As you can see, your NAC is, at a certain point in time, aware of your credentials, the version of the antivirus installed on your PC, the patching level of your OS, etc. Now we need such data to be available to the other devices in the network, so that they can deal with you not only based on your IP address but also based on your username and machine health. We need some database, the MAP or Metadata Access Point, where all of the previous information is available for our firewalls, IPSs, DHCP servers and any other network element to base their policies on. Any IPS that supports such a protocol will be able to deal with endpoints and apply dynamic policies to them based on various parameters, not just their IP address.
"Trusted network connect - part of the Trusted Computing Group - published its Interface for Metadata Access Point protocol on April 28 to provide a common framework for sharing event metadata. This means there's finally a way for security and network devices from a variety of vendors to communicate, and thus make better assessments on whether to grant or deny access to everything from PCs to switches", InformationWeek
So now, even if someone changes his IP address, the firewall will not be fooled by the new address: it will still deal with him based on his role in the organization, regardless of his address. Likewise, the IPS will be able to treat different users differently based on their machine health, role in the organization, etc.
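To make the MAP idea concrete, here is a simplified in-memory model of a MAP, added as an example here and not code from this post or from the TCG. It mirrors IF-MAP's data model (identifiers joined by links that carry metadata such as access-request-ip, role and device-attribute) but not its SOAP/XML wire protocol; the identifier values, the "finance" role and the firewall policy are constructed for the demonstration.

```python
# Simplified in-memory model of an IF-MAP Metadata Access Point (MAP).
# Identifiers are (type, value) tuples; links between them carry metadata.
# Constructed example: real IF-MAP is a SOAP/XML publish/search/subscribe
# protocol, which is not modelled here.
from collections import defaultdict

class MapServer:
    def __init__(self):
        # frozenset({id_a, id_b}) -> {metadata_name: value}
        self.links = defaultdict(dict)

    def publish(self, id_a, id_b, name, value=None):
        self.links[frozenset((id_a, id_b))][name] = value

    def delete(self, id_a, id_b, name):
        self.links[frozenset((id_a, id_b))].pop(name, None)

    def search(self, start, meta_name):
        """Return (neighbour, value) for every link from start carrying meta_name."""
        found = []
        for link, meta in self.links.items():
            if start in link and meta_name in meta:
                (other,) = link - {start}
                found.append((other, meta[meta_name]))
        return found

def firewall_decision(mapd, ip):
    """Policy keyed on the user's role and device health, not the address alone."""
    for ar, _ in mapd.search(("ip-address", ip), "access-request-ip"):
        roles = [v for _, v in mapd.search(ar, "role")]
        health_issues = [v for _, v in mapd.search(ar, "device-attribute")]
        if health_issues:
            return "quarantine"          # NAC reported an unhealthy endpoint
        return "allow-finance" if "finance" in roles else "allow-guest"
    return "deny"                        # no NAC session behind this address

def demo():
    mapd = MapServer()
    ar, user, pc = ("access-request", "ar1"), ("identity", "alice"), ("device", "pc-42")
    mapd.publish(("ip-address", "10.0.0.5"), ar, "access-request-ip")   # NAC publishes
    mapd.publish(ar, user, "authenticated-as")
    mapd.publish(ar, user, "role", "finance")
    mapd.publish(ar, pc, "access-request-device")
    d1 = firewall_decision(mapd, "10.0.0.5")
    # The host moves to a new address: NAC re-links the same access-request.
    mapd.delete(("ip-address", "10.0.0.5"), ar, "access-request-ip")
    mapd.publish(("ip-address", "10.0.0.99"), ar, "access-request-ip")
    d2 = firewall_decision(mapd, "10.0.0.99")   # same role follows the user
    d3 = firewall_decision(mapd, "10.0.0.5")    # stale address no longer trusted
    # Endpoint health check later flags out-of-date antivirus signatures.
    mapd.publish(ar, pc, "device-attribute", "av-signature-out-of-date")
    d4 = firewall_decision(mapd, "10.0.0.99")
    return d1, d2, d3, d4
```

Running `demo()` shows the decision following the user across the address change and switching to quarantine once the device's health metadata changes.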
Related Links:
InteropLabs, Making NAC Security-Aware with IF-MAP.
Got the NAC Blog, IF-MAP: Integrating All Network Security.
Got the NAC Blog, The Adoption Curve for IF-MAP.
StillSecure, After All These Years, Is IF-MAP the spark that will ignite the TCG/TNC and the security industry?
Rational Survivability, I Can Haz TCG IF-MAP Support In Your Security Product, Please.
Tags: IF-MAP, TNC, NAC, Security, Gr33n Data