Reality IT: So You Think You're NAC Compliant? Think Again - InformationWeek
7/12/2007
09:45 PM
Mike Fratto

The lack of a certification program makes it tricky to get NAC right.

As network access control evolves from an interesting concept to a technology that most enterprises are actively evaluating, a couple of points are becoming clear. First, getting network access control wrong is risky for IT--this is a highly invasive technology that touches end users and requires buy-in at all levels of the business. And second, the lack of a certification program for compliance makes getting NAC right needlessly tricky. If you're looking to combine products from multiple vendors to create your system, it's up to you to verify that everything interoperates.

Because NAC integration is a crapshoot, adoption is slower than it otherwise would be. If that's to change, the three primary NAC standards creators--Cisco Systems, Microsoft, and the Trusted Computing Group--need to step up and create certification programs with logos that offer the assurance of interoperability. Certainly, Cisco and Microsoft have plenty of experience creating such programs, each having done so for other partner ventures. They also have a significant incentive--neither company makes every piece required to complete the NAC puzzle, so assembling a broad, trusted set of vendor partners is obviously good for selling the overall vision.

As for the Trusted Computing Group's Trusted Network Connect initiative, until recently I wouldn't have put much credence in a TNC logo program. There just hasn't been market interest, and a recent reader poll found that TNC had by far the lowest recognition of the three major NAC standards. I say "until recently" because Microsoft gave TNC a shot in the arm when it announced at Interop that it would submit its Statement of Health protocol for inclusion in TNC. The Microsoft protocol is used to send host health information to policy servers.

Acceptance of the Statement of Health protocol by the TCG/TNC is a huge win for both parties. The TCG gets instant Windows compatibility, while Microsoft can make its desktop and server operating systems TNC-compliant without having to do a lick of extra development. In addition, anyone with a Web browser can download the TNC specifications and integrate with Windows. This is a boon to NAC vendors, which have never wanted to develop, maintain, or manage their own Windows client software.

SEAL OF APPROVAL
IT pros needn't look far for instances where the presence of a logo program has driven a market--and where the lack of one has had a stifling effect. SIP has no logo program, though ironically the SIP Forum does compatibility testing. The event is called SIPit, but the Forum refuses to publish its findings. The result? Such a limited compatible feature set that proprietary protocols still dominate the VoIP market.

In contrast, the Wi-Fi Alliance requires its members to submit products to a functional, albeit somewhat limited, set of tests. When was the last time your laptop didn't seamlessly work with any Wi-Fi infrastructure you encountered?

So why don't vendors get moving? Both Cisco and Microsoft say that the myriad configuration options possible with NAC make exhaustively vetting conformance impossible. They contend it's best not to promise something that can't be delivered--the same argument made by the SIP Forum. Members of the TCG/TNC say the idea has come up, but so far, nothing concrete is in the offing.

I know testing is complex since it's what I do most of the day. And exhaustively checking boxes on a feature matrix isn't what's needed. Testing the most common feature sets, as the Wi-Fi Alliance does, would be immeasurably better than what IT groups get now.

Interoperability conformance claims, no matter how well-intentioned, are just that: claims. Bake-offs offer some proof of conformance, but the testing is done under controlled conditions, with engineers and developers twisting the knobs. They don't reflect today's real-world data center. The time has come for framework owners to institute conformance testing so that customers will know they're buying a workable system. NAC is too important to leave interoperability to chance.

Mike Fratto,
Managing Editor, Labs

mfratto@nwc.com
