Intel adds desktop NAC to latest chips

Intel's new vPro Core 2 Duo chips will provide integration with NAC tools, though some analysts say it will be some time before NAC use is widespread

Intel's move to provide new integration with NAC (network access control) tools in its latest vPro desktop processors could provide interesting opportunities for use with the device authentication systems while further strengthening the technology standards it supports, according to industry watchers.

[ See also: Intel's vPro chips in more security for business ]

One of a handful of new security features built into the vPro Core 2 Duo chips introduced by Intel on Monday, the added support for the 802.1x standard for NAC and interoperability with Cisco's Network Admission Control guideline -- delivered via the processors' Intel Embedded Trust Agent -- could help accelerate adoption of the device authentication systems while solidifying support for the two formats, experts said.

NAC systems are used to scan device and user authentication information whenever a machine attempts to log onto to a network protected by the tools. In addition to protecting against potential break-ins from uninvited outsiders, the tools are also considered a useful alternative for enterprises to employ in segregating access to IT systems shared with partners or contractors.

Using the Embedded Trust Agent, Intel said that it can now provide NAC systems -- including any built on the 802.1x or Cisco NAC platforms -- to garner device identity information directly from processor, bypassing the need for the authentication technologies to interact with PC operating system software.

One of the potential methods to circumvent NAC systems outlined by security researchers thus far has been to use some method to spoof or misrepresent device information to dupe the network defense tools. By presenting machine identity data on the processor, such attacks could be largely eliminated, Intel officials said.

While Intel did not promote direct linkage between Embedded Trust Agent and Microsoft's flavor of NAC -- known as Network Access Protection and already integrated into the software giant's Vista OS -- Cisco and Microsoft have previously announced an agreement to make all of their respective network authentication systems compatible.

Similar support for NAC on mobile platforms will arrive with Intel's next batch of Centrino chips, slated for shipment sometime in 2008, said company officials.

Cisco officials participating in Intel's vPro launch said that the CPU-level NAC integration could prove to be a significant accelerant to adoption of the technology, which most industry experts have charted as relatively slow thus far, despite the networking giant's claim that many of its customers are tuning on the next-generation authentication systems.

"The strength of NAC is certainly based on the reliability of the information that you can present to the network, and having direct access to information on the hardware provides a whole new opportunity that hasn't been present only with OS interaction," said Brendan O'Connell, senior product manager for Cisco's Security Technology Group.

"In the past, even with existing NAC systems, what's happened is that when a PC starts up on the network, the security decision is held off while other things are being run in the background, but we're hoping to see that change and get in the door earlier," he said. "There are some big advantages for getting this type of information to present device security posture assessment sooner in the process, both for desktops and down the road for other types of devices."

Chip technology providers have attempted to market similar CPU-based security tools -- most notably Phoenix Technologies -- but those efforts have gone largely ignored by customers with Phoenix recently scrapping its core software security products based on insufficient demand.

Other third-party NAC technology providers said that Intel's move to embrace NAC should help drive new interest in the systems and codify the industry around the standards it has chosen to support.

"On a functional level, this should prove useful by speeding up testing. Instead of waiting for a machine to boot up to get a posture assessment, the NAC system will already recognize the machine's attributes and begin assigning privileges," said Alan Shimel, chief strategy officer for StillSecure, a maker of NAC software.

Shimel pointed out that while a nice addition, most NAC systems will still need some form of user identification data, typically provided via software that runs on a device OS, to offer full authentication capabilities.

"It will be interesting to see if AMD adopts a similar approach and the same standards; that could have a good effect on the industry as a whole," he said. "It's good to see that Intel is supporting 802.1x because that's the standard most other NAC vendors are working with."

While CPU-level integration is a nice addition, some industry watchers maintain it will still be some time before NAC is deployed widely by large numbers of enterprise customers.

Because NAC doesn't directly address external threats or efforts to comply with government regulations, such as the Payment Card Industry data security guideline, most companies aren't yet budgeting for NAC tools, said Paul Stamp, analyst with Forrester Research.

"The problem with NAC is that in itself it satisfies no compliance mandate directly, and it doesn't protect against any specific type of attack. The real driver for NAC will be when businesses begin to demand so much mobility and collaboration that current security technologies can't meet those goals," Stamp said. "People are struggling to find a driver for NAC right now, and this type of platform-level interaction could be important when they do, but it could be another five years before we see real demand."

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies