Microsoft, TCG get closer on NAC

New specification should remove significant barriers to the adoption of NAC tools

The Trusted Computing Group (TCG) is tying its authentication software standard to Microsoft's proprietary network access protection platform -- a move that leaders in the network access control (NAC) segment tout as a major step toward getting products made by different vendors to work together.

At the Interop trade show in Las Vegas on Monday, TCG, a non-profit industry consortium, announced a new specification for its trusted network connect (TNC) software platform that will allow products built on the standard to integrate directly with Microsoft's network access protection (NAP) infrastructure.

Officials from TCG and Microsoft  said the move will enable a wide range of NAC technologies made by different vendors to now be able to integrate more smoothly, allowing customers to simplify installation and management of the tools.

NAC products, including Microsoft's NAP, are used to identify and authenticate devices attempting to log onto a network to ensure that they have permission to gain access and can pass a series of security health checks.

In addition to keeping unauthorized visitors off company networks, the systems promise to prevent infected devices from spreading any malware they might carry by scanning for abnormalities and updating onboard security applications.

Some NAC technologies also continue to scan devices after they have entered a network to protect against hidden attacks and control access to individual software applications.

While NAC technologies have been on the market for several years, many customers have expressed frustration with a lack of interoperability between products, leading to high levels of complexity and slow adoption.

By linking TCG's standard, supported by a wide number of vendors, with Microsoft NAP -- which is already embedded in the company's Vista desktop operating system and will be integrated into its Longhorn server products when they are released later this year -- customers will have much brighter prospects for getting NAC tools to work as they have been advertised, industry leaders said.

"We've been hearing from customers that NAC is confusing, that there is too much incompatibility between systems, and they want us to agree on standards to improve performance," said Steve Hanna, co-chair of the TCG's TNC workgroup and a distinguished engineer at Juniper Networks. "We heard those complaints loud and clear, and as a result of this specification there will be easier implementation; we think this should go a long way toward removing significant barriers to adoption that people have been experiencing."

In addition to removing fears over a lack of interoperability between various NAC systems, the new specification should also help ease concerns on the part of customers over committing to any one vendor's version of the tools and potentially limiting their future alternatives, Hanna said.

While Cisco Systems, which claims to be the leading provider of NAC technologies today, has not signed on to support the TCG specifications, the company has already announced a partnership with Microsoft to support its NAP architecture.

Having the support of Cisco for the TCG platform would be ideal, Hanna admits, but the new specification still represents a "watershed" moment for NAC because it allows so many technologies to work together in new ways.

"People have been worried about this problem of incompatibility and have delayed adoption of NAC technologies based on those concerns," said Hanna. "Over the last few years we have had three architectures standing alone with limited compatibility, but aligning two of those is a huge step forward; we eventually hope to get all three together, but this is a very significant announcement in getting the industry to agree around protocols."

To allow for the new TNC specification, dubbed IF-TNCCS-SOH, Microsoft -- which is a member of the consortium -- specifically shared its NAP statement of health (SOH) client-server protocol with TCG.  The specification allows for interoperability of NAP clients and servers with TNC clients, servers and infrastructure, officials said.

One of the most significant benefits of the new specification, according to the partners, is that it will eliminate the need for companies using products built on the standard to install additional software on endpoint devices and servers to facilitate the use of different vendors' NAC technologies.

For instance, a customer using Juniper's unified access control (UAC) products can now begin using them in concert with the NAP features built into Vista, tools that will also be made available to computers running on Microsoft's Windows XP operating system through a service pack update to be shipped by Microsoft later this year.

That level of interoperability is what Microsoft had planned for in building NAP into its next-generation technologies, officials with the company said.

"This was a very logical next step for Microsoft and TNC to take to provide the next layer of interoperability for access protection with the delivery of these protocols," said Mike Schutz, group product manager for security and access at Microsoft. "We're very excited by this coming together of the industry to drop barriers and eliminate doubts and confusion that have been associated with these types of technologies."

To illustrate the benefits of the new TCG standard, a number of companies aligned with the effort will show off products at Interop that have been integrated using the specification.

For instance, Juniper will demonstrate how Infranet Controller, the policy management server at the heart of its UAC products, can utilize the onboard security assessment capabilities built into the Windows Vista. A version of the UAC product that supports the new TNC standard will ship sometime in the first half of 2008, company officials said.

"All of the features of the product can now be leveraged more flexibly allowing customers to use their infrastructure for access control without worrying about interoperability, and to make investment choices based on the components they believe will do the best job in their environments," said Karthik Krishnan, senior product line manager at Juniper, which is based in Sunnyvale. Calif. "I think it's reasonable to assume that there will be a lot more customer interest as we start to ship products that support the specification."