
Vendors Get Their NAC Together

Interoperability pact between Microsoft, TCG breaks down endpoint security barriers

LAS VEGAS -- Interop -- The NAC wars are over, apparently, and Microsoft won.

The software giant here yesterday revealed an agreement with the Trusted Computing Group (TCG) that will make Microsoft's endpoint security technology -- Network Access Protection (NAP) -- interoperable with the TCG's Trusted Network Connect (TNC), which has been positioned as a multivendor standard for network access control (NAC).

Juniper Networks, which had previously aligned itself with the TCG and Symantec as an alternative to NAP, said in a separate announcement here that it will now work with Microsoft NAP as well.

The accord is a milestone for NAC, which promises to exclude from the network any device that does not fit a corporation's security policies, then help remediate that device to comply with those policies. Many enterprises like the idea of NAC, which theoretically could restrict network access to users and clients that meet their own specific security requirements.

Until now, however, NAC has been mired in a cross-vendor fracas over how the technology should be implemented and enforced. Cisco, which developed the original NAC with its Network Admission Control technology, reached an accord with Microsoft's NAP last year. (See Cisco, Microsoft Join Forces on Security.) But Microsoft had largely ignored TCG, which had billed TNC as the only vendor-neutral spec, gaining the backing of Cisco and Microsoft competitors such as Juniper and Symantec. (See Symantec & Juniper Join Forces.)

Now that Microsoft and TCG are in line, enterprises can allegedly move forward with their NAC projects, with the knowledge that all their vendors will at least be trying to interoperate. Such interoperability is critical to NAC because of its reliance on enforcement and policies that work on all clients that try to access the network, including guest machines.

The deal confirms that most NAC efforts will revolve around NAP, observers say. "Microsoft won the access control wars last summer when Cisco capitulated," says Eric Ogren, founder of Ogren Group, an IT security consultancy.

"This is an excellent announcement for Microsoft," Ogren says. "It is demonstrating the commitment to work with the security community, and the partner program will verify that hardware devices are indeed NAP compatible. Enterprise IT will now look more seriously at Microsoft security for the endpoints."

Peter Christy, a principal at Internet Research Group, said he wasn't surprised by the Microsoft-TCG announcement. "TCG needs to integrate with Windows," he says. "Customers are saying, 'Don't make us choose between [vendors].' This is good for the customer -- he doesn't have to choose now."

Microsoft and the TCG said that NAP products will eventually work in TNC-protected networks and TNC products will work in NAP-protected networks.

"The first step in the interoperability of NAP and TNC will be enabled by Microsoft's contribution of its Statement of Health (SOH) protocol to the Trusted Computing Group," the partners said. "A new specification, the IF-TNCCS-SOH, is being released today as part of the TNC architecture. Vendors can begin implementing the IF-TNCCS-SOH specification immediately.

"As products supporting the new IF-TNCCS-SOH specification become available in the coming months, customers will be able to start implementing portions of NAP-TNC interoperability," the partners added. "TNC servers that support the SOH protocol can interoperate with Windows Vista and other NAP clients without requiring any extra software... TNC clients that support the SoH protocol can participate in NAP-protected networks, authenticating and participating in health checks."

Microsoft and the TCG published a white paper that outlines their plans for making the two NAC environments work together.

Despite the accord, however, some observers say that NAC still has a long road ahead of it. "I do not believe that NAC/NAP itself will have much more likelihood of succeeding [because of the pact], with the exception of a few niche markets," Ogren says.

"Pre-connect security simply does not meet security requirements for a business world that is increasingly moving to software as a service and loosely connected endpoints," Ogren explains. The release of NAP that's compatible with TCG "won't even be out until Longhorn Server 2008, which means that most IT shops will not even think about a significant deployment until 2010," he predicts. "Lots can happen between now and then."

Rob Enderle, president of the Enderle Group, notes that while Microsoft and TCG are working together, and Microsoft is working with Cisco, Cisco still has not built a bridge to the TCG. "Cisco hasn't been willing to work with TCG, which has been problematic for cross vendor solutions related to Trusted Computing," he says.

"Given that interoperability remains a first-tier requirement for most large scale technology deployments, Cisco's NAC still has a significant problem to overcome," Enderle says. "This is one of the few times I've felt Cisco isn't as focused on the customer as they should be -- and that will be problematic for NAC and Cisco going forward."

— Tim Wilson, Site Editor, Dark Reading

  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Juniper Networks Inc. (Nasdaq: JNPR)
  • Microsoft Corp. (Nasdaq: MSFT)
  • Trusted Computing Group

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
