Infrastructure // Networking
Commentary
7/12/2007
09:45 PM
Mike Fratto
Mike Fratto
Commentary
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%
Repost This

Reality IT: So You Think You're NAC Compliant? Think Again

The lack of a certification program makes it tricky to get NAC right.

As network access control evolves from an interesting concept to a technology that most enterprises are actively evaluating, a couple of points are becoming clear. First, getting network access control wrong is risky for IT--this is a highly invasive technology that touches end users and requires buy-in at all levels of the business. And second, the lack of a certification program for compliance makes getting NAC right needlessly tricky. If you're looking to combine products from multiple vendors to create your system, it's up to you to verify that everything interoperates.

Because NAC integration is a crapshoot, adoption is slower than it otherwise would be. If that's to change, the three primary NAC standards creators--Cisco Systems, Microsoft, and the Trusted Computing Group--need to step up and create certification programs with logos that offer the assurance of interoperability. Certainly, Cisco and Microsoft have plenty of experience creating such programs, each having done so for other partner ventures. They also have a significant incentive--neither company makes every piece required to complete the NAC puzzle, so assembling a broad, trusted set of vendor partners is obviously good for selling the overall vision.

InformationWeek Download

As for the Trusted Computing Group's Trusted Network Connect initiative, until recently I wouldn't have put much credence in a TNC logo program. There just hasn't been market interest, and a recent reader poll found that TNC had by far the lowest recognition of the three major NAC standards. I say "until recently" because Microsoft gave TNC a shot in the arm when it announced at Interop that it would submit its Statement of Health protocol for inclusion in TNC. The Microsoft protocol is used to send host health information to policy servers.

NETWORK ACCESS CONTROL
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE
Acceptance of the Statement of Health protocol by the TCG/TNC is a huge win for both parties. The TCG gets instant Windows compatibility, while Microsoft can make its desktop and server operating systems TNC-compliant without having to do a lick of extra development. In addition, anyone with a Web browser can download the TNC specifications and integrate with Windows. This is a boon to NAC vendors, which have never wanted to develop, maintain, or manage their own Windows client software.

SEAL OF APPROVAL
IT pros needn't look far for instances where the presence of a logo program has driven a market--and where the lack of one has had a stifling effect. SIP has no logo program, though ironically the SIP Forum does compatibility testing. The event is called SIPit, but the Forum refuses to publish its findings. The result? Such a limited compatible feature set that proprietary protocols still dominate the VoIP market.

In contrast, the Wi-Fi Alliance requires its members to submit products to a functional, albeit somewhat limited, set of tests. When was the last time your laptop didn't seamlessly work with any Wi-Fi infrastructure you encountered?

So why don't vendors get moving? Both Cisco and Microsoft say that the myriad configuration options possible with NAC make exhaustively vetting conformance impossible. They contend it's best not to promise something that can't be delivered--the same argument made by the SIP Forum. Members of the TCG/TNC say the idea has come up, but so far, nothing concrete is in the offing.

I know testing is complex since it's what I do most of the day. And exhaustively checking boxes on a feature matrix isn't what's needed. Testing the most common feature sets, as the Wi-Fi Alliance does, would be immeasurably better than what IT groups get now.

Interoperability conformance claims, no matter how well-intentioned, are just that: claims. Bake-offs offer some proof of conformance, but the testing is done under controlled conditions, with engineers and developers twisting the knobs. They don't reflect today's real-world data center. The time has come for framework owners to institute conformance testing so that customers will know they're buying a workable system. NAC is too important to leave interoperability to chance.

Mike Fratto,
Managing Editor, Labs

mfratto@nwc.com

Comment  | 
Print  | 
More Insights
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Register for InformationWeek Newsletters
White Papers
Current Issue
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.