Access Initiatives Test Limits

What's the best way to limit network access to approved, correctly configured and malware-free end-user devices?

Whats the best way to limit network access to approved, correctly configured and malware-free end-user devices? Cisco Systems Inc., Microsoft Corp. and an industry association called the Trusted Computing Group—along with network equipment makers including Extreme Networks Inc., Juniper Networks Inc. and Vernier Networks Inc.—are trying very hard to answer that question.

The current state of the art is a cluster of products, specifications and emerging protocols that are bunched up around the admission control starting gate.

Cisco is the furthest ahead with its NAC (Network Admission Control) specification, along with product offerings that come in part from its acquisition of Perfigo Inc.s Clean Machine. The Cisco line has been dubbed the Clean Access family of products. Cisco shows every sign that it wants to build more power into the Clean Access products, which basically ensure that end-user systems are virus- and spyware-free before gaining access to the network.

Microsofts NAP (Network Access Protection) is part of the "Longhorn" and Vista betas. NAP uses the operating system and policies created by IT administrators to validate an end-user device (running a beta of the Vista operating system) to ensure that it can safely access the network. NAP, like other admission control systems eWEEK Labs has seen, provides mechanisms such as integration with patch management tools to keep authorized end-user devices updated with the anti-virus and anti-spyware tools needed to meet network admission standards.

Juniper is working to support Microsofts NAP specifications and the Trusted Computing Groups specifications for admission control. However, Junipers focus is a little higher up the network stack, moving from network port and end-user device scanning to focusing on application performance and control. Juniper mixes application performance and network access control in products that will be released in the coming months, Juniper officials said.

Its an interesting model, and readers should watch these pages for reviews of Junipers products as they become available.

The Trusted Computing Group is developing TNC (Trusted Network Connect), a core set of open, vendor-neutral specifications. The group is working in a wide variety of areas, from servers and storage systems to its Trusted Platform Module.

The TNC workgroup issued the first fruits of its labors in May, an architecture specification for determining the security and compliance posture of end-user devices attempting to log on to a network. Using what TNC calls identity and integrity, the architecture outlines how an end-user device should be authenticated, authorized and then checked to ensure the device can safely access the network.

All these initiatives overlap with the existing IT infrastructure, as we found in our review of Vernier Networks EdgeWall 7000 Rx . For now, we advise IT managers that new admission control systems are worth adding to a network only if they can leverage the extensive authentication and authorization infrastructure that is already in place.


Check out eWEEK.coms for the latest news, views and analysis on servers, switches and networking protocols for the enterprise and small businesses.