TORONTO -- Microsoft is developing perimeter security technology that could put it in direct competition with networking giant Cisco Systems Inc.
The software maker this week outlined plans to build technology into Windows Server that checks the health of PCs entering a network. Microsoft's Network Access Protection (NAP), outlined by Mike Nash, vice president of Microsoft's security business unit, at the Worldwide Partner Conference, does essentially the same thing as technology planned by San Jose, Calif.-based Cisco.
Cisco's Network Admission Control (NAC) program was introduced in November as a means to combat worms and viruses by restricting network access. Its first phase, which is rolling out this year, will be supported only on Cisco's routers, according to the company, but other devices will be supported in subsequent phases.
But Steve Anderson, Microsoft's director of the Windows Server group, said Microsoft is currently in "deep discussions" with Cisco. "The ideal is to bring them together."
Planned for 2005 release
NAP will initially appear as part of Windows Server 2003 R2, due out in 2005. The company has signed up 25 partners that will support NAP, including Cisco rival Juniper Networks Inc., Symantec Corp., McAfee Inc., Computer Associates International Inc., Altiris Inc., Shavlik Technologies LLC, Bindview Corp. and Hewlett-Packard Co.
The feature, which operates at Layer 3 -- the network layer -- checks compliance levels of a client seeking network access. If a PC is not fully patched or presents any kind of a risk, it will be placed in a restricted network until it is deemed to be in compliance with an organization's defined security policy, said Anderson.
A client requests access to the network via a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server then asks the PC for a statement of its general "health."
The RADIUS server would then consult one of the policy providers' servers, such as Symantec's or Altiris', for further validation. If the PC fails to receive all the right approvals, it is sent to an isolated network. Microsoft will inform users of their lack of compliance via pop-ups. The system will be managed from an enhanced console on the RADIUS server, the company said.
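The admission flow described above, simulated end to end as an added example (this is not Microsoft's NAP code, and the article does not describe NAP's wire format): a client submits a self-asserted statement of health, the RADIUS-side policy engine checks it against the organisation's policy, forwards it to a stand-in for a policy provider's server for further validation, and answers with either the production VLAN or an isolated remediation VLAN plus the text a user would see in the pop-up. The policy values, the patch-level numbering, the antivirus product names, the sample clients and the reply-attribute mapping (modelled on standard RADIUS tunnel attributes) are all assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable


@dataclass
class StatementOfHealth:
    """What the client reports about itself when asked (self-asserted, not verified here)."""
    host: str
    patch_level: int            # constructed: a monotonically increasing patch baseline number
    av_vendor: str
    av_signature_date: date
    firewall_enabled: bool


@dataclass
class Policy:
    """The organisation's defined security policy (values constructed for the example)."""
    min_patch_level: int
    max_signature_age_days: int
    require_firewall: bool
    full_access_vlan: int = 10      # production network
    restricted_vlan: int = 99       # isolated remediation network


@dataclass
class Decision:
    host: str
    compliant: bool
    vlan: int
    reasons: list[str] = field(default_factory=list)


# A validator inspects one aspect of the statement of health and returns its failures (empty = pass).
Validator = Callable[[StatementOfHealth, Policy, date], list[str]]


def check_patch_level(soh: StatementOfHealth, policy: Policy, today: date) -> list[str]:
    if soh.patch_level < policy.min_patch_level:
        return [f"patch level {soh.patch_level} below required {policy.min_patch_level}"]
    return []


def check_signature_age(soh: StatementOfHealth, policy: Policy, today: date) -> list[str]:
    age = (today - soh.av_signature_date).days
    if age > policy.max_signature_age_days:
        return [f"antivirus signatures are {age} days old (max {policy.max_signature_age_days})"]
    return []


def check_firewall(soh: StatementOfHealth, policy: Policy, today: date) -> list[str]:
    if policy.require_firewall and not soh.firewall_enabled:
        return ["host firewall disabled"]
    return []


# Constructed stand-in for a policy provider's server (e.g. an antivirus vendor) that the
# RADIUS server consults for "further validation": it knows the newest signature set per product.
LATEST_SIGNATURES = {"AcmeAV": date(2004, 7, 12)}


def av_vendor_validator(soh: StatementOfHealth, policy: Policy, today: date) -> list[str]:
    latest = LATEST_SIGNATURES.get(soh.av_vendor)
    if latest is None:
        return [f"unknown antivirus product '{soh.av_vendor}'"]
    if soh.av_signature_date < latest:
        return [f"signatures dated {soh.av_signature_date} but vendor's latest is {latest}"]
    return []


LOCAL_CHECKS: list[Validator] = [check_patch_level, check_signature_age, check_firewall]


def evaluate(soh: StatementOfHealth, policy: Policy, validators: list[Validator], today: date) -> Decision:
    """Apply every validator; any single failure places the client in the restricted network."""
    reasons: list[str] = []
    for validator in validators:
        reasons.extend(validator(soh, policy, today))
    compliant = not reasons
    vlan = policy.full_access_vlan if compliant else policy.restricted_vlan
    return Decision(soh.host, compliant, vlan, reasons)


def radius_reply(soh: StatementOfHealth, policy: Policy, validators: list[Validator], today: date) -> dict:
    """Shape the decision as a RADIUS reply. Attribute names follow the standard tunnel attributes
    (RFC 2868) and Reply-Message (RFC 2865); mapping NAP's result onto them is this example's assumption."""
    decision = evaluate(soh, policy, validators, today)
    reply = {
        "Code": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(decision.vlan),
    }
    if not decision.compliant:
        # Text the client would surface to the user in the compliance pop-up.
        reply["Reply-Message"] = "Restricted network until remediated: " + "; ".join(decision.reasons)
    return reply


def demo() -> dict:
    """Run three constructed clients through the policy and return the reply per host."""
    today = date(2004, 7, 14)
    policy = Policy(min_patch_level=5, max_signature_age_days=7, require_firewall=True)
    validators = LOCAL_CHECKS + [av_vendor_validator]
    clients = [
        StatementOfHealth("ws-01", 5, "AcmeAV", date(2004, 7, 12), True),   # fully compliant
        StatementOfHealth("ws-02", 4, "AcmeAV", date(2004, 7, 1), False),   # unpatched, stale, no firewall
        StatementOfHealth("ws-03", 5, "OtherAV", date(2004, 7, 13), True),  # passes local checks, unknown to vendor
    ]
    return {soh.host: radius_reply(soh, policy, validators, today) for soh in clients}


if __name__ == "__main__":
    for host, reply in demo().items():
        print(host, reply)
```

The third client is the interesting one: it satisfies every locally evaluated rule, and only the policy provider's lookup sends it to the remediation VLAN, which is the role the article assigns to the Symantec or Altiris servers. Note that everything the server decides on is reported by the client itself; the provider lookup is the only cross-check in this flow.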
Not just for remote connections
One IT administrator familiar with NAP said he would be interested in the technology when it becomes available. "We've been trying to come up with a way to validate that all clients coming into our network have the latest virus pattern files, and this looks like it would fit the bill," said Paul Edwards, a Windows administrator at PHH Arval, a Sparks, Md.-based fleet management company that is a division of Cendant Corp.
Anderson said NAP is distinct from the VPN quarantine capability that was disclosed last fall by Steve Ballmer, Microsoft's CEO. Ballmer said Microsoft will release to customers a technology it developed internally that would quarantine a remote user who tries to access a network through the VPN. NAP is a broader architecture that works without any developer involvement. It also protects all connections and all users, not just remote ones, Anderson said.
NAP will initially support the Protected Extensible Authentication Protocol (PEAP), which is being integrated into Windows clients. The company is still deciding whether it will offer support for the IETF's IPsec, the IEEE 802.1X standard, or both, when the Longhorn version of Windows is released.
Support for 802.1X urged
NAP is a good start, but it needs to support 802.1X to be really effective, said John Pescatore, an analyst at Gartner Inc., the Stamford, Conn.-based consulting firm.
"We believe 802.1X will be key to all scan and block and Microsoft needs to get on board," Pescatore said. "We'd also like to see Microsoft and Cisco make their 802.1X supplicants be compatible."
Separately, Anderson said the second beta for Windows Update Services (WUS) will begin late this year. WUS, which is the next generation of Software Update Services, is now due out in the first half of 2005. It had originally been expected to be released this year.