Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

Interop: Is NAC Interoperability a Myth?

While some vendors claim that NAC is still mature, not everyone is so sure.

http://www.internetnews.com/infra/print.php/3772531

By Sean Michael Kerner
September 18, 2008


NEW YORK -- Network access control, commonly referred to by its acronym NAC, has been one of the big buzzwords of the networking space for the last few years. At Interop, a panel of vendors argued that NAC has now reached a point of maturation, though audience members disagreed with the assertion claiming that interoperability doesn't yet exist.

NAC offers the promise of secure networks, while preadmission control ensures that only validated end points can get network access. As NAC matures, post-connect use case scenarios for NAC also emerge, making the technology approach a broader security methodology for networks.

"We've reached a point of maturity in the NAC marketplace with many products in second or third release and are solid," Steve Hanna, Trusted Network Connect (TNC) co-chair at the Trusted Computing Group (TCG), told the audience. "Customers have been using it for a few years and they have figured out some of the issues and vendors have found ways to address the issues."

The TNC is a standard produced by the TCG for NAC, participating members in TNC include Microsoft and Juniper Networks where Hanna holds the title of distinguished engineer.

Cisco on the other hand is the vendor that first coined the term NAC, and it, too, is seeing maturity in the market.

"Three years ago everyone just called everything that smelled like a security solution, NAC, but that's not the case anymore." Brendan O'Connell, senior manager of product management at Cisco Systems, said.

So with vendors claiming that NAC is now mature, what should enterprise do? Hanna argued that enterprises should future proof themselves by using a standards-based approach.

"One way to get that is by making sure whatever you deploy today is based on open standards TNC standards are the most widely adopted," he said.

The problem, though, is that there is no globally accepted standard for NAC today, as Cisco is not TNC-compliant and not a member of the TCG. Cisco is, however, active in the IETF standards body, which is also working on a NAC standard and based in part on what TNC offers.

Hanna referred to the fact that Cisco is not TNC compliant as a "small exception," which is a comment that solicited several sneers from his fellow panelists and the audience alike.

One audience member said that since there is no real global standard, customers can't deploy it.

"I agree there are gaps there," Hanna responded.

Hanna added that the IETF does not move quickly, though the current schedule has the IETF NAC standard set for completion in 2009.

"The standards that are being approved are the TNC specs, so it's not a rip and replace issue," Hanna argued. "IETF is not a rubber stamp organization. So there will be a point release of TNC to align with the IETF changes. But it will be one stream moving forward. Come that day you won't have to worry about interoperability with Cisco."

Cisco's O'Connell responded that the Cisco is part of the IETF NAC effort, and it is a standard that Cisco will adopt.

"Do all vendors want their product to interoperate, of course," O'Connell said. "Things don’t always happen quickly, but they do happen and it is in our best interest because it's the only way we can address the whole market. Three years ago, we wouldn't even have agreement on what NAC was so at least we know we have agreement on that."

Surprisingly, though, the actual protocol specifications around NAC are not really the big concern for Cisco.

"I don't care what the protocol is that handles this stuff," O'Connell said. "What I care about is what the product does, since frankly at the end of the day the functional difference about protocol definitions become meaningless when it is time to implement."

Hanna quickly pounced on O'Connell's comment asking, "So if you don't care about the bits -- why don't you just implement TNC? Apparently he does care because they're not implementing the open standards."

Moving beyond the standards debate on NAC, the vendors are now taking a broader view of what NAC should also encompass. Hanna noted that the TCG is now working on the IF-MAP standard for postconnect to correlated security events after a user connects to the network. IF-MAP was first announced at Interop Las Vegas earlier this year.