RealTime IT News

Trusting in 802.1X Endpoint Security

The Trusted Computing Group (TCG), a non-profit dedicated to creating standards for making trustworthy and secure computers and networks, earlier this month announced its Trusted Network Connect (TNC) specification. TNC is meant to be an open spec to help stop the spread of viruses, worms, DoS attacks and other vulnerabilities in networks.

Funk Software, one of the TCG's contributor members, announced during Interop last week that it is adding support for the TNC endpoint integrity standard to its RADIUS server and 802.1X client. This effectively makes policy enforcement on WLANs, usually the purview of proprietary solutions, an open standard. (For example, remote access providers GoRemote and iPass both handle endpoint security for corporate customers.)

Funk admits it won't be the only one to do this, as other RADIUS solution makers are also part of the TCG (the group also includes rival Meetinghouse Data Communications).

"We demonstrated our Odyssey client and Steel-Belted Radius server software to validate not just the credentials, but also the security state of the machine," says Kevin Walsh, director of product technology at Funk, of the demo his company did at Interop with Check Point Software Technologies Ltd. (using the Check Point Integrity Server and Client) and McAfee.

The demo was possible because of the TNC interfaces that have been made public: the Integrity Measurement Collector, which is installed in the client software, and the Integrity Measurement Verifier, installed in the RADIUS server. Walsh calls them "separate applications on top of the core project."

Using a setup consisting of equipment from HP, Cisco, and others, Walsh says Funk successfully demonstrated the products over several types of communication equipment. "I could unplug the wired connection to the HP, go to the Cisco wireless, and get the same access," he says.

Rules are created in the Steel-Belted Radius product that go beyond syncing with an LDAP directory for authentication; in this test, for example, clients were checked for up-to-date versions of security software suites such as McAfee's. Funk says the endpoint compliance check happens simultaneously with user authentication. Non-compliant computers are quarantined until they meet the policy requirements.
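To make the collector/verifier split and the quarantine step concrete, here is an added illustration (not code from Funk, the TCG or the TNC spec): a server-side verifier evaluating a constructed posture report against a policy, after the credential check has passed. The report fields, policy keys and the `verify` function are hypothetical and do not follow the real TNC message formats.

```python
from dataclasses import dataclass, field

# Constructed sample: the posture report a client-side collector would send.
# Field names are hypothetical, not the TNC specification's actual format.
CLIENT_REPORT = {
    "user": "alice",
    "credential_ok": True,       # outcome of the normal 802.1X/RADIUS credential check
    "av_product": "McAfee",
    "av_version": "8.0",
    "av_signatures_age_days": 12,
    "firewall_enabled": False,
}

# Constructed sample policy, of the kind the RADIUS server would hold.
POLICY = {
    "required_av": {"McAfee": "8.0"},   # approved product -> minimum version
    "max_signature_age_days": 7,
    "firewall_required": True,
}

@dataclass
class Decision:
    access: str                          # "allow", "quarantine" or "deny"
    failures: list = field(default_factory=list)

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def verify(report, policy):
    """Server-side verifier: credentials first, then posture checks.
    A failed credential check denies outright; a failed posture check
    quarantines and lists what must be fixed before full access."""
    if not report.get("credential_ok"):
        return Decision("deny", ["authentication failed"])
    failures = []
    required = policy["required_av"]
    product = report.get("av_product")
    if product not in required:
        failures.append(f"antivirus product {product!r} not approved")
    elif version_tuple(report["av_version"]) < version_tuple(required[product]):
        failures.append(f"antivirus version {report['av_version']} below {required[product]}")
    if report.get("av_signatures_age_days", 10**6) > policy["max_signature_age_days"]:
        failures.append("antivirus signatures out of date")
    if policy["firewall_required"] and not report.get("firewall_enabled"):
        failures.append("host firewall disabled")
    return Decision("allow" if not failures else "quarantine", failures)

if __name__ == "__main__":
    d = verify(CLIENT_REPORT, POLICY)
    print(d.access, d.failures)   # quarantine with two listed failures
```

The failure list is what a quarantine network would hand back to the client for remediation before the verifier is consulted again.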

Funk expects to have the TNC modules ready for beta testing with customers by June.

The TNC specification is similar to network architecture work being done by some big names such as Cisco Systems' Network Access Control and Microsoft's Network Access Protect. Microsoft is now a promoter member of the TCG, however, so cooperation is possible. Walsh also says that the TCG and Cisco have had "conversations."

The TCG formed in April 2003, and at the time consisted of AMD, Hewlett-Packard, IBM, Intel and Microsoft. Contributing members include Atmel, Infineon, National Semiconductor, Nokia, Philips, Phoenix Technologies, Sony, ST Microelectronics, VeriSign and Wave Systems. Most were held over from the earlier Trusted Computing Platform Alliance.