An educated guess as to why NAC schemes abound
- 12 April, 2006 11:27
An astute observer of the industry might ponder why Microsoft, Cisco and Trusted Computing Group have nearly identical, yet completely incompatible, NAC (network access control) architectures. We asked the vendors this question but could not get a straight answer. So we're making an educated guess.
With Microsoft, the answer seems to be that its Network Access Protection architecture is the overgrown descendent of a fairly constrained original thought on how to detect out-of-compliance systems and quarantine them without having to make expensive and confusing changes to network infrastructure. If you consider a typical Microsoft small or midsize business network, the original Network Access Protection documents offer a clever way to handle the problem without assuming any intelligence in the network.
Why Microsoft product management let Network Access Protection grow up into the mishmash that exists (at least in part) today is unclear. Perhaps they were reacting to security people critical of the company's original approach, and rather than explain this wasn't a security solution, they threw as much security terminology as they could into it, while trying not to lose the original value of Network Access Protection.
This is not to say that Microsoft isn't bringing value into the equation: no one can handle the client side better -- kind of like how France corners the market on good cheese. And if Microsoft is willing to define the APIs that Cisco, Juniper and TCG need to do a good job in the grander scheme of NAC, then that seems like the way things should be.
One might ask why Cisco hasn't done a wholesale rip and replace of its own Cisco Trust Agent in favour of adopting what Microsoft has designed. If the rest of the industry can get all uppity about how history has shown that Microsoft should not be in the networking or security business, Microsoft has just as much right to declare that Cisco programmers should not be allowed near Visual Studio.
To further delve into how Cisco is muddying the NAC waters, as a leader in the standards-based networking space, why is Cisco not pushing its own agenda in the TCG and helping to build an industry standard that promotes open networking? It's very un-Cisco, frankly. Cisco has often given up competitive advantage in the name of open standards, and now it has suddenly changed its tune?
Here's one theory: it all has to do with the IETF and how NAC will enter it. The non-host part of the NAC architectures will likely be subject to IETF standardization. While industry groups such as the TCG can cover the big picture in a way that the IETF doesn't, the IETF sets standards that tend to dominate the industry and push out competing approaches.
When it came time in the IETF to define a standardized Layer 2 VPN protocol (eventually known as L2TP) to replace Point-to-Point Tunnelling Protocol (PPTP), Microsoft was clearly in the lead with the most experience and a solid contender for the standard. Rather than come to the IETF table with reasons why they didn't like PPTP, Cisco wrote its own Layer 2 VPN protocol, L2F. It's long forgotten, but it gave Cisco a very strategic position in the IETF, which is where the Internet standards are all hashed out: L2F was considered as a base document with equal weight to PPTP. That move positioned things very differently and resulted in a much better protocol, because Cisco claimed L2F was a peer to PPTP -- something the IETF accepted. The IETF working group didn't have to fight about what to put in or take out of PPTP, but about how to combine the best features of the two. About the only thing that remains of L2F is the first two letters: that's where the "L2" out of "L2TP" came from.
This is a long story, but the point is that what happens in the TCG isn't as important as what happens in the IETF, particularly in the areas that Cisco operates.
If Cisco goes to the table in the TCG, it will be just one member and will have to follow the rules of the road in that community. But if it brings its own Network Admission Control scheme to the IETF as a competitive peer to the TCG's Trusted Network Connect, then it will be one player out of two, not one in 20.
The IETF also heavily favours standards that can be demonstrated by working products, which means Cisco will walk into the IETF in a position of strength. Cisco also casts a bigger shadow in the IETF -- a forum it's familiar with and active in -- than TCG, an industry group that hasn't really been part of their orbit before now.