13.4. Open NAC Standards

Open NAC standards include the Trusted Network Connect (TNC) from the Trusted Computing Group and the Network Endpoint Assessment (NEA) from the IETF. Many vendors already implement TNC as part of their shipping NAC solutions, and NEA's standards body is, as we write this book, still in the process of finalizing it.

13.4.1. Trusting TNC

The Trusted Computing Group (TCG) is a not-for-profit organization that was formed in 2003 to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies across multiple platforms, peripherals, and devices. The membership includes some of the world's most recognizable brand names; emerging leaders; and successful vendors and developers of components, software, systems, networks, and infrastructure. These companies and other organizations have joined forces to develop, define, promote, and approve open, accessible standards for trusted computing and security technologies.

Trusted Network Connect (TNC) is both a TCG Work Group and the eponymous TCG open standard and architecture for NAC and network security. Many of TCG's members actively participate in defining and specifying the TNC's open NAC standards and architecture.

The TNC Work Group has created an open set of standards and an architecture for device authentication and platform integrity measurement, which is a foundation for developing open-architected, standards-driven, interoperable NAC solutions. The TNC architecture and standards define several open, standard interfaces that enable components from different vendors to interoperate securely, while creating a standards-based NAC solution that leverages existing installed equipment and heterogeneous networks. It builds on existing industry standards and protocols widely supported by networking equipment vendors, such as 802.1X, RADIUS, IPSec, EAP, and TLS/SSL (which we cover in the sections "IETF Standards" and "IEEE Standards," earlier in this chapter), and defines new open standards as needed, with the objective of enabling non-proprietary, interoperable solutions to work together within multi-vendor environments.

Here's how the TNC open standards and architecture extend NAC beyond pre- and post-admission checks:

  • Its foundation of industry standards and protocols enables organizations to adopt the TNC standards and architecture while leveraging their existing infrastructure investments, without sacrificing interoperability or their freedom of choice.

  • The TNC's open specifications encompass the definition of software interfaces and protocols for communication among endpoint security components, as well as between endpoint hosts and networking elements.

  • The TNC architectural framework provides for interoperable solutions from multiple vendors and offers you greater choice when you're selecting the components best suited to meet endpoint integrity and network access control requirements.

  • The TNC architecture

    • Delivers a guideline for the interaction between various network components

    • Measures the state of a device that attempts to connect to the network

    • Communicates the device state to other network entities, such as systems, appliances, and servers

The TNC specifications and architecture let a NAC solution authenticate the user and assess the device's compliance with a minimum baseline of security policy, as set by you and your organization, and then determine how the network reacts to the access request. The TNC standard and architecture ensure that a level of trust is established before a user and device are allowed to connect to the network.
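The measure-then-decide flow described above, as an added example that is not TNC specification code: a constructed baseline policy, a posture report such as an endpoint client might send, and a server-side check that compares the two and maps the result to a network reaction. The field names and the integer patch-level format are assumptions for illustration; a missing measurement fails closed rather than being treated as compliant.

```python
from dataclasses import dataclass, field

# Constructed baseline policy: what a compliant endpoint must report
# (field names and the YYYYMMDD integer patch level are assumptions).
BASELINE = {
    "av_running": True,
    "firewall_enabled": True,
    "os_patch_level_min": 20240101,
}

# Network reaction for each assessment outcome (constructed mapping).
REACTION = {"allow": "production VLAN", "remediate": "quarantine VLAN", "deny": "no access"}


@dataclass
class PostureReport:
    """Measurements an endpoint client reports, plus the authentication outcome."""
    user_authenticated: bool
    measurements: dict = field(default_factory=dict)


def assess(report: PostureReport, baseline: dict = BASELINE) -> tuple[str, list[str]]:
    """Compare the reported state with the baseline.

    Returns (decision, failed_checks). An unauthenticated user is denied
    outright; an authenticated but non-compliant device is sent to remediation.
    A measurement that is absent from the report counts as a failed check.
    """
    if not report.user_authenticated:
        return "deny", ["user_authentication"]

    m = report.measurements
    failed = []
    for key in ("av_running", "firewall_enabled"):
        if m.get(key) != baseline[key]:  # None (not reported) also fails
            failed.append(key)
    patch = m.get("os_patch_level")
    if patch is None or patch < baseline["os_patch_level_min"]:
        failed.append("os_patch_level")

    return ("allow", []) if not failed else ("remediate", failed)


def network_reaction(report: PostureReport) -> str:
    """Map an assessment to the reaction the network would apply."""
    decision, _ = assess(report)
    return REACTION[decision]
```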

13.4.2. In the know on NEA

In October 2006, the IETF created the Network Endpoint Assessment Working Group (IETF NEA WG). The IETF NEA WG provides an open, neutral forum in which vendors can work together and arrive at standards for client-server interoperation in endpoint assessment, which is a core component of NAC solutions.

Many different components from various vendors need to come together to form NEA, so interoperability is vital. Any member organization or vendor of the IETF NEA WG can take part in the Work Group to agree on these standards and on the interoperation of products in this space.

The TNC Work Group of the TCG and Cisco are playing active roles in the IETF NEA WG, with representatives from each entity serving as co-chairs of the IETF NEA WG. The IETF NEA WG is focused on creating and driving the success of the NEA standard, and any other standard or standards that the NEA WG produces.

NOTE

Here are the differences between the TNC and the IETF NEA WG:

  • The IETF NEA WG's charter and focus is to work only on requirements and standards for client-server interoperability in endpoint assessment; specifically, ensuring client- and server-side interoperability for endpoint assessment in heterogeneous environments.

  • The TNC focuses on defining and delivering open standards and interoperability for NAC overall, including

    • Client-server protocols

    • Application programming interfaces (APIs) for client- and server-side plug-ins

    • Enforcement mechanisms
