Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


August 2006

QUARANTINE!

NAP keeps noncompliant machines from accessing and infecting your network
From the August 2006 Edition
of Windows IT Pro
Karen Forster
Hey Microsoft!
InstantDoc #50386
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

"It says QUARANTINE on the inside of the hatch to keep you down here—to keep you scared." I'm a fan of the TV show Lost, so I think of "the hatch" when I hear the word "quarantine." And actually, the hatch isn't such a far-fetched analogy for network quarantine, which isolates computers that might be a danger to your network until they're patched or until you get antivirus software, enable a firewall, or comply with whatever measures your company's security policies dictate. Unlike the hatch, however, network quarantine is supposed to prevent you from being scared.

Network Access Protection (NAP) is Microsoft's new network quarantine platform and the subject of this month's reader survey. NAP is currently in beta and will ship with Windows Vista and Longhorn Server. If you don't know much about NAP, don't worry: Only 14.5 percent of this month's 406 survey respondents were familiar with it, and only 20 percent said they currently use a network access or endpoint security-enforcement solution. (For an overview of Network Access Control—NAC products, see Market Watch: Network Quarantine, InstantDoc ID 50253.) Respondents want to understand NAP and how it relates to solutions such as VPNs; the small percentage who are familiar with it also demanded ease of use, indicated what functionality they wanted, and requested update and remediation capabilities.

What Is NAP?
NAP client-side software determines a PC's state of health, including its patch level, antivirus signature level, and firewall configuration. When the PC tries to connect to corporate network resources, the NAP client sends a statement of health to the NAP server, a Longhorn Server system configured as a Network Policy Server (NPS). The NPS communicates with policy servers, such as antivirus and patch-management servers, to determine whether the PC meets the predetermined health standard. If so, the PC is allowed to communicate with other computers on the network. If not, the NPS informs the NAP client how to correct the PC's health state but doesn't grant the PC access to the full network. The NAP client can't initiate communication with computers on the internal network; however, it can communicate with a remediation server to bring the PC into compliance, then submit a new statement of health to the NPS.

Because so many readers were unfamiliar with NAP, I asked Microsoft's representatives—Lead Program Manager Calvin Choe, Program Manager Kevin Rhodes, Group Product Manager Mike Schutz, and Product Manager Arlene Binuya-Murray—to give an overview. (For links to Microsoft resources about NAP, see " Network Access Protection" at http://www.microsoft.com/technet/itsolutions/network/nap/default.mspx.)

Mike explained, "NAP is a security-policy enforcement technology built into Windows Vista and Longhorn Server. The XP Pro NAP is on track and currently in beta."

Kevin added, "Specifically, the full NAP functionality will be available when Longhorn Server ships because Longhorn is one of the critical pieces of the functionality, and that release is scheduled for 2007."

Mike continued, "NAP lets administrators make sure devices that connect to the network meet a minimum security requirement, or policy. NAP lets administrators validate the health of devices, isolate noncompliant devices so that they can get compliant, and update devices that don't meet requirements. NAP then provides a mechanism to ensure ongoing compliance as the security policies change over time."

Furthermore, Calvin said, "NAP is a platform. Out of the box, NAP supports IPsec, DHCP, VPN, 802.1X, and a Terminal Server quarantine enforcement client."

One reader asked whether you can use NAP without Active Directory (AD), and Calvin's response raised some points that clarify NAP's purpose: "One of NAP's design goals was to be domain agnostic. So domain membership isn't required. Traditional network-security models include authentication and authorization. NAP adds a layer called health validation. Authentication and authorization are orthogonal to the health validation—NAP doesn't care who you are as long as your machine is healthy."

VPN and NAP
The idea of secure access to corporate network resources understandably raised questions about VPN functionality, such as that provided by Microsoft ISA Server. Mike explained that NAP checks a client device's security compliance no matter how that device reaches the network. "One scenario NAP covers is remote access. Customers told us that it's absolutely critical to make sure devices are healthy before road warriors connect from home and hotels. But once you've covered the remote-access scenario, the acute pain around protecting the internal network—whether it be wired or wireless connections—is equally important. Our VPN quarantine solution for Windows Server 2003 and ISA has evolved as that need has evolved, so NAP's unified platform with Vista and Longhorn addresses all the scenarios. Regardless of how a device connects to my network, I want to make sure it's healthy. NAP covers remote access but also internal wired and wireless activity."

Mike went on, saying that NAP works with both Microsoft and third-party VPN solutions. "We've taken an agnostic and platform-centric view to developing NAP because customers told us they didn't want to rip and replace their existing infrastructure, whether it be a VPN or existing routers and switches, to deploy a solution like NAP. Over 60 partners that provide VPN solutions, routers and networking equipment, antivirus products, patch solutions, and management products have signed up and committed to plugging into the NAP platform." Those partnerships mean that you'll be able to verify that your clients have thirdparty security solutions enabled if your policy requires such solutions.

The topic of IPsec came up in connection with VPN functionality. I noted that 53 percent of the survey respondents reported using IPsec.

Mike pointed out, "We find that often there's confusion about IPsec's specific use, and many customers think in terms of IPsec used for VPN functionality. Microsoft has a specific implementation of that, as do most VPN manufacturers. NAP implements a different use of IPsec, so the 53 percent may reflect the use of IPsec for VPNs."

   Previous  [1]  2  Next 


Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...
Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events WinConnections and Microsoft® Exchange Connections

Deep Dive into Windows Server 2008 R2 presented by John Savill

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement