Microsoft NAP-TNC compatibility won't speed adoption, users say

In a move meant to help speed the adoption of its endpoint security technology, Microsoft  has announced interoperability between its Network Access Protection (NAP)-enabled products and the Trusted Computing Group's Trusted Network Connect (TNC) architecture. IT professionals have hailed the move, but say it won't accelerate their adoption timetables.

NAP and TNC are two of the three main competing specifications for network access control deployments and until now products based on one specification have been incompatible with those using the other. This has been a stumbling block for enterprises looking to deploy a comprehensive NAC infrastructure and enterprise IT managers often cite the lack of interoperability as one of the main reasons for not using NAC. Microsoft officials are hoping this move will help change that.

The Redmond, Wash.-based company's NAP technology is included in Windows Vista, but won't be fully functional until the release early next year of the Longhorn server, now known as Windows Server 2008. Microsoft and Cisco Systems Inc. have been working together on NAC-NAP compatibility for some time, and the companies announced some progress last fall. But this is the first time that Microsoft, a member of the TCG, has announced any interoperability with the TNC specification.

NAC deployments: NAC panel says technology may not add up: A panel discussing the potential of using network access control (NAC) says the technology may not be worth the price of deploying and maintaining it. Expert: NAC not a network security cure-all: According to an expert at Black Hat DC, NAC success demands careful planning and a good understanding of the company network; otherwise, implementations can quickly go awry. Vendors acknowledge NAC-NAP roadmap limits: The NAC-NAP interoperability roadmap Microsoft and Cisco unveiled last week won't be of much use to non-Windows and non-Cisco environments.

As part of the plan announced at the Interop show in Las Vegas, the TCG today published a new TNC specification based on the Microsoft Statement of Health Protocol, which describes the ways in which TNC-enabled devices can now interact with NAP-enabled machines. The new specification enables NAP servers to accept network access requests and health statements from TNC-enabled devices. A number of TCG member companies will begin shipping products in the first half of next year that work with the new specification.

Dave Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG, is headed to Interop this week and one of his specific goals is to get a pulse on the NAP/NAC/TNC market. He said it's great to see Microsoft and TCG cooperating, but he expects it to have little impact on his NAC adoption plans since NAP is on hold until Longhorn ships.

"It's something we have had on our action list for the past 18 months or so, and I plan to have a pilot running by the end of the year with an eye towards a full deployment in 2008," Bixler said. "So while this is a great announcement for the industry, it's a little late for it to impact my plans at the moment."

He's not alone in that assessment. Brian Joyce, IT director of Chattanooga, Tenn.-based accounting firm Joseph Decosimo and Co. said he's very interested in NAC/NAP/TNC. In theory, he said, it would seem the most logical way to protect the perimeter at the source of access, but he doesn't expect interoperability to speed up deployments.

"The products aren't mature enough for us yet," Joyce said. "Microsoft's announcement is good, but there is much more that needs to happen before we jump on the NAC/NAP bandwagon."

While IT pros have expressed a lot of interest in NAC, experts have pointed out the technology's drawbacks in recent months.

At the Black Hat DC conference in March, Ofir Arkin, CTO of Framingham, Mass.-based NAC vendor Insightix, said NAC implementations are often more difficult than they need to be because companies don't have a good understanding of their networks, in turn opening the door for opportunistic attackers.

He said flaws exist in almost every part of a NAC implementation, allowing an attacker the ability to bypass most access control walls. Therefore, he said, careful planning is essential before implementing any part of NAC.

At the Infosec World Conference and Expo. In Orlando, Fla., later that month, a panel of IT security pros suggested the costs of deploying NAC may not be worth the benefits promised by the technology.