
NAP offers a network access control solution for SMBs

Tags: NETWORKING, access control, small and medium business, Deb Shinder, network, Network Access Protection, Network Access Quarantine Control, SMB Strategies Newsletter


Takeaway: SMBs are increasingly faced with security threats posed by the computers that connect to their networks. Microsoft's new NAP technology can give you control over the health status of both remote access and on-site clients as your organization grows.

Protecting the network is an important goal of any IT security strategy, and there are a number of sophisticated mechanisms that can give you better control of who accesses the network and how they do it. Unfortunately, small and medium businesses often perceive the available third-party products as too complex and/or expensive to be feasible. For example, Cisco's Network Admission Control (NAC) appliance can cost several thousand dollars. That may be more than small businesses on a budget can afford.

But if you plan to upgrade your network operating systems to the next generation of Windows Server (currently called Longhorn), the Network Access Protection (NAP) platform is already built in and can be used with Windows Vista or with XP clients running the NAP Client add-on software for XP that’s scheduled to be released at the same time as the new server OS (the XP NAP client is currently in beta testing). Windows Server 2003 will also be able to be a NAP client.

SMBs can take advantage of this core component of Longhorn Server and Vista to ensure that clients connecting to their networks meet their health and security criteria.

The importance of protecting network access

Every computer that connects to your local area network poses a potential threat. If it's infected with a virus or spyware, if it doesn't have adequate firewall protection, if it hasn't had the latest security updates and patches installed, and so on, the entire network can be placed at risk. You have some control over the on-site computers, but what about those that connect to the LAN via remote access, or the laptops that employees bring to work with them after having connected them to home or public networks?

To protect your network, you should set policies requiring that before it can connect to your LAN, a computer has to meet minimum "health" standards. But you can’t always trust users to comply voluntarily, so you need an enforcement mechanism that can determine whether a system meets the standards and prevent it from connecting, or restrict its access, if it doesn’t. That’s where NAP comes in; it’s Microsoft’s health policy compliance platform.

At first glance, NAP may sound a lot like Windows Server 2003’s Network Access Quarantine Control (NAQC), which can be used to enforce policies for remote access dialup and VPN connections to a Server 2003 system, but it’s a different technology and does much more. NAQC is only for remote access clients, whereas NAP is designed to protect the health of all systems that connect to your network.

For example, NAP can enforce health policy at several points: IPsec enforcement, where only computers that pass the health check receive the health certificate needed to communicate with other protected hosts; 802.1X enforcement for wired or wireless clients authenticating to a switch or access point; VPN enforcement for remote access clients; and DHCP enforcement, which checks health whenever a computer tries to obtain or renew an IP address. Note that DHCP enforcement is the weakest of these, because a user with local administrative rights can bypass it simply by assigning a static IP address. NAP also has the ability to interoperate with Cisco's NAC.

With NAQC, you have to write custom scripts and use command line tools to configure the behavior manually. It is possible to use NAQC and NAP at the same time, but in most cases NAP will replace NAQC.

How NAP works

NAP allows you to define the policies you want to apply to computers that connect to the network and check each connecting computer against that set of policies. You also have options as to what happens if a computer is non-compliant. For example:

  • You can allow it to access the network anyway, with information noted in the log so you can follow up and see that the computer is brought into compliance.
  • You can allow it to only access a restricted network, rather than the entire LAN. This is useful so you can provide resources on the restricted network that the user can use to bring the computer into compliance (for example, required security updates or anti-virus software and updates). You can also restrict the amount of time that a non-compliant computer can access the network.
  • It can be automatically updated to bring it into compliance, using SMS or other systems management programs.

Components of NAP

The components in Windows Vista and Longhorn Server that verify a computer's health are called system health agents (SHAs) and system health validators (SHVs). Third-party software vendors can provide SHAs and SHVs in their software for interoperability with NAP.

The SHA runs on the NAP clients and reports the client's health status in a statement of health (SoH). The SHV runs on the server and validates whether the health information provided by the SHA complies with your policies. The health policy is configured on the Network Policy Server (NPS), Longhorn's successor to the Internet Authentication Service (IAS) in Windows Server 2003. The NPS server hosts the NAP Administration Server, which hands each client's SoH to the matching SHV; the NAP Enforcement Server component runs on the enforcement point (the DHCP server, VPN server, or HRA), which in a small deployment can be the same machine as the NPS server. User and computer account information, including network access properties, is stored in Active Directory.

You can also use health certificates obtained from a certification authority to prove compliance; this is the mechanism behind IPsec enforcement. In that case, you need a Longhorn Server acting as a Health Registration Authority (HRA), which runs IIS, has the client's health validated by the NPS server, and then requests the health certificate from the CA on the client's behalf.

The server(s) that a non-compliant computer can access on the restricted network, which contain resources that can be used to bring the computer into compliance, are called remediation servers.
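To make the division of labor in "How NAP works" and "Components of NAP" concrete, here is a small Python model of the evaluation loop: an agent reports a statement of health (the SHA role), a validator checks it against policy (the SHV role), and the policy server maps the result onto the enforcement outcomes listed above (allow and log, or restrict to remediation servers for a limited time). This is an added illustration, not Microsoft's NAP code: the SoH field names, the policy fields, the "report_only"/"restrict" mode names, the sample remediation server address and the timestamp are all assumptions made here, and the sample SoH records are constructed.

```python
"""Toy model of the NAP health-evaluation loop (added illustration, not
Microsoft's code). SoH field names, policy shape and mode names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample statements of health (SoH), as a Windows SHA might report.
SOH_COMPLIANT = {"firewall_on": True, "av_on": True, "av_sig_age_days": 1, "missing_updates": 0}
SOH_STALE_AV = {"firewall_on": True, "av_on": True, "av_sig_age_days": 30, "missing_updates": 0}
SOH_NO_FIREWALL = {"firewall_on": False, "av_on": True, "av_sig_age_days": 2, "missing_updates": 3}

# Constructed evaluation time, so results are reproducible.
SAMPLE_NOW = datetime(2007, 1, 8, 9, 0)


@dataclass
class HealthPolicy:
    """Requirements the SHV enforces (assumed fields)."""
    require_firewall: bool = True
    require_av: bool = True
    max_sig_age_days: int = 7
    max_missing_updates: int = 0


@dataclass
class Decision:
    access: str                              # "full" or "restricted"
    failures: list = field(default_factory=list)
    remediation_servers: list = field(default_factory=list)
    expires: Optional[datetime] = None       # when restricted access is cut off


def validate(soh: Optional[dict], policy: HealthPolicy) -> list:
    """SHV role: return the failed requirements; an empty list means compliant.

    A client that sends no SoH at all (no NAP agent) cannot prove compliance,
    so it is treated as failing. Missing fields are also treated as failing
    (deny by default), which is our assumption for this model.
    """
    if soh is None:
        return ["no statement of health received"]
    failures = []
    if policy.require_firewall and not soh.get("firewall_on", False):
        failures.append("host firewall disabled")
    if policy.require_av and not soh.get("av_on", False):
        failures.append("antivirus not running")
    if soh.get("av_sig_age_days", 10**6) > policy.max_sig_age_days:
        failures.append("antivirus signatures older than %d days" % policy.max_sig_age_days)
    if soh.get("missing_updates", 10**6) > policy.max_missing_updates:
        failures.append("%d security updates missing" % soh.get("missing_updates", 0))
    return failures


def decide(soh, policy, mode, now, remediation_servers,
           grace=timedelta(hours=1), log=None):
    """Policy-server role: map the validation result to an enforcement outcome.

    mode == "report_only": non-compliant clients still get full access, but
        the failures are logged for follow-up (the article's first option).
    mode == "restrict": non-compliant clients can reach only the remediation
        servers, and only until `now + grace` (the second option).
    """
    failures = validate(soh, policy)
    if log is not None and failures:
        log.append("%s noncompliant: %s" % (now.isoformat(), "; ".join(failures)))
    if not failures:
        return Decision("full")
    if mode == "report_only":
        return Decision("full", failures)
    if mode == "restrict":
        return Decision("restricted", failures, list(remediation_servers), now + grace)
    raise ValueError("unknown enforcement mode: %r" % mode)


if __name__ == "__main__":
    policy = HealthPolicy()
    log = []
    samples = [("compliant", SOH_COMPLIANT), ("stale_av", SOH_STALE_AV),
               ("no_firewall", SOH_NO_FIREWALL), ("no_agent", None)]
    for name, soh in samples:
        # 10.0.9.10 is an assumed remediation server on the restricted network.
        d = decide(soh, policy, "restrict", SAMPLE_NOW, ["10.0.9.10"], log=log)
        print(name, d.access, d.failures, d.expires)
    print("\n".join(log))
```

The point worth noticing is that a client with no agent is treated exactly like a non-compliant one: a health check that silently passes clients that never report is not a health check. Real NPS has a separate setting for non-NAP-capable computers; in this model they simply land on the restricted network.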

For more detailed technical information about what occurs in each step of the NAP validation process, download the whitepaper titled Introduction to Network Access Protection from the Microsoft TechNet web site.

Summary

NAP is a robust solution for controlling network access based on computers’ health status and takes up where NAQC left off. It's a built-in component of Windows Longhorn Server and Windows Vista, so SMBs that use these operating systems will be able to take advantage of its benefits without the need to buy and deploy additional third party solutions. NAP provides for scalability and interoperability with other technologies such as Cisco NAC, so that as your network grows, you can continue to provide the level of protection your organization needs.
