Network Access Protection (NAP) announcement with the Trusted Computing Group (TCG)

Today, we are announcing a fairly significant development in our relationship with the Trusted Network Connect (TNC) subgroup of the Trusted Computing Group (TCG) standards body. Microsoft has been a supporter of the TCG since its inception and serves on its board. In April 2005, Microsoft announced that it would be supporting the TNC architecture for Network Access Control. And we did. The basic NAP architecture of clients, infrastructure and servers maps pretty clearly to the TNC architecture of Access Requestors, Policy Enforcement Points and Policy Decision Points respectively.

Today, we are announcing that NAP’s Statement of Health (SoH) protocol is being adopted and published as a standard TCG protocol. SoH is NAP’s primary protocol: it lets a NAP client report its health state to a NAP server. It also carries the response from the NAP server that tells the client its level of compliance with corporate policy, along with instructions for remediation when it is not compliant.

The TCG specification for the SoH protocol is called IF-TNCCS-SOH. The name may be a mouthful, but it makes sense if you break it down. TNC interface specifications are named “IF-” (for “interface”) followed by the interface they define; “TNCCS” is the TNC client-to-server interface, and “SOH” means that this is the Statement of Health binding of that interface.
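To make the exchange concrete, here is an added example that is not from the original post or from Microsoft’s or the TCG’s code: a toy model of what the SoH protocol carries. The client (the TNC Access Requestor) reports its state, the policy server (the Policy Decision Point) compares it with policy and answers with a compliance verdict plus remediation steps, and the enforcement point maps that verdict to a network. The field names, policy values, update identifiers and the "corporate"/"restricted" network labels are assumptions for illustration; this is not the IF-TNCCS-SOH wire format.

```python
# Added example: a toy model of the Statement of Health (SoH) exchange.
# Not the IF-TNCCS-SOH wire format; all field names and values are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class StatementOfHealth:
    """What the Access Requestor (NAP client) reports about itself."""
    client_id: str
    firewall_enabled: bool
    antivirus_enabled: bool
    av_signature_age_days: int
    installed_updates: Tuple[str, ...] = ()


@dataclass
class HealthPolicy:
    """Corporate health policy held by the Policy Decision Point (NPS / TNC server)."""
    require_firewall: bool = True
    require_antivirus: bool = True
    max_signature_age_days: int = 7
    required_updates: Tuple[str, ...] = ()


@dataclass
class StatementOfHealthResponse:
    """What the server sends back: the compliance verdict plus remediation steps."""
    client_id: str
    compliant: bool
    failures: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


def evaluate_soh(soh: StatementOfHealth, policy: HealthPolicy) -> StatementOfHealthResponse:
    """Policy Decision Point: compare the reported state against policy.

    Note that everything in `soh` is self-reported by the client agent; a
    compromised client can claim anything here. Tying the report to a TPM
    (mentioned later in the post as ongoing work) is what would close that gap.
    """
    resp = StatementOfHealthResponse(client_id=soh.client_id, compliant=True)
    if policy.require_firewall and not soh.firewall_enabled:
        resp.failures.append("firewall disabled")
        resp.remediation.append("enable the host firewall")
    if policy.require_antivirus and not soh.antivirus_enabled:
        resp.failures.append("antivirus disabled")
        resp.remediation.append("enable antivirus")
    elif soh.antivirus_enabled and soh.av_signature_age_days > policy.max_signature_age_days:
        resp.failures.append(f"antivirus signatures {soh.av_signature_age_days} days old")
        resp.remediation.append("update antivirus signatures")
    missing = [u for u in policy.required_updates if u not in soh.installed_updates]
    if missing:
        resp.failures.append("missing updates: " + ", ".join(missing))
        resp.remediation.append("install " + ", ".join(missing))
    resp.compliant = not resp.failures
    return resp


def enforce(resp: StatementOfHealthResponse) -> str:
    """Policy Enforcement Point (e.g. an 802.1X switch): map the verdict to a network.

    A non-compliant client lands on a restricted network from which it can only
    reach remediation resources; the network names are assumptions.
    """
    return "corporate" if resp.compliant else "restricted"


if __name__ == "__main__":
    # Constructed sample input: one healthy client, one that fails three checks.
    policy = HealthPolicy(required_updates=("update-1",))  # assumed update identifier
    healthy = StatementOfHealth("laptop-a", True, True, 1, ("update-1",))
    stale = StatementOfHealth("laptop-b", False, True, 30, ())
    for soh in (healthy, stale):
        resp = evaluate_soh(soh, policy)
        print(soh.client_id, "->", enforce(resp), resp.failures, resp.remediation)
```

The response is the interesting half of the exchange: a server that only answered “yes/no” would leave the client no way to fix itself, whereas carrying the remediation list lets the agent act on it before retrying.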

What this announcement means is that Network Access Control is getting a whole lot simpler. Client and server vendors can now implement the IF-TNCCS-SOH standard and interoperate with any other TNC or NAP client or server that implements it.

Vista supports IF-TNCCS-SOH today, and Windows Server 2008 and Windows XP SP3 will support it when they are released. This means that any third-party client that implements IF-TNCCS-SOH will be able to participate in a NAP deployment controlled by the Windows Server 2008 Network Policy Server (NPS). In fact, at Interop we are partnering with Avenda Systems to demonstrate a Linux NAP client working with a Windows Server 2008 NPS server over the IF-TNCCS-SOH protocol.

Likewise, Vista and XP SP3 will be able to interoperate with any TNC server that supports IF-TNCCS-SOH. We are working with Juniper Networks to demonstrate this kind of interoperability at Interop this week as well: we will show a Vista client authenticating to a Juniper Infranet Controller using IF-TNCCS-SOH and then being granted access accordingly. Commercial availability of TNC clients and servers supporting IF-TNCCS-SOH is expected in the first half of 2008.

Customers have told us that they want standards in the NAC space because they don’t want to buy one solution today that doesn’t work with other solutions tomorrow. They want interoperability as a form of insurance against depreciation of their investments in NAC infrastructure. With this announcement, TCG and Microsoft have taken a significant step towards providing that investment protection. Customers can buy clients and servers based on IF-TNCCS-SOH and know that they will interoperate over time.

One nice property of IF-TNCCS-SOH is that it is agnostic to the infrastructure that provides network connectivity: an 802.1X switch or access point only relays the authentication exchange between the client and the server, so it does not need to understand the health protocol carried inside it. We have yet to find an 802.1X switch or access point that doesn’t already ‘just work’ with IF-TNCCS-SOH. At Interop, we will demonstrate NAP working over IF-TNCCS-SOH with switches from over 10 vendors, including Aruba, Extreme, Foundry, Nortel, HP ProCurve, Cisco, Meru, Alaxala, D-Link and Enterasys. This is great news for customers because it means that they won’t need to upgrade their 802.1X-capable infrastructure to support IF-TNCCS-SOH. They will only have to upgrade their servers to Windows Server 2008 or a compatible TNC server. They can use the built-in NAP agent and 802.1X supplicant in XP SP3 and Vista and avoid client upgrades and deployments as well. This greatly reduces the cost and complexity of a Network Access Control deployment.

We think this announcement is a really good thing and we have already heard some positive feedback around it. It doesn’t, however, represent the end of our standards work. We will continue to participate in the TNC to help develop new standards, particularly in the areas of integrating the Trusted Platform Module (TPM) into solutions like NAP. (Another Interop demo will be the TPM integrated with NAP that we are showing with one of our partners, Wave Systems). We will also continue to participate in the IETF’s Network Endpoint Assessment (NEA) working group to promote interoperability there.

Some people have asked us what this announcement means in terms of our relationship with Cisco. Last September, we announced that NAP and Cisco’s NAC would interoperate. I’m happy to report that this interoperability is progressing well. It is in production at our joint beta customers, and support for it is included in Beta 3 of Windows Server 2008, which is already released. Our relationship with Cisco remains strong, and we look forward to continuing to work with them at the IETF NEA and in our products in general.

Well, that about sums up our announcement. We are super excited. You can find more technical information about IF-TNCCS-SOH in the whitepaper we authored with TCG, which is published on the TCG website as well as at Microsoft.com/nap.

We’d love to get your feedback on this announcement and hear your opinions about standards and interoperability in NAC in general.


Paul Mayfield

Group Program Manager

Network Access Protection