Where the TNC fits into network security

Posted by Ken Y-N on June 9th, 2008 at 08:47am

SearchNetworking magazine recently published a long, detailed look at new ways to secure networks, including a short look at the proposals of the Trusted Computing Group’s (TCG) Trusted Network Connect (TNC) workgroup. Although there is little specifically relating to the TCG in the article, it’s a good backgrounder nonetheless.

First, the article highlights that security needs are changing: before, it was about establishing a perimeter between the outside world and trusted insiders, but now it is about individual access to services, and auditing that access to ensure compliance.

One approach suggested is unified threat management, where systems are placed at internal trust boundaries (such as per department) to distribute workload and to apply policies with a finer degree of granularity.

After a discussion of VPNs and endpoint security, the article gets to Network Access Control (NAC). This allows access policy decisions to be made when the device connects (and at other times too), varying according to the type of device, the identity of the user, and the software present on the device, or indeed not present, such as a missing virus checker. Here is where the TCG comes in, as they have proposed a protocol for NAC using the TNC. However, the use of NAC does not seem to be a universally accepted practice, as the article highlights:

Many analysts believe that NAC will become an accepted best practice. Others find NAC architectures overly complex and believe that NAC appliances suffice. Still others argue that endpoint software, rather than the network, should enforce access decisions.

The article finishes off by talking about network security monitoring, but it does not find space to mention the TCG’s Interface for Metadata Access Point (IF-MAP) protocol.

Read the full article on SearchNetworking here.
