Network Access Control (NAC) offers the promise of ensuring that devices connecting to a network don’t pose a risk. It’s a promise that today stands to become more widespread than ever, with a key industry group introducing new approaches for enabling access-control “health checks” across more devices, networks and even application servers.
The multi-vendor Trusted Computing Group (TCG) standards group today announced three new specifications as part of its Trusted Network Connect (TNC) NAC framework: a specification for clientless endpoints, support for SSL/TLS as an authentication transport, and federated TNC.
The new specifications aim to change the way that security is handled online, with servers potentially being able to check the security health of any endpoint or user that is trying to connect.
“What the new specifications provide is they extend the TNC architecture more broadly,” Steve Hanna, co-chair of TCG’s TNC Work Group, told InternetNews.com. “No longer are the architecture and the standards limited to just pre-authentication and health checking.”
Originally, the TNC specifications described a standard mechanism by which endpoints within a LAN could be checked to ensure that they are properly patched with security updates. The effort grew broader with the support of Microsoft (NASDAQ: MSFT) and TNCCS-SOH, a statement-of-health protocol that helps to provide preadmission control to a network by validating the health level of an endpoint.
The protocol, which Microsoft donated to the TNC in 2007, is part of Microsoft’s Network Access Protection (NAP) technology, integrated with Windows Server 2008 and included in Windows Vista and Windows XP Service Pack 3.
Last year, TNC expanded with the IF-MAP protocol, which goes beyond preadmission access control to include post-connection event correlation for access-control policy.
Now, the TNC is expanding even further, with the ability to check endpoints that don’t have a TNC client on them — which includes devices like printers and VoIP phones, among other devices.
The new capability comes courtesy of a specification called Clientless Endpoint Support. With it, Hanna said, almost anything that can connect to an IP network can be identified, classified and monitored by the TNC architecture.
Hanna added that there had been different approaches by various vendors in the past to authenticate devices without TNC clients. With Clientless Endpoint Support, however, there is a standards-based approach that will enable interoperability across vendors that comply with the specification.
NAC for applications?
NAC is typically thought of as an approach for ensuring local network security, but that could soon be changing, thanks to another new specification that’s making its public debut this week.
The new IF-T Binding for TLS 1.0 specification provides a new transport option for the TNC handshake that checks a device’s health.
“Now applications can take part in the security decision making process,” Hanna explained. “It’s not just the networking layer anymore.”
TLS is the IETF-standardized successor to SSL, which is why the two names are often used interchangeably. The binding also enables continuous monitoring: if a device falls out of compliance after it has connected, a TNC policy server can rapidly identify it.
The new specification could also potentially enable a new era of secure Web browsing, Hanna said. For example, a Web site or application server could implement the specification and check the health of the device or user that is trying to connect.
“Because it is based on TLS, which is used for things like secure Web browsing, it will be possible for Web browsers and servers to add support for TNC health checking,” he said. “I’m not aware of any vendors doing this yet, but it is a scenario that is enabled by this new protocol.”
Federation and the future of TNC
The third major update from the Trusted Computing Group aims to move a step beyond enabling browsers and application servers to do health checks on endpoints. The new Federated TNC specification will enable health status to be shared, or federated, across security domains.
“Federated TNC is really concerned with conveying the results of a TNC health check across different security domains,” Hanna explained. “What we’ve done is defined a new set of profiles that shows how to convey TNC health information in SAML.”
One potential use for Federated TNC is in a Web-based single sign-on scenario. In that case, a user could go to one Web site and authenticate — then have that authentication passed on to other Web sites.
“What this additional SAML profile allows is for the health of a machine to be expressed in the authentication assertion as well,” Hanna said. “So a bank could know whether your machine has been health-checked, and therefore, whether you should be able to log on, trade stocks, etc.”
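The scenario Hanna describes, as an added illustration written for this article (it is not TCG code and not the Federated TNC profile itself): an identity provider mints a SAML 2.0 assertion whose AttributeStatement carries the endpoint health verdict next to the usual AuthnStatement, and a relying party, the bank, checks the assertion’s validity window and audience before letting the verdict decide whether the user may log on or trade. The attribute name under urn:example: and the tiered bank policy are assumptions. Signature handling is omitted; a real relying party must verify the assertion’s XML signature and issuer before trusting anything inside it.

```python
"""Added example: a TNC health result carried inside a SAML 2.0 assertion,
and a relying party (the "bank" in Hanna's scenario) that gates actions on it.

Illustrative code, not TCG's and not the Federated TNC profile itself; the
urn:example: attribute name and the tiered policy are assumptions.
Signature verification is deliberately omitted and must be added for real use."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
TS = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical attribute conveying the health-check verdict (assumption).
HEALTH_ATTR = "urn:example:tnc:health-result"

# Hypothetical relying-party policy: any health-checked machine may log on
# (so the bank can show a remediation page), but only a compliant machine
# may trade.  A machine with no health result at all is denied outright.
POLICY = {
    "logon": {"compliant", "non-compliant"},
    "trade": {"compliant"},
}


def _q(tag):
    return "{%s}%s" % (SAML, tag)


def build_assertion(subject, audience, health_result, issued_at, lifetime_s=300):
    """Issue an (unsigned) assertion: AuthnStatement says the user authenticated,
    AttributeStatement adds the endpoint's health verdict.
    health_result=None models a machine that was never health-checked."""
    a = ET.Element(_q("Assertion"), {
        "Version": "2.0",
        "ID": "_" + uuid.uuid4().hex,
        "IssueInstant": issued_at.strftime(TS),
    })
    ET.SubElement(a, _q("Issuer")).text = "https://idp.example/tnc"
    ET.SubElement(ET.SubElement(a, _q("Subject")), _q("NameID")).text = subject

    cond = ET.SubElement(a, _q("Conditions"), {
        "NotBefore": issued_at.strftime(TS),
        "NotOnOrAfter": (issued_at + dt.timedelta(seconds=lifetime_s)).strftime(TS),
    })
    aud = ET.SubElement(cond, _q("AudienceRestriction"))
    ET.SubElement(aud, _q("Audience")).text = audience

    authn = ET.SubElement(a, _q("AuthnStatement"), {"AuthnInstant": issued_at.strftime(TS)})
    ctx = ET.SubElement(authn, _q("AuthnContext"))
    ET.SubElement(ctx, _q("AuthnContextClassRef")).text = (
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

    if health_result is not None:
        attrs = ET.SubElement(a, _q("AttributeStatement"))
        attr = ET.SubElement(attrs, _q("Attribute"), {"Name": HEALTH_ATTR})
        ET.SubElement(attr, _q("AttributeValue")).text = health_result
    return ET.tostring(a, encoding="unicode")


def evaluate(assertion_xml, my_audience, now, action):
    """Relying-party check.  Returns (allowed, reason)."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML}

    # 1. Validity window: reject replayed or premature assertions.
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        return False, "assertion carries no Conditions"
    not_before = dt.datetime.strptime(cond.get("NotBefore"), TS)
    not_on_or_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TS)
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"

    # 2. Audience: an assertion minted for another site is not valid here.
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if my_audience not in audiences:
        return False, "assertion not addressed to this relying party"

    # 3. Health verdict, if the identity provider included one.
    health = None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") == HEALTH_ATTR:
            val = attr.find("saml:AttributeValue", ns)
            health = val.text if val is not None else None

    if health is None:
        return False, "endpoint was not health-checked"
    if health not in POLICY.get(action, set()):
        return False, "endpoint health %r does not permit %r" % (health, action)
    return True, "ok"


def demo(health_result, action, seconds_later=5, audience=None):
    """Mint an assertion at a fixed instant and evaluate it seconds_later."""
    t0 = dt.datetime(2009, 5, 1, 12, 0, 0)
    bank = "https://bank.example"
    xml = build_assertion("alice", bank, health_result, t0)
    return evaluate(xml, audience or bank, t0 + dt.timedelta(seconds=seconds_later), action)


if __name__ == "__main__":
    for verdict in ("compliant", "non-compliant", None):
        for act in ("logon", "trade"):
            print(verdict, act, demo(verdict, act))
```

The order of the checks is the security-relevant part: the validity window and the audience restriction are enforced before the health attribute is even read, so a stale assertion or one issued for a different site cannot smuggle a “compliant” verdict into the bank’s decision. In a real deployment the signature check would come before all three.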
While numerous vendors — including Juniper, Microsoft, HP ProCurve, Nortel, IBM and Aruba Networks, among others — actively participate and support TNC efforts, there is at least one key networking vendor that is not part of the fold: Cisco.
That is in the process of changing, however, as the TNC specifications get rolled into an Internet Engineering Task Force standards effort that counts Cisco as a participant, and the networking giant has said it intends to adopt the final spec.
Hanna said the IETF spec is not far from completion.
Still, with the potential for a truly industry-wide standard approaching, and three new specifications now in play for NAC pervasiveness, Hanna said that there is still some work to be done.
“We’re always making improvements to the TNC spec, but my personal view on this is we have pretty much gotten there in terms of enabling any network, any device on the network, and any security system that might want to integrate with TNC,” Hanna said.
“That doesn’t mean we won’t stop tweaking the specs,” he added. “We’ll keep finding ways to make it better.”