Beating The NAC Standards Bush

Halfway through <a href="http://www.interop.com/newyork/education/nac.php">NAC Day at Interop</a>, I moderated a panel populated by representatives from the sponsors. What became clear during and after the panel is that attendees are very concerned about standardizing NAC. Who wants to buy a proprietary product that won't play well with others?

Mike Fratto, Former Network Computing Editor

September 16, 2008


Populating the panel were Prem Ananthakrishnan, technical marketing engineer at Cisco; Rich Langston, senior manager of product management at Symantec; and Joel Maxwell, global technical support specialist at Sophos. The question of standards support was raised. In addition to Cisco's Network Access Control partner program and Microsoft's Network Access Protection partner program, the Trusted Computing Group's Trusted Network Connect is the only vendor-neutral standards group that really has any legs.

It's no secret that the IETF Network Endpoint Assessment working group was formed to include Cisco in the NAC standards process. The only documents submitted to the NEA working group are all authored by the TNC. The IETF working group certainly won't rubber-stamp the TCG work, but I expect changes to be minor, and Steve Hanna, co-chair of the NEA and TNC working groups, promises to normalize the standards documents from the two bodies.

In our last three NAC surveys (the 2008 NAC Survey is available [registration required]), the message from respondents is that they want any standard to come to the fore. Standards make purchasing decisions easier since you're not tied to any one proprietary solution. Rip and replace is easier and integration is possible.

Langston, as the de facto appointed TNC representative, and Ananthakrishnan, for Cisco, were cornered after the panel by a few attendees who were expressing their frustration with the number of standards and the confusion and uncertainty that multiple standards create. Langston's point with the TCG is that it was started because a smaller, close-knit group can work faster and more effectively than a larger group like IETF working groups, which, while open, can take years to reach consensus. Ananthakrishnan's point about why Cisco doesn't participate in groups like the TCG is that established standards bodies like the IETF and IEEE, while slow-moving, generally create more stable and long-lived standards, which in turn are better for the IT industry.

Both arguments have merit, but the result is that the lack of a clear set of standards inhibits adoption of new technologies. There is plenty of room to innovate within a standard set of specifications. My vote, for what it is worth, is with the TNC working group. That group has published specifications that are available today to implement, provides a single point of standards which all vendors can adopt, and has the backing of many vendors in a diverse set of security technology markets (at least in name). Also, there should be no fear that the standards will unfairly promote one vendor implementation over another.

Vendors always tell me that they will implement a feature when their customers demand it. Are you listening?

9/17: Edited. I mistakenly said Rich Langston said the TCG was closed. I meant close-knit. My apologies.


About the Author(s)

Mike Fratto

Former Network Computing Editor

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics and executive editor for Secure Enterprise. He has spoken at several conferences including Interop, MISTI, the Internet Security Conference, as well as to local groups. He served as the chair for Interop's datacenter and storage tracks. He also teaches a network security graduate course at Syracuse University. Prior to Network Computing, Mike was an independent consultant.
