Extending Network Access Control

Your guide to understanding NAC architectures and how to use them

Network Access Control (NAC) systems limit entry to enterprise networks based on user identity, machine health and other factors. These capabilities are a blessing for IT managers faced with tight compliance requirements and growing demands for network access for contractors, partners, and customers. But many NAC systems are closed, unable to interface with an enterprise's policy servers, authentication servers, network equipment and security systems. Fortunately, hardware and software standards developed by the Trusted Computing Group (TCG) provide standard extension points that enable this necessary multi-vendor interoperability. Based on recent industry progress in the NAC area, the timing is right to explore how these extensions work and how they may be used.

Within the past few years, Network Access Control has entered the spotlight as a technique to provide improved network security. Major vendors have introduced NAC products and customers have begun to deploy them. To ensure interoperability between NAC products and open interfaces between NAC products and other complementary systems, the Trusted Computing Group (TCG) introduced in 2005 the Trusted Network Connect (TNC) architecture and specifications. The open TNC specifications, available at www.trustedcomputinggroup.com, allow NAC products from different vendors to work with each other and with existing network equipment, authentication servers and other components. In May, TCG and Microsoft announced interoperability between Microsoft's Network Access Protection (NAP) architecture and the Trusted Network Connect (TNC) architectures. By examining these two architectures and then diving deeper into the TNC approach, the possibilities now available to ISVs (independent software vendors) and ultimately to users, will be better understood.


NAC Architectures

Two of the major NAC architectures that exist today are the TNC architecture developed by TCG's Trusted Network Connect (TNC) Work Group and the Network Access Protection (NAP) approach developed by Microsoft. There are dozens of other proprietary architectures available from different companies, but for the purpose of this article, the focus is on open standards.

Based on the latest TNC specification, TNC and NAP can now interoperate. However, they do have differences. As shown in Figure 1, the TNC architecture has an Access Requestor, Policy Enforcement Point, Policy Decision Point (PDP), and three different abstraction layers. The specific entities and interfaces (IFs) in this architecture will be discussed. later.

Microsoft's NAP policy enforcement platform, built into Windows Vista and to be included in Windows Server 2008 and Windows XP Service Pack 3, allows users to protect network assets by enforcing compliance with system health requirements. As shown in Figure 2, Microsoft's NAP architecture is a specific instance of the TNC architecture. Although the names of components differ slightly, the functions are identical and interoperability is now possible.


Using Standard Protocols

In order for a NAC system to provide comprehensive network security, any system that connects to the network should have a health check and the user should have an authentication and authorization check performed whenever they connect to the network. Client-server protocols are required to perform the checks.

The TNC architecture has a layered architecture with three client-server protocols. The lowest level is IF-T, a transport protocol that provides many options for transporting messages from the client to the server and back. For remote access, a Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) or an IPsec (Internet protocol security) VPN may be used for IF-T. For 802.1X , the widely-supported Extensible Authentication Protocol Over LAN ( EAPOL) and Remote Authentication Dial-In User Service (RADIUS) standard protocols can serve as client-server transports for both wired and wireless networks .

This content continues onto the next page...