I published a tip recently covering Microsoft's existing solution for protecting your network from malware installed on remote users' machines, called Network Access Quarantine Control. As I said then, NAQC is effectively the precursor to a much more capable quarantining service, called Network Access Protection, which won't be available until both Vista and Longhorn server are released. In this tip, I'll take a look at the differences and provide some guidance as to what you should be paying attention to and when.
The topic of network quarantining grows in importance each day. The giants in networking and software realize it and have begun releasing products and services that automatically defend your network against foreign threats that find themselves on the wrong side of the firewall (at least from your perspective as the systems administrator).
NAQC and NAP: The differences
The biggest difference between NAQC and NAP is scope: NAQC protects just against machines outside your perimeter that attempt to connect to your network. NAP does that, too, but it takes protection a step further by enforcing policies on computers directly connected to the LAN, including mobile computers that come back to the home office and that connect occasionally. This closes a serious loophole in NAQC coverage.
That's not the only refinement, however. Here is a chart so you can see at a glance the primary differences between the NAQC application that exists today and the set of features that are coming when you pair Windows Vista with Longhorn Server.
|Aspect||NAQC (existing)||NAP (in Vista/Longhorn Server|
|Scope of protection||Remote access and VPN clients||Remote access and VPN clients plus computers connected to local network (complete protection)|
|Deployment||Server: Windows Server 2003 Resource Kit
Client: through Connection Manager profiles
|Baked into server and client releases; no further installation necessary|
|Scope of service||Any existing client that supports Connection Manager profiles (not local clients)||Windows Vista clients, local or remote Protection for remote clients available for all client platforms with a special connection profile|
|Exception Management||Only through custom sets of packet filters||Complete graphical interface for managing individual and group-based exceptions|
NOTE: The features and capabilities of NAP as listed in this tip are as of this writing; of course, when it comes to Microsoft beta software, everything is subject to change before release, even up to the last minute.
Should you deploy NAQC now?
A lot of administrators are wondering whether to go ahead and deploy Microsoft's existing quarantining solution, NAQC, when there's clearly a superior release on the horizon. You might also be considering an investment in Cisco's quarantining solution, Network Access Control -- the primary selling point being hardware-based control of policies that isn't dependent on the operating system software.
In either case, my recommendation is not to wait. In terms of NAQC, for one, the probability that a remote user will infect your premises grows with each passing day, particularly as more locations where mobile users frequent offer unfettered, unfirewalled, completely insecure Internet access. Second, the protection offered to your mobile users can still continue with NAP in its current form, so you don't exactly lose by making the effort to deploy NAQC now. Finally, some security is better than none at all. The only cost of NAQC now is time; you have the tools you need that are freely available. Why not take advantage of them and introduce the concept of quarantining in your organization? In terms of deploying Cisco's solution, consider your investment well protected. NAP and NAC are fully interoperable and compatible.
Either way, deploying quarantining services now will make the transition to full-blown NAP even easier when both Windows Vista and Longhorn Server are finally commercially available.
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.