Microsoft, TCG, Juniper Tie the NAC Knot

Two of the three NAC giants have joined to make their frameworks interoperable, leaving only Cisco partially noninteroperable.

A lot of vendors selling a lot of components that have to agree on how to measure a lot of things have to come together to make an effective Network Access Control system.

This involves vendors of hardware, security, network security, client security and operating systems deciding how to tell who's running a system trying to access the network, whether that system's healthy, whether it needs to be quarantined, how to give it the proper level of network access and how to fix it if it's not up to snuff.

Microsoft and the Trusted Computing Group on May 21 are making an announcement that will provide the fabric to mesh much of all that.

At Interop in Las Vegas, the two are letting it be known that the TCG's TNC (Trusted Network Connect) NAC architecture will adopt Microsoft's NAP (Network Access Protection) protocol, which is primarily a client/server NAC spec.

Juniper Networks at the same time is announcing that it's working with Microsoft on interoperability between Juniper's UAC (Unified Access Control) NAC standard and Microsoft's NAP.

The NAP-TNC move streamlines customer choices in this nascent security architecture. Up until May 21, interested organizations have been faced with three standards: NAP, TNC and Cisco's NAC (Network Admission Control). At this point, the only influential NAC player left out of the loop is Cisco, since it has eschewed joining the TCG. The TCG is an industry consortium—of which Microsoft is a member—that develops open standards for computing security.

Paul Mayfield, Group Program manager of Microsoft's Windows Enterprise Networking Group, said that together with industry partners, the company will be demonstrating products based on the new protocol at Interop. "You'll see things like the Vista operating system out of the box working against a Juniper server to control the access a client receives," he said in an interview with eWEEK.

Vista supports the standard now, and the next release of Windows XP will as well. Microsoft hasn't publicly committed to a ship date yet, but XP SP3 is targeted near the ship of Windows Server 2008—toward the end of the year, he said. Support for the standard is being built into Windows Server 2008 as well. Other TNC members—Juniper, for example—are targeting having commercial availability of products that support the standard in the first half of next year, he said.

Mayfield said that Microsoft has heard from a number of customers that in spite of the momentum they're seeing behind the NAC industry, there's been one solution from Microsoft and one from the TCG. "[They're asking,] 'Which one do I buy?' We've driven a lot of clarity into this announcement, regarding [the question of] 'Should I buy one or the other?' They can [now] buy one. …"


"I think it simplifies things," said Lawrence Orans, an analyst with Gartner, in an interview with eWEEK. "It's good for the industry, for organizations looking to deploy generic access control. You no longer have to choose between NAP and the TNC framework. They'll be interoperable: Components that worked in the TCG's TNC framework should also work in a NAP framework."

Steve Hanna, co-chair of the TCG TNC work group and distinguished engineer at Juniper Networks, said that deciding which of the three architectures to go with has been one barrier as technology customers try to decide how to tackle NAC, which is a complex and costly proposal that few have even begun to deploy.

"By having two major players aligning with Microsoft NAP, that's a pretty big alignment and helps make the decision a lot easier for customers. It's going to make deployment easier for customers, too. It means somebody can take a Vista machine, which supports the NAP architecture and standards, and have it work easily with a TCG TNC implementation like Juniper's. And the Juniper server would be able to check the health of a Vista laptop or client without having to load any extra software on there. … As long as the server and the client support the same standards," a NAC installation should be plug and play, Hanna said during an interview with eWEEK.

"That's how people want their machines to work," he said. "You plug it in and start it up and it works. From a NAC perspective, it will just work."

The first step in the interoperability of NAP and TNC will be enabled by Microsoft's contribution of its SoH (Statement of Health) protocol to the TCG. The two organizations are releasing a new spec—the IF-TNCCS-SOH—on May 21 as part of the TNC architecture. Vendors, which have lined up to cheer on the integration, can begin implementing the IF-TNCCS-SOH spec immediately. Microsoft and the TCG will be demonstrating the new spec at work at their Interop booths (the TCG's in booth 211 and Microsoft's at #1548) during the week.

Besides interoperability and the freedom it brings to choose best-of-breed products, the NAP-TNC merge means that customers can now start deploying TNC-based products, such as Juniper's NAC technology, and be assured that their investments will hook up to Windows Vista—which already fits into the arrangement—and Windows Server 2008 when it ships, Hanna said. The upcoming release of Windows XP SP3 will also include the NAP Agent component as part of the core operating system.
