TNC will be a set of specs used to check whether computers are compliant with security policies before allowing them to connect to the network. Non-compliant machines could be blocked or restricted to a quarantine VLAN.

With a combination of switch, client agent, and policy server, the idea is to only grant network access to PCs after they have up-to-date virus definitions installed, a firewall running, and a fully patched operating system, for example.

The two sets of APIs published yesterday are designed to give the agent piece the ability to wrap state information in a standard format before it is sent to an authentication server, and for that server to check the data against policies.

Several companies, including Check Point Software Technologies Ltd, Foundry Networks Inc and Funk Software Inc are demonstrating such functionality at the Networld + Interop conference and trade show in Las Vegas this week.

“We’re integrating with Funk’s Odyssey [authentication server] and Foundry switches using 802.1x,” said Conrad Herrmann, chief technology officer of Check Point’s Zone Labs division. The combination of the three products gives the ability to evaluate a PC’s compliance with security policy.

Thomas Hardjono, principal scientist at VeriSign and co-chair of the TNC working group, said that four more specs are coming between now and the end of the third quarter, which will round out the TNC’s work.

These will deal with client-server communications, and communications between the server and what is called, in TNC lingo, the Policy Enforcement Point — basically, the switch or VPN that the endpoint is connecting to.

The problem here is that while TNC has many switch vendors committed to support its specs, the market leader, Cisco, has its own proprietary Network Admission Control initiative that essentially duplicates TNC work.

“The Policy Enforcement Point, to be frank, is Cisco’s territory; they own that space,” said Hardjono. “If Cisco could come to the table and work on the specs, help us with the next three or four specs, it could only benefit them.”

TNC has one thing that NAC and Microsoft’s Network Access Protection plan do not have, Hardjono said: compatibility with the Trusted Platform Module, another TCG spec that describes a tamper-resistant cryptographic chip for embedding in computers.

A worry with network access control systems is that if an endpoint is compromised, the security agent could be manipulated to provide phony data to the authentication server. Integration with TPM could mitigate that risk.
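As an added illustration (not code from TNC, the TCG or any vendor named here), the following models the agent and policy-server roles described above together with the tampered-agent risk: the agent wraps its posture in a fixed format and binds it with a MAC that stands in for a TPM-backed signature, and the server refuses to evaluate any report whose binding does not verify. The policy values, field names, dates and key are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed policy (illustrative, not a TNC spec format): what the policy
# server demands before granting full network access.
POLICY = {"max_av_age_days": 7, "firewall_required": True, "min_patch_level": 12}

# Hypothetical key standing in for a TPM-protected one. A real TPM signs with a
# key that never leaves the chip; HMAC is only a stand-in so this runs offline.
ATTESTATION_KEY = b"constructed-demo-key"

def canonical(posture: dict) -> bytes:
    """Serialize the posture in one standard form so agent and server MAC identical bytes."""
    return json.dumps(posture, sort_keys=True, separators=(",", ":")).encode()

def attest(posture: dict, key: bytes = ATTESTATION_KEY) -> str:
    """Agent side: wrap the state information and bind it with a hardware-rooted MAC."""
    return hmac.new(key, canonical(posture), hashlib.sha256).hexdigest()

def evaluate(posture: dict, tag: str, today: date, policy: dict = POLICY):
    """Policy server side: check report integrity first, then compliance.
    Returns ("allow", []) or ("quarantine", [reason, ...])."""
    # A report whose tag does not verify is untrusted, never treated as compliant.
    if not hmac.compare_digest(tag, attest(posture)):
        return "quarantine", ["posture report failed attestation check"]
    reasons = []
    av_age = (today - date.fromisoformat(posture["av_definitions_date"])).days
    if av_age > policy["max_av_age_days"]:
        reasons.append(f"virus definitions are {av_age} days old")
    if policy["firewall_required"] and not posture["firewall_enabled"]:
        reasons.append("host firewall not running")
    if posture["patch_level"] < policy["min_patch_level"]:
        reasons.append(f"patch level {posture['patch_level']} below {policy['min_patch_level']}")
    return ("allow", reasons) if not reasons else ("quarantine", reasons)

def demo() -> list:
    """Run three constructed scenarios and return the server's verdicts."""
    today = date(2005, 5, 5)  # constructed date
    healthy = {"av_definitions_date": "2005-05-03", "firewall_enabled": True, "patch_level": 12}
    stale = dict(healthy, av_definitions_date="2005-04-01", firewall_enabled=False)
    # A report altered after measurement no longer matches its tag: access is denied.
    altered = dict(stale, av_definitions_date="2005-05-03", firewall_enabled=True)
    return [evaluate(healthy, attest(healthy), today),
            evaluate(stale, attest(stale), today),
            evaluate(altered, attest(stale), today)]

if __name__ == "__main__":
    print(demo())
```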

“The two other proposals are like the fox guarding the chicken coop,” Hardjono said. “Who’s going to guard the agent to make sure it is not corrupted?”

Cisco executives have been approached on a personal level by counterparts at VeriSign and other TNC vendor members, but as yet have not said they will join TNC or support its specs, Hardjono said.

Check Point’s Herrmann said that implementations of TNC’s specs will be compatible with Cisco environments regardless. Cisco has already implemented 802.1x and EAP in its switches, and those are the two protocols key to interoperating with the Policy Enforcement Point, he said.