Interop: Trusted Computing Group demonstrates interoperability among vendors

Demonstrating security schemes at Interop based on network access control.

Securely controlling which devices and users gain access to corporate networks is a dominant theme at Interop, with the Trusted Computing Group demonstrating interoperability among multiple vendors' gear and individual vendors announcing mutual compliance with the TCG standard.

Elsewhere at the show, the Interop Labs demonstrated implementations of similar security schemes from Cisco and Microsoft.

The demonstrations all fall under the generic name network access control (NAC): verifying that computers and other devices meet network security policies before they are admitted to corporate networks. This is done by scanning the machines for key configurations such as an up-to-date operating system and up-to-date, running virus scanners and personal firewalls.

NAC then compares the scan results to network policies and enforces them. If, for example, the policy says access must be denied when a machine flunks the scan, an enforcement device blocks admission. That device can be a switch that supports 802.1x authentication or a VPN device.
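The scan-compare-enforce flow described above, as an added example that is not from the article or any vendor named in it. The posture attributes, thresholds and VLAN number are constructed for illustration; the one point worth noticing is that any attribute the endpoint fails to report is treated as a failed check, so a broken or silent scanner fails closed instead of being waved through.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed posture report: what the endpoint-side scanner hands to the
# policy server. Field names are assumptions for this example, not fields
# from any NAC specification. None means the client did not report the item.
@dataclass
class PostureReport:
    os_patch_level: Optional[int] = None
    av_running: Optional[bool] = None
    av_signature_age_days: Optional[int] = None
    firewall_on: Optional[bool] = None

# Constructed network policy held by the policy decision point.
@dataclass
class Policy:
    min_os_patch_level: int = 10
    max_av_signature_age_days: int = 7
    production_vlan: int = 100      # assumed VLAN id for compliant machines

def evaluate(report: PostureReport, policy: Policy) -> tuple[str, list[str]]:
    """Policy decision point: compare the scan results to policy.

    Returns ("allow", []) or ("deny", [reasons]). Missing attributes
    count as failures, so the decision fails closed.
    """
    failures = []
    if report.os_patch_level is None or report.os_patch_level < policy.min_os_patch_level:
        failures.append("operating system not at required patch level")
    if not report.av_running:   # covers both False and None (unreported)
        failures.append("virus scanner not running")
    if (report.av_signature_age_days is None
            or report.av_signature_age_days > policy.max_av_signature_age_days):
        failures.append("virus signatures out of date")
    if not report.firewall_on:
        failures.append("personal firewall disabled")
    return ("allow", []) if not failures else ("deny", failures)

def enforce(decision: str, policy: Policy) -> Optional[int]:
    """Enforcement point (e.g. an 802.1x switch or VPN device): a compliant
    machine is placed on the production VLAN; a denied one gets no VLAN,
    i.e. the port stays blocked."""
    return policy.production_vlan if decision == "allow" else None

def admit(report: PostureReport, policy: Policy = Policy()):
    """Full NAC round trip: scan data in, access decision and VLAN out."""
    decision, reasons = evaluate(report, policy)
    return decision, enforce(decision, policy), reasons
```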


TCG's architecture, supported by 60 of its vendor members, is called Trusted Network Connect (TNC). At the show, vendors including Extreme, Juniper, IBM, Symantec, Meetinghouse, Nevis, Nortel, Enterasys, Wave Systems and others joined together to demonstrate TNC in several demonstrations on the show floor.

Beyond TNC, the best-known efforts are from Cisco (called network admission control, or NAC) and Microsoft (network access protection, or NAP). Other vendors are developing their own architectures using their own products and those of selected partners.

TCG's booth hosted several demonstrations of TNC. In one, Juniper's Odyssey Access Client ran on remote machines in conjunction with Symantec's Host Integrity software, which scanned a PC for security compliance before it was allowed network access. The scan data was passed to a Juniper Infranet Controller, which determined whether the results met policy. That decision determined whether the PC was granted access to an active corporate virtual LAN controlled by an HP switch.

Similarly, Lockdown Networks demonstrated its Lockdown Enforcer appliance working in conjunction with Microsoft's NAP architecture. The appliance authenticates machines, evaluates their security posture and enforces whether the device gains network access. Microsoft's NAP, which is not yet generally available, includes software that communicates endpoint status to policy decision points such as Enforcer and Microsoft's own Network Policy Server, also not yet generally available.

During Interop, TCG announced it has completed three new standards necessary to its TNC architecture. The first is a client-server interface between the software that gathers information from the machine accessing the network and the server that verifies policies. The second is the same interface carried over the Extensible Authentication Protocol (EAP). The third specifies how RADIUS servers and enforcement points such as 802.1x switches communicate.

None of these three architectures is complete yet, leaving business users up in the air about which, if any, to choose, says Steve Hultquist, who headed up the Interop Labs NAC initiative. "I'd say it's an emerging technology, a technology in sort of revolution. What we're going to see is more standards-based technologies available in the near term, the next 12 to 18 months," Hultquist says.

"Users really aren't quite sure what to think of it yet, in my experience," he says. "A lot of them haven't even looked at 802.11x yet, which in my opinion is the precursor to NAC. If you haven't done 802.1x, that is the thing you should look at implementing right now. That's your first step into network access control."

Copyright © 2006 IDG Communications, Inc.