Do you know the old saying that goes, "The quickest way out of something is to never have been in it?" If such wisdom rings true to you, then a new feature of Windows Server 2008, called Network Access Protection (NAP), should be of significant interest to you.
NAP is at the same time a technology and a technique that allows computers to be evaluated on the basis of their health. An administrator sets a baseline of what a "healthy" computer should be, and if a machine doesn't stack up in any way against that baseline, the system can be prevented from accessing the network -- quarantined, as it were, from the healthy systems until the user fixes his broken machine. If the fix is simple, then, in some cases, NAP services can automatically remediate the problem. For example, if an administrator mandates that the Windows Firewall must be turned on, NAP can easily enable the firewall if it's off, thereby fixing the problem and allowing access to the network.
Network Access Protection consists of three parts:
- Health policy validation
NAP's knacks and perils
NAP is a great feature of Windows Server 2008 -- in fact, it may be my favorite. The advantages are numerous. You get very effective protection against malware before it can infiltrate your network, it is included in the licensing cost of the server product and it presents another way for your users to take security seriously. If their systems aren't up to snuff, they can't get their work done, so system integrity becomes a unified priority across IT and the user community alike. Plus, it's intelligent enough out of the box to fix some simple problems, so quick fixes don't require calls to your support stuff.
That's not to say NAP is a golden ticket to security nirvana; there are indeed some disadvantages. Some skeptics even question why NAP is a security feature at all. (It is.) Consider the following:
- There are enforcement methods that jeopardize the effectiveness of NAP. For example, DHCP-based protection (where a few routes are assigned before health verification) is easily bypassed on the client by knowledgeable users who know what they're doing. They simply enter a static IP address and DNS/router information.
- The element of detection of network devices coming online can be difficult to implement securely, particularly solutions that rely on detecting broadcast packets.
- And finally, the best deployment method -- 802.1x protection with compatible switch or router hardware -- is expensive and requires a lot of time to test and bring online.
NAP with IPsec solves a lot of these problems. How? Stay tuned for Part 2, where I'll explain how the two technologies in conjunction are simply fantastic.
About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. He can be reached at firstname.lastname@example.org.
This was first published in November 2007