ISP Planet - Technology - Bolting the Back Door with NAC - Part 3: Comparing the alternatives - page four

Sections

• Best of the Lists
• Business
• CLEC-Planet
• Equipment
• Executive
Perspectives
• Fixed Wireless
• Investor
• Marketing
• Market Research
• News
• Notable Quotes
• Politics
• Profiles
• Resources
• Technology
• Value-Added
Services
• Webhosting
Also ...
• About Us
• Authors
• ISP-Planet Blog
• Letters
• Site Map
• Technology Jobs

ISP Resources

ISP-Lists
ISP Glossary
ISP News
The List
ISPCON Events
Free Newsletters

internet.com

IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

internet.commerce

Partner With Us

Bolting the Back Door with NAC
Part 3: Comparing the alternatives — page four

by Lisa Phifer
VP Core Competence, Inc.
[June 22, 2007]

TCG Trusted Network Connect
The Trusted Computing Group (TCG) develops open standards for hardware-enabled trusted computing and security technologies. TNC is TCG-defined open architecture to enable non-proprietary, interoperable endpoint security auditing and policy enforcement in multi-vendor networks.

The TNC architecture is reminiscent of both CNAC and NAP. At left is a host requesting access; at right are servers that make policy decisions. In between lay the APs, switches, firewalls, and VPN gateways that enforce policy. So what makes TNC different?

Unlike CNAC and NAP, every component of the TNC architecture could be sourced from a different vendor. For example, any mixture of TNC Policy Enforcement Points from Nortel, HP, Extreme, Enterasys, Aruba, Trapeze, Colubris, et al could request access through any TNC-compliant Network Access Authority, from Steel-Belted RADIUS to FreeRADIUS. An open source Linux TNC Client could interact with a Juniper IC 4000 TNC Server appliance. And so on.

To achieve multi-vendor interoperability, TNC functionality is carved into discrete Network Access, Integrity Evaluation, and Integrity Measurement layers. Those layers are implemented by components communicating through open standard interfaces:

IF-PEP: RADIUS bindings that enable communication between heterogeneous Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs).

IF-T: Tunneled EAP bindings relay identity and integrity data between multi-vendor Network Access Requestors (NARs) and Network Access Authorities (NAAs), using access methods like 802.1X, IKE, TLS, or PPP.

IF-TNCCS: Protocols that carry integrity measurement handshakes between TNC-compliant Clients and Servers. Two protocols are now specified: the original XML-based IF-TNCCS and the new TLV-based IF-TNCCS-SOH recently adopted from NAP. TNC PDPs can implement one or both protocols.

IF-IMC: An API that all endpoint security programs—called Integrity Measurement Collectors (IMCs)—use to submit integrity data to the TNC Client.

IF-IMV: An API that all security policy servers—called Integrity Measurement Verifiers (IMVs)—use to receive integrity data from the TNC Server. Both APIs define language bindings for Java, UNIX/Linux, and Windows platforms.

IF-M: Vendor-specific IMC-IMV protocols. Today's IMCs and IMVs are matched pairs that exchange proprietary messages. For example, the Wave Embassy Endpoint Enforcer Client talks to the Wave Embassy Endpoint Enforcer Server, and the PatchLink Update Agent talks to the PatchLink Update Server.

Another core feature that differentiates TNC is optional use of a TCG Trusted Platform Module (TPM). TPM is a hardware security component found on many new laptops. It delivers platform trust services like identity and encryption key storage that make it harder for rootkit-infested endpoints to "lie" about their identity or integrity.

Heterogeneity on paper is one thing, but real-world deployments need interoperable products. Colubris, Enterasys, Fujitsu, HP, Juniper Networks, libTNC, PatchLink, Q1 Labs, Symantec, Trapeze Networks, and Wave Systems participated in an interoperability "plugfest" in March 2007. Those companies were joined by Extreme Networks, Fujitsu, FHH, Microsoft, and Nortel at a May 2007 Interop demo. According to TCG, about 75 member companies are developing TNC-compatible products or technology, including open source TNC Clients and Servers like libTNC, FHH@TNC, and OpenSEA.

TCG expects TNC/NAP interoperability to accelerate adoption by simplifying deployment and protecting investment. For example, in 1H08, not only will Microsoft Vista and Server 2008 speak IF-TNCCS-SOH, but so will TNC-based Juniper Networks Unified Access Control (UAC) products. Vendors at the top of the stack can then use either TNC or NAP APIs, knowing that customers will be able to combine NAP clients with TNC servers and vice versa when both speak the same protocol.

Page one: Introduction

Page two: Cisco Network Admission Control

Page three: Microsoft Network Access Protection

Page four: TCG Trusted Network Connect

>Page five: IETF Network Endpoint Assessment

ISP News

•IDC: Microsoft's Yahoo Deal Could be a Big Hit
•Ballmer Fills in 'Software-Plus-Services' Plan
•Report: Enterprise Search Will Top $1 Billion by 2010

More >

Best of ISP-Planet

ISP-Planet Guide

ISP-Planet's
Principal Studies

Directories:
• Anti-Spam
• Backbone Providers
• Billing Services
• Customer Support
• IDS
• ISP Associations
• Registrar
• Trouble Ticketing
• Webmail
• Wholesale Dialup
• Wireless Equipment

Q2 2008
Top U.S. ISPs
by Subscriber
(Updated 08/29/2008)

VoIP Ranking by Subscriber (Updated 09/02/2008)

ISP-Planet's
Blogroll

ISP-Planet's RSS feed

Search:

Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

Jupitermedia Corporate Info

Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers

Whitepapers and eBooks
IBM Whitepaper: Innovative Collaboration to Advance Your Business Internet.com eBook: Real Life Rails Avaya Article: Call Control XML - Powerful, Standards-Based Call Control Tripwire Whitepaper: Seven Practical Steps to Mitigate Virtualization Security Risks Internet.com eBook: The Pros and Cons of Outsourcing Go Parallel Article: Scalable Parallelism with Intel(R) Threading Building Blocks Internet.com eBook: Best Practices for Developing a Web Site IBM CXO Whitepaper: The 2008 Global CEO Study "The Enterprise of the Future"		Avaya Article: Call Control XML in Action - A CCXML Auto Attendant Go Parallel Article: James Reinders on the Intel Parallel Studio Beta Program IBM CXO Whitepaper: Unlocking the DNA of the Adaptable Workforce--The Global Human Capital Study 2008 Adobe Acrobat Connect Pro: Web Conferencing and eLearning Whitepapers Go Parallel Article: Getting Started with TBB on Windows HP eBook: Storage Networking , Part 1 MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts
Go Parallel Video: Intel(R) Threading Building Blocks: A New Method for Threading in C++ HP Video: Is Your Data Center Ready for a Real World Disaster? Microsoft Partner Portal Video: Microsoft Gold Certified Partners Build Successful Practices HP On Demand Webcast: Virtualization in Action Go Parallel Video: Performance and Threading Tools for Game Developers		Rackspace Hosting Center: Customer Videos Intel vPro Developer Virtual Bootcamp HP Disaster-Proof Solutions eSeminar HP On Demand Webcast: Discover the Benefits of Virtualization MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits
Microsoft Download: Silverlight 2 Software Development Kit Beta 2 30-Day Trial: SPAMfighter Exchange Module Red Gate Download: SQL Toolbelt		Iron Speed Designer Application Generator Microsoft Download: Silverlight 2 Beta 2 Runtime MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos
IBM IT Innovation Article: Green Servers Provide a Competitive Advantage Microsoft Article: Expression Web 2 for PHP Developers--Simplify Your PHP Applications		Featured Algorithm: Intel Threading Building Blocks - parallel_reduce MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES