Network Access Protection (NAP)

Latest news from the Network Access Protection (NAP) team at Microsoft.

Five Ways to Draw More Value from Microsoft NAP Deployments

Five Ways to Draw More Value from Microsoft NAP Deployments

  • Comments 2
  • Likes

Here is a guest posting from our NAP Partner Avenda Systems.

 

When the founders of Avenda Systems decided to build a Policy Platform, one of the first stops included Microsoft. NAP was in the works and discussions with other industry experts led us to embrace the idea of creating a product or products that truly allowed for adding value to the NAP platform.

Early discussions with Microsoft centered on the development of extensible NAP agents for the support of Windows and Vista operating systems, as well as delivering agents for client operating systems other than Windows. The plan was to provide supplemental value to allow organizations to easily deploy NAP in heterogeneous operating system environments and take advantage of NAP’s robust endpoint health policy architecture.

Here are five ways that you can get value from the combination of NAP and products from Avenda Systems:

1.     No other Policy Server required

The use of Avenda’s eAgents lets organizations use the resources they have already deployed to support NAP.  All three functions of Windows Server 2008, Network Policy Server (NPS)—RADIUS server, RADIUS proxy, and NAP health policy server—are leveraged across all access methods, including wireless, wired, and VPNs. 

 

At some point the need to support managed and unmanaged devices in a NAP environment may warrant the use of a complimentary platform, but the addition of intermediary policy servers should not be required when investigating NAP Partner solutions. 

2.    Extended control beyond Windows Security Center checks
When using the Windows Security Health Validator (WSHV), policy validation checks are performed  to verify the existence and status (running or not) of the following; Firewall, Anti-Virus Protection, Spyware Protection, Automatic Updating, and
Security Update Protection.  Based on a client’s response, a noncompliant result can cause the client to be put into a restricted network until the condition has been corrected. For example, if a client has turned off Anti-Virus for some reason, they will not be allowed full network access until the Anti-Virus software has been turned on again.

When using Avenda’s Universal System Health Agent (USHA) and Universal System Health Validator (USHV), administrators gain the ability to create fine-grained policies that extend beyond the verification of the status of the applications and services described above. In addition, the client can be requested to provide version numbers, DAT file and engine revisions and the time the last scan was performed, and automatic remediation can be performed for Anti-Virus and Anti-Spyware applications. The Avenda SHV can also be configured to check for and will start or stop certain services and applications that match specified registry values.  For example, clients that have Skype installed can be restricted (as detected by registry values). Once on the network, if Skype is installed again, the next health evaluation can restrict the client.

As the adoption of Windows Server 2008 increases, inquiries regarding our eAgents has really picked up. Customers are attracted to the expanse of additional functionality and our ability to quickly integrate new features. Additional features such as server-side policy checks for latest versions and updates of anti-malware products and data files are available as a portal service from Avenda.

3.    Supported Operating Systems
Avenda’s eAgents are available for Windows Vista, Windows XP with Service Pack 3, and Windows Server 2008. In addition, we also have a
Linux NAP Agent (with 802.1X enforcement) and a Macintosh NAP Agent is in the works.

 

4.    Dissolvable Agents
Many organizations allow guest and partner access and a common concern has been how to treat unmanaged clients (either lacking or have misconfigured supplicants) that attempt to connect to the network.  The addition of Avenda’s
eTIPS Policy Server, which interacts with Microsoft NPS, supports this requirement. A fully NAP SoH protocol-compliant dissolvable agent (a Java applet), in simple terms, performs Web authentication and health checks through a captive portal. 

For transient users, policies can also determine what level of access is allowed, for what length of time and on which days of the week.

5.    Avenda’s competitive advantage

When deploying eAgents in a network (especially for educational institutions, companies that are merging, call centers, etc.), it is important for the agent to support and expect to encounter anti-malware products from multiple vendors. Avenda’s eAgents ship with support for all major anti-malware vendors.

Comments
  • Five Ways to Draw More Value from Microsoft NAP Deployments Feed: Network Access Protection (NAP) Posted

  • Here is a follow-up guest posting from our NAP Partner Avenda Systems . Due to the interest in our recent

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment