
12 November 2008

NAC - TNC

I wrote a post here about Network Access/Admission Control as a way to make sure that only authorized and healthy machines will have access to your network.
It's a solution that can check the various hosts before giving them access to the network, and it can also control the switches and access points and create dynamic rules on your firewalls and IPSs, in order to granularly control the access each host is given to the various resources in the network based on its identity and security posture.
As you can see, to have a successful NAC solution, we need to make sure of the following:

1- You need your NAC device (Policy Decision Point) to be able to communicate with the different devices in your network (switches, access points, firewalls, IPSs, etc.), in order to push to them the policies needed to control who has access to which resources.
2- You can never guarantee that all the devices installed in your network are from the same vendor.

So, the best solution to solve this is to have a standard NAC solution to facilitate the communication between your PDP and PEPs (Policy Enforcement Points).
And as far as I know, the Trusted Computing Group's "Trusted Network Connect" (TNC) is the only standard available out there.

As for the switches and access points, TNC decided to make use of the existing 802.1X standard, and added some extensions to it in order to transfer the machine's health along with the authentication parameters.

But when it comes to security devices such as firewalls and IPSs, unfortunately there was no existing standard to depend on. That's why they decided to introduce a new standard called "IF-MAP" a few months ago.
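The PDP/PEP split described above, as an added example that is not part of the original post and not any vendor's or TNC's code: a toy Policy Decision Point that combines identity (from 802.1X authentication) with the host's posture and renders one instruction per enforcement point. The posture checks, role names, VLAN names and command formats are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed posture requirements; real TNC posture attributes carry far more detail.
REQUIRED_POSTURE = {"av_running": True, "av_signatures_fresh": True, "os_patched": True}

# Constructed role table: role -> (switch VLAN, firewall destinations, IPS profile)
ROLE_POLICY = {
    "employee":   ("corp",    ["internal:any", "internet:any"], "standard"),
    "contractor": ("partner", ["projects:tcp/443", "internet:any"], "strict"),
}
GUEST_POLICY = ("guest", ["internet:tcp/80", "internet:tcp/443"], "strict")

@dataclass
class Endpoint:
    user: str
    role: str      # identity learned at 802.1X authentication (constructed role names)
    mac: str
    posture: dict  # health attributes reported by the host

@dataclass
class Decision:
    vlan: str
    firewall_rules: list = field(default_factory=list)
    ips_profile: str = "standard"
    reasons: list = field(default_factory=list)  # failed posture checks, if any

def evaluate(ep: Endpoint) -> Decision:
    """PDP logic: a posture failure overrides identity; otherwise identity picks the profile."""
    failures = sorted(k for k, want in REQUIRED_POSTURE.items() if ep.posture.get(k) is not want)
    if failures:
        # Unhealthy host: quarantine VLAN plus a firewall rule that only reaches remediation.
        return Decision("quarantine", [f"allow {ep.mac} -> remediation:tcp/80"], "strict", failures)
    vlan, dests, ips = ROLE_POLICY.get(ep.role, GUEST_POLICY)
    return Decision(vlan, [f"allow {ep.mac} -> {d}" for d in dests], ips)

def pep_commands(ep: Endpoint, d: Decision) -> list:
    """Render one instruction per PEP: switch/AP, firewall and IPS (constructed formats)."""
    cmds = [f"switch: set port-vlan mac={ep.mac} vlan={d.vlan}"]
    cmds += [f"firewall: {rule}" for rule in d.firewall_rules]
    cmds.append(f"ips: profile mac={ep.mac} name={d.ips_profile}")
    return cmds

if __name__ == "__main__":
    laptop = Endpoint("alice", "employee", "00:11:22:33:44:55",
                      {"av_running": True, "av_signatures_fresh": False, "os_patched": True})
    for line in pep_commands(laptop, evaluate(laptop)):
        print(line)
```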
