Ian Hameroff : Network Access Protection

Article Alert: Policy-Driven Network Access with Windows Server 2008

ianhamer — Sun, 16 Mar 2008 04:41:35 GMT

While it has been nearly three months since I moved from the role as product manager for Windows Server networking to the Exchange Server team, I still get the occasional opportunity to strut my old networking stuff.

One such example is a recent article I co-authored with Amith Krishnan (product manager for Network Access Protection) on creating a policy-driven network access solution using a bunch of the new features of Windows Server 2008. The article -- entitled Policy-Driven Network Access with Windows Server 2008 -- appears in the March edition of Microsoft's TechNet Magazine.

Here's the article synopsis:

How do you allow network access to those who need it without sacrificing security? See how new technologies in Windows Server 2008, such as Windows Firewall with Advanced Security and Network Access Protection, let you implement a policy-based approach to help you achieve this goal.

Unfortunately, the online version of article doesn't offer you the opportunity to make comments on the article. So, please feel free to post your thoughts or feedback to this blog posting.

Okay, back to Exchange for me. I'm currently completely week 2 of 3 on the road doing focus groups around our future plans for Exchange Server. Good stuff; albeit exhausting to be traveling across the US, Asia (currently in Tokyo) and then Europe. Yahoo!

-- hama

Broadcom Takes IPsec to Task (Offload That Is)!

ianhamer — Thu, 08 Nov 2007 05:49:03 GMT

Our friends over at Broadcom announced on Tuesday (November 6th) a new super cool, 65nm Gigabit Ethernet controller that will incorporate support for Window Vista's IPsec Task Offload functionality!

As my boss' boss said in the press release:

"Thanks to Broadcom's inclusion of IPsec task offload support, our mutual customers will have even greater flexibility when implementing the IPsec features of Windows Vista and Windows Server® 2008," said Mike Schutz, Director of Security and Access Product Management at Microsoft. "By easing any potential performance tradeoffs, these latest NetXtreme security features will help further the adoption of such advanced Microsoft Windows security solutions as Server and Domain Isolation and Network Access Protection."

Effectively, with IPsec task offload support, many of the CPU intensive work required for hashing packets or encryption (if you're using the encryption options) can be moved to the NIC. This frees up the many CPU(s) for more interesting tasks, like running applications or surfing the web for stuff.

This means there'll be one less reason to not consider using IPsec as the great network security tool I've written about for sometime now!

-- hama

Now You Can Receive Me In Stereo!

ianhamer — Fri, 26 Oct 2007 23:20:59 GMT

As an FYI, I'm now also blogging on the recently launched Forefront Team Blog on another part of the TechNet blog-o-sphere-o-rama. I posted one that's very relevant to the networking and network security themes of this blog, and thought it would be worth a quasi-cost post plug here:

Happy Birthday Windows Networking!

Enjoy!

- hama

Greetings from the Future (Or, At Least GMT+8)

ianhamer — Sat, 15 Sep 2007 06:41:31 GMT

It's the Saturday following my week here in Kuala Lumpur (aka KL) and TechEd 2007 SEA (aka South East Asia). The week was a good time, and it was great to connect with the local 'softies, MVPs, partners, and of course, the regional customers.

I delivered two sessions, both basically repeats of my sessions at TechEd 2007 USA:

Implementing the IPsec Simple Policy Update for Windows XP and Windows Server 2003
Enabling Policy-Driven Network Access

The second of the two was based on my TLC interactive theater session by the same name. However, I re-worked the slides and introduce a pretty neat demo.

The demo illustrates a few of the Policy-Driven Network Access features of Windows Server 2008 and Windows Vista. In particular, Network Access Protection (using IPsec enforcement), and the Windows Firewall with Advanced Security.

Here's a snap-shot of my demo environment:

The actual physical setup included two laptops and simple switch. My trusty ThinkPad T60p booted the client side (Windows Vista Enterprise) off of my second hard disk in the UltraBay, and my Acer Ferrari ran the three Windows Server 2008 servers as VMs via Virtual Server 2005 R2 SP1. I'm looking forward to trying these out on Windows Server virtualization!

I had also planned on showing our Secure Wireless LAN solution (aka using the built in 802.1X supplicant in Windows Vista, the WS08 Network Policy Server/RADIUS, and EAP-TLS), but the Linksys wireless access point I brought along was only rated for 120V/60Hz. This certainly a disappointment. I mean, no offense to our friends at Cisco, but come on! Almost every piece of technology I own can handle, at the very least 100-240V. Well, thanks to a local colleague, I was able to re-work the demo with a borrowed switch.

The demo was a bit of a re-work of the Security and Policy Enforcement demo I showed at WinHEC. I cut the bits about how AD Rights Management Services integrates with MOSS, blah blah, and focused more on the network controls. Like being able to perform network layer authentications using health (aka NAP Health Certifications) and User credentials (via the Windows Firewall with Advanced Security's "Allow if Secure" filters in conjunction with Connection Security Rules). I plan on expanding the demo even further to include a few more bells and whistles (and a little more time spent on the back-end policy creation).

I'll be speaking to an SBS User Group in Singapore on Tuesday, and I hope to re-run the demo there with these additional bells and whistles.

To close: We had our company meeting on September 6th. This happened to coincide with flight from Seattle to Singapore. Nevertheless, I attempted to get into the spirit of the Company Meeting, by wearing the bright orange (wow!) long sleeved T-shirt our entire team had planned on showing off at the big show, but for me on the airplane:

You can almost see the flag from the Windows Server 2008 logo on my left arm. I attempted to capture the whole of the sleeve by flexing it a bit while using my Palm Treo 750's built-in camera to snap the shot. At the same time, I was trying to avoid making it looking I was trying to show off my "guns" (even though I have been working out at the Pro Club and it would be nice if you did notice!). Talk about team pride!

-- hama

Tech·Ed 2007 - Day 4: TLC Fun! (Recap)

ianhamer — Thu, 07 Jun 2007 17:42:45 GMT

Once more, I'm plagued by horrifically poor bandwidth on the hotel network.

After having dinner with Sean (aka Seanv6) at the Bahama Breeze, and dodging some hardcore downpours with lots of loud thunder and nearby lightening to boot, I returned to my humble temporary abode to check email, surf for interesting tidbits to kick-off my Thursday afternoon IPsec session with, and -- YIKES! -- discover 89 kbps download rates.

I normally travel with one of them Linksys Wireless-G Travel Routers, which provides a bit of wireless freedom even if the hotel doesn't offer such. Turns out that the hotel has both wired (including a "bank pen like attached CAT-5 cable -- see picture below) and wireless.

I went through every possible iteration of connectivity options, and actually discovered that my private WLAN yielded better transfer rates than being plugged in directly on the hotel's copper, or using their WLAN.

Amazing!

Sean shared similar frustration, and we both wondered why a conference town like Orlando doesn't have more than "two-cans with string" type network access to the "Internets".

This morning was a little bit better:

Anyhow.

Yesterday afternoon I delivered my "Enabling Policy-Driven Network Access" TLC Interactive Theater session (formerly known as Chalk Talks), to a great audience. The session was (more or less) a mini-breakout, and it appeared to be well received. We talked about a long list of built-in Windows Server 2008 and Windows Vista network security functionality that can help you embrace more policy-driven network access.

The topics included:

Windows Firewall with Advanced Security (aka the new Windows Firewall)
IPsec enhancements
Server and Domain Isolation
Secure Wireless LAN
Network Access Protection

If you attended the session, but would like a copy of the presentation deck (which is not up on CommNet) please contact me.

We also had a little fun yesterday with the Virtual TechEd Security Track folks. Brian Seitz shot a video of (approx. 10 minutes) me and Rodrigo (our MVP) talking about Server and Domain Isolation on the show floor, and Rodrigo's experience deploying the solution at his university in Brazil.

Check it out:

Video: Ian Hameroff at TechEd

You can see more cool stuff like this up on Brian's blog at: http://brianseitz.spaces.live.com.

For fans of my session from the Tuesday (SRV310 - Deploying High Performance and Scalable Networking with Windows Server 2008), here's an article that talks about the Tolly Group performance report that will be posted to MSCOM very shortly (I promise!) that John Fontana from Network World posted yesterday afternoon:

Microsoft-sponsored study says Vista improves TCP/IP performance

Okay, time to get sorted and over to The O.C.C.C.! I have one more session this afternoon SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP. Here's the abstract:

Common IPsec-based scenarios, like Server and Domain Isolation, require the configuration of an IPsec policy that contains rules for protected and permitted traffic. For some enterprise deployments, the IPsec policy rules can require hundreds of IP filter definitions that must be maintained over time. The Simple Policy Update for Microsoft Windows XP and Windows Server 2003 changes the behavior of IPsec negotiation so that the IPsec policy rules can be simplified, in some cases drastically reducing the number of required IP filters and their ongoing maintenance. This session dives into what these changes are and how they can be applied to both existing and new deployments of Server and Domain Isolation.

Don't forget to stop by the show floor (aka the Yellow TLC) and say hello!

-- hama

TechEd 2007 Security Track Goes On-line

ianhamer — Wed, 30 May 2007 02:20:55 GMT

Guess what?

TechEd 2007 is next week!

Yup.

And, to help make your TechEd experience even better, my pals over in the Trustworthy Computing Group have launched a brand new "TechEd Security Track 2007" site off of Microsoft.com. Check it out at: http://www.microsoft.com/security/teched/default.mspx

What's neat is you can listen to me blather on about the BillG keynote at WinHEC, the recent NAP/TNC announcement, and a preview of what to expect at TechEd from the networking and network security folks (like me). Check out my little "In Their Own Words" podcast...I'm the one right between Ali Parker and Mike Howard.

Back here at the Redmond Ranch we're prepping all systems for TechEd and also enjoying 74+ degree weather. And yes, the sky is sunny and the clouds are far and few between. What a day!

Anyhow, I hope to see you at the big show next week! You can find us in the Yellow TLC in the security section.

If the opportunity to meet me isn't thrilling enough, perhaps having a chance to rap with one of our leading network security MVPs, Rodrigo Immaginario from Brazil, is the deal maker. Rodrigo has extensive experience with our Server and Domain Isolation solution, and is working to deploy Network Access Protection (NAP). He's also worked with the full range of new networking functionality in Windows Vista and Windows Server 2008.

-- hama

Windows Server 2008 Network Security Webcast

ianhamer — Sat, 26 May 2007 01:07:37 GMT

The next few days in the US is Memorial Day weekend, also known as the unofficial start to summer. The means there will be plenty of barbeques, parties, and a Monday off.

Well, if you find yourself without something to done during this extended weekend, why not checkout this 90 minute TechNet webcast Amith Krishnan (NAP product manager) and I recorded back on May 17th:

TechNet Webcast: Windows Server 2008: Advancing Network Security (Level 300)

Here's the abstract of what was covered:

Among the long list of enhancements and innovations coming in Windows Server 2008 are a number of networking advancements and policy-driven network security features. In this webcast, we discuss the next generation of networking features in Windows Server 2008 and the network security solution scenarios these features enable. We examine the new Windows Firewall with Advanced Security, Server and Domain Isolation, and Network Access Protection (NAP). Discover how you can use these new networking innovations to provide your users with a more secure, reliable, and cost-effective connection experience.

We answered a bunch of questions on the call, but happy to answer any more you might have after watching the replay.

Enjoy, and have a great extended weekend!

-- hama

The 2007 Tour: From SecMan to WinHEC to Interop and on to TechEd

ianhamer — Wed, 23 May 2007 21:36:07 GMT

May.

What a crazy month!

What is it that they say?

"May comes in with a joint launch for Forefront and System Center, and goes out with a Windows Server 2008 demo for a BillG keynote at WinHEC in LA"

Maybe I'm confusing the old adage about the month of March.

Anyhow, here's a quick recap.

On May 15th, I had the distinct honor of delivering a Windows Server 2008 Security and Policy-Enforcement demo in Bill Gates' final WinHEC keynote. I already blogged about the experience, et al on the Windows Server Division's blog, but here's a real neat one:

That guy in the red circle (which I added) is me! This was the WinHEC 2007 home page on Tuesday, May 15th. I didn't even know about it until a colleague over in the Windows Server launch team sent an email blast out to the whole world.

This was followed by lots of jibs and jibes and photo doctoring.

Anyhow...it was really cool to meet the big man and show off the sweet security stuff (like NAP) in Windows Server 2008.

Well, right after WinHEC comes Interop.

Yeah, that Las Vegas conference has managed to survive.

At this year's shindig, Microsoft and TCG (Trusted Computing Group) announced that TNC (Trusted Network Connect) -- the third of the three main NAC solutions on the market -- will standardize on NAP's Statement of Health (SoH) protocol, extending NAP interop with Juniper Networks and the rest of the TCG-TNC ecosystem.

You can learn more about this in this new white paper:
Standardizing Network Access Control: TNC and Microsoft NAP to Interoperate

Next: I'm making an appearance on an upcoming Scalable Networking webcast that's being sponsored by Alacritech. We'll be chatting about TCP Chimney Offload with Alacritech's Scalable Network Accelerator line of TOE NICs.

You can learn more about this Wednesday, May 30th webcast and how to register at the following link: Enhancing Your Data Center Performance with Microsoft TCP Chimney Offload

Okay.

After all this is TechEd 2007 in sunny (and humid) Orlando, Florida.

Among the normal stuff we do at this annual company confab, I'm delivering three sessions:

SVR310 - Deploying High Performance and Scalable Networking with Windows Server 2008
Tuesday, June 5th at 2:45PM-4:00PM (Eastern) in room S220 D

SEC08-TLC - Enabling Policy-Driven Network Access
Wednesday, June 6th at 2:00PM-3:15PM (Eastern) in the Theater #2 in the Yellow TLC

SEC309 - Implementing the IPsec Simple Policy Update for Microsoft Windows Server 2003 and Windows XP
Thursday, June 7th at 2:45PM-4:00PM (Eastern) in room N220 E

Following TechEd, who knows?

At least I (mostly) know what's going on between now and then!

Get Your NAP (Step-by-Step) On!

ianhamer — Fri, 27 Apr 2007 20:11:45 GMT

A great thing about reaching the B3 milestone for Windows Server "Longhorn" is all the new (and improved) documentation that we get to publish. One such example is a set of new Network Access Protection (aka NAP) "step-by-step" guides to help you setup and test your favorite NAP scenario.

For your perusal, we have four new guides to match the four flavors of NAP enforcement:

DHCP
VPN
802.1X
IPsec (my personal fav)

This is quite timely -- not only because we just release Beta 3 of Windows Server "Longhorn" -- because just yesterday afternoon I spoke on a panel about securing data in a highly mobile environment as part of the CSO Summit going on here on campus. After the panel chatted about such new and updated data security features like BitLocker and RMS, we switched gears to talk about data in motion.

I was not surprised to see that most people (including CSOs in the communications sector) were mostly concerned about the impact of "guest workers" on their network leading to information compromise and leakage. About 3/4 of the folks in attendance indicated that was their primary motivator for evaling such things as end-point auth and network access control solutions.

When I started to talk about what were doing with NAP and other type solutions (read: Server and Domain Isolation) many wanted to know both what they could do now (like with Server and Domain Isolation -- which is available from Windows 2000 through Windows Server "Longhorn") and how they could "kick the tires"

Well.

These step-by-step guides are a great way to get things rolling. Simply download Beta 3, install our kick arse Virtual PC 2007 (available at no cost) and pick your favorite step-by-step. Clearly the 802.1X scenario will present some challenges since you really can't virtualize a switch (easily).

Check this stuff out and I'd enjoy hearing what you're feedback!

WinServer "Longhorn" B3: This time it's "Ready, Set, (Download), and Evaluate!"

ianhamer — Thu, 26 Apr 2007 04:01:00 GMT

That's right Windows Server "Longhorn" fans, Beta 3 is ready for your evaluation!

Simply visit http://www.microsoft.com/getbeta3, and you're halfway there to trying out the first major public preview of our next generation of Windows Server.

As our press release touts:

"[With] Beta 3, customers will see new features and enhancements that include stronger security, better performance, new server roles and features, and additional server management and remote administration tools."

What that translates to is, well, a lot of new features and functionality that are ready for "tire kicking."

Heck, we even provided a little cheat sheet to help you zero in on some of the key new features:

New and improved features in Beta 3 include the following:

Windows PowerShell is now included in the product.

Active Directory Federation Services improvements allow customers to implement new policies and make it easier to set up a relationship between trusted partners.

The Server Core installation option now comes with additional roles and enhanced functionality, such as print services and Active Directory Lightweight Directory Services.

The Server Manager console includes additional remote administration tools to provide a more integrated management environment.

Windows Firewall with Advanced Security, now on by default, provides a persistent and more secure environment beginning at installation.

NAP is integrated with Microsoft Update and Windows Update to enable administrators to decide which updates are critical and set policies accordingly. It also has a new administrative interface for simplified setup, scalability and better performance.

Hey, there are two key features of mine on that list! NAP and the Windows Firewall with Advanced Security.

Now, there's been enough written about that NAP thingy, so I'll concentrate on the Windows Firewall instead. You didn't misread the bullet above -- we have switched it on by default to help further the defense-in-depth security controls for Windows Server as well as help reduce attack surface area right out of the gate.

We started down this road with the "Post -Setup Security Update" feature in Windows Server 2003 Service Pack 1 that switched on the newly added Windows Firewall right after install so you could safely venture on to the Internet to retrieve latest updates without increasing the risk of an unpatched vuln being exploited over the network. As you might recall, this feature was described as follows:

"Windows Firewall provides network protection after install while users update their system with the latest patches using the new Post-Setup Security Updates feature.

[Post-Setup Security Updates was] designed to protect the server from the risk of infection between the time the server is first started and the application of the most recent security updates are applied from Windows Update. If Windows Firewall is enabled and the administrator did not explicitly enable Windows Firewall using an unattended-setup script or Group Policy, Post-Setup Security Updates opens the first time an administrator logs on."

The team has been working diligently to test all the major Windows Server scenarios/workloads/roles/etc under this new "on by default" model to ensure we were able to map out the key IP service ports and related communication parameters. We've also done some neat stuff with Server Manager feature (cool stuff!) to help apply the appropriate firewall policies per the role(s)/workload(s) you enable.

I strongly encourage you to check this feature out, and learn about how this default to on works with the applications you run on top of Windows Server!

Well, my battery is just about to die (I'm at SFO getting ready to head back to SEA from the Gartner Symposium/ITxpo event here this week -- more on that later), so I better stop here so I can get this thing posted!

That's Right...You're In Control!

ianhamer — Thu, 19 Apr 2007 21:41:04 GMT

This ain't no joke.

It's the global launch of Forefront and System Center, and it's a little less than two weeks away.

What?

You don't already have your calendars marked for May 2nd?

You haven't booked your flight to the land of 90210?

Well, here's your chance to not only experience the shock and awe of a large Microsoft launch, you also get a chance to see yours truly live and in action.

"Are you keynoting?"
Er, no.

"Do you have a session?"
Not really...well...actually no.

"Are you parking cars?"
Come on, let's be serious!

"What the @#$% are you doing there then?"
I'm glad you asked!

Me and me colleague Amith Krishnan (product manager for NAP) will be manning a booth in the solutions showcase that demos Network Access Protection working with some of the very Forefront and System Center technologies being featured this upcoming May 2nd at the Beverly Hilton in LA-LA land Los Angeles.

You can learn more about this launch event (including the details around the chance to receive free software* valued at over $3000, including Microsoft SQL Server Standard Edition and other Microsoft infrastructure software [NOTE: You can also learn more about what disclaimer that asterisk (aka '*') next to "free software" means]) by visiting the "You're In Control" Internetter-site at http://www.microsoft.com/infrastructure

"That's great and all Hameroff, but I live in Singapore and I just can't fly to LA just because you said there is a chance for $3,000 in free software (while supplies last and limited one gift per person) and possibly popcorn!"
I dig it. You also have a nice list of regional launch events happening in and around the same time. Check out http://www.microsoft.com/infrastructure/events.mspx to learn more about the one that's closest to you.

Well, if the allure of meeting me in person (I'll even sign your free software* gift!) doesn't tip the scales for you, at least check out the great stuff around Forefront Client Security and the latest in System Center products. There's some trial software you can download and kick the tires for yourself today!

Heck, have your own "You're in Control" launch event.

My schedule is fairly flexible, so let me know if you need me to work your solutions showcase.

I'll even bring the popcorn.

Networkin' Forums-o-Plenty!

ianhamer — Thu, 19 Apr 2007 01:30:10 GMT

Great news networking fans, we've doubled the number of of Windows Server "Longhorn" focused TechNet forums focused on networking related workloads and features. In addition to the Platform Networking forum launched a number of months back, we really kicked off a new Network Infrastructure Servers forum to focus on our four main networking server roles:

DHCP
DNS
RRAS
NPS (formerly known as IAS Server, and more commonly called RADIUS by the masses)

The beauty of these forums is they are a great way to connect with folks like me (if you think that's a great deal and all) and members of the Windows networking engineering team. Oh yeah, we've got a lot of non-Softies logging hours on the forums help address question you may have while checking out all the new networking features in Windows Server "Longhorn" and Windows Vista.

Oh.

Yeah.

Don't forget the Network Access Protection and Terminal Services forums either.

Come to think of it, just check'em all out at:
http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17

Dodging Silver Bullet Syndrome or: How I Learned to Stop Worrying and Prepared for NAP (Part 1)

ianhamer — Sat, 14 Apr 2007 00:24:18 GMT

I find it both interesting and exciting to see all the continued industry buzz around the whole network access control space (read: the long list of acronyms like Microsoft NAP (MNAP), Cisco NAC (CNAC), TCG's TNC (TNC), et al). Perhaps one of the interesting twists to this space is the combined industry effort to define such "nac" solutions as a simple, single silver bullets for what ills today's highly interconnected networks rife with mobile workers, network guests, and those evil doers - the malicious attacker.

Granted, I'm not attempting to cast a stone within a glass house (i.e. Microsoft is marketing NAP as a solution offering in this space), but instead hope to reset the reality versus marketing that is potentially being put into the market place. (read: your humble blogger is attempting to "stir the pot", not "kick-up of storm"...I think).

First and foremost, no offering, from any vendor should be viewed as the single, one stop solution for improving the security of your network. Instead, I strongly suggest you view these various solutions/products -- from end-point products, to appliances, to full-network overlays -- as tools in your arsenal to enforce the policies you already have.

Wait.

You have policies, right?

No, not those "No Smoking" or "Don't Surf Porn" policies.

I mean the policies that outline what a healthy computer looks like. Like, what does it mean to be or what does it take to get in compliance.

I like to call these your pile of paper policies (or PPP -- not that point-to-point protocol). Many of you have already (hopefully) created a basic set of requirements for what it means to be in compliance. This was likely driven by a malware outbreak (i.e "dang, if only we installed that patch or actually made people turn on AV") and/or as the result of an external audit.

Good. You've got those.

Next, you need to revisit them to make sure they are not only up to date, but comprehensive enough to be meaningful. For example, it's not just good enough to say you need antivirus and some patches here and there. You'll need to think about how you'll treat, for example, guest workers. What about the latest versions of LOB applications?

Yes. You're right that we don't want to run before we can walk, but it is both good and important to build in a process that enables your organization to revisit these PPP on a regular basis and update as needed (especially as threats change). For example, it's no longer enough to just switch on Automatic Updates since attackers have been working their way up the application stack now, and the result are attacks that target things like licensing mechanisms for the applications you may have installed en masse (a la CA's "calic" vulnerability a few years back).

My recommendation is you take a look at some of my favorite bits of Microsoft guidance and industry best practices to help support these efforts. You don't necessarily need to reinvent the wheel. Instead, you can add some of those neat Aquatreds to provide some more agility.

Some of my fav's and great places to start include:

Microsoft Security Risk Management Guide (which we did a Security360 on way back a few years ago)
Microsoft Threats and Countermeasures Guide
Microsoft Windows Vista Security Guide

Once you have your health policies in order, you'll need to next look at how you want your logical network to defined. Yup, the logical network. A key mindset you'll need to adopt is around shifting the way you think of your network from what is today defined by the physical topology (i.e. the wires, radio waves, and routing gear) to one that is based on and driven by policy.

We like to call this policy-driven (network) access. I added the "network" there to help scope what we're talking about.

My next posting will look at how to start modeling your network, and what tools/solutions are available to you today (like Server and Domain Isolation and Secure Wireless LAN with IAS).

Post Script

So, just yesterday morning we were meeting with some representatives of a large OEM of Microsoft's, and was quite surprised by the fact they were not hearing a lot of buzz from their customers around the whole NAC space.

"Wow!" I said. "This is one of the hottest areas of buzz and discussion in the network security space."

Still. No dice.

"Back your statement with data," was a very appropriate response from the OEM's relationship manager to me. Granted, it was early, so I couldn't pull any great stats out.

Well, groups like TheInfoPro have shown that NAC is a hot space, as detailed in this January 2007 article posted to IT Security:

"A recent survey by TheInfoPro shows that 30 percent of the Fortune 1000 companies polled already have NAC in use. That installed base appears poised to grow. More than half of TheInfoPro’s survey participants had NAC somewhere in their technology adoption plans. Fourteen percent of the respondents reported piloting or evaluating NAC technology, 12 percent cited NAC in their near-term plans, and 27 percent considered NAC a long-term implementation item."

It's just one set of data points, but there is certainly a lot of buzz out there!

It's NAP Chat Time Again (March 13th)!

ianhamer — Tue, 13 Mar 2007 02:51:07 GMT

Don't miss your chance to "hang with" the Enterprise Networking team in cyberspace as they lead a chat on "Deploying NAP end to end in your Enterprise"!

If you're unfamiliar with TechNet chats, this is a great opportunity to check one out. Here are the details:

Date: Tuesday, March 13, 2007

Time: 11am Pacific Daylight Time

Length: 60 minutes

Abstract:
This web chat will focus on what's involved in implementing NAP in an organization, as well as updating everyone on NAP's development status. There will be the opportunity to ask questions of the developers, tests and program managers working on NAP.

Link: www.microsoft.com/technet/community/chats/chatroom.aspx

You can find more of these chats here:
http://www.microsoft.com/technet/community/chats/default.mspx

Enjoy!

WinServer Longhorn and WinVista: Like to Two Peas in a Pod...er...On a Network

ianhamer — Wed, 07 Mar 2007 03:16:35 GMT

Your humble blogger returns after surviving a cross-country trip to ol' New York on "vacation". Vacation is in quotes because, well, I need one now that I'm back.

On to business!

While I was out, J. Nicholas Hoover of InformationWeek published a "Top Seven" (Letterman fans unite) on Windows Vista features that need a little help from Windows Server "Longhorn" to light up:

Seven Windows Vista Features That Depend On Longhorn Server

This is pretty cool because it highlights things like:

Network Access Protection:
"Microsoft's access control method--network access protection--is built into Vista and Longhorn. NAP lets administrators define policies that, for example, require that anyone who wants to connect to a network run Vista with the latest patches plus valid anti-spyware and anti-spam applications, or be denied access."
Policy-based Quality of Service:
"Microsoft mostly left quality of service--controlling bandwidth priority for certain apps and users--to networking vendors. Now it's making that better with Vista and Longhorn via an upgraded network protocol stack."
IPv6:
"IPv6 is an Internet Protocol upgrade that promises to dramatically increase the number of viable addresses, and it's native in Vista and Longhorn."

The article (in the short space of 985 words) does generalize a bit. Like the comment that NAP for XP doesn't necessarily "interoperate with some popular enforcement mechanisms and won't work without Longhorn." So, it's important to check out the links I provided above for some additional, deeper details on these technologies and features.

Going back to my example, NAP "technically" only requires a single WinServer "Longhorn" server running the Network Policy Server (NPS) role. You'd likely have a few more of these around for fault tolerance and to scale out across large networks. Secondly, we're doing a lot to ensure the XP NAP add-on client will provide a good deal of parity to the built-in client for Windows Vista.

One other reference that is worth a deeper review is related to the work we've done with Policy-based Quality of Service (QoS). Hoover generalizes about how "Longhorn will assign priority and bandwidth limits to applications on a network" and that it only works "if there's a Vista client on the other end."

Well, that's mostly true.

Here's the scoop. Yes, we now have mechanisms within Windows Vista and Windows Server "Longhorn" to provide centralized management of QoS policies. We call that bit Policy-based QoS. As the link above details, this provides a means to "stamp" outgoing packets with a DiffServ (DSCP) value (one of them Internet standards) so your routing fabric knows how to manage the priority of this traffic using it's existing QoS queues. For this "stamping" to occur, the host needs to be either a Windows Vista client or a Windows Server "Longhorn" server (no current plans for down-level support). If the host on the other end is not one of these (or even Windows) this will have no impact on the QoS policy. The routers just need to support DSCP (which is quite common since this was outlined in RFC 2474 in 1998).

As for the bandwidth throttling, this do not require a specific host or router/switch on the other end either. The client (or server) will simply slow the pace based on the policy created (see below for an example) for the application or network address/port/service you define.

There are a bunch of other things we do to improve network performance and scalability that improve even further when you have Windows Vista on the client and Windows Server "Longhorn" on the back end. Check out the webcast I did back in October 2006 that covers off these "better together" networking scenarios.

Overall, it is super cool to have these numerous networking features highlighted in this top seven list. Thanks Nick! I just wanted to make sure you had all the details at your disposal.