SolutionBase: Enterprise considerations for Microsoft Network Access Protection
Takeaway: In this installment of the TechRepublic series on Microsoft Network Access Protection, Rick Vanover presents considerations for the enterprise implementations. We will also outline the key requirements of a NAP installation to start the planning process right.
Having a MS-NAP implementation in place will provide your network an extra level of protection at the entry point. There are certainly networks that need the maximum level of security for every point of connectivity; however, only the business or your technology situation can determine what you need from the perspective of network access protection. The MS-NAP implementation uses many different communication mechanisms if fully implemented. A strong point for MS-NAP is that the MS-NAP implementation can be utilized with some or all of the features and roles. In this article, we'll take a look at some of things you need to take into consideration from an enterprise perspective.
Enforcement types for MS-NAP
If you are considering MS-NAP for your environment, you cannot invest enough time in the planning and testing phases. Deciding on the best enforcement type for a policy is critically important. The means of enforcing MS-NAP are varied in their functionality and complexity.
Enforcement types
The MS-NAP implementation can enforce the compliance policy through these four mechanisms:
- VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client and performs the validation. This is not to be confused with Windows Server 2003's Network Access Quarantine Control feature.
- DHCP: The DHCP server interacts with the policies from the NPS to determine the client's compliance.
- IPSec: The IPSec enforcement of MS-NAP is Microsoft's strongest offering for network access protection. It enforces the policy and configures the systems out of compliance with a limited access local IP security policy for remediation.
- 802.1X: The MS-NAP client authenticates over an 802.1X authenticated network and is the best solution when integrating hardware from other vendors. Luckily, the 802.1X authentication protocol was developed jointly by Microsoft, Cisco, HP, Trapeze, and Enterasys.
Each enforcement type will direct the client that is out of compliance to the remediation network where a resolution should be able to occur before accessing the desired network. The remediation network should be given some thorough planning. Making the remediation network a place where clients (managed or unmanaged) can gain the requisite updates or programs without support staff intervention will be critical in making the entire MS-NAP implementation a success. Choosing an enforcement method is an important first step in a successful implementation.
Planning what can happen on the remediation network is very important as well. Question whether updates be accessed from this network; if anti-virus updates/installations be accessed there; and, most importantly, whether the users perform the required updates automatically or without involving the client support staff.
Network Policy Server (NPS) mastery
In planning a MS-NAP implementation, a deep-level understanding of the NPS role of Windows Server 2008 should be reached. This server role will determine where systems will go based on their configuration. This is especially important because this server role touches other server roles or equipment depending on the enforcement mechanism selected. The NPS role also acts as a RADIUS server for the MS-NAP clients.
Real-world administration effort and support
Many network administrators are overworked and can have a difficult time perceiving a time where they could allocate the time to properly plan a network access protection system much less fully test and implement such a solution. The common response from a quick, unscientific survey of network administrators is "It would be nice, but I don't have the time" for a network access protection solution. Regardless of it being a Microsoft or a networking company solution, the responses are fairly consistent.
From an ongoing support perspective, the MS-NAP implementation can go one way or the other. If the remediation network has a way for the users to become compliant and a robust, intuitive way of doing such, the support effort will be minimized for ongoing access to networks from systems that have dipped out of compliance.
Networking hardware support
If the 802.1X enforcement method is selected, a unique challenge is presented. This method is unique because it would require maintaining support for the MS-NAP implementation from a networking hardware and server operating system perspective. While the implementations offered by the networking hardware vendors offer 802.1X authentication for an individual port, it takes an additional administration effort to ensure end-to-end compatibility.
New services on clients and domain group policy objects
For the client elements using the MS-NAP implementation, there are new services and local configuration elements that are required to utilize the functionality. Pushing these configuration elements to managed systems through an Active Directory domain GPO is the best way to deploy to large numbers of existing systems. The new configuration elements for the MS-NAP implementation are not available in Active Directory domains running at Windows Server 2003 level, but are available for Windows Server 2008 level domains. There are other ways to configure the new services for clients, but it would be optimal to be native in the domain group policy editor and link the new GPO to an OU or a domain.
It is not clear what implementation configuration would be required for Windows XP clients since Service Pack 3 is not yet available; nor is it clear how a Windows XP MS-NAP client would be managed -- if at all possible -- from a Windows Server 2008 functionality level Active Directory domain.
More from TechRepublic Series: SolutionBase
- SolutionBase: Enforce system policies with the Group Policy Diagnostic Best Practice Analyzer
- Fine tuning Microsoft ForeFront Server Security for Exchange
- Implementing Microsoft ForeFront Security for Exchange
- Configuring Exchange 2007 to be an Edge Transport Server
- Get Up To Speed with Interleave
- Installing System Center Essentials 2007
- SolutionBase: Enterprise-ready Process Automation with Interleave
- SolutionBase: Administer PacketFence with ease via Web interface
- SolutionBase: Installing and configuring Network Access Control with PacketFence
- SolutionBase: Block unwanted network access with PacketFence
- SolutionBase: Use PacketFence to stop unwanted network traffic
White Papers, Webcasts, and Downloads
- Using Red Hat Enterprise Linux AS to Achieve Highly Available, Load-Balanced Clusters Dell The Red Hat Enterprise Linux AS operating system integrates Cluster ... Download Now
- Offload Reporting To Improve Oracle Database Performance Quest Software Is your organization looking for a more cost-effective way to get critical ... Download Now
- Email Security and Archiving - Clearer in the Cloud Google The time is NOW for businesses and organizations of all sizes to implement ... Download Now
- More interoperability, plus 3 years Red Hat support, only from Novell Novell With one, unified management tool for both Linux and Windows, your mixed ... Download Now
- Evaluating Price/Performance of VMware ESX Server on Dell PowerEdge Servers Dell This paper examines the price/performance advantage that enterprises can ... Download Now
Article Categories
- Security
- Security Solutions, IT Locksmith
- Networking and Communications
- E-mail Administration NetNote, Cisco Routers and Switches
- CIO and IT Management
- Project Management, CIO Issues, Strategies that Scale
- Desktops, Laptops & OS
- Windows 2000 Professional, Microsoft Word, Microsoft Excel, Microsoft Access, Windows XP,
- Data Management
- Oracle, SQL Server
- Servers
- Windows NT, Linux NetNote, Windows Server 2003
- Career Development
- Geek Trivia
- Software/Web Development
- Web Development Zone, Visual Basic, .NET
