Windows IT Pro, August 2006

QUARANTINE!

NAP keeps noncompliant machines from accessing and infecting your network

"It says QUARANTINE on the inside of the hatch to keep you down here—to keep you scared." I'm a fan of the TV show Lost, so I think of "the hatch" when I hear the word "quarantine." And actually, the hatch isn't such a far-fetched analogy for network quarantine, which isolates computers that might be a danger to your network until they're patched or until you get antivirus software, enable a firewall, or comply with whatever measures your company's security policies dictate. Unlike the hatch, however, network quarantine is supposed to prevent you from being scared.

Network Access Protection (NAP) is Microsoft's new network quarantine platform and the subject of this month's reader survey. NAP is currently in beta and will ship with Windows Vista and Longhorn Server. If you don't know much about NAP, don't worry: Only 14.5 percent of this month's 406 survey respondents were familiar with it, and only 20 percent said they currently use a network access or endpoint security-enforcement solution. (For an overview of Network Access Control (NAC) products, see "Market Watch: Network Quarantine," InstantDoc ID 50253.) Respondents want to understand NAP and how it relates to solutions such as VPNs; the small percentage who are familiar with it also demanded ease of use, indicated what functionality they wanted, and requested update and remediation capabilities.

What Is NAP?
NAP client-side software determines a PC's state of health, including its patch level, antivirus signature level, and firewall configuration. When the PC tries to connect to corporate network resources, the NAP client sends a statement of health to the NAP server, a Longhorn Server system configured as a Network Policy Server (NPS). The NPS communicates with policy servers, such as antivirus and patch-management servers, to determine whether the PC meets the predetermined health standard. If so, the PC is allowed to communicate with other computers on the network. If not, the NPS informs the NAP client how to correct the PC's health state but doesn't grant the PC access to the full network. The NAP client can't initiate communication with computers on the internal network; however, it can communicate with a remediation server to bring the PC into compliance, then submit a new statement of health to the NPS.

Because so many readers were unfamiliar with NAP, I asked Microsoft's representatives—Lead Program Manager Calvin Choe, Program Manager Kevin Rhodes, Group Product Manager Mike Schutz, and Product Manager Arlene Binuya-Murray—to give an overview. (For links to Microsoft resources about NAP, see "Network Access Protection" at http://www.microsoft.com/technet/itsolutions/network/nap/default.mspx.)

Mike explained, "NAP is a security-policy enforcement technology built into Windows Vista and Longhorn Server. The XP Pro NAP is on track and currently in beta."

Kevin added, "Specifically, the full NAP functionality will be available when Longhorn Server ships because Longhorn is one of the critical pieces of the functionality, and that release is scheduled for 2007."

Mike continued, "NAP lets administrators make sure devices that connect to the network meet a minimum security requirement, or policy. NAP lets administrators validate the health of devices, isolate noncompliant devices so that they can get compliant, and update devices that don't meet requirements. NAP then provides a mechanism to ensure ongoing compliance as the security policies change over time."

Furthermore, Calvin said, "NAP is a platform. Out of the box, NAP supports IPsec, DHCP, VPN, 802.1X, and a Terminal Server quarantine enforcement client."

One reader asked whether you can use NAP without Active Directory (AD), and Calvin's response raised some points that clarify NAP's purpose: "One of NAP's design goals was to be domain agnostic. So domain membership isn't required. Traditional network-security models include authentication and authorization. NAP adds a layer called health validation. Authentication and authorization are orthogonal to the health validation—NAP doesn't care who you are as long as your machine is healthy."
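To make the round trip concrete, here is a small Python model of the exchange described at the start of this section: the client's statement of health, the NPS verdict against the minimums set by the patch and antivirus policy servers, restricted access that can only reach remediation servers, and the resubmission after remediation. It also shows Calvin's point that the verdict never looks at who the user is or whether the machine is domain-joined. This is an added example written for this page, not Microsoft's NAP client, NPS or any NAP API; the statement-of-health fields, policy values and remediation host names are all assumed.

```python
"""Toy model of the NAP health-validation round trip (added example).

Not Microsoft's NAP code or API: the statement-of-health fields, policy
values and remediation host names below are assumed/constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace
from enum import Enum


class Access(Enum):
    FULL = "full"              # may talk to any host on the internal network
    RESTRICTED = "restricted"  # may only initiate traffic to remediation servers


@dataclass(frozen=True)
class StatementOfHealth:
    """What the NAP client reports about the PC (assumed field set)."""
    patch_level: int           # number of the newest installed update
    av_signature_version: int  # antivirus signature version installed
    firewall_enabled: bool


@dataclass(frozen=True)
class HealthPolicy:
    """Minimum health the NPS demands, gathered from the policy servers."""
    min_patch_level: int
    min_av_signature_version: int
    require_firewall: bool


@dataclass
class HealthResponse:
    """Verdict returned to the client; a restricted client is also told which
    checks failed and which remediation servers it may contact."""
    access: Access
    failures: list[str] = field(default_factory=list)
    remediation_servers: list[str] = field(default_factory=list)


# Constructed remediation endpoints, one per health check. In a deployment
# these are the patch/antivirus servers reachable from the restricted network.
REMEDIATION_SERVER = {
    "patch_level": "patch.remediation.example",
    "av_signature_version": "av-update.remediation.example",
    "firewall_enabled": "policy.remediation.example",
}


def evaluate(soh: StatementOfHealth, policy: HealthPolicy) -> HealthResponse:
    """NPS-side decision. Nothing here depends on who the user is or whether
    the machine is domain-joined: health validation is separate from
    authentication and authorization."""
    failures = []
    if soh.patch_level < policy.min_patch_level:
        failures.append("patch_level")
    if soh.av_signature_version < policy.min_av_signature_version:
        failures.append("av_signature_version")
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall_enabled")
    if not failures:
        return HealthResponse(Access.FULL)
    return HealthResponse(Access.RESTRICTED, failures=failures,
                          remediation_servers=[REMEDIATION_SERVER[f] for f in failures])


def allowed_destination(response: HealthResponse, host: str) -> bool:
    """Enforcement: a restricted client cannot initiate traffic to internal
    hosts, only to the remediation servers it was pointed at."""
    if response.access is Access.FULL:
        return True
    return host in response.remediation_servers


def remediate(soh: StatementOfHealth, response: HealthResponse,
              policy: HealthPolicy) -> StatementOfHealth:
    """Client side: simulate fetching exactly what the verdict asked for from
    the remediation servers. Checks that already passed are left untouched."""
    fixes = {
        "patch_level": lambda s: replace(s, patch_level=policy.min_patch_level),
        "av_signature_version": lambda s: replace(
            s, av_signature_version=policy.min_av_signature_version),
        "firewall_enabled": lambda s: replace(s, firewall_enabled=True),
    }
    for item in response.failures:
        soh = fixes[item](soh)
    return soh


def connect_with_nap(soh: StatementOfHealth, policy: HealthPolicy,
                     max_rounds: int = 3):
    """Whole exchange: submit SoH, get verdict, remediate if restricted,
    resubmit. Returns the final verdict and the list of (SoH, verdict) rounds."""
    rounds = []
    for _ in range(max_rounds):
        verdict = evaluate(soh, policy)
        rounds.append((soh, verdict))
        if verdict.access is Access.FULL:
            break
        soh = remediate(soh, verdict, policy)
    return rounds[-1][1], rounds


if __name__ == "__main__":
    policy = HealthPolicy(min_patch_level=10, min_av_signature_version=200,
                          require_firewall=True)
    stale_pc = StatementOfHealth(patch_level=8, av_signature_version=250,
                                 firewall_enabled=False)
    final, rounds = connect_with_nap(stale_pc, policy)
    for soh, verdict in rounds:
        print(soh, "->", verdict.access.value, verdict.failures)
    print("file server reachable while restricted?",
          allowed_destination(rounds[0][1], "fileserver.corp.example"))
```

One thing the model makes visible is that the verdict rests entirely on the health the client reports about itself. That is the right fit for the problem the article describes, keeping out-of-date machines off the network until they are remediated, and it is why the remediation and re-check loop, not the initial verdict, is the part that does the work.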

VPN and NAP
The idea of secure access to corporate network resources understandably raised questions about VPN functionality, such as that provided by Microsoft ISA Server. Mike explained that NAP checks a client device's security compliance no matter how that device reaches the network. "One scenario NAP covers is remote access. Customers told us that it's absolutely critical to make sure devices are healthy before road warriors connect from home and hotels. But once you've covered the remote-access scenario, the acute pain around protecting the internal network—whether it be wired or wireless connections—is equally important. Our VPN quarantine solution for Windows Server 2003 and ISA has evolved as that need has evolved, so NAP's unified platform with Vista and Longhorn addresses all the scenarios. Regardless of how a device connects to my network, I want to make sure it's healthy. NAP covers remote access but also internal wired and wireless activity."

Mike went on, saying that NAP works with both Microsoft and third-party VPN solutions. "We've taken an agnostic and platform-centric view to developing NAP because customers told us they didn't want to rip and replace their existing infrastructure, whether it be a VPN or existing routers and switches, to deploy a solution like NAP. Over 60 partners that provide VPN solutions, routers and networking equipment, antivirus products, patch solutions, and management products have signed up and committed to plugging into the NAP platform." Those partnerships mean that you'll be able to verify that your clients have third-party security solutions enabled if your policy requires such solutions.

The topic of IPsec came up in connection with VPN functionality. I noted that 53 percent of the survey respondents reported using IPsec.

Mike pointed out, "We find that often there's confusion about IPsec's specific use, and many customers think in terms of IPsec used for VPN functionality. Microsoft has a specific implementation of that, as do most VPN manufacturers. NAP implements a different use of IPsec, so the 53 percent may reflect the use of IPsec for VPNs."
