It's all about the policy


Mike Fratto

May 23, 2007


The Trusted Computing Group's Trusted Network Connect (TNC) work group has published Microsoft's Statement of Health (SoH) protocol, which lets NAP clients send host health information to a Policy Decision Point (PDP), the server that makes an admission decision based in whole or in part on that health data. The published specification is called IF-TNCCS-SOH. This is big news for anyone buying a NAC solution today, because if and when products ship that support SoH on both the client and the PDP (Vista already contains the SoH client as part of NAP), integration should get easier. Many NAC vendors would rather leave the client software to someone else, and many companies resist installing yet another agent on their PCs. Let's face it, this kind of announcement legitimizes TCG/TNC as a viable NAC framework while letting Microsoft point to the protocol as an example of how it embraces open standards. It's a win-win, and the kicker is that you should win too.

NAC vendors are fighting for every deal, margins are thin, and development costs are high. If they focus their development efforts on supporting IF-TNCCS-SOH on their PDPs and wait for Microsoft to push out the NAP client for Windows XP (slated for the upcoming SP3) and Windows Server 2008 (formerly Longhorn, due early next year), then the NAC vendors kill two birds with one stone and potentially get out of the client software business altogether. Beyond the NAC vendors, all the software that can report on some aspect of system health, such as AV, patch management systems, desktop security products, and a variety of other agents, previously had to integrate with three frameworks: Microsoft's NAP, Cisco's NAC, and TCG/TNC. With NAP and TNC speaking the same client protocol, those vendors can focus on just the remaining two.

That's a great plan for the computers your company manages. What is missing are the network devices, like printers and network-attached cameras, that can't run an agent and so can't participate in NAC, and of course there's the thorny problem of guest users: how are they to be treated and trusted? IF-TNCCS-SOH doesn't address that problem at all, leaving it up to administrators to add rules for these exceptions. The one thing I hate is exceptions. Exceptions cost time and money and can greatly increase complexity, three things we don't want to spend. Exception handling, and more generally policy development, not client support, will become the deciding factor in NAC deployments.

About the Author(s)

Mike Fratto

Former Network Computing Editor
