The constant development of built-in network access control solutions, such as Microsoft NAP, have created a lot of confusion about the functions, features and implementation options available to organizations.
MICROSOFT NAP SUPPORTS LINUX, MAC
Contrary to popular thought, Microsoft NAP is not designed to manage only Microsoft environments. Following through on original promises, Microsoft was pretty quick to release NAP agents for both Linux and Mac platforms, making it a viable option for most organizations. Admittedly, during NAP's early life, it's recommended to stay close to home when starting a rollout with Microsoft NAP and I wouldn't suggest getting too creative until you're comfortable with it in its native state.
Specifically in Microsoft environments, clients with Windows XP SP3 and later are already equipped with the NAP client and servers from Windows Server 2008 R2 currently have the most functionality in management options. In general, the newer the platform, the more options are available for endpoint control.
USING NAP FOR PORT SECURITY
Most organizations looking at NAC are interested in one of two things: 1) endpoint integrity (verifying the posture of the endpoints) or 2) port security (controlling Layer 2 or 3 access to the network at the edge). Although Microsoft NAP offers access enforcement options such as 802.1X comparable to most other NAC solutions, it wasn't designed to ease port security enforcement. The planning and integration on the infrastructure side is just as tedious with Microsoft NAP as with any NAC solution using port security features. Here's one place where traditional NAC products and Microsoft NAP are pretty equal in implementation.
USING NAP FOR ENDPOINT INTEGRITY
If, on the other hand, an organization is most interested in endpoint integrity, then Microsoft NAP offers an option with much less cost and complexity than traditional NAC solutions. When implementing endpoint integrity rules, the most common policy checks include:
- Verification of operating system versions and patch levels.
- Verification of host firewall configurations.
- Verification of the presence and signature status of antivirus or antimalware.
- Verification of the presence of antispyware.
- Restriction of access to specific applications.
While there are organizations with more specific needs, the majority are looking for only a handful of critical postures such as those listed above.
MICROSOFT AND NON-MICROSOFT POLICY EVALUATION WITH NAP
In its raw native state, Microsoft NAP includes built-in checks for security postures directly related to Microsoft components, such as a Microsoft operating system, Microsoft updates, Microsoft firewall, etc. In environments that are 100% Microsoft, these checks may be enough to verify basic corporate policy compliance for endpoints. In fact, Microsoft NAP native checks in combination with Active Directory Group Policies can deliver endpoint security similar to many traditional NAC solutions.
For organizations that are not all Microsoft, or have specific needs outside of the built-in checks, the Microsoft NAP platform easily integrates third-party evaluations, via support for additional system health agents on the client and system health validators on the server. Most technology in use in enterprise endpoints (Symantec, McAfee, Citrix, ConfigureSoft, Sophos, Intel, RSA, Shavlik, Kapersky, LanDesk ) have Microsoft NAP APIs already created. Even more vendors are on board with the TCG's (Trusted Computing Group) TNC (Trusted Network Connect) framework for NAC and security communications, which Microsoft NAP also integrates with. Although third-party integration is not widely implemented yet, as the technology grows and adoption rates increase, the integration will be more familiar of a task, requiring just a few extra check boxes of configuration.
Based on experiences with this platform, I can say the Microsoft NAP agent is easy to manage on endpoints, and the Microsoft NPS (Network Policy Server) is pretty intuitive to use, especially for administrators familiar with creating RADIUS policies. Most organizations looking for endpoint integrity control generally allow grace periods for remediation, favoring network availability over immediate security by quarantine. In those environments, the statement of health checks available with Microsoft NAP (native or third party) can deliver an easy solution for endpoint health compliance without the added hassles of managing port security, policy servers and additional agents in traditional NAC products.
Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. She specializes in areas of network security, NAC/NAP, 802.1X and wireless security, and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and lead SME in the cryptography domains of the official (ISC)2 CISSP courseware and maintains SecurityUncorked.com blog.
Send comments on this technical tip to firstname.lastname@example.org.
This was first published in October 2009