Got the NAC
Juniper Employee
09-05-2008 12:11 PM

The TCG announced a new specification today: IF-MAP. Why should you care? Because this new standard really changes the world of network security.


In the past, security systems were largely silos. Your IDS didn’t talk to your firewalls or your VPN or your identity management system or your endpoint security. If they did talk, it was only through special, proprietary integrations.


The TCG’s TNC standards for NAC have changed some of that, providing a standard way to integrate endpoint security, identity management (usually), and network enforcement (switches, VPN, etc.). But until now, TNC didn’t have a standard way to include IDS, firewalls, and lots of other important parts of your security system.


The IF-MAP specification provides exactly that. It defines a standard SOAP-based protocol that network security devices can use to communicate with a shared database called a Metadata Access Point (MAP). Using this protocol and database, the network security devices share information about the users and devices connected to the network: who’s logged into what device, how healthy the device is, whether it’s violating policy on behavior and/or health, etc.


Why is this useful? For several reasons:


  • When a user connects a laptop to the network, authenticates, passes a NAC health check, and is assigned privileges on that basis, all of that information can be passed on to other network security devices in the network through the MAP.
  • Sensors in the network (like Intrusion Detection Systems and Data Leakage Prevention systems) can customize their policies based on the user’s identity, role, and health.
  • If a user starts acting up after they pass the NAC health check (sending spam or attacking people), an IDS can post an event to the database and the NAC system can shut them down at the switch port and pop up a message on their screen telling them what’s wrong and how to fix it.
  • Device profilers can scan unmanaged endpoints (those that can’t or won’t participate in the NAC process, like a printer) and post information about them in the database so that they can receive an appropriate level of access.
  • Interior enforcement devices (like firewalls) now have a standard way to get information from other network security devices on endpoints so that they can grant an appropriate level of access.
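The IDS-to-NAC scenario in the list above, as an added toy model that is not the TCG specification, not Juniper code, and omits the SOAP framing: the identifier types (`access-request`, `ip-address`, `identity`) and metadata names (`access-request-ip`, `authenticated-as`, `event`) follow IF-MAP vocabulary, while the `MetadataAccessPoint` class, `nac_decision` and the sample values are constructed for illustration.

```python
from collections import defaultdict


class MetadataAccessPoint:
    """Toy MAP: identifiers are (type, value) tuples; metadata hangs on links between them."""
    def __init__(self):
        self.links = defaultdict(list)        # frozenset of identifiers -> metadata dicts
        self.subscribers = defaultdict(list)  # identifier -> callbacks fired on publish

    def publish(self, publisher, id_a, id_b, metadata):
        entry = dict(metadata, publisher=publisher)
        self.links[frozenset((id_a, id_b))].append(entry)
        for ident in {id_a, id_b}:
            for callback in self.subscribers[ident]:
                callback(ident, entry)

    def subscribe(self, identifier, callback):
        self.subscribers[identifier].append(callback)

    def search(self, identifier, metadata_type):
        """Yield (neighbour, metadata) for links of metadata_type that touch identifier."""
        for link, entries in self.links.items():
            if identifier in link:
                neighbour = next(iter(link - {identifier}), identifier)
                yield from ((neighbour, m) for m in entries if m["type"] == metadata_type)


def nac_decision(mapserver, ip):
    """What a NAC policy server does on an IDS event: walk ip -> access-request -> identity."""
    serious = [m for _, m in mapserver.search(("ip-address", ip), "event")
               if m["significance"] in ("critical", "important")]
    if not serious:
        return {"action": "allow", "user": None, "reason": None}
    ar_links = mapserver.search(("ip-address", ip), "access-request-ip")
    users = [who[1] for ar, _ in ar_links for who, _ in mapserver.search(ar, "authenticated-as")]
    return {"action": "quarantine", "user": users[0] if users else None, "reason": serious[0]["name"]}


def demo():
    """Constructed scenario: NAC admits alice, then an IDS reports spamming from her IP."""
    mapserver, decisions = MetadataAccessPoint(), []
    ar, ip, user = ("access-request", "ar-1001"), ("ip-address", "10.0.0.7"), ("identity", "alice")

    def on_change(ident, metadata):  # the NAC server's subscription callback
        if metadata["type"] == "event":
            decisions.append(nac_decision(mapserver, ident[1]))
    mapserver.subscribe(ip, on_change)
    mapserver.publish("nac-pdp", ar, ip, {"type": "access-request-ip"})
    mapserver.publish("nac-pdp", ar, user, {"type": "authenticated-as"})
    mapserver.publish("ids-1", ip, ip, {"type": "event", "name": "excessive flows",
                                        "significance": "critical"})  # single-identifier metadata
    return decisions
```

Running `demo()` yields one quarantine decision naming alice, because the IDS only knew the IP and the MAP supplied the identity the NAC server had published earlier.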


To summarize, the new IF-MAP standard extends the TNC architecture, providing a standard way to integrate a wide variety of network security devices such as IDS, DLP, and interior firewalls with NAC gear and with each other. This allows the TNC architecture to work with “unmanaged endpoints” and to integrate behavior monitoring in addition to, or instead of, endpoint health checking. It also provides a standard way to integrate firewalls and other enforcement devices into a TNC system. There are other uses of IF-MAP, but this is all I have room for today. Look for more posts later.


For more details about the IF-MAP specification, see the TCG web page on this topic. If you have questions, let me know.

Sep 15, 2008
alan shimel

Hi Steve - Welcome to the security bloggers network. I came to the page clicking through the SBN feed. A quick suggestion: this article would really benefit the readers if you had some links to the TCG web page on the topic that you reference. Would be nice to click through to them!

Good luck! alan

Sep 15, 2008
Tarek Amr


Thanks for answering my question. I guess such a step is going to speed up the NAC adoption, especially in organizations with multi-vendor security devices.