Many network and security administrators have implemented or are considering network access control (NAC) to support corporate security policies, but doubts remain about the technology.

NAC has grown rapidly as a method for enforcing information security policies, but without a unified standard, there is still uncertainty about how things will shake out. Think Betamax and VHS - or more recently, Blu-ray and HD DVD - and the "cold feet" effect becomes understandable.

There are three major approaches to NAC standards, with varying degrees of interoperability and development cooperation.

  • The Trusted Computing Group's (TCG) Trusted Network Connect (TNC) is a full set of standards for NAC developed by member companies.
  • Network Access Protection (NAP) is Microsoft's entry into computer posture checking and will become fully operational with Windows Server 2008 .
  • The Internet Engineering Task Force (IETF) has been working on a set of NAC standards referred to as the Network Endpoint Assessment (NEA).
NEA is still in the standards process and will likely be there for some time. "The IETF is comprised of [sic] individuals, while TNC was developed by member companies," explains Steve Hanna, co-chairman of both the IETF and TCG NAC working groups. Because contributions to IETF initiatives are often from many individuals around the globe via email, whereas the TNC approach is more streamlined because of limited participation, the IETF process takes longer to produce standards.

Hanna explains that the IETF initiative has been under way for over a year, yet there hasn't been an agreement about what the standard should look like. He says he believes the process could take several more years. But does that imply that those who may be waiting for an IETF standard before deploying a NAC system should continue to wait that long?

Recently, I moderated a NAC panel arranged by a network security consulting company. Potential and current NAC users took this opportunity to grill the panel - which consisted of representatives from Cisco, Hewlett-Packard's ProCurve unit, Symantec and Juniper Networks - on NAC product offerings and directions.

Without a doubt, the lack of a single, unified standard was on the minds of many of the attendees. When asked if users should wait to deploy NAC until the standards had settled, however, all representatives were unanimous in stating that if there is an immediate need and a solution exists, then deployment now is preferable.

Still, there is a gamble about whether the standards will converge at all. Hanna has hopes that the IETF will eventually be aligned with the TNC initiative. Cisco Systems may not yet be on the TNC bandwagon, but the company supports the IETF initiative and has partnered with Microsoft to ensure interoperability with NAP. Adding the fact that Microsoft donated a standard (download PDF) for the TNC client and a standard to work with the NAP system, it's clear that there is already movement toward that convergence.

Vendor direction

So what are some of the vendors' positions on the NAC standards with regard to product development? Eric Stinson, Enterasys Networks' director of product management for NAC, explains that while Enterasys has been building NAC type functionality into its network equipment for some time, continuing to follow industry standards as they develop is an important corporate direction. "We remain committed to interoperability and investment protection through [NAC] industry standardisation efforts."

As HP ProCurve chief security architect Mauricio Sanchez elaborates, NAC is built on existing standards to an extent. "All of the NAC protocol frameworks have some underpinnings and usage of current standards, such as RADIUS, EAP, 802.1x, etc," he says. "No one likes to reinvent wheels, so where existing [standards] made sense, there's no reason why they shouldn't be used."

It's through collaboration that a standard emerges - be it by decree or de facto. Stinson sees movements in collaboration as indicative of the future direction of NAC. "Enterasys expects that TNC and NEA will eventually align with each other, but the fact that Microsoft has endorsed TNC will drive NAC adoption based on Microsoft's market presence in client computing," he says.