NAP keeps noncompliant machines from accessing and infecting your network
"It says QUARANTINE on the inside of the hatch to keep you down here—to keep you scared." I'm a fan of the TV show Lost, so I think of "the hatch" when I hear the word "quarantine." And actually, the hatch isn't such a far-fetched analogy for network quarantine, which isolates computers that might be a danger to your network until they're patched or until you get antivirus software, enable a firewall, or comply with whatever measures your company's security policies dictate. Unlike the hatch, however, network quarantine is supposed to prevent you from being scared.
Network Access Protection (NAP) is Microsoft's new network quarantine platform and the subject of this month's reader survey. NAP is currently in beta and will ship with Windows Vista and Longhorn Server. If you don't know much about NAP, don't worry: Only 14.5 percent of this month's 406 survey respondents were familiar with it, and only 20 percent said they currently use a network access or endpoint security-enforcement solution. (For an overview of Network Access Control—NAC products, see Market Watch: Network Quarantine, InstantDoc ID 50253.) Respondents want to understand NAP and how it relates to solutions such as VPNs; the small percentage who are familiar with it also demanded ease of use, indicated what functionality they wanted, and requested update and remediation capabilities.
What Is NAP?
NAP client-side software determines a PC's state of health, including its patch level, antivirus signature level, and firewall configuration. When the PC tries to connect to corporate network resources, the NAP client sends a statement of health to the NAP server, a Longhorn Server system configured as a Network Policy Server (NPS). The NPS communicates with policy servers, such as antivirus and patch-management servers, to determine whether the PC meets the predetermined health standard. If so, the PC is allowed to communicate with other computers on the network. If not, the NPS informs the NAP client how to correct the PC's health state but doesn't grant the PC access to the full network. The NAP client can't initiate communication with computers on the internal network; however, it can communicate with a remediation server to bring the PC into compliance, then submit a new statement of health to the NPS.
Because so many readers were unfamiliar with NAP, I asked Microsoft's representatives—Lead Program Manager Calvin Choe, Program Manager Kevin Rhodes, Group Product Manager Mike Schutz, and Product Manager Arlene Binuya-Murray—to give an overview. (For links to Microsoft resources about NAP, see " Network Access Protection" at http://www.microsoft.com/technet/itsolutions/network/nap/default.mspx.)
Mike explained, "NAP is a security-policy enforcement technology built into Windows Vista and Longhorn Server. The XP Pro NAP is on track and currently in beta."
Kevin added, "Specifically, the full NAP functionality will be available when Longhorn Server ships because Longhorn is one of the critical pieces of the functionality, and that release is scheduled for 2007."
Mike continued, "NAP lets administrators make sure devices that connect to the network meet a minimum security requirement, or policy. NAP lets administrators validate the health of devices, isolate noncompliant devices so that they can get compliant, and update devices that don't meet requirements. NAP then provides a mechanism to ensure ongoing compliance as the security policies change over time."
Furthermore, Calvin said, "NAP is a platform. Out of the box, NAP supports IPsec, DHCP, VPN, 802.1X, and a Terminal Server quarantine enforcement client."
One reader asked whether you can use NAP without Active Directory (AD), and Calvin's response raised some points that clarify NAP's purpose: "One of NAP's design goals was to be domain agnostic. So domain membership isn't required. Traditional network-security models include authentication and authorization. NAP adds a layer called health validation. Authentication and authorization are orthogonal to the health validation—NAP doesn't care who you are as long as your machine is healthy."
VPN and NAP
The idea of secure access to corporate network resources understandably raised questions about VPN functionality, such as that provided by Microsoft ISA Server. Mike explained that NAP checks a client device's security compliance no matter how that device reaches the network. "One scenario NAP covers is remote access. Customers told us that it's absolutely critical to make sure devices are healthy before road warriors connect from home and hotels. But once you've covered the remote-access scenario, the acute pain around protecting the internal network—whether it be wired or wireless connections—is equally important. Our VPN quarantine solution for Windows Server 2003 and ISA has evolved as that need has evolved, so NAP's unified platform with Vista and Longhorn addresses all the scenarios. Regardless of how a device connects to my network, I want to make sure it's healthy. NAP covers remote access but also internal wired and wireless activity."
Mike went on, saying that NAP works with both Microsoft and third-party VPN solutions. "We've taken an agnostic and platform-centric view to developing NAP because customers told us they didn't want to rip and replace their existing infrastructure, whether it be a VPN or existing routers and switches, to deploy a solution like NAP. Over 60 partners that provide VPN solutions, routers and networking equipment, antivirus products, patch solutions, and management products have signed up and committed to plugging into the NAP platform." Those partnerships mean that you'll be able to verify that your clients have thirdparty security solutions enabled if your policy requires such solutions.
The topic of IPsec came up in connection with VPN functionality. I noted that 53 percent of the survey respondents reported using IPsec.
Mike pointed out, "We find that often there's confusion about IPsec's specific use, and many customers think in terms of IPsec used for VPN functionality. Microsoft has a specific implementation of that, as do most VPN manufacturers. NAP implements a different use of IPsec, so the 53 percent may reflect the use of IPsec for VPNs."
Kevin explained NAP's use of IPsec. "IPsec lets you protect network resources from client machines that don't have a particular credential set to prove they've met requirements. So by combining IPsec with NAP, you can have compliance checking within your network."
Arlene added, "What Kevin is talking about specifically is NAP's IPsec enforcement. You can use it for domain and server isolation."
Mike concluded, "What the survey data points out is that we need to clarify in our communication the various uses for IPsec and then specifically what we're talking about with respect to NAP."
Ease of Use
Many respondents asked, "How complex is NAP deployment?" Calvin answered, "Ease of use and the GUI were big requests in the survey. You can use a wizard-based configuration page and answer some simple questions to configure NAP. In the survey, some people said the command line was a shortcoming of existing products. We can configure, deploy, and monitor using just the UI."
For users who prefer a command line interface, Calvin noted, "When we designed the product, we had both IT generalists and specialists in mind. IT generalists want to use and configure everything through the GUI. IT specialists want to go to the command line. We're providing both GUI and command-line interfaces."
Why is ease of use such a concern? Calvin pointed out, "When it comes to narrow access authorization, there are so many moving parts: NAP needs to integrate with user authentication and machine authorization. There's the multidomain model and so many different kinds of clients. It's good that you can validate the system health, but how do you provide automatic updates to keep systems compliant? Because there are so many moving parts, Microsoft needs to provide ease of use and a well-integrated product end to end."
Most Requested Features
The survey asked readers what elements of the client they want NAP to inspect and verify. Calvin said, "I was pleased to see that the top functionalities that customers want align with what we've done. Nearly 93 percent of readers wanted NAP to verify an antivirus signature, 86.9 percent said patch level, followed by OS configuration \[62.8 percent\] and host firewall configuration \[57.6 percent\]. When we designed the product, these elements were our top goals, and these are health-status checks NAP performs."
In addition, many readers want NAP to go beyond identifying and isolating noncompliant machines by providing remediation.As one reader put it, isolating machines and "giving a user a message or a Web link doesn't provide remediation. It generates Help desk calls." Calvin agreed: "There are four pillars of NAP: client validation, isolation, remediation, and ongoing compliance. Automatic remediation is built into the product with the System Health Agent (SHA). If your machine is out of compliance, you'll be notified of the consequence—for example, limited network connectivity. But while you're getting the notification, SHA will do its best to automatically remediate. If a machine is out of compliance, it will follow SHA's instructions, such as turning on the firewall, to get out of quarantine."
Turning on a firewall is a quick solution, Calvin admitted, but some compliance actions, "such as downloading a service pack, can take hours. You can configure such actions on the server side." For example, you can specify deferred enforcement, which Calvin explained: "I won't quarantine you immediately, but you have 30 days to comply with the corporate policy of downloading a service pack. Then NAP will download automatically." Calvin emphasized, "We don't expect users to go to a Web site and download patches or turn on the firewall. That should happen automatically."
It's All in the Policy
What were the key takeaways for the NAP team? Kevin said, "This survey really drove home the importance of ease of use. Also, we noted some confusion about using IPsec, so we need to do clarity and focus on IPsec in our guidance."
Kevin continued, "Another point was that 70 percent said they have a written security policy. Developing security policies is the most important step. Any enforcement technology is only truly effective if the proper level of thinking has gone into developing appropriate access policies. So we need to educate people about why they need a policy and what that policy is. Just installing NAP does nothing for you if you don't have anything to marry that to."
Mike added, "Maybe it's a catch-22. Why create a policy if you have nothing to enforce it? Maybe NAP is the catalyst for the other 30 percent to develop a security policy."