Much of the network access control (NAC) hype over the last few years has involved network defense. For Mauricio Sanchez, chief security architect, ProCurve Networking by Hewlett-Packard (NYSE: HPQ), NAC can be used as an offensive tool as well.
The HP ProCurve offensive playbook for NAC comes as HP embraces Microsoft's NAP technology with the ProCurve Identity Driven Manager (IDM) policy management tool. Microsoft's NAP has the potential to drive NAC adoption even further into the enterprise mainstream now that Server 2008 is generally available.
"Like any good sports team you need a good offense and a good defense to win the game, and from a security perspective we feel that our approach should be the same," Mauricio Sanchez, chief security architect, ProCurve Networking by HP, told InternetNews.com. "On the offensive side, the first layer is around Network Access Control, this is where the network interrogates identity and the health state of users and devices," he said, adding that the term NAC means different things to a lot of people.
"To us and to me, NAC is more of a solution architecture based on performing some kind of access control when users connect to a network," Sanchez explained. "So it's not about a particular product or technology."
According to Sanchez, NAC is also about products and technology that convey the idea that network access should be limited and that people should be asked some questions before they are permitted to connect.
Sanchez noted that once you get past the offensive layer, with user and system interrogation, it's important to have defensive layers to address real time threats against the network and to protect against failures in the offensive layer.
He said HP will address the offensive layer of NAC by integrating Microsoft's NAP with HP's Identity Driven Manager (IDM) application.
NAP is an integrated component of Windows Server 2008, which was launched earlier this year.
NAP provides built-in capabilities to verify endpoint health as devices come onto the network. It also provides "a nice baseline for us to leverage as a network vendor and take advantage of it," Sanchez commented.
HP's IDM, meanwhile, allows administrators to define access policy based on user group information, time of day and location -- all by way of an easy-to-use GUI.
Though Microsoft NAP has been officially available only for a few months, it already has a lot of backers. More than a year ago, Microsoft claimed it had more than 100 vendors lined up to support and interoperate with NAP.
Sanchez noted that HP is looking at NAC from a comprehensive network framework perspective, which he sees as a distinct advantage over a pure-play NAC vendor. In Sanchez's view, pure-play NAC solutions are a dead end.
Another key attribute for NAC success is interoperability, something the Trusted Computing Group's Trusted Network Connect (TNC) aims to achieve.
Sanchez is a chair on the TNC working group, where both HP and Microsoft are contributors. Last year Microsoft announced that it would work toward TNC interoperability with NAP.
Technically, the interoperability involves TNC support for a Microsoft NAP approach called the Microsoft Statement of Health Protocol. The IF-TNCCS-SOH (TNC client-server statement of health) protocol acts as a transport that carries the endpoint's health statement so the network can validate that the endpoint meets its security requirements.