Intel adds desktop NAC to latest chips

Intel's move to provide new integration with NAC (network access control) tools in its latest vPro desktop processors could provide interesting opportunities for use with the device authentication systems while further strengthening the technology standards it supports, according to industry watchers.

One of a handful of new security features built into the vPro Core 2 Duo chips introduced by Intel on Monday, the added support for the 802.1x standard for NAC and interoperability with Cisco's Network Admission Control guideline -- delivered via the processors' Intel Embedded Trust Agent -- could help accelerate adoption of the device authentication systems while solidifying support for the two formats, experts said.

NAC systems are used to scan device and user authentication information whenever a machine attempts to log onto to a network protected by the tools. In addition to protecting against potential break-ins from uninvited outsiders, the tools are also considered a useful alternative for enterprises to employ in segregating access to IT systems shared with partners or contractors.

Using the Embedded Trust Agent, Intel said that it can now provide NAC systems -- including any built on the 802.1x or Cisco NAC platforms -- to garner device identity information directly from processor, bypassing the need for the authentication technologies to interact with PC operating system software.

One of the potential methods to circumvent NAC systems outlined by security researchers thus far has been to use some method to spoof or misrepresent device information to dupe the network defense tools. By presenting machine identity data on the processor, such attacks could be largely eliminated, Intel officials said.

While Intel did not promote direct linkage between Embedded Trust Agent and Microsoft's flavor of NAC -- known as Network Access Protection and already integrated into the software giant's Vista OS -- Cisco and Microsoft have previously announced an agreement to make all of their respective network authentication systems compatible.

Similar support for NAC on mobile platforms will arrive with Intel's next batch of Centrino chips, slated for shipment sometime in 2008, said company officials.

Cisco officials participating in Intel's vPro launch said that the CPU-level NAC integration could prove to be a significant accelerant to adoption of the technology, which most industry experts have charted as relatively slow thus far, despite the networking giant's claim that many of its customers are tuning on the next-generation authentication systems.

"The strength of NAC is certainly based on the reliability of the information that you can present to the network, and having direct access to information on the hardware provides a whole new opportunity that hasn't been present only with OS interaction," said Brendan O'Connell, senior product manager for Cisco's Security Technology Group.

"In the past, even with existing NAC systems, what's happened is that when a PC starts up on the network, the security decision is held off while other things are being run in the background, but we're hoping to see that change and get in the door earlier," he said. "There are some big advantages for getting this type of information to present device security posture assessment sooner in the process, both for desktops and down the road for other types of devices."