TNC Endpoint Security Gains Traction

But questions remain over Microsoft's Network Access Protection and Cisco's Network Admission Control.

The movement toward a vendor-neutral, open architecture for endpoint security will get some momentum this week when the Trusted Computing Group consortium unveils new specifications for the Trusted Network Connect architecture at the Interop trade show in Las Vegas.

But enterprise IT managers who are waiting for integration between TNC and competing schemes from Microsoft Corp. and Cisco Systems Inc. may need a lot of patience.

At the Interop trade show in Las Vegas this week, Trusted Computing Group will release a document describing the TNC (Trusted Network Connect) client-server architecture and specifications for APIs for client and server plug-ins that support the TNC standard.

TNC members also will demonstrate TNC-compliant products, said Thomas Hardjono, a principal scientist at TCG member VeriSign Inc.

Third-party software vendors will use the new TNC specification documents to build client and server plug-ins that can collect, transmit and evaluate TNC-compliant client "integrity" data, such as whether a machine that is trying to connect to a TNC-protected network is using updated antivirus software, Hardjono said.

More APIs are needed to support network communications at different layers and to create an interface for the Trusted Computing Group's TPM (Trusted Platform Module) security chip. Integration with the TPM will add an extra dimension to client integrity checks, creating unique IDs for client integrity reports that are impossible to forge, he said.
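To make the collect/transmit/evaluate split concrete, here is a small added illustration of the idea, not code from the Trusted Computing Group or from any TNC, NAP or NAC product. A client-side routine gathers a posture report (antivirus signature date, missing critical patches, firewall state), tags it so the server can detect tampering in transit, and a server-side routine evaluates it against an admission policy and returns allow or quarantine with reasons. The report fields, the policy and the HMAC tag are assumptions made for the example; the HMAC stands in for the TPM-backed binding the article anticipates and is not the TNC wire format.

```python
"""Toy endpoint posture check in the spirit of the TNC collect/transmit/evaluate split.

Added example, not Trusted Computing Group code. Report layout, policy keys and
the HMAC integrity tag are assumptions for illustration only; a real TNC
deployment uses the client/server plug-in APIs the article describes.
"""
import hashlib
import hmac
import json
from datetime import date
from typing import Dict, List, Tuple

# Shared secret standing in for a per-client credential (constructed value).
REPORT_KEY = b"example-key-not-for-production"

# Admission policy the server enforces (constructed values).
POLICY = {
    "max_av_signature_age_days": 3,
    "max_missing_critical_patches": 0,
    "require_firewall": True,
}


def sign_report(report: Dict, key: bytes = REPORT_KEY) -> str:
    """Client side: tag the canonical JSON form so any later edit is detectable."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_report(report: Dict, tag: str, key: bytes = REPORT_KEY) -> bool:
    """Server side: constant-time comparison of the recomputed tag."""
    return hmac.compare_digest(sign_report(report, key), tag)


def evaluate(report: Dict, tag: str, today: date,
             policy: Dict = POLICY) -> Tuple[str, List[str]]:
    """Server side: return ("allow" | "quarantine", list of reasons)."""
    if not verify_report(report, tag):
        # Do not evaluate a report we cannot trust; quarantine outright.
        return "quarantine", ["integrity report failed verification"]

    reasons: List[str] = []
    age = (today - date.fromisoformat(report["av_signature_date"])).days
    if age > policy["max_av_signature_age_days"]:
        reasons.append(f"antivirus signatures are {age} days old")

    missing = report["missing_critical_patches"]
    if len(missing) > policy["max_missing_critical_patches"]:
        reasons.append("missing critical patches: " + ", ".join(missing))

    if policy["require_firewall"] and not report["firewall_enabled"]:
        reasons.append("host firewall disabled")

    return ("allow" if not reasons else "quarantine"), reasons


# Constructed sample posture reports.
HEALTHY = {"host": "laptop-01", "av_signature_date": "2005-05-01",
           "missing_critical_patches": [], "firewall_enabled": True}
STALE = {"host": "laptop-02", "av_signature_date": "2005-04-10",
         "missing_critical_patches": ["PATCH-EXAMPLE-1"], "firewall_enabled": False}

if __name__ == "__main__":
    today = date(2005, 5, 2)
    for rep in (HEALTHY, STALE):
        print(rep["host"], evaluate(rep, sign_report(rep), today))
    # A report altered after tagging: the client claims compliance it does not have.
    forged = dict(STALE, firewall_enabled=True, missing_critical_patches=[])
    print("forged", evaluate(forged, sign_report(STALE), today))
```

The point of the tag check is the one Hardjono raises: a health check is only as good as the report it evaluates, so the server refuses to reason about a report whose integrity it cannot verify rather than trusting the client's self-description.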

TCG hopes to have specifications for a TPM client-server interface and for more network transport layers by the end of the summer, bringing the Trusted Network Connect architecture closer to completion and allowing vendors to develop fuller solutions based on TNC, Hardjono said.

But TNC adds more letters to what is already an alphabet soup of competing client security architectures, including Microsoft's NAP (Network Access Protection) and Cisco's NAC (Network Admission Control). Plans for tying the architectures together are sketchy, according to interviews with executives.


The three schemes have similar goals: allowing network administrators to enforce security policies and perform health checks on client machines, such as laptop and desktop computers, before they are allowed to access a network. Client security is a major issue for network security administrators such as Adam Hansen of Sonnenschein Nath & Rosenthal LLP in Chicago.

The law firm already has more laptop than desktop computers and an increasingly mobile workforce, which makes it difficult to monitor critical issues such as operating-system patches and security vulnerabilities, Hansen said. "We have to be able to see you to check on you. We see these mobile workers as a threat when they come back into our network," he said.

However, keeping busy attorneys offline while their system is patched or disinfected can be expensive, Hansen said.

The firm already does quarantining using the Hercules automated vulnerability remediation software from Dallas-based Citadel Security Software Inc. to do limited client security checks, but a solution such as NAC, NAP or TNC would be a more holistic solution, he said.
