TNC/TCG Metadata Standard Promises Broad Integration

The Trusted Computing Group's Trusted Network Connect announced Metadata Access Point, IF-MAP, a specification to aggregate and propagate events from multiple sources. IF-MAP is the best thing since sliced bread. In short, IF-MAP standardizes the way network devices, applications, etc., can send event metadata to a central repository. Clients can query the repository and consume the event data. For example, a NAC policy decision point can use data stored in an IF-MAP server to make access decisions. I will be writing more on IF-MAP and its impact on IT soon.

Here at Interop, the TCG had a few running demos of IF-MAP. In particular, Lumeta (you may know them as the network mapping people) spent all of 15 minutes integrating the IF-MAP with its product as a proof of concept. Essentially, Lumeta maps networks, discovering all the ingress and egress paths. Its demo showed the product finding a host that was leaking data to the Internet, and by sending an update to the IF-MAP server, the Juniper UAC product detected the IF-MAP update and cut the offending host off.

While IF-MAP is targeted at NAC, the uses beyond its scope are numerous. One of the biggest issues vendors and enterprises have is integrating security event information. Firewalls, IDS's, and authentication systems all generate events that are useful for making decisions and reporting. The problem is that devices report in proprietary formats and use different protocols like syslog, XML, or something else. Once the event is generated, it has to be parsed into usable data. Anyone familiar with event aggregation has gone through that pain already.

IF-MAP isn't designed to collect raw data or to be used as a security event management system. The data is really pared down to just the actionable data that can be consumed by other systems. For example, an IDS event that lists the IP addresses, event severity, and event ID is the metadata that other applications can use. Other IDS fields like text descriptions are less useful. A NAC policy decision point can gather an event and, based on the severity, take some kind of action.

Here's why I like IF-MAP. Vendors implementing the standard should see many integration woes fall by the wayside because, rather than having to spend time integrating with a number of vendors and joining partner programs, the products can simply implement the API and you get instant integration with any other vendor also implementing the API.Of course, as with any standard, adoption will take time and vendors will fall back on "we will build it if there is customer demand." So, start demanding your vendors adopt IF-MAP. The result will be better integration of all your products, which means you will be able to leverage your investments.