The movement toward a vendor-neutral, open architecture for endpoint security will get some momentum this week when the Trusted Computing Group consortium unveils new specifications for the Trusted Network Connect architecture at the Interop trade show in Las Vegas.
But enterprise IT managers who are waiting for integration between TNC and competing schemes from Microsoft Corp. and Cisco Systems Inc. may need a lot of patience.
At the Interop trade show in Las Vegas this week, Trusted Computing Group will release a document describing the TNC (Trusted Network Connect) client-server architecture and specifications for APIs for client and server plug-ins that support the TNC standard.
TNC members also will demonstrate TNC-compliant products, said Thomas Hardjono, a principal scientist at TNG member VeriSign Inc.
Third-party software vendors will use the new TNC specification documents to build client and server plug-ins that can collect, transmit and evaluate TNC-compliant client “integrity” data, such as whether a machine that is trying to connect to a TNC-protected network is using updated antivirus software, Hardjono said.
More APIs are needed to support network communications at different layers and to create an interface for the Trusted Computing Groups TPM (Trusted Platform Module) security chip. Integration with the TPM will add an extra dimension to client integrity checks, creating unique IDs for client integrity reports that are impossible to forge, he said.
TCG hopes to have specifications for a TPM client-server interface and for more network transport layers by the end of the summer, bringing the Trusted Network Connect architecture closer to completion and allowing vendors to develop fuller solutions based on TNC, Hardjono said.
But TNC adds more letters to what is already an alphabet soup of competing client security architectures, including Microsofts NAP (Network Access Protection) and Ciscos NAC (Network Admission Control). Plans for tying the architectures together are sketchy, according to interviews with executives.
The three schemes have similar goals: allowing network administrators to enforce security policies and perform health checks on client machines, such as laptop and desktop computers, before they are allowed to access a network. Client security is a major issue for network security administrators such as Adam Hansen of Sonnenschein Nath & Rosenthal LLP in Chicago.
The law firm already has more laptop than desktop computers and an increasingly mobile workforce, which makes it difficult to monitor critical issues such as operating-system patches and security vulnerabilities, Hansen said. “We have to be able to see you to check on you. We see these mobile workers as a threat when they come back into our network,” he said.
However, keeping busy attorneys offline while their system is patched or disinfected can be expensive, Hansen said.
The firm already does quarantining using the Hercules automated vulnerability remediation software from Dallas-based Citadel Security Software Inc. to do limited client security checks, but a solution such as NAC, NAP or TNC would be a more holistic solution, he said.
Next Page: Different approaches to the client security puzzle.
Different Approaches
However, NAC, NAP and TNC take different approaches to the client security puzzle. Ciscos NAC emphasizes that companys strength as a provider of network gear, and uses Cisco routers and switches, coupled with a software client called the Cisco Trust Agent, to check and enforce security policy.
The Trusted Computing Groups TNC architecture is similar to NAC but is based on open standards, and it doesnt rely on a single vendor to provide the policy decision-making or enforcement points.
Microsofts NAP, on the other hand, will use that companys strength as a maker of desktop and server operating systems, enforcing client health using NAP components built into Windows XP SP2 (Service Pack 2) and Windows Longhorn DHCP (Dynamic Host Configuration Protocol) or VPN servers.
Microsoft said in April that it will align its NAP architecture with TNC, and promised in a joint statement with Cisco in October to make NAP interoperable with Ciscos NAC.
Microsoft, which is a member of the TCG, has been working with the group since 2004 and will make sure that the next version of Windows, dubbed “Longhorn,” contains interfaces or supports software plug-ins that allow data to be passed back and forth between NAP and TNC components, said Steve Anderson, director of product marketing in the Windows Server Group.
“Our intent is that when a third-party vendor writes to either one of our interfaces, Trusted Computing Groups or Microsofts, in cases where there are different components, they will work together,” he said.
“We have said from the beginning that for NAP to be successful, it has to embrace heterogeneous environments,” he said.
Cisco, which has the most fully evolved endpoint security architecture, supports what the TCG is doing and will read the TNC spec with interest, but the company is more focused on delivering a new set of NAC features for customers than on creating open standards for client security, said Russell Rice, director of product marketing in Ciscos Security Technology Group.
Integrating NAP and NAC is also a high priority for the company, Rice said.
“Theres a lot of pressure at the Ballmer and Chambers level to provide visibility and make [integration] work. Our team has taken that to heart, and there are indications that Microsoft has as well,” he said. “Its not laissez faire.”
That said, industry watchers note that its been more than six months since Microsoft and Cisco announced plans to join NAC and NAP, and the companies still dont have anything to show for it.
Neither Rice nor Anderson could say when the companies might release a plan for integrating NAP and NAC. Both executives said Cisco and Microsoft are trying to actually fuse the two architectures, as opposed to merely providing plug-ins that bridge the gaps between the two.
“We want to provide a fused architectural environment where theres no duplication or vendor requirement that it has to be Microsoft or Cisco,” Rice said.
Microsofts Anderson agreed.
“Theres good customer benefit in loosely coupled integration, but greater customer benefit in tightly coupled integration, and the latter is what were working toward,” he said.
Integration aside, even the most mature client security architecture, Ciscos NAC, isnt yet common inside midtier enterprises that are heavy users of Cisco gear, such as Sonnenschein Nath & Rosenthal, even though administrators are “champing at the bit” for client security features, Hansen said.
“Our hope is that Microsoft and Cisco get behind a common approach and break the logjam,” said John Pescatore, a vice president at research outfit Gartner Inc.
The companies also should get behind open standards such as TNC, even if they want to keep developing their own architectures, Pescatore said.
“The best result would be for companies like Cisco to support open standards, but support NAC as well,” he said.