You were at the coming-out party for Windows Server 2003 in April of 2003, admit it. But did you notice that neat little feature standing alone in the corner because nobody was asking her to dance? Her name was Network Access Quarantine Control, and as new features go, it was amazing how little attention she garnered.
This little toy could look at your incoming remote access clients, check their patch levels, antivirus signatures and other pertinent security details, and then grant or deny access to your
Laura E. Hunter
The next major advance will arrive in the next release of 2003 -- R2 -- scheduled for release in mid-2005. Currently dubbed "Network Access Protection," this tool improves on NAQC in two significant ways:
- It creates simpler, GUI-based administration and implementation, rather than the extensive scripting needed for NAQC. In addition, Microsoft has promised interoperability with a number of third-party products, including antivirus and existing remote-access technologies.
- It extends the functionality of the protection to all types of connections, both remote access and LAN-based. This part is key because the pervasiveness of "always-on" Internet connectivity, wireless hotspots and smaller Internet-capable devices like cell phones and PDAs has greatly blurred the distinction between what is a locally connected versus a remote-access client. In many ways, the idea of the network perimeter has ceased to be a physical entity like a border router, and has become a much more logical concept.
However, Microsoft's entry into this market seems likely to place it in competition with existing network perimeter security software, most notably Cisco's Network Access Control. Now, I'm a big bad capitalist, and am of the opinion that competition is good for any industry, especially the software business. Competition for customer dollars almost inevitably leads to better products for the money, as different vendors develop more desirable features to "get the contract."
But when security is at stake, interoperability must trump the desire to turn a profit. At the risk of sounding utopian, the idea of a "greater good" needs to extend to the Internet and Internet-connected machines, since their security and well-being affect us all.
At the moment, the Microsoft and Cisco perimeter security products are gearing up to not quite speak to one another. NAP is slated to use PEAP (Protected Extensible Access Protocol), whereas Cisco's NAC is only meant to run on Cisco equipment. Given the prominence of both vendors' products in the enterprise network, this could prove problematic.
If the two offerings don't end up working and playing well together, network administrators who rely on both vendors' products will be forced to jury-rig a solution, either by building their own or using a product from a third-party vendor to create interoperability. I don't know about you, but I get nervous whenever I'm forced to use the word "jury-rig" in connection with network security.
Granted, this may be putting the cart before the horse somewhat, since there isn't much in the way of clearly defined standards for secure network access. But a significant positive indicator for the future is Microsoft's support for 802.1x authentication, both in Windows Server 2003 and Longhorn. If current or future iterations of the Microsoft and Cisco perimeter security offerings can be built according to industry standards -- either 802.1x or some future model -- the security of all those who rely on Microsoft and Cisco technology will certainly benefit.
Laura E. Hunter is a Microsoft MVP and SearchWin2000.com site expert.