1.1. Who Is the Trusted Computing Group?

Inevitably, if you are researching NAC/NAP, you will come across information about the Trusted Computing Group (TCG).

The TCG describes itself as follows:

The Trusted Computing Group (TCG) is a not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. TCG specifications will enable more secure computing environments without compromising functional integrity, privacy, or individual rights. The primary goal is to help users protect their information assets (data, passwords, keys, and so on) from compromise due to external software attack and physical theft. TCG has adopted the specifications of TCPA [Trusted Computing Platform Alliance] and will both enhance these specifications and extend the specifications across multiple platforms such as servers, PDAs, and digital phones. In addition, TCG will create TCG software interface specifications to enable broad industry adoption.

So, what does this mean? Well, it means they essentially try to create standards that different companies and technologies would use to allow for interoperability between products.

Why is this important? Think of it from a Wi-Fi perspective. If every Wi-Fi vendor used its own, non-standards-based technology, there would be big problems. Users with Dell Wi-Fi cards wouldn't be able to connect to Cisco Wireless Access Points (WAPs). Users with Cisco Aircards wouldn't be able to connect to D-Link WAPs. Fortunately, there are Wi-Fi standards (802.11a, 802.11b, 802.11g, and so on) that are not limited to specific vendors. Thus, consumers and enterprises have a choice, and can mix and match vendor technologies based upon their needs and desires. Also, having a standard that everyone uses simply makes the standard better and more robust.

The specific standard that TCG has created for NAC/NAP is called "Trusted Network Connect" (TNC). Per TCG, TNC is described as follows:

... An open, nonproprietary standard that enables application and enforcement of security requirements for endpoints connecting to the corporate network. The TNC architecture helps IT organizations enforce corporate configuration requirements and to prevent and detect malware outbreaks, as well as the resulting security breaches and downtime in multi-vendor networks. TNC includes collecting endpoint configuration data, comparing this data against policies set by the network owner, and providing an appropriate level of network access based on the detected level of policy compliance (along with instructions on how to fix compliance failures).

Clearly, the goal of TNC is to allow the various NAC/NAP solutions to interoperate and play nicely together. This is an admirable goal that has merit and would ultimately be of benefit to enterprises. The problem, of course, is getting everyone to agree to participate. Even if a vendor does participate, it may not necessarily want to adhere to everything the standard dictates, and it may only want to have a small portion of its solution adhere to this standard. This is where the posturing and bickering enters into the equation.
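The assessment loop the TNC description spells out (collect endpoint configuration data, compare it against the network owner's policy, grant an access level that matches the compliance result, and hand back remediation instructions) is modelled in the following added example. It is not code from the book, from TCG, or from any TNC implementation; the policy rules, posture attributes, access levels and thresholds are all constructed assumptions.

```python
# Added example (not from the book or from TCG): a minimal model of the TNC
# assessment flow: collect endpoint posture, compare it against the network
# owner's policy, and return an access level plus remediation instructions
# for every failed check. All rule names, values and thresholds are assumptions.
from dataclasses import dataclass, field

# Policy set by the network owner (constructed sample). Each rule names the
# posture attribute it checks, a predicate, and the remediation text to return.
POLICY = [
    ("antivirus_running", lambda v: v is True,
     "Start the endpoint antivirus service"),
    ("av_signature_age_days", lambda v: v is not None and v <= 7,
     "Update antivirus signatures (must be 7 days old or newer)"),
    ("host_firewall_enabled", lambda v: v is True,
     "Enable the host firewall"),
    ("missing_critical_patches", lambda v: v == 0,
     "Install all missing critical patches"),
]

@dataclass
class Decision:
    access: str                       # "full", "remediation", or "deny"
    failed: list = field(default_factory=list)
    remediation: list = field(default_factory=list)

def assess(posture: dict, policy=POLICY, max_failures_for_remediation: int = 2) -> Decision:
    """Compare a collected posture report against policy and choose an access level.

    Every failed rule yields a remediation instruction. A fully compliant
    endpoint gets full access; a few failures put it on the remediation
    network; a missing report or many failures deny access.
    """
    if not posture:
        return Decision("deny", ["no posture report"], ["Install and run the TNC/NAP agent"])
    decision = Decision("full")
    for attr, check, fix in policy:
        if not check(posture.get(attr)):   # missing attributes fail closed
            decision.failed.append(attr)
            decision.remediation.append(fix)
    if decision.failed:
        decision.access = "remediation" if len(decision.failed) <= max_failures_for_remediation else "deny"
    return decision

if __name__ == "__main__":
    # Constructed sample posture report, as an endpoint agent might collect it
    report = {"antivirus_running": True, "av_signature_age_days": 12,
              "host_firewall_enabled": True, "missing_critical_patches": 0}
    d = assess(report)
    print(d.access, d.failed, d.remediation)
```

Note that an attribute absent from the report fails its rule rather than passing it, so an agent that omits a check cannot talk its way onto the network.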

A quick example has to do with Cisco NAC. Cisco NAC doesn't conform to the TNC standards. Certainly, Cisco is a huge company with some of the best talent in the industry, not to mention a very impressive customer base. Plus, if you're Cisco and your goal is to sell hardware, why on Earth would you want to give customers the option of using non-Cisco hardware? That isn't necessarily bad business sense, and, depending upon whom you talk to, Cisco may not even be unreasonable about it. It has its interests to protect.

It's kind of funny to see TCG's response to the question of, "How does TNC compare to Cisco Network Admission Control?" Clearly, there is a little bit of animosity present. Their response to this question, per the document titled "Trusted Network Connect Frequently Asked Questions May 2007" (available at https://www.trustedcomputinggroup.org/groups/network/TNC_FAQ_updated_may_18_2007.pdf) is:

The TNC Architecture is differentiated from Cisco Network Admission Control (C-NAC) by the following key attributes and benefits:

  • Supports multivendor interoperability

  • Leverages existing standards

  • Empowers enterprises with choice

Also, the TNC architecture provides organizations with a clear future path.... TCG welcomes participation and membership by any companies in the TNC effort and believes interoperable approaches to network access control are in the best interests of customers and users.

If you're looking to be empowered with a choice and want a clear future path with your NAC solution, then it appears as though TNC doesn't think Cisco NAC is an option for you. The real point of showing this information is to realize that NAC/NAP hasn't yet really been standardized. TNC is right that interoperable approaches to NAC are in the best interest of customers and users; that is quite obvious. When will this actually take place, with all major players using the same standards? No one knows, but I personally am not counting on it any time soon. Let me put it this way: I wouldn't wait to implement a NAC/NAP solution until it happens. Companies should be smart in ensuring that their existing technologies will be supported and that they understand the key areas of integration with any NAC/NAP solution they are considering.

Now, you're probably wondering where Microsoft stands with TNC. On May 21, 2007, Microsoft and TCG announced interoperability at the Interop event in Las Vegas, Nevada. This was a significant step for both parties and for enterprises. Basically, it means that devices running Microsoft's NAP agent can be used with both NAP and TNC infrastructures. In fact, this TNC-compliant NAP agent will be included as part of Microsoft's operating system in the following versions:

  • Windows Vista

  • Windows Server 2008

  • Future versions of Windows XP

Later in this chapter, you will learn about the various technical components that make up NAC/NAP solutions. In doing so, this interoperability will be put into perspective.

As of this writing, the list of companies that currently have interoperability with the TNC standard, or have announced their intent to do so, is:

  • Microsoft

  • Juniper Networks

  • Sygate

  • Symantec
