NAC Standard Emerges as IETF NEA

By Sean Michael Kerner

(Back to article)

LAS VEGAS -- For several years, NAC (Network Access Control) was one of the most hyped terms in network computing, but the key issues were always about multi-vendor interoperability and standards.

But that's set to change with the completion of a new IETF standard for NAC, dubbed Network Endpoint Assessment (NEA).

At the Interop conference this week, the open source alliance OpenSEA demonstrated the first implementation of the NEA standards was demonstrated in the Trusted Computing Group's (TCG) booth. The TCG is the organization behind the Trusted Network Connect (TNC) NAC standards that have won the support of a myriad of vendors including HP, Juniper and Microsoft.

"The NEA standards are based in part on the TNC standards, and when the IETF approved the standards, we published the same day updated TNC standards that corresponded to the NEA standards," Steve Hanna, co-chairman of the TCG TNC workgroup, told InternetNews.com. "So there is no discrepancy or incompatibility between the TNC standards and the IETF standards. That was always our goal -- to achieve a single consistent set of standards in this area."

Work on NEA has been ongoing since at least 2008, and the project was designed as a way to create an IETF standard that could be embraced by both TNC users as well as Cisco NAC users.

With the NEA compliant NAC technology available from OpenSEA, Hanna said he expects commercial vendors will eventually follow suit as well.

"Ultimately what customers are looking for is universal compatibility. That's the point of standards," he said.

As to merging both Cisco's efforts with those of TCG, Hanna noted that the two technologies weren't so different to begin with, at least from an architectural level.

"If you look at the bits on the wire there are some differences there, but we're really all trying to do accomplish the same thing," Hanna said. "That is the ability to authenticate users, health-check their devices and then provision an appropriate level of network access based on the policy that the organization has established."

Hanna added that the key to achieving multi-vendor standards is to not begin with pre-conceived notions, but to remain open to good ideas from any source. As an example, he noted that when the first TNC standards were created they didn't include the ability for a server to initiate a health check. But by adding that ability into the system, the network can now recheck endpoints on a periodic basis as new threats and updates emerge. NEA now facilitates both pre- and post-admission endpoint assessment.

"That's really important as there are a lot of devices that connect to the network and stay connected for months or years," Hanna said. "So if you only check them at the point when they connect to the network, a lot can change. So you need to have the ability to assess an endpoint periodically or continuously."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.