Steve Lamb's Blog

Security Matters

Blogs

Over the next few week's I'll teach you all about Network Access Protection

  • Comments 4
  • Likes

Over the coming weeks I'm embarking on a journey through the wonders and mysteries of Windows Vista's Network Access Protection (NAP).

All of the content for this journey will be tagged as "JourneyThrough: Network Access Protection".

Through a series of blog posts I'll share with you details of what's possible with Windows XP and Server 2003 to reduce the risk of machine that fail to comply with corporate security policy through Network Quarantine (a feature of Windows Server 2003) and IPsec.

I'll share with you the background and context for this important new technology. I'm writing the content myself and linking to interesting documents as well providing my own commentary and suggestions.

This material is grounded in reality rather than marketing spin; it’s a technical guide which will help you learn about how to secure network access by asserting and enforcing the security policy compliance (health) of client machines BEFORE granting them access to sensitive “internal” networks.

Modern information workers typically take advantage of seamless access to whatever internet access is available to them. Think about your daily use of network resources. I use a 3Mb/sec DSL (Digital Subscriber Line) connection at home, the corporate wireless and wired connections when I’m in the office and cyber café wireless access when I’m out and about. Sometimes I also use hotel and customer/partner network access too. No longer is it safe to assume that “the network protects me” from all ills. In fact it’s often “the network” that carries the malicious software from other peoples’ poorly configured / poorly patched systems. Consider what happens when you return from holiday. Often a security update (formerly referred to as a patch) is released while you’re away. When you return (either remotely or in the office) your system is susceptible to exploitation via the vulnerability until you update it. Both quarantine (for VPN connections) and NAP (for all connections) will reject connection requests (if so configured to do so) for un-patched systems thereby saving other members of the network from infection. These technologies work in conjunction with personal firewalls (such as the one built into XP SP2) which reject unsolicited incoming connection requests from other hosts. Theoretically this will prevent worms infecting such un-patched systems. Defense in depth best practice dictates that both quarantine/NAP AND personal firewalls should BOTH be used to provide effective security.

The quarantine feature in Windows Server 2003 is a “no additional charge” (free) feature of the operating system that enables us to force VPN (Routing and Remote Access – RRAS) clients to prove that they comply with the prime aspects of our information security policy BEFORE granting them access to the internal network. If you’ve ever worked from home and established a full network connection (Virtual Private Network – VPN) to corpnet then you’ve used our quarantine implementation. The Connection Manager Administration Kit (CMAK) is used in conjunction with Remote Quarantine Client (RQC) and Remote Quarantine Server (RQS) to implement quarantine. Microsoft employees (who work remotely) run “Connection Manager” to initiate the VPN client and integrated Quarantine functionality. Remediation is a unique benefit of both Quarantine and NAP which enables users to bring their systems into policy compliance if they are initially denied access.

NAP is essentially a next generation of quarantine bringing in support for IPsec, DHCP, 802.1X (port based authentication), RRAS (VPN) enforcement points. Client machines must prove that they comply with corporate policy (i.e. are “healthy”) BEFORE connecting to corporate resources by wired, wireless and remote access. 

Stay tuned and please provide your feedback in the customary "comment" manner.

Comments
  • Just a brief comment about the lmauriayp feature (free).
    I've worked a bit with the RQC client, when I did setup an ISA server 2004 wtih VPN and used the quarantine network. I can see the idee and the use for it, but as an administrator, and not a programmer I had some serius problems actually implementing the features I would like to check for.
    I know it can't all be "click" and use, but still I hope that the Quarantine access implementing in the feature will be made a bit easy'er.
    It's difficult for an administrator to make a small user interface, so the user know if they get access or what they need to comply with the company security policy.

    So perhabs it could come with a default script using windows XP SP2 security center which can check for the antivirus is uptodate parameter.

    I personal check for Antivirus (uptodate), Firewall enabled, ICS disabled and then SP2.

    Looking forward to the rest of the journey and thanks alot for spending some time on these topisc :-)

  • I agree Benjamin, RQS/RQC wasn't written with the IT guy in mind. We thought more of the IT-Dev, who needed a solution *today*. There was a ton of pressure to supply it, even from our own internal IT group.

    We hope to solve this in Longhorn Server with NAP, and give complete policy based control to the admin (through NPS, formally IAS/RADIUS).

    I am curious about the experience Steve is going to have setting it all up. I will come back here to check it out. :->

    I am going to be posting Beta 2 screen shots this week from my NAP demo rig. I also really want to web cast a live demo of NAP in action. This stuff is real!

    Jeff Sigman [MSFT]
    NAP Release Manager
    jeff.sigman@online.microsoft.com


  • "JourneyThrough" is a term I made up last week to signify a way of linking a series of blog entries...

  • Hi Jeff,

    Thanks for the answer :-)
    Actually I think I forgot to mention in my replay, that I was looking forward to NAP since (from the NAP teams blog) it looks like it will have some user friendly graphic. Only question is if it will be integrated with the ISA VPN (I guess so) *Grins* But I will follow this blog and the NAP teams blog closely, since this seems like a great way to handle security on the LAN in a company and something that we for sure can use.

    Keep up the good work :-)

    Yours Sincerely,
    Benjamin

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment