Windows Server 2008 Controls Network Access
Directions on Microsoft, December 2007
By Michael Cherry
The following is the full text of an article published by Directions on Microsoft, an independent research firm focused exclusively on Microsoft strategy and technology. More samples of our content, as well as a list of upcoming articles and reports, are also available.

Network Access Protection (NAP), a key feature of Windows Server 2008, will allow an organization to enforce security and configuration policies on all computers accessing the organization's network. NAP provides a new level of control over Windows XP and Vista computers attempting to connect to the network; for example, it can ensure that these computers have the latest updates, which should improve overall security and reliability. However, the NAP architecture and the interaction of its components are complex, and the level of protection will depend on compatible NAP hardware and on software agents and validators.

Controlling Access to Networks

NAP is a Windows service designed to keep insecure or compromised home and laptop computers off an organization's network. NAP can examine Windows XP and Vista computers for compliance with the organization's configuration standards for the following:
Noncompliant computers attempting to connect to the network can be quarantined, which allows them to access only isolated remediation servers in order to install the required software, signature files, and updates and to make the necessary configuration changes. The need for such protection was already apparent with a wave of major worm attacks in 2001 and 2002 and has become more critical as attackers have moved from the simple pursuit of notoriety to active attempts to steal private data from individuals and organizations.

The Windows Server 2003 Resource Kit introduced a form of NAP with a service called Network Quarantine, which scanned computers connecting over virtual private network (VPN) or dial-up connections and measured them against a desired policy. However, the add-in was difficult to implement because each organization had to write its own scripts to determine the state of a connecting computer and to decide how to handle computers that were not compliant with the desired policy.

NAP consists of two main components: a NAP client that runs on the computer seeking access to the organization's network, and the NAP Network Policy Server (NPS) role of Windows Server 2008, which determines the computer's level of compliance and therefore the level of connection it will be allowed.

The NAP Client

The NAP client gathers information about the health of a computer trying to connect to the network, passes that information to the NPS for analysis, and, based on the analysis, controls which network resources the computer can access. The heart of the NAP client is the NAP Agent, which controls the Enforcement Agents that connect to the network and the System Health Agents (SHAs) that determine and report on the state of the computer on which they run. The information gathered by the NAP Agent is aggregated and forwarded to the NPS for analysis. (For an illustration showing the NAP components, see "NAP Client Architecture".)
The NAP client supports a variety of network access methods, for example, connection over a VPN. Each method provides a way to block the client computer's access to the network if it fails the compliance check, or to limit the client computer to an isolated portion of the network that hosts the remediation servers. Multiple methods are needed to handle the different ways people connect to an organization's network, whether wired or wireless, and to support the variety of secure network protocols in use today.

Out of the box, the NAP client can determine and report on the updates that are present on the computer, whether the computer is running current antivirus software, and the status of Windows Update and the Windows Firewall. The NAP client can be extended by third parties to provide more information. For example, although the NAP Agent has an SHA that can detect the presence of antivirus software, a third-party SHA could dig deeper into the status of the security software, providing additional details about the state of signature files or other configuration parameters. Cisco will also provide two modules that ensure secure transport and carry health information: the Cisco EAP-FAST module and the Cisco EAPoUDP module.

The NPS

The NPS integrates with the network infrastructure, including VPN servers, routers, and switches, to receive health reports from a NAP client, analyze the reports, and control the client computer's access to the network accordingly. The NPS is fundamentally a mirror of the NAP client: it contains services for communicating with computers running the client, and server-side validation components (System Health Validators, or SHVs) for interpreting the Statement of Health (SOH) reports produced by the NAP Agent. The NPS analyzes the health report from the NAP client on the connecting computer to determine whether the computer complies with the organization's policies, which administrators configure using the NPS administration console.
The administration console is also used to configure third-party SHAs and SHVs. Based on its analysis of the SOH reports, the NPS works with the network infrastructure to either grant or deny access to the network. (For an illustration of the interaction of the NAP client and NPS, see "No Access for You!".)

NAP and NAC Interaction

In Oct. 2004, Microsoft and Cisco announced that they would work together to provide greater interoperability between their respective network security and health assurance technologies, Microsoft's NAP and Cisco's Network Admission Control (NAC). Microsoft and Cisco describe their network protection technologies in a similar fashion: both will enforce policy so that devices connecting to the network must be up to date (with the correct level of OS and patches) and have antivirus software with current signature files. If any of these conditions is not met, the device will be denied access or given restricted access until it complies with the policy. "Soft enforcement" can also be used to notify users of noncompliance without restricting access, which may be particularly useful while an organization transitions to network access control.

Organizations that want to control the access of clients or devices other than those running Windows XP and Vista, including personal digital assistants, might choose the solution from Cisco or run a combination of Microsoft and Cisco technologies. For Windows Vista, both Cisco and Microsoft use the included NAP client. To further support NAP and NAC, Cisco provides network access devices that are NAP and NAC enabled, such as switches and wireless access points. Cisco Secure Access Control Servers (ACSs), which authorize network management and ultimately enforce access, interact with the Microsoft NPS to validate the health reports supplied by NAP clients.
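As an added illustration, not code from the article or from Microsoft, the following Python model walks through the client/NPS exchange described above: several agent-style checks contribute to a single Statement of Health, the server-side validation runs each check against an administrator-defined policy, and the combined result maps to full access, restricted (remediation-only) access, or a notify-only outcome when the policy is in "soft enforcement" mode. The class names, fields, policy thresholds, update identifiers and sample clients are all constructed for this example and do not correspond to the real NAP data formats or APIs.

```python
"""Simplified model of the NAP health-check flow (constructed example, not
Microsoft's implementation). An SOH is the aggregated client report; the
validator functions stand in for the server-side SHVs; decide_access plays
the NPS's role of mapping compliance to a network access level."""

from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class StatementOfHealth:
    """Aggregated client report as the NAP Agent would forward it (hypothetical layout)."""
    client: str
    firewall_enabled: bool
    windows_update_enabled: bool
    antivirus_installed: bool
    antivirus_signature_date: Optional[date]
    installed_updates: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    """Compliance thresholds an administrator sets on the NPS (constructed values)."""
    required_updates: Set[str]
    max_signature_age_days: int
    soft_enforcement: bool = False  # notify without restricting access


def validate_soh(soh: StatementOfHealth, policy: Policy, today: date) -> List[str]:
    """Run each validator against the report; return the failed checks (empty == compliant)."""
    failures: List[str] = []
    if not soh.firewall_enabled:
        failures.append("firewall disabled")
    if not soh.windows_update_enabled:
        failures.append("Windows Update disabled")
    if not soh.antivirus_installed:
        failures.append("no antivirus")
    elif (soh.antivirus_signature_date is None
          or (today - soh.antivirus_signature_date).days > policy.max_signature_age_days):
        failures.append("antivirus signatures stale")
    missing = policy.required_updates - soh.installed_updates
    if missing:
        failures.append("missing updates: " + ", ".join(sorted(missing)))
    return failures


def decide_access(soh: StatementOfHealth, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """NPS-style decision: 'full', 'restricted' (remediation network only), or
    'full-with-notice' when the policy is in soft-enforcement mode."""
    failures = validate_soh(soh, policy, today)
    if not failures:
        return "full", failures
    if policy.soft_enforcement:
        return "full-with-notice", failures
    return "restricted", failures


def remediate(soh: StatementOfHealth, policy: Policy, today: date) -> StatementOfHealth:
    """What a remediation server would achieve: apply missing updates, refresh
    signatures and re-enable the firewall, producing a new report to re-evaluate."""
    return StatementOfHealth(
        client=soh.client,
        firewall_enabled=True,
        windows_update_enabled=True,
        antivirus_installed=True,
        antivirus_signature_date=today,
        installed_updates=soh.installed_updates | policy.required_updates,
    )


# Constructed sample policy and clients (update IDs are placeholders).
POLICY = Policy(required_updates={"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, max_signature_age_days=7)
SOFT_POLICY = Policy(POLICY.required_updates, POLICY.max_signature_age_days, soft_enforcement=True)
TODAY = date(2007, 12, 15)

COMPLIANT = StatementOfHealth("laptop-01", True, True, True, date(2007, 12, 14),
                              {"KB-EXAMPLE-1", "KB-EXAMPLE-2"})
STALE_AV = StatementOfHealth("laptop-02", True, True, True, date(2007, 11, 1),
                             {"KB-EXAMPLE-1", "KB-EXAMPLE-2"})
HOME_PC = StatementOfHealth("home-pc", False, True, True, date(2007, 12, 14),
                            {"KB-EXAMPLE-1"})

if __name__ == "__main__":
    for report in (COMPLIANT, STALE_AV, HOME_PC):
        access, why = decide_access(report, POLICY, TODAY)
        print(f"{report.client}: {access} {why}")
    fixed = remediate(HOME_PC, POLICY, TODAY)
    print(f"{fixed.client} after remediation: {decide_access(fixed, POLICY, TODAY)[0]}")
```

The point of the model is the separation the article describes: the client only reports, the policy lives on the server, and the same failed checks produce either quarantine or a notice depending on whether the administrator has chosen soft enforcement during the transition period.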
The companies have also agreed to cooperate on agent and update deployment: Microsoft will distribute the two Cisco client modules through Windows Update and the Windows Server Update Services (WSUS). Finally, the NAP and NAC platforms will support the following:
Cisco is not the only third party that will have to supply components: third-party security and communications hardware and software vendors will have to supply custom client-side agents and server-side validation components for NAP to ensure that an organization can check the full health of a client requesting a connection. Several security software vendors, such as Symantec and McAfee, have signed on to support NAP, and Microsoft is confident that third parties will supply enough components that customers will not have to rip and replace technology already in place in order to use NAP. But, as with Microsoft's reliance on third parties to produce high-quality device drivers, the success of NAP will depend not only on the number of client-side health detection agents and server-side health validators available but also on their quality. If they are absent or poorly written, NAP will not succeed.

Availability and Resources

An overview and details on NAP are available at technet.microsoft.com/en-us/network/bb545879.aspx. Cisco's NAC is described in more detail at www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html. A white paper on NAC and NAP interoperability can be downloaded from either www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c654/cdccont_0900aecd8051fc24.pdf or download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf.