Many network and security administrators have implemented or are considering network access control (NAC) to support corporate security policies, but doubts remain about the technology.
NAC has grown rapidly as a method for enforcing information security policies, but without a unified standard, there is still uncertainty about how things will shake out. Think Betamax and VHS -- or more recently, Blu-ray and HD DVD -- and the "cold feet" effect becomes understandable.
There are three major approaches to NAC standards, with varying degrees of interoperability and development cooperation.
The Trusted Computing Group's (TCG) Trusted Network Connect (TNC) is a full set of standards for NAC developed by member companies.
Network Access Protection (NAP) is Microsoft's entry into computer posture checking and will become fully operational with Windows Server 2008 .
The Internet Engineering Task Force (IETF) has been working on a set of NAC standards referred to as the Network Endpoint Assessment (NEA).
NEA is still in the standards process and will likely be there for some time. "The IETF is comprised of [sic] individuals, while TNC was developed by member companies," explains Steve Hanna, co-chairman of both the IETF and TCG NAC working groups. Because contributions to IETF initiatives are often from many individuals around the globe via e-mail, whereas the TNC approach is more streamlined because of limited participation, the IETF process takes longer to produce standards.
Hanna explains that the IETF initiative has been under way for over a year, yet there hasn't been an agreement about what the standard should look like. He says he believes the process could take several more years. But does that imply that those who may be waiting for an IETF standard before deploying a NAC system should continue to wait that long?
Wait or deploy?
Recently, I moderated a NAC panel arranged by a network security consulting company. Potential and current NAC users took this opportunity to grill the panel -- which consisted of representatives from Cisco, Hewlett-Packard's ProCurve unit, Symantec and Juniper Networks -- on NAC product offerings and directions.
Without a doubt, the lack of a single, unified standard was on the minds of many of the attendees. When asked if users should wait to deploy NAC until the standards had settled, however, all representatives were unanimous in stating that if there is an immediate need and a solution exists, then deployment now is preferable.
Still, there is a gamble about whether the standards will converge at all. Hanna has hopes that the IETF will eventually be aligned with the TNC initiative. Cisco Systems may not yet be on the TNC bandwagon, but the company supports the IETF initiative and has partnered with Microsoft to ensure interoperability with NAP. Adding the fact that Microsoft donated a standard (download PDF) for the TNC client and a standard to work with the NAP system, it's clear that there is already movement toward that convergence.