I just got back from the Interop conference in New York where we participated in the InteropLabs and the Network Access Control Experts Panel. The show was a lot of fun. We were able to demonstrate NAP interoperability with several vendors including Cisco, HP, Enterasys, Nortel, Extreme, Aruba, Lockdown and Trend. The panel session included representatives from across the industry. A lot of questions were fielded around the business value proposition for network access control, the plans for interoperability across the vendors, and standards.
The topic of standards has come up enough in discussions with customers that it’s probably worth dedicating a blog post.
Currently, there are two major standards initiatives around network access control. The IETF is considering the formation of a new Network Endpoint Assessment Working Group to discuss standards around network access control. The TCG also has a subgroup, the Trusted Network Connect, that has been actively working on network access control-related standards. Microsoft is a member of the TCG and is participating in the IETF NEA discussion.
Customers often ask us what our position is relative to these standards efforts.
The short answer is that we are committed to standards processes and are evaluating the standards as they are being produced.
There is a long answer too.
Often when customers request support for a standard it is so that they can ensure that they can purchase products from their preferred vendors and know that these products will interoperate with other vendors’ products over time. In this sense, standards are viewed as a sort of insurance that protects the value of the investment in a given vendor’s solution.
For a standard to deliver this kind of value, it has to be known to work in production. It also has to have wide industry adoption. Many standards have been produced over the years that failed to meet these criteria and have thus failed to deliver value to the customer.
We feel that network access control standards will be most successful when the major players in the industry come together and create interoperable products that they know work in real production. Once this is achieved, there is a strong foundation upon which to build the kind of standard that will deliver the value customers are seeking.
In other words, we are committed to interoperability in addition to standards. We believe that interoperability is critical to creating a standard that will deliver the value customers want.
Hence, we view our joint NAP-NAC interoperability architecture as an important step in the standards process. We are continuing to have discussions with vendors across the industry about interoperability. So far, we are encouraged by the good will that exists to work together. We are optimistic that the industry will ultimately deliver on customers’ desires to purchase products from their preferred vendors and have them work together to provide controls over network access. We believe NAP will be an important component and driver to help make this happen.
All of this said, there are a few other standards and interoperability-related items worth mentioning about NAP.
1. NAP already supports many standards including 802.1X, EAP, IKE, ESP, AH, RADIUS, TLS and X.509. The pieces of a NAP solution that are being discussed in the standards bodies are largely focused on EAP method support for carrying endpoint compliance information.
2. NAP already works with existing network infrastructure. Our NAP partner list is quite comprehensive with respect to the infrastructure that works with NAP.
3. NAP is getting wide adoption by endpoint security vendors. This combined with the network infrastructure supported probably makes NAP the most interoperable solution on the market when it ships.
We’re eager to hear your feedback regarding NAP interoperability and standards. Please feel free to post us your opinions in the comments section.
Group Program Manager
This is great news! I think one thing that we need to make clear is that NAP is much more than "Network" access control. NAP isn't being deployed to protect the "Network", it's being deployed to control access to servers and services on the network, and hence Network Access Protection is the more accurate term, and highlights the actual goal of NAP in contrast to NAC. For "Access Control" customers can use perimeter firewalls, for "Access Protection" we need NAP! Might seem like a subtle difference, but an important one to bring into the minds of customers weighing the options. Thanks! --Tom
I don't think so Jim... What had me totally laughing even more was this article on it. Parts of the article