access Requestor into three smaller pieces. At the bottom is a Network Access Requestor, software used by the client to connect to the network, request access and provide authentication. For example, an 802.1X supplicant or an IPSec VPN client could handle a network-access request.
Integrity Measurement Collectors, software components responsible for evaluating the security posture of the end system, sit on top of the Network Access Requestor; they are still on the client system and still part of the Access Requestor. If your policy is defined such that everyone has to be running anti-virus software, then your anti-virus vendor would provide a plug-in that serves up status information on its software.
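To make the three roles concrete, here is an added model of the flow described above: an Access Requestor whose Integrity Measurement Collector plug-in reports anti-virus status, a Policy Decision Point that evaluates it, and a Policy Enforcement Point that maps the decision onto a network segment. This is illustrative code written for this article, not TCG or vendor code; the class names, the `max_sig_age` threshold, the user list and the VLAN names are all constructed assumptions.

```python
"""Constructed model of the TCG Trusted Network Connect roles (not real TNC code)."""
from dataclasses import dataclass

KNOWN_USERS = {"alice", "bob"}          # constructed identity store for the PDP
VLAN_FOR = {"allow": "corp", "remediate": "quarantine", "deny": None}  # assumed PEP mapping


@dataclass
class Measurement:
    """One posture attribute produced by an Integrity Measurement Collector."""
    component: str
    attribute: str
    value: object


class AntiVirusIMC:
    """Hypothetical vendor plug-in reporting whether AV runs and how old its signatures are."""
    def __init__(self, running: bool, sig_age_days: int):
        self.running, self.sig_age_days = running, sig_age_days

    def collect(self):
        return [Measurement("av", "running", self.running),
                Measurement("av", "sig_age_days", self.sig_age_days)]


class AccessRequestor:
    """Endpoint: the Network Access Requestor bundles credential plus IMC output."""
    def __init__(self, identity: str, imcs):
        self.identity, self.imcs = identity, imcs

    def request(self):
        return {"identity": self.identity,
                "measurements": [m for imc in self.imcs for m in imc.collect()]}


def policy_decision(request, max_sig_age=7):
    """Policy Decision Point: authenticate first, then judge posture.
    A missing measurement (e.g. a guest laptop with no IMC installed) fails
    closed to remediation rather than being treated as compliant."""
    if request["identity"] not in KNOWN_USERS:
        return "deny"
    posture = {(m.component, m.attribute): m.value for m in request["measurements"]}
    if not posture.get(("av", "running"), False):
        return "remediate"
    if posture.get(("av", "sig_age_days"), max_sig_age + 1) > max_sig_age:
        return "remediate"
    return "allow"


def nac_flow(ar: AccessRequestor):
    """Full exchange: requestor -> PDP decision -> PEP placement. Returns (decision, vlan)."""
    decision = policy_decision(ar.request())
    return decision, VLAN_FOR[decision]      # PEP enforces what the PDP decided
```

A healthy, authenticated endpoint lands on `corp`; one with stale signatures, no anti-virus, or no collector at all goes to `quarantine`; an unknown identity is refused before posture is even considered.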