If you spend much time reading the network security trade journals and newsletters, you might be aware that many of the hardware vendors out there are pushing something called NAC, which means Network Access Control. The goal of these hardware vendors is to provide a mechanism to insure that only healthy client machines should be allowed to connect to the network. Client health, of course, is based on software configuration.
So, if you’re going to choose a solution that’s designed to control access to the network basis on software status and configuration, do you really think hardware vendors are the best solution? It would make sense to use a solution created by a company who only does software. It would be even better if that company is the one that makes the operating system you use on over 95% of the computers on your network.
Well, there is such a solution — Microsoft’s upcoming Network Access Protection or NAP. When Windows Server 2008 comes out next year, you will be able to control who can access your network, or parts of your network, based on the current software status and configuration of the machines connecting to the network. Who better than Microsoft to create a software solution to a software problem?
NAP will work with Windows XP SP3 and Vista clients and it will allow you to control those clients access to the network based on their operating system configuration, AV status and AS status. Third party software makers will be able to hook into the NAP infrastructure, so that you can further extend the required security and software configuration on the client before allowing them onto your network. The best thing is, the client side agent is built into Vista and Windows XP SP3 — no need for third party agents that can be the cause of the classic “finger-pointing” game when things go haywire.
Another nice thing is that there will be Linux and Mac support. From what I hear, Microsoft is creating the Linux piece and ISVs will work on the Mac NAP client. Nice! In addition, NAP will work together to Cisco hardware to work together to Cisco NAP solutions.
I’ve been using NAP for a few months now on my Windows Server 2008 beta network and it’s a dream come true. No longer do I need to worry about customers and guests connecting to my WAP and infecting my network. They just have no access, period. And what’s even better, I can still allow them access to the Internet using NAP controls without having to do anything fancy on my firewalls to support these guests.
I highly recommend that you give the Windows Server 2008 NAP a try. There’s plenty of information on NAP on the Microsoft NAP site at http://technet.microsoft.com/en-us/network/bb545879.aspx
Also, the NAP Team Blog is a great place to get inside information about NAP. Check that out at: http://blogs.technet.com/nap/
HTH,
Tom
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/2gpoo8
Email: [email protected]
MVP – Microsoft Firewalls (ISA)