Whitepaper Archives
Welcome to the Whitepaper Archives of the Interop Conference. You may reproduce and distribute these files unchanged.
2008 Whitepapers | 2007 Whitepapers | 2006 Whitepapers
2008 Whitepapers
Network Admission Control: Help Customer Improve Security
Information security is difficult to define and manage. Technology advancements and new trends in business activities have created a fast-moving, amorphous security environment.
Meeting Today’s Security Challenges with End-to-End Network Access Control
In today’s business environment, enterprises need to establish and enforce dynamic, continuous pre- and post-admission network access controls to ensure that users operate within corporate policies. These controls must operate from the LAN edge to the data center and apply to all classes of users and devices.
Introduction to Network Access Protection
One of the most time-consuming challenges that network administrators face is ensuring that computers that connect to private networks are up to date and meet health policy requirements. This complex task is commonly referred to as maintaining computer health. Enforcing requirements is even more difficult when the computers, such as home computers or traveling laptops, are not under the administrator’s control. Yet failure to keep computers that connect to the network up to date is one of the most common ways to jeopardize the integrity of a network.
NAC: Managing Unauthorized Computers
Having an enterprise-level strategy for security compliance and access control is essential to protecting the organization from possible threats. The core infrastructure and network-based resources must be protected using multiple safeguards at multiple access points throughout the enterprise. Well-integrated, multilayered security systems are the best methods for controlling threats to those resources.
Controlling Network Access and Endpoints
As more enterprise computing users become mobile, it becomes more likely that one of these laptops will be infected while off your enterprise network. And while many corporate IT departments attempt to secure their laptops with anti-virus and personal firewall software, these defenses aren’t enough to keep up with the malicious software attacks that course through the Internet on an hourly basis.
2007 Whitepapers
What is NAC?
Generic network access control at its core is a simple concept: Who you are should govern what you're allowed to do on the network. NAC, then, is simply the hardware and software that together let you enforce access control policies based on who you are.
What is 802.1X?
Understanding what IEEE 802.1X is, its relationship to NAC, and why you should care about it means understanding three separate concepts: EAP (Extensible Authentication Protocol), IEEE 802.1X itself, and Tunneled Authentication.
Getting Started with Network Access Control
If you'd like to implement Network Access Control, no matter what architecture you select, you definitely want to start by building a small interoperability lab. In this white paper, we'll give you some advice on what to think about before you get started, and outline what resources you'll need to have in place in order to begin testing.
What is TCG's Trusted Network Connect?
The Trusted Computing Group (TCG) is an industry standards body formed to develop, define, and promote open standards for trusted computing and security technologies. TCG has developed an open architecture and standards for Network Access Control called Trusted Network Connect (TNC).
What is Microsoft's Network Access Protection?
The most significant differences between Microsoft's Network Access Protection architecture and other NAC architectures you see in the iLabs come because Microsoft does not make switches or routers. Therefore, the path for handling enforcement is different, focusing on server enforcement and standards-based switch enforcement. The original intent of MS-NAP was not security, but to find and quarantine non-compliant clients in the enterprise LAN. As the interest in NAC has increased, Microsoft has adjusted their architecture to include more enforcement mechanisms, and it's the 802.1X portion of MS-NAP that we tested for interoperability in the iLabs.
What is Cisco NAC?
Cisco's Network Admission Control, which we'll call CNAC to avoid overloading the acronym NAC (for Network Access Control), maps directly to the IETF and TCG TNC architectures. Cisco has published a set of architectural overviews, supported product tables, and deployment guides. This white paper is derived from some of those overviews as well as the results of our iLabs testing. You may find it helpful to have our companion white paper, Network Access Control Architecture Alphabet Soup, in hand showing the diagram with different parts of a NAC architecture.
What is IETF Network Endpoint Assessment?
The Internet Engineering Task Force (IETF) is the ultimate arbiter for Internet protocols. They have standardized dozens of critical protocols like IP, TCP, FTP, HTTP, SMTP, and IPsec. With its many competing and incompatible architectures and standards, Network Access Control is ripe for standardization. Fortunately, the IETF has started a Working Group in this area: the Network Endpoint Assessment (NEA) Working Group.
Switch Features for NAC
As an IEEE standard, 802.1X is a critical building block in each of the three major NAC architectures. Before deploying one of the NAC architectures, the first step is to roll out 802.1X. This whitepaper will cover the switch and access point features that support an 802.1X environment.
How to Handle NAC Exceptions
The IEEE 802.1X standard gets all of the attention when NAC is discussed because it works well, and consistently, across many networking vendors' hardware. NAC deployments often depend on 802.1X both for authentication of the end-user and as a mechanism to tunnel end-point posture assessment information. IEEE 802.1X is a key strategy for interoperable and standards-based NAC deployments.
Most network engineers understand that some devices can't be full NAC clients with 802.1X support, but what is surprising is that dealing with these "NAC Exception" devices will consume a disproportionate amount of time. The 20% of devices that can't run 802.1X may end up burning 80% of your design and deployment time.
Develop a "NAC" for Troubleshooting
The use of a network analyzer can be invaluable to assist you in troubleshooting and optimizing your Network Access Control (NAC) process. In the testing and implementation phases of NAC, a network analyzer offers visibility into the network and offers valuable assistance in troubleshooting potential configuration and compatibility problems.
Network Access Control Resources
This white paper provides pointers to some resources that we've found helpful in our research on Network Access Control (NAC) architectures and interoperability.
2006 Whitepapers
Interop Labs PDF Presentations:
- What is TCG’s Trusted Network Connect?

- InteropLabs Network Access Control Architecture v1

- InteropLabs Network Access Control Architecture v2

- Network Access Control Resources

- What is NAC?

- What is Microsoft’s Network Access Protection?

- What is the IETF NAC strategy?

- Getting Started with Network Access Control

- What is Cisco NAC?

- What is 802.1X?

Cisco NAC Info:
Microsoft NAP Info:
- Introduction to Network Access Protection
- Network Access Protection Platform Architecture
- Internet Protocol Security Enforcement in the Network Access Protection Platform
- Network Access Protection: Frequently Asked Questions



