Tuesday, 02/10/2009 10:38:41 AM
The IETF extends its timeframe for NAC standards

http://www.networkworld.com/newsletters/vpn/2009/020909nac1.html

Network Access Control Alert By Tim Greene , Network World , 02/10/2009

The last newsletter cited in error some milestones for completion of Internet Engineering Task Force NAC standards as if they were the actual timetable.

But rather than representing the current schedule for completion of the work, the milestones were goals set last year that have been missed, pushing back the date for reasonably expecting the standards by six months or so.

However, according to the co-chair of the IETF Network Endpoint Assessment working group, Steve Hanna, the delay was caused in part because the group took the time to include at least three significant improvements to the proposed standards.

One enables NAC servers to retry handshaking with endpoints that have already been admitted to the network. The server might want to do so to recheck the state of endpoints if NAC policies change or if endpoints exhibit behavior that indicates they might have fallen out of compliance since they were admitted, Hanna says.

The task force liked the idea, but it took several tries to get a proposal that wasn’t complex and that assured that the NAC state engine wouldn’t be susceptible to inconsistencies when the server retried endpoints, he says.

The second makes the mechanism by which endpoints pass along their health status more efficient. The initial proposal for the protocol was based on the Trusted Computing Group’s Trusted Network Connect standard. Some on the task force favored Microsoft’s version because it sent more compact messages, and so was more efficient.

The drawback of the Microsoft method is that it sends only one health message, thereby limiting the amount of information about the endpoint that can be passed along. The TNC version was more verbose, but could be extended to allow as many exchanges as needed.

A compromise version has been worked out that uses the brevity of Microsoft’s method in combination with greater extensibility to allow multiple exchanges, Hanna says.

The third improvement to the standard involves how third party software interacts with NAC. There is no standard for how, say, an antivirus vendor’s endpoint software communicates with NAC. For that to happen requires the network to also have the server-side antivirus software, Hanna says.

Individual NAC and antivirus vendors might work out ways to pass the information without the server software, but that was done case-by-case.

The current proposal includes standards for how about 15 endpoint attributes should be formatted so any NAC product that adheres to the standard can glean the information. The impact of that is that if a new type of device – an iPhone, for instance – were to try to join a network, and it adhered to the standard, it could be queried by a NAC server.

So the standards work on NAC continues beyond the timeframe that the task force initially hoped for but the result is a better proposal.
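The third improvement described above (standardized attribute formatting so that any conforming NAC server can read an endpoint's health data, while vendor-private data still travels in the same message) comes down to a self-describing attribute encoding. The following is an added example, not code from the article or from the IETF NEA working group. It assumes a 12-byte attribute header of flags (1 byte), vendor ID (3 bytes), type (4 bytes) and total length (4 bytes, header included), with a NOSKIP flag marking attributes a receiver must not silently ignore; that layout matches what the working group later published as PA-TNC (RFC 5792), but the attribute type numbers, the registry and the sample values here are constructed for illustration and are not the standard's definitions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed header layout: flags(8) | vendor id(24) | type(32) | length(32), big-endian.
HEADER_FMT = "!III"          # first word packs flags << 24 | vendor_id
HEADER_LEN = 12
NOSKIP = 0x80                # flag bit: receiver must fail rather than skip if it cannot parse
IETF_VENDOR = 0              # vendor id reserved for standard (non-vendor-specific) attributes

# Constructed registry of attribute types a standards-conforming NAC server understands.
# The numbers are illustrative, not the NEA/PA-TNC assignments.
STANDARD_TYPES: Dict[Tuple[int, int], str] = {
    (IETF_VENDOR, 2): "product-information",
    (IETF_VENDOR, 3): "operational-status",
}


@dataclass
class Attribute:
    vendor_id: int
    attr_type: int
    value: bytes
    noskip: bool = False


def encode_attribute(a: Attribute) -> bytes:
    """Serialize one attribute as header + opaque value."""
    if not 0 <= a.vendor_id < (1 << 24):
        raise ValueError("vendor id must fit in 24 bits")
    flags = NOSKIP if a.noskip else 0
    header = struct.pack(HEADER_FMT, (flags << 24) | a.vendor_id, a.attr_type,
                         HEADER_LEN + len(a.value))
    return header + a.value


def encode_message(attrs: List[Attribute]) -> bytes:
    """A message is simply a sequence of attributes; any number may be sent."""
    return b"".join(encode_attribute(a) for a in attrs)


def decode_message(buf: bytes, known: Dict[Tuple[int, int], str]
                   ) -> Tuple[List[Attribute], List[Tuple[int, int]]]:
    """Walk the attribute sequence using the length field, so attributes of unknown
    vendor/type can be stepped over. Returns (understood attributes, skipped ids).
    Raises ValueError on a malformed length or on an unknown NOSKIP attribute."""
    parsed: List[Attribute] = []
    skipped: List[Tuple[int, int]] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            raise ValueError("truncated attribute header at offset %d" % off)
        word, attr_type, length = struct.unpack_from(HEADER_FMT, buf, off)
        flags, vendor_id = word >> 24, word & 0xFFFFFF
        # Length must cover the header and stay inside the buffer; otherwise an
        # endpoint could make the parser read past the message or loop forever.
        if length < HEADER_LEN or off + length > len(buf):
            raise ValueError("bad attribute length %d at offset %d" % (length, off))
        value = buf[off + HEADER_LEN:off + length]
        key = (vendor_id, attr_type)
        if key in known:
            parsed.append(Attribute(vendor_id, attr_type, value, bool(flags & NOSKIP)))
        elif flags & NOSKIP:
            raise ValueError("unknown mandatory attribute vendor=%d type=%d" % key)
        else:
            skipped.append(key)
        off += length
    return parsed, skipped


# Constructed sample: an endpoint reports two standard attributes plus one
# attribute private to a hypothetical antivirus vendor (vendor id 0xABCD).
SAMPLE_ATTRIBUTES = [
    Attribute(IETF_VENDOR, 2, b"\x00\x00\x00\x00\x01ExampleOS"),   # constructed value
    Attribute(0xABCD, 1, b"sig-20090210"),                         # vendor-private
    Attribute(IETF_VENDOR, 3, b"\x01\x00\x00\x00"),                # constructed value
]


def parse_standard_attributes(msg: bytes) -> Tuple[List[str], List[Tuple[int, int]]]:
    """What a server knowing only STANDARD_TYPES gleans from a message."""
    parsed, skipped = decode_message(msg, STANDARD_TYPES)
    return [STANDARD_TYPES[(a.vendor_id, a.attr_type)] for a in parsed], skipped


def rejects_unknown_mandatory() -> bool:
    """An unknown attribute flagged NOSKIP must be an error, not silently dropped."""
    msg = encode_message([Attribute(0xABCD, 7, b"x", noskip=True)])
    try:
        decode_message(msg, STANDARD_TYPES)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    names, skipped = parse_standard_attributes(encode_message(SAMPLE_ATTRIBUTES))
    print("understood:", names, "skipped:", skipped)
    print("unknown NOSKIP rejected:", rejects_unknown_mandatory())
```

The length field is what gives the format its extensibility: a server written against the standard attributes reads them regardless of which vendor's agent produced the message and steps over anything it does not recognize, and a vendor can still demand that its own attribute be understood by setting NOSKIP. The bounds checks on the length field are the part worth copying; a parser that trusts an endpoint-supplied length on the admission path is a denial-of-service target before the endpoint has even been admitted.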
