In years gone by, maintaining network security was relatively simple: Install a big, bad firewall at the perimeter of your network, and only clients that existed within that perimeter could access your company's critical files and applications. In the modern world, however, this model simply doesn't cut the proverbial mustard.
Modern IT managers need to be able to address growing and changing threats to corporate information security, including:
- Home-based staff members who aren't protected behind the corporate firewall.
- Outside contractors, vendors and business partners who bring laptops inside your firewalled environment and require access to resources.
- High-speed residential Internet connections that provide "always-on" connectivity for your staff members to access corporate resources, often from computers that have not been configured or secured according to corporate IT standards.
NAQC: Not much bang for the buck
Microsoft's first attempt to address this problem was Network Access Quarantine Control, a tool that appeared with very little associated documentation in the Windows Server 2003 Resource Kit. NAQC was a first attempt at performing "health checks" against remote access clients before allowing those clients to connect to resources on the corporate network. These health checks could ensure that antivirus software was installed and that the connecting client was running a sufficiently modern operating system and service pack, among other things.
The down side of this technology was it was incredibly difficult to deploy . As something of a "throw-in" tool in the resource kit, NAQC was poorly documented and required administrators to write complex scripts to perform the necessary health checks.
There have been anecdotal tales of companies that spent tens or even hundreds of thousands of dollars on consultants to create the necessary scripts for NAQC to function. Because of this, NAQC was not widely deployed.
Here comes NAP
In the upcoming release of Windows Server 2008 (code-named Longhorn), Microsoft will deliver a much improved offering to replace NAQC in the form of Network Access Protection. NAP will be an integral offering in Windows Server 2008 and has already been available for testing in the various beta releases of Windows Longhorn Server.
The idea behind NAP hasn't changed all that much from NAQC: to confirm the "health" of computers before allowing them to connect to the network. The major improvements available in NAP are the ways in which it can be implemented and the management tools available for its deployment. Rather than simply allowing IT managers to check the health of incoming Remote Access Service connections, NAP will allow them to do so for both wired and wireless connections, as well as for remote access and for VPN- and LAN-connected devices.
NAP works like this: Any computer that attempts to connect to the network will be prompted by the NAP server to provide a statement of health, indicating configuration items such as what the machine's current patch levels are, whether the Windows Firewall and/or Automatic Updates are turned on, and whether the Windows Defender anti-spyware client is enabled on Vista workstations.
Third-party vendors will also be able to plug into a published API that will ship with NAP, which would allow IT managers to perform health checks against non-Microsoft configuration items as well. This could include requiring clients to run a certain version of antivirus tools from Symantec Corp. or McAfee Inc., or ensuring that a third-party firewall product has been enabled on the client desktop.
Preparing for NAP
So is there anything you can do to prepare your organization to deploy Network Access Protection? Even though Windows Server 2008 is not set to be released for another few months, there are steps you can take and infrastructure you can deploy that will make a NAP deployment much more accessible when the product hits the streets.
NAP is one of those technologies that has a lot of moving parts, so preparing now will make any future deployments that much easier. Some of these steps include:Taking an inventory of your security-related software, and querying vendors to find out if they will be interoperating with NAP. Several major antivirus, firewall and other client security software vendors have already announced their intentions to partner with NAP to allow it to make health-check decisions based on the state of this third-party software, including Altiris, Check Point Software Technologies Ltd., Aruba Networks Inc.
See Microsoft's site for a full list of vendors that have announced their intention to partner or interoperate with NAP.
Taking early steps to prepare your technical infrastructure for NAP
At a minimum, an organization needs to have an internal public key infrastructure deployed because this is essential for the proper functioning of NAP. Additional infrastructure components will depend on how you intend to deploy NAP, but some common requirements might involve deploying an 802.1X infrastructure and/or IPsec security across your Active Directory domain.
A common preparatory task when getting ready for NAP is to deploy server and domain isolation within your AD environment using IPsec as an enforcement mechanism. This will serve double duty for you by improving your security levels now while simultaneously preparing you for the new features that NAP will provide once Windows Server 2008 is released.
Start testing the beta software. The key components of NAP are already available for early testing in the Windows Longhorn beta, which can be accessed using an MSDN subscription or by applying for access to the beta at Microsoft's site. The NAP team at Microsoft has already released a number of white papers and step-by-step guides at http://www.microsoft.com/nap. The team also maintains an active blog at http://blogs.msdn.com/nap.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is an Active Directory architect for a major engineering and staffing firm where she provides Active Directory planning, implementation and troubleshooting services for business units and schools across enterprise networks. Hunter is a four-time recipient of the prestigious Microsoft Most Valuable Professional award in the area of Windows Server-Networking. She is the author of Active Directory Field Guide (APress Publishing) as well as co-author of the Active Directory Cookbook, Second Edition (O'Reilly). You can contact her at firstname.lastname@example.org.