Much of the network access control (NAC) hype over the last few years has involved network defense. For Mauricio Sanchez, chief security architect, ProCurve Networking by Hewlett-Packard (NYSE: HPQ), NAC can be used as an offensive tool as well.
The HP ProCurve offensive playbook for NAC comes as HP embraces Microsoft’s NAP technology with the ProCurve Identity Driven Manager (IDM) policy management tool. Microsoft’s NAP has the potential to drive NAC adoption even further into the enterprise mainstream now that Server 2008 is generally available.
“Like any good sports team you need a good offense and a good defense to win the game, and from a security perspective we feel that our approach should be the same,” Mauricio Sanchez, chief security architect, ProCurve Networking by HP, told InternetNews.com.
“On the offensive side, the first layer is around Network Access Control, this is where the network interrogates identity and the health state of users and devices,” he said, adding that the term NAC means different things to a lot of people.
“To us and to me, NAC is more of a solution architecture based on performing some kind of access control when users connect to a network,” Sanchez explained. “So it’s not about a particular product or technology.”
According to Sanchez, NAC is also about products and technology that convey the idea that network access should be limited and that people should be asked some questions before they are permitted to connect.
Sanchez noted that once you get past the offensive layer, with user and system interrogation, it’s important to have defensive layers to address real time threats against the network and to protect against failures in the offensive layer.
He says HP will be on the offensive layer of NAC by integrating Microsoft’s NAP with HP’s Identity Driven Manager (IDM) application.
NAP is an integrated component of Windows Server 2008, which was launched earlier this year.
NAP provides built-in health capabilities to verify endpoint health as devices come onto the network. It also provides “a nice baseline for us to leverage as a network vendor and take advantage of it,” Sanchez commented.
HP’s IDM, meanwhile, allows administrators to define access policy based on user group information, time of day and location — all by way of an easy-to-use GUI.
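The two-stage gate the article describes, a NAP-style endpoint health check followed by an IDM-style policy on user group, time of day and location, modelled as an added example (not HP's or Microsoft's code; the health attributes, rule fields and VLAN names are constructed assumptions):

```python
from dataclasses import dataclass

@dataclass
class StatementOfHealth:      # constructed claims, not the real NAP SoH fields
    firewall_on: bool
    av_signature_age_days: int
    missing_critical_patches: int

@dataclass
class ConnectionContext:
    user_groups: set          # groups of the authenticated user
    local_time: str           # "HH:MM" at connection time
    location: str             # constructed site/switch identifier
    soh: StatementOfHealth

@dataclass
class AccessRule:             # one IDM-style rule: group + location + time window
    group: str
    locations: set
    start: str
    end: str
    vlan: str

HEALTH_POLICY = {"max_av_age_days": 7, "max_missing_patches": 0}

def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def evaluate_health(soh, policy=HEALTH_POLICY):
    """Return the failed health requirements; an empty list means healthy."""
    failures = []
    if not soh.firewall_on:
        failures.append("firewall-off")
    if soh.av_signature_age_days > policy["max_av_age_days"]:
        failures.append("av-stale")
    if soh.missing_critical_patches > policy["max_missing_patches"]:
        failures.append("patches-missing")
    return failures

def decide_access(ctx, rules, remediation_vlan="VLAN-REMEDIATION"):
    """Health gate first, then identity/time/location rules; returns (decision, vlan_or_reason, health_failures)."""
    failures = evaluate_health(ctx.soh)
    if failures:   # unhealthy endpoints land on a restricted remediation VLAN
        return ("quarantine", remediation_vlan, failures)
    now = _minutes(ctx.local_time)
    for r in rules:
        if (r.group in ctx.user_groups and ctx.location in r.locations
                and _minutes(r.start) <= now <= _minutes(r.end)):
            return ("allow", r.vlan, [])
    return ("deny", "no-matching-rule", [])
```

A failed health check is reported alongside the quarantine decision so the defensive layer the article mentions can log what the access-control layer turned away.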
Though Microsoft NAP has been officially available only for a few months, it already has a lot of backers. More than a year ago, Microsoft claimed it had more than 100 vendors lined up to support and interoperate with NAP.
Sanchez noted that HP is looking at NAC from a comprehensive network framework perspective, which he sees as a distinct advantage over a pure-play NAC vendor. In Sanchez’s view, pure-play NAC solutions are a dead end.
Another key attribute for NAC success is interoperability, something the Trusted Computing Group’s Trusted Network Connect (TNC) aims to achieve.
Sanchez is a chair on the TNC working group, where both HP and Microsoft are contributors. Last year Microsoft announced that it would work toward TNC interoperability with NAP.
Technically, the interoperability involves TNC support for a Microsoft NAP approach called the Microsoft Statement of Health Protocol. The IF-TNCCS-SOH (TNC client-server – statement of health) protocol acts as a transport to help validate that an endpoint meets the security requirements.
A year later, IF-TNCCS-SOH is still not yet ready for prime time. Sanchez noted that HP’s interoperability for NAP does not come by way of TNC at this point, but rather by way of Microsoft APIs for Server 2008.
Other networking vendors such as Juniper Networks (NASDAQ: JNPR) have already pledged to implement TNCCS-SOH when available.
“The Juniper Networks Infranet Controller, the policy management server at the heart of Juniper Networks Unified Access Control (UAC), will be able to leverage the TNC standard IF-TNCCS-SOH protocol,” Rich Campagna, senior product manager, Juniper Networks, told InternetNews.com.
“Juniper Networks UAC is expected to support this new TNC standard in the first half of 2008,” Campagna said, adding that at Interop Las Vegas 2007, the company showed a preliminary prototype of this technology.
HP’s Sanchez argued that the differences between what is available with Windows Server 2008 today and what IF-TNCCS-SOH will provide are “99 percent the same thing.” The differences according to Sanchez are minor bug fixes and improvements.
Overall, though, Sanchez noted that the TNC does matter and customers appreciate open standards and the ability to choose from a vendor set that supports those standards.
That said, work needs to be done with TNC to make it more effective.
“One of the things we’re working on is a compliance program to verify that vendors are adhering to the standards, and I believe that will relieve a lot of the deployment headaches that people face today,” Sanchez said.
He added that today many interoperability difficulties exist among vendors who claim to be open standards based.