Tutorial: Network Access Control (NAC): Page 2 of 11

General Architecture

Three basic components are found in all NAC products: the Access Requestor (AR), the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP); see the General NAC Framework diagram in the image gallery. Vendors have their own names for these, but we'll use the terms defined by the Trusted Computing Group's Trusted Network Connect (TNC) working group because they're fairly clear-cut.

FRAMEWORK SUMMARY
Frameworks compared: Cisco Network Admission Control (Cisco NAC); Microsoft Network Access Protection (Microsoft NAP); Trusted Computing Group, Trusted Network Connect (TCG TNC).

Host Assessment
  Cisco NAC: The Cisco Trust Agent will be used for Windows pre-Longhorn and Vista, and Red Hat Enterprise 3 and 4.
  Microsoft NAP: Microsoft's NAP agent and 802.1X supplicant are part of Windows Longhorn and Vista. APIs are available for other vendors to create and integrate system health agents (SHAs) into the NAP framework. The vendor is responsible for how and what the SHA communicates to the NAP client; for example, self-assessment and real-time change notification are not required.
  TCG TNC: The TNC specifications deal with communication between an AR and a PDP, as well as how software can communicate with the TNC AR. Another system performs the assessment.

Validation
  Cisco NAC: Credentials and assessment data are sent to the Access Control Server (ACS) for validation. The ACS sends them along to Microsoft's Network Policy Server (NPS) and selects a policy based on the response from the NPS.
  Microsoft NAP: The NPS integrates with external policy servers, such as AV and patch management systems, to assess a host's health.
  TCG TNC: TNC-developed protocols and APIs specify how components communicate.

Enforcement
  Cisco NAC: Cisco hardware is responsible for enforcing the access policy sent by the ACS.
  Microsoft NAP: Quarantine may be accomplished by allowing or denying a host access to a VPN, or by integrating with external systems.
  TCG TNC: TNC-developed protocols and APIs specify how components communicate.

Partner Programs
  Cisco NAC: Cisco has a large partner program populated with a number of well-known product vendors. Cisco and Microsoft both claim that they will be supporting their own partner programs as well as the joint NAC/NAP program.
  Microsoft NAP: Microsoft is planning on migrating its partners to the new API for Longhorn and Vista. Microsoft has a large partner program and, unlike Cisco, also has a number of infrastructure vendors in the fold. Microsoft also appears to be a strong partner of the Trusted Network Connect working group as well as of Cisco.
  TCG TNC: The specifications are available for download. Members of the TCG can participate in the working group. Microsoft has released its Statement of Health protocol for the TNC specification.

Interoperability Testing
  Cisco NAC: Cisco uses AppLabs, which acquired KeyLabs, for interoperability testing in the NAC program. NAC partners are expected to develop and test their products
  Microsoft NAP: Microsoft has no plans for an interoperability testing program.
  TCG TNC: The TNC is planning future compliance programs, but is otherwise mum on the issue.

Individual functions of the PDP and the PEP may be contained on one server or spread across multiple servers, depending on vendor implementation, but in general, the AR requests access, the PDP assigns a policy, and the PEP enforces the policy.

The AR is the node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras and other IP-enabled devices. The AR may perform its own host assessment, or some other system may evaluate the host. In either case, the AR's assessment is sent to the PDP.

The PDP is the brains of the operation. Based on the AR's posture and a company's defined policy, the PDP determines what access should be granted. In many cases, the NAC product management system may function as the PDP. The PDP often relies on back-end systems, including antivirus, patch management or a user directory, to help determine the host's condition. For example, an AV manager would determine whether a host's AV software and signature versions are current, and inform the PDP.
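The AR, PDP and PEP roles described above, as a runnable toy model in Python. This is an added example, not code from the article or from Cisco, Microsoft or the TNC working group; the posture fields, the policy threshold, the VLAN numbers and the AV-manager, patch-manager and user-directory lookup tables are all constructed assumptions. The point it shows is the separation of duties: the AR only reports, the PDP decides by checking the reported posture against its back-end systems, and the PEP does nothing but translate the decision into an enforcement action.

```python
# Added example (not from the Network Computing article): a toy model of the
# AR -> PDP -> PEP flow. Posture fields, policy values, VLAN numbers and the
# back-end lookup tables below are constructed for illustration only.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    FULL = "full"
    QUARANTINE = "quarantine"
    DENY = "deny"


@dataclass(frozen=True)
class Posture:
    """What the Access Requestor (or a scanner acting for it) reports to the PDP."""
    host_id: str
    device_class: str                    # "workstation", "server" or "printer"
    patch_level: int
    user: Optional[str] = None           # None for agentless devices such as printers
    av_product: Optional[str] = None
    av_signature_version: Optional[int] = None


# Back-end systems the PDP consults (constructed sample state, not real products).
AV_MANAGER_CURRENT_SIGNATURE = {"ExampleAV": 4210}             # hypothetical AV manager
PATCH_MANAGER_BASELINE = {"workstation": 17, "server": 17, "printer": 0}
USER_DIRECTORY = {"alice": "staff", "bob": "contractor"}


@dataclass(frozen=True)
class Policy:
    max_signature_lag: int = 5           # signature versions a host may be behind


class PolicyDecisionPoint:
    """The 'brains': compares reported posture with policy via the back-end systems."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy

    def decide(self, p: Posture) -> tuple[Access, list[str]]:
        # Identity first: a user the directory does not know gets no network at all.
        if p.user is not None and p.user not in USER_DIRECTORY:
            return Access.DENY, ["user not in directory"]
        # Agentless device classes carry no health data to validate.
        if p.device_class == "printer":
            return Access.FULL, ["agentless device class"]
        reasons: list[str] = []
        # The AV manager, not the host, says whether the signatures are current.
        if p.av_product is None or p.av_signature_version is None:
            reasons.append("no antivirus reported")
        else:
            current = AV_MANAGER_CURRENT_SIGNATURE.get(p.av_product)
            if current is None:
                reasons.append(f"unknown AV product {p.av_product}")
            elif current - p.av_signature_version > self.policy.max_signature_lag:
                reasons.append(f"AV signatures {current - p.av_signature_version} versions behind")
        # The patch manager supplies the baseline for this device class.
        baseline = PATCH_MANAGER_BASELINE[p.device_class]
        if p.patch_level < baseline:
            reasons.append(f"patch level {p.patch_level} below baseline {baseline}")
        return (Access.QUARANTINE, reasons) if reasons else (Access.FULL, ["healthy"])


class PolicyEnforcementPoint:
    """Models the switch or VPN gateway: turns a decision into an action, nothing more."""
    VLAN_FOR = {Access.FULL: 10, Access.QUARANTINE: 999}      # assumed VLAN numbers

    def enforce(self, host_id: str, decision: Access) -> dict:
        if decision is Access.DENY:
            return {"host": host_id, "action": "port-disabled"}
        return {"host": host_id, "action": "vlan", "vlan": self.VLAN_FOR[decision]}


def admit(posture: Posture, pdp: PolicyDecisionPoint, pep: PolicyEnforcementPoint) -> dict:
    """One complete admission: the AR reports, the PDP decides, the PEP enforces."""
    decision, reasons = pdp.decide(posture)
    action = pep.enforce(posture.host_id, decision)
    return {"decision": decision, "reasons": reasons, "action": action}


# Constructed sample requestors: healthy workstation, stale laptop, printer, unknown user.
SAMPLE_POSTURES = [
    Posture("ws-01", "workstation", 17, "alice", "ExampleAV", 4208),
    Posture("lt-02", "workstation", 15, "bob", "ExampleAV", 4200),
    Posture("prn-03", "printer", 0),
    Posture("ws-04", "workstation", 17, "mallory", "ExampleAV", 4210),
]


def run_demo() -> dict[str, dict]:
    pdp = PolicyDecisionPoint(Policy())
    pep = PolicyEnforcementPoint()
    return {p.host_id: admit(p, pdp, pep) for p in SAMPLE_POSTURES}


if __name__ == "__main__":
    for host, result in run_demo().items():
        print(host, result["decision"].value, result["action"], result["reasons"])
```

Note that the PDP never takes the host's word for its own health: the reported signature version is compared with what the AV manager says is current, and the patch level with the patch manager's baseline, which is exactly the division of labour the paragraph above describes. Swapping the VLAN map for an ACL push or a VPN allow/deny, as the vendors in the framework summary do, changes only the PEP class.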