Cisco, Microsoft take different approaches to access control

In many previous articles, we have discussed “de-perimeterization,” an ungainly term describing the erosion of traditional perimeters. Our research indicates that most companies are retrenching and redeploying their perimeter around the crown jewels: the applications and data residing in the data center.

This new, narrower perimeter focuses security controls at the point of access to the data center. The “perimeter of one” strategy layers firewalls, intrusion-prevention systems and anti-malware around every desktop, laptop and even handheld computer. Security policies then connect the two perimeters (the data center perimeter and the one around each endpoint) with an access-control policy that checks every endpoint before allowing entry into the network and data center.

There’s only one problem with this strategy: endpoint access control is currently dominated by proprietary and non-compatible “solutions” by Microsoft and Cisco.

But things may be about to change. Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) are the two most commonly cited approaches for controlling endpoint access. Despite public promises from both vendors for interoperability, the two approaches are still not compatible, almost two years after their introduction.

For IT executives with substantial investments in both vendors’ equipment this is a cruel choice: almost like having to pick one parent’s loyalty over the other. Both vendors seem intent on continuing down diverging paths despite the market demand for broadly interoperable products. Predictably, Cisco and Microsoft are taking different approaches to endpoint control. One approach seems to emphasize the network, while the other emphasizes the endpoint. Both have a “consortium” of smaller vendors pledging interoperability, but the chasm between the two approaches is as wide as ever.

But NAP and NAC are not the end of the story.
An industry standards body, the Trusted Computing Group, has worked with a number of vendors (including Microsoft) to develop a common architecture and interface specification for endpoint verification and access control.

The Trusted Network Connect (TNC) working group has published a set of specifications, and a number of vendors are building standards-based endpoint access control. Not only is the TNC standard open, but it is also balanced between the network and the endpoint. For example, in the TNC standard, a policy check (checking the health of the endpoint) is not a one-time event and can be initiated by either the network or the endpoint.

TNC is also modular, allowing multiple policy engines to check different aspects of compliance. While the focus so far has been on anti-malware, operating system patches and so forth, there is no limit to the types of checks that can be implemented in TNC.

The TNC is a working group as well as a standard. And the first TNC products are also compatible with NAP and NAC, creating a “bridge” from those approaches to open standards.

EndForce, Nortel, Juniper, HP, Symantec, Meetinghouse, Nevis and Consentry have either announced products or are in the working group and developing products around TNC. That’s an impressive lineup of vendors. Maybe it is time for the market to help Microsoft and Cisco make the leap to open standards for NAP and NAC. IT executives: If you want to manage endpoint access control in a heterogeneous and multi-vendor environment, put your money where your mouth is.