LAS VEGAS -- Interop -- The NAC wars are over, apparently, and Microsoft won.
The software giant here yesterday revealed an agreement with the Trusted Computing Group (TCG) that will make Microsoft's endpoint security technology -- Network Access Protection (NAP) -- interoperable with the TCG's Trusted Network Connect (TNC), which has been positioned as a multivendor standard for network access control (NAC).
Juniper Networks, which had previously aligned itself with the TCG and Symantec as an alternative to NAP, said in a separate announcement here that it will now work with Microsoft NAP as well.
The accord is a milestone for NAC, which promises to exclude from the network any device that does not fit a corporation's security policies, then help remediate that device to comply with those policies. Many enterprises like the idea of NAC, which theoretically could restrict network access to users and clients that meet their own specific security requirements.
Until now, however, NAC has been mired in a cross-vendor fracas over how the technology should be implemented and enforced. Cisco, which developed the original NAC with its Network Admission Control technology, reached an accord with Microsoft's NAP last year (See Cisco, Microsoft Join Forces on Security. But Microsoft had largely ignored TCG, which had billed TNC as the only vendor-neutral spec, gaining the backing of Cisco and Microsoft competitors such as Juniper and Symantec. (See Symantec & Juniper Join Forces.)
Now that Microsoft and TCG are in line, enterprises can allegedly move forward with their NAC projects, with the knowledge that all their vendors will at least be trying to interoperate. Such interoperability is critical to NAC because of its reliance on enforcement and policies that work on all clients that try to access the network, including guest machines.
The deal confirms that most NAC efforts will revolve around NAP, observers say. "Microsoft won the access control wars last summer when Cisco capitulated," says Eric Ogren, founder of Ogren Group, an IT security consultancy.
"This is an excellent announcement for Microsoft," Ogren says. "It is demonstrating the commitment to work with the security community, and the partner program will verify that hardware devices are indeed NAP compatible. Enterprise IT will now look more seriously at Microsoft security for the endpoints."
Peter Christy, a principal at Internet Research Group, said he wasn't surprised by the Microsoft-TCG announcement. "TCG needs to integrate with Windows," he says. "Customers are saying, 'Don't make us choose between [vendors].' This is good for the customer -- he doesn't have to choose now."
Microsoft and the TCG said that NAP products will eventually work in TNC-protected networks and TNC products will work in NAP-protected networks.
"The first step in the interoperability of NAP and TNC will be enabled by Microsoft's contribution of its Statement of Health (SOH) protocol to the Trusted Computing Group," the partners said. "A new specification, the IF-TNCCS-SOH, is being released today as part of the TNC architecture. Vendors can begin implementing the IF-TNCCS-SOH specification immediately.
"As products supporting the new IF-TNCCS-SOH specification become available in the coming months, customers will be able to start implementing portions of NAP-TNC interoperability," the partners added. "TNC servers that support the SOH protocol can interoperate with Windows Vista and other NAP clients without requiring any extra software... TNC clients that support the SoH protocol can participate in NAP-protected networks, authenticating and participating in health checks."
Microsoft and the TCG published a white paper that outlines their plans for making the two NAC environments work together.
Despite the accord, however, some observers say that NAC still has a long road ahead of it. "I do not believe that NAC/NAP itself will have much more likelihood of succeeding [because of the pact], with the exception of a few niche markets," Ogren says.
"Pre-connect security simply does not meet security requirements for a business world that is increasingly moving to software as a service and loosely connected endpoints," Ogren explains. The release of NAP that's compatible with TCG "won't even be out until Longhorn Server 2008, which means that most IT shops will not even think about a significant deployment until 2010," he predicts. "Lots can happen between now and then."
Rob Enderle, president of the Enderle Group, notes that while Microsoft and TCG are working together, and Microsoft is working with Cisco, Cisco still has not built a bridge to the TCG. "Cisco hasn't been willing to work with TCG, which has been problematic for cross vendor solutions related to Trusted Computing," he says.
"Given that interoperability remains a first-tier requirement for most large scale technology deployments, Cisco's NAC still has a significant problem to overcome," Enderle says. "This is one of the few times I've felt Cisco isn't as focused on the customer as they should be -- and that will be problematic for NAC and Cisco going forward."
Tim Wilson, Site Editor, Dark Reading