Steve Hanna, co-chair of the TNC, described the move by Microsoft, announced at the Interop show in Las Vegas last month, as a tectonic shift in the development of NAC. He said that not only did it reduce the sector from three camps to two, with Microsoft's Network Access Protection (NAP) technology now guaranteed to interoperate with that of any TNC vendor, but it also pitted Cisco against the rest of the industry, arguably nudging the networking heavyweight in the direction of interoperability too.

He was careful to point out that, in announcing the donation to TNC, Microsoft said it was continuing the bilateral interoperability work with Cisco announced last September between NAP and Cisco's Network Admission Control technology. However, he described the market reception to that work as lukewarm because it is a two-server solution whereby you buy both and they'll work together, whereas people want NAC in the OS to work with whatever solution they already have deployed. The analogy he used was TCP/IP, which used to be an additional item and is now just burned in, like secure web browsers, he said.

By moving NAP completely into the standards-based camp, he said Microsoft has also paved the way for its use in non-Vista environments. You need to use NAC for Macintosh, Linux, old Windows machines, printers, VoIP phones, and networking gear, in fact anything with an IP address, he said.

Hanna said the TNC workgroup was created in May 2004 to drive open standards for NAC, building on the TCG's earlier work on the Trusted Platform Module (TPM) specification, which defines an additional chip to be included in endpoints for storing encryption keys, passwords, and so on.

We recognized that the TPM had a role to play in addressing the challenge of the lying endpoint, which is where a machine is made to lie about its integrity status by a virus that's already installed on it, he said. The TPM runs before a machine has even booted and so can take a cryptographic hash of each boot sequence for a checksum operation against a value stored on a NAC server of what is an acceptable configuration, picking up any changes resulting from viruses or rootkits.
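The measured-boot check Hanna describes, as an added illustration that is not code from the article, the TCG or any TNC product: each boot stage is hashed and folded into a one-way PCR chain (PCR := H(PCR || measurement), as a TPM 1.2 SHA-1 register does), and the NAC server compares the reported value against its list of acceptable configurations. The boot components, the shared attestation key and the HMAC used in place of the TPM's asymmetric quote signature are all constructed assumptions for the simulation, not real TPM or TNC protocol messages.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers

# Constructed sample boot components; a real chain measures firmware, bootloader,
# kernel, drivers and so on. The bytes here are placeholders, not real images.
GOOD_BOOT = [
    b"bios: constructed sample firmware",
    b"bootloader: constructed sample",
    b"kernel: constructed sample",
    b"drivers: constructed sample",
]
ROOTKIT_BOOT = [c if not c.startswith(b"kernel") else b"kernel: constructed sample + rootkit"
                for c in GOOD_BOOT]


def measure(component: bytes) -> bytes:
    """Measurement of one boot component: its SHA-1 digest."""
    return hashlib.sha1(component).digest()


class SimulatedTPM:
    """Toy model of PCR extend and quote. Not a real TPM: the attestation key is a
    symmetric HMAC key (assumption) standing in for the TPM's private signing key."""

    def __init__(self, attestation_key: bytes):
        self._pcr = bytes(PCR_SIZE)   # all zeros at power-on
        self._key = attestation_key   # never leaves the 'chip'

    def extend(self, measurement: bytes) -> None:
        # One-way and order-dependent: PCR := H(PCR || measurement).
        # Software cannot set the register directly; it is reset only by a reboot.
        self._pcr = hashlib.sha1(self._pcr + measurement).digest()

    def pcr(self) -> bytes:
        return self._pcr

    def quote(self, nonce: bytes) -> bytes:
        # Stand-in for a TPM quote: binds the *current* PCR to the server's fresh nonce.
        return hmac.new(self._key, nonce + self._pcr, hashlib.sha256).digest()


def boot(tpm: SimulatedTPM, components) -> bytes:
    """Run the boot sequence, measuring each stage into the PCR; returns the final PCR."""
    for component in components:
        tpm.extend(measure(component))
    return tpm.pcr()


def expected_pcr(components) -> bytes:
    """What the NAC server pre-computes for a known-good configuration."""
    return boot(SimulatedTPM(b""), components)


class NacServer:
    def __init__(self, attestation_key: bytes, acceptable_configs):
        self._key = attestation_key
        self._acceptable = {expected_pcr(cfg) for cfg in acceptable_configs}

    def check(self, claimed_pcr: bytes, nonce: bytes, quote: bytes) -> str:
        # 1. Does the quote really cover this nonce and this claimed PCR value?
        #    A host agent that lies about its PCR cannot produce a matching quote.
        expected_quote = hmac.new(self._key, nonce + claimed_pcr, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_quote, quote):
            return "reject: quote does not match claimed PCR (lying endpoint)"
        # 2. Is the measured configuration one we accept?
        if claimed_pcr not in self._acceptable:
            return "quarantine: unknown boot configuration"
        return "admit"


KEY = b"constructed-shared-attestation-key"  # assumption: shared between TPM and server


def scenario_clean() -> str:
    tpm = SimulatedTPM(KEY)
    boot(tpm, GOOD_BOOT)
    nonce = os.urandom(16)
    return NacServer(KEY, [GOOD_BOOT]).check(tpm.pcr(), nonce, tpm.quote(nonce))


def scenario_honest_rootkit() -> str:
    """Kernel tampered with, agent reports the PCR truthfully: chain differs, so quarantine."""
    tpm = SimulatedTPM(KEY)
    boot(tpm, ROOTKIT_BOOT)
    nonce = os.urandom(16)
    return NacServer(KEY, [GOOD_BOOT]).check(tpm.pcr(), nonce, tpm.quote(nonce))


def scenario_lying_endpoint() -> str:
    """Kernel tampered with, agent claims the known-good PCR: the quote gives it away."""
    tpm = SimulatedTPM(KEY)
    boot(tpm, ROOTKIT_BOOT)
    nonce = os.urandom(16)
    claimed = expected_pcr(GOOD_BOOT)  # the lie
    return NacServer(KEY, [GOOD_BOOT]).check(claimed, nonce, tpm.quote(nonce))


if __name__ == "__main__":
    print("clean:", scenario_clean())
    print("rootkit, honest report:", scenario_honest_rootkit())
    print("rootkit, lying agent:", scenario_lying_endpoint())
```

The point the simulation makes is the one Hanna draws: a rootkit changes a measurement early in the chain, every later PCR value changes with it, and the endpoint software cannot simply report the old value because the quote is produced by the TPM over whatever the register actually holds. A real deployment verifies the quote with the TPM's public attestation key rather than a shared HMAC key, and must also handle legitimate configuration changes (patches, driver updates) by updating the server's acceptable-value list.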

Hanna said Cisco's decision not to take part in the TNC initiative was unfortunate and a result of its hubris at that time. While he said it doesn't formally support TNC today, its switches and wireless APs support the necessary protocols for a TNC server to control them, namely 802.1X and RADIUS, and we often demo a heterogeneous NAC implementation with multiple vendors' switches and APs, including Cisco's. As to whether Cisco will ever join the TNC camp, meanwhile, he said: I'm hopeful, but I guess I'm an optimist.

Hanna said the two client/server protocols (TNC's and NAP's) will now be gradually integrated into one, beyond which the next stage of development will see the workgroup expand the scope of NAC. We'll take it from endpoint checking to overall endpoint and network security, incorporating things like anomaly and vulnerability scanning, as well as device characterization, which is where an endpoint requests access with no NAC software on it, in which case we need to be able to identify it as a printer or whatever, he said.

Our View

A cynic might argue that Hanna’s remarks about Cisco’s hubris in the issue of whether to take part in TNC or not are colored by the fact that he is employed by Cisco’s archrival in routing, Juniper. Nonetheless, with Microsoft falling in behind the TNC banner, Cisco does appear to be in a state of splendid isolation with regard to NAC, though obviously a company that owns upwards of 70% of the Ethernet switching market can afford to go it alone, like the kid that owns the football so argues he can also make the rules.

Even the interoperability work with Microsoft has always seemed to be carried out with gritted teeth by both sides, as the two are natural competitors in many areas. In any case, the initiative does not address other players in the NAC space who are going down the TNC route and whose products may co-exist with Cisco’s in a given environment. And as Hanna clearly stated, NAC is going to have to address heterogeneity. Cisco has actually been relatively quiet about NAC in recent months, after lionizing the technology intensively for a couple of years, which suggests that it may be undergoing something of a rethink about its future strategy.