In today’s business climate employees need to be mobile, and laptops are the device of choice to enable this mobility. Unfortunately, there are problems with all this mobility. If an employee spends more time traveling than in the office, and does not connect back to the office regularly, they will not get necessary patches for security issues in the operating system, or upgrades needed to defend against the latest viruses.
There are two groups trying to define how enterprises can protect themselves from mobile virus threats. One is made up of Cisco and its partners, relying on proprietary Cisco technology, while the other group is a multi-vendor effort backing an open standards-based approach. While both systems will help secure enterprises, there are benefits to running with a standards-based solution over treading a proprietary path.
Both Cisco’s and the TNG’s systems are based on the idea of determining the trustworthiness of the user trying to connect to the network. In both cases there are agents loaded onto the users’ laptops that communicate back to the network, and through the network back to security servers to determine if the laptop complies with corporate policy for level of anti-virus protection, OS patch levels, and any other parameters that the enterprise wishes to check before granting network access to the device. Both solutions will block the laptop from, or limit its access to, the enterprise network at the first ingress point to the network — usually a switch or wireless access point.
Cisco and its partners are advocating Cisco’s Network Admission Control (NAC) method.
The Trusted Computing Group (TCG) — a consortium of companies formed to address the integrity of devices — has created a sub group called the Trusted Network Connect Sub Group (TNC SG) specifically to address devices connecting to the network. Both methods should work, but their implementations differ.
Cisco’s NAC architecture relies on companies that have signed a NAC partnership agreement with Cisco to develop products that talk to a Cisco Security Agent, which is loaded on all the devices to be verified. This agent is an interface between the partners’ integrity monitors on the end device and the Cisco Trust Agent residing on a Cisco switch or router (Policy Enforcement Point — PEP). Cisco’s network element then passes along the integrity information to the Cisco Access Control Server (AAA relay agent), and through it to an integrity policy server from the Cisco partner (Policy Decision Point — PDP). Several companies have joined with Cisco in this architecture, notably Trend Micro, McAfee and Symantec.
On the other side is the TCG, which pre-dates Cisco’s NAC, although the TNC SG was announced around the same time as Cisco announced NAC. Using the TNC SG approach, integrity verification agents (from various vendors) on the end stations communicate with switches, routers and wireless access points (acting as a PEP) and through them to AAA servers (relay agents) and finally to integrity servers (PDP).
Architecturally both approaches are similar.
The major difference between the two methods is the openness of the approach. The Cisco approach relies almost exclusively on Cisco’s technology and protocols. NAC works with Cisco Trust Agents, which reside only on Cisco switches and routers. Cisco does not entertain opening up NAC to other network vendors, and only shares its technology with non-competing partners, who Cisco has approved. This makes NAC’s architecture inherently proprietary and closed to competition.
The TNC SG method is based on an agreement between a number of vendors that have cooperatively created standards for integrity checks. The documents for this solution are published and freely available to businesses and any anti-virus, anti-spyware, personal firewall and network vendor to use and follow. Any organization currently using 3Com, Enterasys, Extreme, Foundry or Juniper networking gear can use the TNC SG solution as long as the TNC SG guidelines are followed, even if the vendor is not part of the TCG.
On one side there is a single vendor-controlled solution, on the other a solution designed by a consortium of cooperating vendors with a published standard. Why should anyone favour one over the other if they both seem to work?
This is clearly an open standard approach versus a proprietary system. In an open standards-based approach the designs are open to criticism from various vendors, academics and end-customers. This approach has proven quite effective at coming up with robust solutions.
When a single vendor designs a solution, forcing others to take a “my way or the highway” approach, there will always be shortcomings. This has been shown again and again in open versus closed developments.
The other problem with a closed approach when considering networks is interoperability. Networks today consist of large numbers of devices from many vendors. Laptops, operating systems, applications, network devices and servers can be from any vendor. When one vendor attempts to create a system whereby only their technology will work in the system, you need to wonder what purpose that will serve. If an organization with a network that is predominantly based on Cisco switches wants to introduce Juniper routers, it should be free to do this. Some organizations spread their purchase among vendors simply to spread the risk — one vendor’s bug is not likely to be another vendor’s bug. If the network is no longer open, competing technology deployment is no longer possible. This increases the risk of failure to the network, as well as opening up organizations to the possibility of monopoly pricing.
While either the Cisco NAC or the TNC SG solutions should verify the integrity of devices entering a network, the approaches need to be considered. An open approach to networking standards that continues a long tradition of open and interoperable systems makes much more sense.
–Kanellakis worked at Enterasys Networks and its predecessor Cabletron Systems for almost 15 years. These days Kelly is enjoying spending time with his family and looking for interesting ventures to pursue.