Competitive Intelligence Highlights
Enterprise Security


Trusted Computing Group Continues to Extend TNC Specifications

| May 22, 2009 | Enterprise Security | Show Update

| Analyst: Andrew Braunberg


Current Perspective: Positive
Vendor Importance: High
Market Impact: Moderate


Event Summary

May 18, 2009 -- The Trusted Computing Group has announced that it has extended its Trusted Network Connect (TNC) security architecture and multi-vendor standards to allow all devices on any IP network to be protected against threats and unauthorized access.


Analytical Summary

• Current Perspective: Positive on the Trusted Computing Group’s extension and enhancements to its Trusted Network Connect framework, because although the specifications were originally designed to support network access control (NAC) solutions, the new specifications continue to broaden their appeal and application beyond traditional NAC use cases.

• Vendor Importance: High to the Trusted Computing Group, particularly its TNC working group, because Spring InterOp has become an important show to demonstrate progress on both specifications and interoperability. This year was no exception, as the group introduced interesting new use cases for the IF-MAP specification that it introduced last year at Spring InterOp and presented three entirely new specifications to the framework.

• Market Impact: Moderate on the enterprise security markets, because the TCG TNC effort continues to gather steam. It is interesting, for example, to see how much interest Huawei is showing in the group’s efforts these days (measured by the number of Huawei people participating in specification development). Slowly but surely, these specifications are finding a broader audience, which in turn is uncovering a richer set of use cases.


Current Perspective

We are taking a positive position on the numerous specification releases and interoperability demonstrations by Trusted Computing Group’s Trusted Network Connect (TCG TNC) working group this week at InterOp in Las Vegas. The group continues to expand and mature its TNC framework and its members continue to innovate with new use cases that the framework can support.

The TCG TNC has never generated the attention that the work deserves, but that began to change last year when the group introduced its IF-MAP specification (also done at InterOp). IF-MAP provides a standard way to share metadata regarding devices and users in a way that supports real-time network situational awareness. IF-MAP has made the broader TNC framework interesting to a much larger group of vendors and end users.

The introduction of new specifications this week should continue this trend. The TNC framework is moving beyond its roots in network access control and perhaps some of the baggage associated with NAC solutions. That is not to say that these new specs do not also support a richer NAC experience. The new Clientless Endpoint Support Profile, for example, is a much-needed addition for more comprehensive NAC support. TCG TNC members have also demonstrated some interesting new use cases for the specs, particularly building on IF-MAP, such as integration with physical security solutions and industrial control solutions.

There are no major concerns with these announcements, but as the TCG TNC working group continues to add members and continues to increase the complexity of its overall framework, we would very much like to see it meet its general goal of formally supporting a compliance program by the end of 2009. The group currently does an admirable job of showing off interoperability at events such as InterOp in an ad hoc fashion, but it has matured to the point where it needs a more formal mechanism in place.

As noted, the TCG TNC is starting to generate the buzz we think it deserves. As more members begin to support a broader set of the TNC specifications, it should become even easier to demonstrate and validate the benefits of its use. We expect the framework to continue to attract new users and new use cases as more people get a chance to experiment with the newly released specifications.


Competitive Positives

• The TCG TNC working group introduced three entirely new specifications this week: IF-T Binding to TLS 1.0, Federated TNC 1.0, and Clientless Endpoint Support Profile 1.0. It also introduced three revisions to existing specifications: TNC Architecture 1.4, IF-TNCCS 1.2, and IF-MAP 1.1. TNC members, including Hirsch Electronics, Infoblox, Juniper Networks, Lumeta Corporation, nSolutions, and Trapeze Networks, also demonstrated multiple interoperability scenarios.

• The IF-T Binding for TLS specification is important for several reasons. The spec extends support for the TNC framework to non-802.1x environments. It also provides a much simpler mechanism for initiating post-connect health checks on a device. The first IF-T Binding spec uses EAP, which is more appropriate for performing health checks before a device has TCP/IP access. The new TLS binding also opens up the potential for applications to leverage the TNC framework.

• The Federated TNC 1.0 spec leverages the broadly supported Security Assertion Markup Language (SAML) standard. The new spec provides health information extensions to SAML, which can then be shared between organizational domains. The spec includes several profiles, including the Roaming Assessment Profile and the Web Assessment Profile. Both profiles allow organizations or applications to share endpoint health data more easily. Federated TNC is designed to be extensible, and in fact, it supports the transmission of any arbitrary information about an endpoint or an end user associated with an endpoint.

• The new Clientless Endpoint Support Profile finally provides a standardized way for TNC members to assess clientless devices, such as printers, VoIP handsets, and guest laptops. The spec describes how TNC network elements should handle these clientless devices. An interesting aspect is that it supports continuous monitoring of the devices, by leveraging the IF-MAP specification, to ensure that the behavior of the devices matches their identity (for example, a printer is acting like a printer, not a mail server).

• Of the revised specs, the most interesting is the IF-MAP 1.1 release. Two of the unexpected ways that the IF-MAP specification is now being leveraged are by physical security vendors, such as Hirsch Electronics, and by process control vendors, such as Tofino, in supervisory control and data acquisition (SCADA) environments. One drawback with the new IF-MAP 1.1 release is that it is not backward compatible with IF-MAP 1.0.


Competitive Concerns

• Productizing of the TNC specifications continues to be relatively slow. Of the larger vendors participating in the working group, Juniper continues to be the most aggressive in supporting the specifications and the only vendor that seems to take pride in being first to market with new support.

• Integration of the TCG TNC and Cisco CNAC specifications through the IETF Network Endpoint Assessment (NEA) working group continues to be a tough slog. Final publication of the initial set of IETF NEA specifications is expected by the end of the year. The existence of competing frameworks has slowed adoption of the TNC specifications considerably.

• The TNC certification program that the working group announced last month is still a work in progress. The current schedule calls for an official launch in the fall of 2009.

