Move Earns a Cheering Section
Many networking and security companies are cheering it all on. A release from TCG quotes Symantec, trusted endpoint vendor Wave Systems, Hewlett Packard, WiFi infrastructure vendor Colubris Networks, Nortel and more, all voicing support for the move. "Customers have made it clear that interoperability amongst the major network access control architectures and solutions is critical to helping them reduce overall cost of ownership and time to value," Karthik Krishnan, senior product line manager at Juniper Networks, was quoted as saying in the release. "Today's announcement from Microsoft and the Trusted Computing Group is a watershed event for our industry. Interoperability between Juniper Networks [UAC] and Microsoft [NAP] leveraging this new TNC specification will provide customers with greater choice, flexibility and investment protection for their network access control deployments."
"We're seeing a lot of interest in NAC from our clients," Gartner's Orans said. "A lot of large organizations are very interested in NAC. But there haven't been many large implementations. Where we are now, people are looking at pilots and small projects. [But] I don't think they've been put off by the variety of standards. That hasn't been an overriding obstacle. Complexity is an obstacle, and price has been an obstacle. There are a few options: an infrastructure-based approach, which hasn't been ready for primetime yet. NAP isn't available because Longhorn [aka Windows Server 2008] is not available yet." Specifically, Cisco switches, which provide enforcement, aren't ready yet. Instead, Cisco has been pushing its NAC appliance, but those, too, can be expensive. Another approach to NAC is to use endpoint agents. There, however, you run into the "yet another agent" syndrome, Orans said. "A lot [of enterprises] don't want another agent out there on their PCs." There are too many operational issues associated with NAC.
Enterprises aren't necessarily enthusiastic about quarantining users and keeping them off the network. "That can be a political problem," Orans said. "Those are all reasons for the slowness in adoption of NAC." As for Cisco's absence in the TCG, Orans pointed out that the company has submitted its NAC proposals through the IETF, so it is certainly not shying away from open standards. "You can make the argument that the IETF is a true standards body while the TCG is just this industry consortium," he said. And, given Cisco's installed base and influence in the market, it doesn't have to participate in the TCG if it doesn't choose to, Orans pointed out. Besides, as it is, many of Cisco's NAC products are interoperable with Microsoft's, including its 802.1X switches and wireless access points. "We can use any Cisco switch or wireless access point as enforcement points, because of the standards they already support," Mayfield said. "It would be nice to have other Cisco stuff there as well. [But] from an architecture standpoint, you could buy a Juniper or Microsoft server and a Vista laptop, because of [this] interoperability. We don't really need anything [from Cisco]. But you wouldn't get the ability to have a Cisco decision point and a Juniper client or something like that." "We'd be glad to have them join [the TCG]," Hanna said. "But the fact that they're not a member doesn't mean their equipment can't participate in a TNC environment. Their stuff supports 802.1X and RADIUS, so we can use [Cisco products] in some parts of the architecture." Another aspect to the news is that stronger security is coming to the table with the TCG's TPM (Trusted Platform Module). The TPM is a hardware/software chip or function built into a laptop or desktop. All commercial-grade machines shipping now include this chip, often built into the chip set on the motherboard. The TPM has manifold security functions. One is disk encryption, which ensures that a lost or stolen system won't give up its data.
The TPM is also used for strong authentication, much like a smart card built into the motherboard. The TPM also enables a trusted boot. When a machine boots up, everything that loads onto the machine gets checked. If any infection, such as a rootkit or virus, is lurking on the machine, the TPM picks up on it. When the system attempts to connect back up to the network, the server then discovers the infection and is ready to quarantine the system. That's much stronger security than NAC alone gives with its checking of up-to-date patches and anti-virus signatures, given that NAC can't get to the hardware level to see what's on a machine preboot, Hanna said. Preboot security checks relate to hardware hacking that's recently been discovered by security researcher Joanna Rutkowska. Rutkowska has specifically focused on PCI cards, for example, and how they can be fooled by virtualization software. "A rootkit is an example of virtualization being used for bad purposes," Hanna said. "[Rutkowska] says what if you have an evil rootkit on a machine, can a [PCI] card detect it? The answer is no, unfortunately. This TPM module, because it comes before software runs on a machine, can detect rootkits."
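As an added illustration (not code from the article, the TCG or any vendor named here), the following Python simulates the trusted-boot check Hanna describes: each component is hashed and extended into a TPM PCR as it loads, and the network-side policy server replays the reported event log and compares it with a known-good reference before admitting or quarantining the endpoint. The boot chain, the tampered driver and the reference values are constructed sample data, and the TPM quote (the signature a real TPM puts on its PCR values so the server can trust the reported register) is assumed to have been verified already and is left out.

```python
import hashlib

# Constructed sample boot chain: (component, bytes of the image that gets loaded).
KNOWN_GOOD_CHAIN = [
    ("firmware", b"firmware-v1"),
    ("bootloader", b"bootloader-v1"),
    ("kernel", b"kernel-v1"),
    ("nic_driver", b"nic-driver-v1"),
]
# Constructed tampered boot: a modified NIC driver loads in place of the real one.
TAMPERED_CHAIN = KNOWN_GOOD_CHAIN[:3] + [("nic_driver", b"nic-driver-v1+rootkit")]

def extend_pcr(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: a PCR can only move to H(old || digest), so nothing
    loaded later can erase the record of what loaded before it."""
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(chain):
    """Endpoint side: hash each component as it loads, extend it into one PCR,
    and keep the event log that the endpoint reports to the network."""
    pcr, event_log = bytes(32), []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest.hex()))
        pcr = extend_pcr(pcr, digest)
    return pcr, event_log

# Known-good reference values the policy server was provisioned with (constructed).
REFERENCE_PCR, REFERENCE_LOG = measure_boot(KNOWN_GOOD_CHAIN)

def access_decision(reported_pcr, event_log, ref_pcr=REFERENCE_PCR, ref_log=REFERENCE_LOG):
    """Server side: replay the log to confirm it reproduces the reported PCR,
    then compare with the reference. Any mismatch means quarantine."""
    replayed = bytes(32)
    for _name, digest_hex in event_log:
        replayed = extend_pcr(replayed, bytes.fromhex(digest_hex))
    if replayed != reported_pcr:
        return "quarantine", "event log does not reproduce the reported PCR"
    if reported_pcr != ref_pcr:
        for (name, d), (_n, ref_d) in zip(event_log, ref_log):
            if d != ref_d:
                return "quarantine", f"{name} does not match known-good measurement"
        return "quarantine", "boot chain length differs from reference"
    return "admit", "boot chain matches known-good reference"

def connect(chain, claimed_log=None):
    """Endpoint boots `chain`, then presents its PCR and log (or a forged log)."""
    pcr, log = measure_boot(chain)
    return access_decision(pcr, claimed_log if claimed_log is not None else log)
```

`connect(TAMPERED_CHAIN, claimed_log=REFERENCE_LOG)` shows why the hardware register matters: an infected machine that reports the clean log is still caught, because the log no longer reproduces the PCR the TPM actually accumulated.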
As much as vendors would like us to believe that interoperability has been keeping customers from deploying NAC (and it has, indeed, been one hampering factor), there are other issues keeping the platform from bursting onto the scene, even though enterprises are definitely interested.