As network access control evolves from an interesting concept to a technology that most enterprises are actively evaluating, a couple of points are becoming clear. First, getting network access control wrong is risky for IT--this is a highly invasive technology that touches end users and requires buy-in at all levels of the business. And second, the lack of a certification program for compliance makes getting NAC right needlessly tricky. If you're looking to combine products from multiple vendors to create your system, it's up to you to verify that everything interoperates.
Because NAC integration is a crapshoot, adoption is slower than it otherwise would be. If that's to change, the three primary NAC standards creators--Cisco Systems, Microsoft, and the Trusted Computing Group--need to step up and create certification programs with logos that offer the assurance of interoperability. Certainly, Cisco and Microsoft have plenty of experience creating such programs, each having done so for other partner ventures. They also have a significant incentive--neither company makes every piece required to complete the NAC puzzle, so assembling a broad, trusted set of vendor partners is obviously good for selling the overall vision.
As for the Trusted Computing Group's Trusted Network Connect initiative, until recently I wouldn't have put much credence in a TNC logo program. There just hasn't been market interest, and a recent reader poll found that TNC had by far the lowest recognition of the three major NAC standards. I say "until recently" because Microsoft gave TNC a shot in the arm when it announced at Interop that it would submit its Statement of Health protocol for inclusion in TNC. The Microsoft protocol is used to send host health information to policy servers.
SEAL OF APPROVAL
IT pros needn't look far for instances where the presence of a logo program has driven a market--and where the lack of one has had a stifling effect. SIP has no logo program, though ironically the SIP Forum does compatibility testing. The event is called SIPit, but the Forum refuses to publish its findings. The result? Such a limited compatible feature set that proprietary protocols still dominate the VoIP market.
In contrast, the Wi-Fi Alliance requires its members to submit products to a functional, albeit somewhat limited, set of tests. When was the last time your laptop didn't seamlessly work with any Wi-Fi infrastructure you encountered?
So why don't vendors get moving? Both Cisco and Microsoft say that the myriad configuration options possible with NAC make exhaustively vetting conformance impossible. They contend it's best not to promise something that can't be delivered--the same argument made by the SIP Forum. Members of the TCG/TNC say the idea has come up, but so far, nothing concrete is in the offing.
I know testing is complex since it's what I do most of the day. And exhaustively checking boxes on a feature matrix isn't what's needed. Testing the most common feature sets, as the Wi-Fi Alliance does, would be immeasurably better than what IT groups get now.
Interoperability conformance claims, no matter how well-intentioned, are just that: claims. Bake-offs offer some proof of conformance, but the testing is done under controlled conditions, with engineers and developers twisting the knobs. They don't reflect today's real-world data center. The time has come for framework owners to institute conformance testing so that customers will know they're buying a workable system. NAC is too important to leave interoperability to chance.
Managing Editor, Labs