Interop shows slow, steady progress on NAC

New specs, products fill in network access picture

Network access control was a hot topic at last year’s Interop show, despite an evolutionary state that was barely protozoic. But new developments from the Trusted Computing Group (TCG) and pure-play vendors such as Vernier and InfoExpress could soon enable the technology to crawl out of the muck and take its place on enterprise networks, according to one expert.

The multivendor TCG plans to announce three new specifications: a client-server protocol for Trusted Network Connect (TNC) dubbed IF-TNCCS; IF-T, a specification for client-server communications over tunneled EAP (Extensible Authentication Protocol); and a policy enforcement protocol called IF-PEP for RADIUS.

The new specifications fill in gaps in the TNC architecture, said Steve Hanna of Juniper Networks, co-chairman of the Trusted Network Connect subgroup.

IF-TNCCS allows TNC client and server plug-ins from different vendors to communicate. IF-T provides a way for security integrity measurements from firewalls or anti-virus software to be transmitted using EAP. Finally, IF-PEP for RADIUS enables RADIUS authentication servers from TCG members like Juniper and Meetinghouse to communicate authentication decisions to policy enforcement points such as VPN gateways from other TNC-compliant vendors, Hanna said.

The new TNC specifications build on technologies, such as RADIUS and EAP, that many companies are already using.

“We said, ‘Let’s not reinvent the wheel.’ If you have a switch or firewall or VPN gateway that supports RADIUS and EAP, you’ve already got everything in the device to support TNC -- not just for identity, but for integrity,” Hanna said.

Pure-play companies are refining their NAC technology as well.

Vernier Networks will use Interop to introduce the EdgeWall 8800, a new addition to its NAC product line for high-speed LANs.

The new EdgeWall appliances use Cavium Networks’ Octeon Multi-Core MIPS64 to do intrusion detection scans on layer 4-7 traffic for user authentication, quarantine, and remediation, according to Rob Murchison, vice president of marketing at Vernier.

Open standards like TNC that tie together products from different vendors will be crucial if NAC is to gain broad acceptance, said Chris Cahalin, network manager at Papa Gino’s Holding Corporation, which operates a chain of 165 pizza shops.

Papa Gino’s uses TCG member Wave Systems for client security, but is waiting for guidance from companies such as Juniper before forging ahead with full-fledged client health screening using TNC, Cahalin said.

Customer demand for NAC technology is high, but there has been little adoption of the mostly immature NAC products on the market,

Unable to match the marketing muscle of Cisco or Microsoft, TCG will have to rely on the grassroots support of vendors and enterprise customers like Papa Gino’s for TNC-compliant products, said Jon Oltsik of Enterprise Strategy Group, who has worked as a consultant for Trusted Computing Group in the past.