In a move meant to help speed the adoption of its
endpoint security technology, Microsoft has announced
interoperability between its Network Access Protection
(NAP)-enabled products and the Trusted Computing Group's Trusted
Network Connect (TNC) architecture. IT professionals have hailed
the move, but say it won't accelerate their adoption
timetables.
NAP and TNC are two of the three main competing specifications
for network access control deployments, and until now products based
on one specification have been incompatible with those using the
other. This has been a stumbling block for enterprises looking to
deploy a comprehensive
NAC infrastructure, and enterprise IT managers often cite the
lack of interoperability as one of the main reasons for not using
NAC. Microsoft officials are hoping this move will help change
that.
The Redmond, Wash.-based company's NAP technology is included in
Windows Vista, but won't be fully functional until the release
early next year of the Longhorn server, now known as Windows Server
2008.
Microsoft and Cisco Systems Inc. have been
working together on NAC-NAP compatibility for some time, and
the companies announced some progress last fall. But this is the
first time that Microsoft, a member of the TCG, has announced
any interoperability with the TNC specification.
As part of the plan announced at the Interop show in Las Vegas,
the TCG today published a new TNC specification based on the
Microsoft Statement of Health Protocol, which describes the ways in
which TNC-enabled devices can now interact with NAP-enabled
machines. The new specification enables NAP servers to accept
network access requests and health statements from TNC-enabled
devices. A number of TCG member companies will begin shipping
products in the first half of next year that work with the new
specification.
Dave Bixler, CISO for Siemens Business Services Inc., a
subsidiary of Munich-based Siemens AG, is headed to Interop this
week and one of his specific goals is to get a pulse on the
NAP/NAC/TNC market. He said it's great to see Microsoft and TCG
cooperating, but he expects it to have little impact on his NAC
adoption plans since NAP is on hold until Longhorn ships.
"It's something we have had on our action list for the past 18
months or so, and I plan to have a pilot running by the end of the
year with an eye towards a full deployment in 2008," Bixler said.
"So while this is a great announcement for the industry, it's a
little late for it to impact my plans at the moment."
He's not alone in that assessment. Brian Joyce, IT director of
Chattanooga, Tenn.-based accounting firm Joseph Decosimo and Co.,
said he's very interested in NAC/NAP/TNC. In theory, he said, it
would seem the most logical way to protect the perimeter at the
source of access, but he doesn't expect interoperability to speed
up deployments.
"The products aren't mature enough for us yet," Joyce said.
"Microsoft's announcement is good, but there is much more that
needs to happen before we jump on the NAC/NAP bandwagon."
While IT pros have expressed a lot of interest in NAC, experts
have pointed out the technology's drawbacks in recent months.
At the Black Hat DC conference in March, Ofir Arkin, CTO of
Framingham, Mass.-based NAC vendor Insightix, said
NAC implementations are often more difficult
than they need to be because companies don't have a good
understanding of their networks, in turn opening the door for
opportunistic attackers.
He said flaws exist in almost every part of a NAC
implementation, allowing an attacker to bypass most
access control walls. Therefore, he said, careful planning is
essential before implementing any part of NAC.
At the Infosec World Conference and Expo in Orlando, Fla.,
later that month, a panel of IT security pros suggested
the costs of deploying NAC may not be worth the
benefits promised by the technology.