LAS VEGAS - Trusted Computing Group's completion of the Trusted Network Connect (TNC) spec has pushed membership in the group above 130, and spurred innovation among players that group organizers only discovered after the fact.
The standard, unveiled at Interop here, defines an open access control method similar to proprietary efforts from Cisco Systems and Microsoft Corp.
According to TNC working group cochair Steve Hanna of Juniper Networks, "The founding members were dominated by semiconductor companies when the focus of the work was on the Trusted Platform Module. But the multilayer concept of TNC has done more than bring in more network equipment manufacturers and software developers than we can count. We're also seeing informal groups of companies implementing portions of TNC and coming to us later saying, 'Look what we've done.' This was the kind of innovation the TCG wanted to see."
TNC builds on work from the IEEE's 802.1X authentication group and the Internet Engineering Task Force's Extensible Authentication Protocol (EAP), but adds higher-layer functions for policy definition and policy enforcement. Network clients, called "supplicants" in 802.1X parlance, use the flash memory-based TPM to gather statistics known as integrity measurement collectors in the TNC model.
The policy enforcement point in the network, usually at a switch, firewall or virtual private network gateway, is what Hanna calls "the dumb cop in the topology; the intelligence for policy resides in a policy decision point."
"There was a deliberate advantage to making the policy enforcement point simple," Hanna said. "This way, any enforcement point that supports EAP or 802.1X automatically supports TNC, and that really influenced people to come onboard."
The network's Policy Decision Point is the server that can also participate in authentication and authorization tasks in a trusted network.
Network administrators working on security have been adamant about "securing the perimeter," but Hanna said the TNC topology deliberately allows enforcement points inside a trusted network, so that the health of clients can be monitored continuously. Software is checked on a client system during a "trusted boot" sequence, but nodes in a network should be continuously examined inside a zone of trust, Hanna said.
All of TNC's protocol implementations are lightweight, so much so that in the direct client-to-server link, the XML-based TNCCS protocol, more than half of the code consists of XML.
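The division of labor described above, with integrity measurements flowing from the client to a "dumb" enforcement point and all policy logic held by the decision point, as an added model written for this article (not TCG's or any vendor's code). The XML element names and policy rules are invented for illustration and are not the real TNCCS schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample posture report in a simplified, TNCCS-like XML envelope.
# The element names are invented for this example; they are not the real IF-TNCCS schema.
SAMPLE_REPORT = """<TNCCS-Batch>
  <IMC-Message type="antivirus"><running>true</running><signature-age-days>3</signature-age-days></IMC-Message>
  <IMC-Message type="os-patch"><level>17</level></IMC-Message>
  <IMC-Message type="firewall"><running>false</running></IMC-Message>
</TNCCS-Batch>"""

# Policy lives only at the Policy Decision Point (PDP). A missing measurement
# is treated as a failure so that a client cannot pass by reporting nothing.
POLICY = {
    "antivirus": lambda m: m.get("running") == "true" and int(m.get("signature-age-days", 999)) <= 7,
    "os-patch": lambda m: int(m.get("level", 0)) >= 15,
    "firewall": lambda m: m.get("running") == "true",
}

def parse_report(xml_text):
    """Client side: flatten each IMC message into {type: {field: value}}."""
    root = ET.fromstring(xml_text)
    return {msg.get("type"): {child.tag: child.text for child in msg}
            for msg in root.findall("IMC-Message")}

def pdp_decide(measurements, policy=POLICY):
    """PDP: evaluate every policy rule; return (decision, names of failed rules)."""
    failed = [name for name, rule in policy.items() if not rule(measurements.get(name, {}))]
    if not failed:
        return "allow", failed
    # Nearly compliant endpoints go to a remediation VLAN; the rest are refused.
    return ("isolate" if len(failed) == 1 else "deny"), failed

def pep_enforce(decision):
    """PEP: the 'dumb cop' maps a decision to a port action; no policy logic lives here."""
    return {"allow": "open port", "isolate": "remediation VLAN", "deny": "block port"}[decision]

def monitor(reports, policy=POLICY):
    """Continuous re-assessment inside the trusted zone: one decision per posture report."""
    return [pdp_decide(parse_report(r), policy)[0] for r in reports]
```

Because the PEP only maps decisions to actions, swapping the policy rules changes nothing at the switch, which is the property Hanna credits for TNC's uptake.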
The Juniper group, formerly known as Funk Software, and Funk's closest competitor, Meetinghouse Inc., have both implemented TNC protocols up to the client-server level, while the top-layer measurement protocols have been implemented by IBM, Symantec, and Wave Systems.
Cisco, while not a member of TCG, is expressing some interest in bringing together its own Network Access Control with the TNC work. Microsoft is a little more reticent, but TNC working group members are optimistic that even Microsoft will respond to the stampede for implementation.
TCG's next milestone involves secure storage, and its highest-layer and most difficult tasks cover operating systems and Web services/Service Oriented Architecture standards. While no one is underestimating the latter realms, Hanna said completion of TNC proves how the baseline support of trusted client computers allows multiple layers of secure networking standards to emerge.