Network Access Protection (NAP) : industry

See NAP at TechEd 2009

MS NAP Team — Tue, 12 May 2009 03:53:00 GMT

Hey NAP Fans!

If you are attending TechEd 2009 in Los Angeles this week, be sure to stop by the NAP booth in the Microsoft Technical Learning Center (TLC). It is a great opportunity to meet and speak with NAP team members and learn about some of the enhancements and new scenarios in Windows® 7 and Windows® Server 2008 R2.

Also there are at least two breakout sessions that would be useful for anyone interested in learning more about NAP deployments. Both are on Friday May 15th:

WSV206 Windows Clients and Windows Server 2008 NAP: Why They Are Better Together

Presenter: Jay Ferron

Fri 5/15 | 9:00 AM-10:15 AM | Room 502A

WSV305 Deploying NAP: Best Practices and Lessons Learned

Presenters: Venkatesh Gopalakrishnan, Lambert Green

Fri 5/15 | 2:45 PM-4:00 PM | Room 403B

Hope to see you there,

The NAP Team

What other networking experts have written about NAP

MS NAP Team — Thu, 29 Jan 2009 00:10:00 GMT

Greg Lindsay, our NAP product documentation writer, and I are not the only ones writing about NAP. NAP is also being described by Thomas Shinder and Brien M. Posey. Check out the following content by these industry experts.

Thomas Shinder’s articles on deploying NAP IPsec

Part 1: http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part1.html

Part 2: http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part2.html

Part 3: http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part3.html

Part 4: http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part4.html

Thomas Shinder’s articles on deploying NAP DHCP

Part 1: http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part1.html

Part 2: http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part2.html

Part 3: http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part3.html

Part 4: http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part4.html

Brien M. Posey’s article series on NAP

Part 1: http://www.windowsnetworking.com/articles_tutorials/Network-Access-Protection-Revisited-Part1.html

Part 2: http://www.windowsnetworking.com/articles_tutorials/Network-Access-Protection-Revisited-Part2.html

Part 3: http://www.windowsnetworking.com/articles_tutorials/Network-Access-Protection-Revisited-Part3.html

Part 4: http://www.windowsnetworking.com/articles_tutorials/Network-Access-Protection-Revisited-Part4.html

Part 5: http://www.windowsnetworking.com/articles_tutorials/Network-Access-Protection-Revisited-Part5.html

Part 6: http://www.windowsnetworking.com/articles_tutorials/Network-Access-Protection-Revisited-Part6.html

Part 7: http://www.windowsnetworking.com/articles_tutorials/Network-Access-Protection-Revisited-Part7.html

Joe Davies
Senior Program Manager

HP ProCurve Open Network Ecosystem (ONE) launches with Microsoft as a key member

MS NAP Team — Tue, 27 Jan 2009 19:29:00 GMT

The Hewlett-Packard (HP) ProCurve Open Network Ecosystem (ONE) is a new partner alliance program for ProCurve, the networking division of HP. Microsoft is a key member in ProCurve ONE and an important element of the alliance is interoperability with NAP.

Here is a quote from the NAP team's very own General Manager, Tim Sinclair:

"HP ProCurve ONE will help customers resolve interoperability concerns by delivering an open standards-based solution that is effective and efficient. The combination of the HP ProCurve ONE initiative and Microsoft Network Access Protection (NAP) will provide customers with enhanced security and policy-based access that helps reduce downtime and boosts return on investment."

For more information, see the Newsfactor.com article at http://www.newsfactor.com/news/HP-Launches-ProCurve-Alliance/story.xhtml?story_id=1230040K3ZM9.

Forrester Wave diagram from Forrester report on the NAC marketplace published

MS NAP Team — Sat, 01 Nov 2008 01:44:00 GMT

Hey NAPolytes!

On September 23, I posted an entry on a new Forrester report on Network Access Control for the third quarter of 2008, which placed Microsoft’s NAP as the leader of the top four network access control (NAC) vendors. Click here for details.

The Forrester Wave diagram from the report showing the vendors in the NAC marketplace and their relative strengths in terms of their current offerings and strategy is now published on the NAP Overview page of the NAP product information site at http://www.microsoft.com/windowsserver2008/en/us/nap-product-home.aspx.

Check it out!

Joe Davies
Senior Program Manager

Standing room only for the NAP and Unified Secure Access presentation at McAfee’s Focus 08

MS NAP Team — Thu, 23 Oct 2008 19:14:00 GMT

On Tuesday, Dan Wolff, George Younan, and I delivered the “Microsoft and McAfee: Implementing Network Access Control in Microsoft Environments” breakout session at McAfee’s Focus 08 Security Conference. Dan Wolff is a Group Solution Marketing Manager and George Younan is a Senior Security Consultant with McAfee.

The room filled up quickly and even after bringing in more chairs, there were people standing at the back. I spent about 35 minutes presenting a technical overview of NAP and how McAfee’s Network Access Control 3.0 product fit into the NAP architecture. Dan finished the presentation with information about the joint solution using NAP with McAfee’s Unified Secure Access and George gave a great demo showing virtualized DHCP enforcement using the McAfee SHA and SHV.

All in all, a well–presented and received session and an indication of the rising interest in NAC solutions using third-party products for health assessment capabilities and NAP as the enforcement mechanism.

Thanks Dan and George for the assist!

Joe Davies
Program Manager

My review of Information Week’s “Rolling Review: Microsoft NAP”

MS NAP Team — Fri, 26 Sep 2008 21:56:00 GMT

Greetings, keepers of the NAP flame!

On August 2, Information Week published an article titled “Rolling Review: Microsoft NAP.” I would like to comment on it on behalf of the NAP product team and add technical clarity where I can.

1. Opening paragraph:

“it's to Microsoft (NSDQ: MSFT)'s credit that early on the company moved away from trying to develop a proprietary system. Instead, it built a framework; developed a set of APIs for third-party integration; and, most important, aligned itself with the most widely accepted standards body in the NAC space, the Trusted Computing Group.”

We heartily agree with this statement. We decided to create NAP as a platform in conjunction with industry standards, rather than provide a proprietary solution that attempts to address every kind of system health check and every kind of enforcement method.

2. 4^th paragraph

“the Cisco NAC agent provides the administrator with the ability to scan for specific registry keys or other system values, and make policy decisions based on those values. The NAP agent does not.”

The built-in Windows Security Health Agent (WSHA) does not provide these abilities. The NAP Agent service running on a NAP client can host multiple system health agents (SHAs) and third-party vendors can supply additional SHAs to extend the set of health checks. The more accurate statement for the last sentence in this quote is: “The NAP agent with the built-in WSHA does not.”

3. Explanation of DHCP enforcement

“Clients that fail a health check are provided with an IP address and subnet mask, but no default gateway. However, these clients are provided with host routes to remediation servers, where updates can be downloaded and installed automatically or manually.”

Clients that fail system health evaluation are allocated an IPv4 address with a subnet mask of 255.255.255.255, which means that they will not be able to reach other locations on their subnet.

Whether updates are downloaded and installed automatically or manually is a function of the SHAs and related system software that is running on the NAP client. With the correct logic within the SHA and access to remediation servers, SHAs can automatically install and configure components and updates.

4. Explanation of IPsec enforcement

“If a system that lacks a valid health certificate tries to connect to a network that requires one for access, the connection will be dropped.”

IPsec enforcement is combination of health certificates and IPsec policy that requires protected communication with health certificates for authentication. The enforcement is done end-to-end between two communicating nodes, rather than at a connection point to the network.

5. Explanation of VPN enforcement

“VPN enforcement is most easily achieved through the use of Microsoft's Routing and Remote Access server, but third-party VPNs can be made to work with NAP.”

The exact details and requirements for using a third-party VPN server or concentrator with NAP and the VPN enforcement method is something that I am investigating. I will publish the results in a future NAP blog post.

6. Explanation of 802.1X enforcement

“When a system attempts to log on, the NAP client packages its Statement of Health and logon credentials into an EAP authentication request.”

Actually, there are separate EAP authentication methods and message exchanges for authentication and the passing of system health information.

7. Factors for system health

“Out of the box, you can check for the status of Windows firewall and antivirus/anti-spyware software, as well as Windows Updates and the update policy.”

The built-in WSHA monitors the services and components of the Windows Security Center (WSC), which provides system health checks for the following:

· Whether a host-based firewall that is registered with the WSC is enabled. This includes the built-in Windows Firewall and third-party firewall products.

· Whether an antivirus application that is registered with WSC is enabled and up to date. This includes third-party antivirus products.

· Whether an antispyware application that is registered with WSC is enabled and up to date. This includes the built-in Windows Defender for Windows Vista and third-party antispyware products.

· Whether automatic updating is enabled.

· Whether security updates of a specified level have been installed, the time interval within which the client must check for new security updates, and the sources of the updates (Windows Update or Windows Server Update Services).

8. How strict your policies are

“Microsoft recommends a phased implementation where NAP is initially deployed in a reporting-only mode. Once you're comfortable that enforcing health standards won't grind business to a halt, you can move gradually to an auto-remediated enforcement policy.”

NAP can be used to determine the overall system health compliance of your network (reporting mode) and to enforce system health requirements by restricting the access of noncompliant computers (full enforcement mode). Depending on the needs of your organization, either of these modes are acceptable destinations for a NAP deployment. Additionally, autoremediation can be enabled for either deployment mode.

9. The “Two Microsoft NAP Deployment Scenarios” figure

Two points of technical clarification:

· For DHCP enforcement, the NAP client requests an IPv4 address, not access. Therefore, the labels on the arrows between the NAP client and the DHCP server should be “Address requested” and “Address granted.”

· The interaction between NPS and Active Directory for DHCP enforcement is only to verify security group membership. For 802.1X enforcement, NPS uses Active Directory to also validate the credentials of the 802.1X client.

10. “Out for a Spin” section

A. “That's because DHCP in Windows 2008 is NAP-aware and includes the additional user classes and scope options necessary to dynamically black-hole clients that fail health checks.”

I would replace the term “black hole” with “restrict the access of”. The term “black hole” in my mind implies no access, whereas typical NAP deployments contain remediation servers that noncompliant clients must access to correct their system health.

B. “Only Windows XP SP3 and Vista have built-in NAP clients”

Windows Server 2008 also has a built-in NAP client, although it does not include the WSHA.

C. “we had to configure a group policy to get clients to start up the service automatically and participate in DHCP enforcement.”

The location of the Group Policy setting to automatically start the NAP Agent service is Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent.

D. “To our surprise, these non-NAP-capable PCs were quarantined, as though they had failed a health check.”

This behavior is based on the default settings of the Define NAP Health Policy page of the Configure NAP wizard. To prevent non-NAP capable computers from having their access limited, select Allow full network access to NAP-ineligible client computers on the Define NAP Health Policy page.

11. Bottom line paragraph

A. “NAP is a great value for organizations that have yet to invest in NAC”

We agree! :> NAP deployments require NAP infrastructure servers that are running Windows Server 2008 and client computers running a version of Windows that includes a NAP client. For most organizations, this means upgrading your user computers to Windows Vista or Windows XP with Service Pack 3.

B. “Microsoft Network Access Protection is difficult to configure, even for simple enforcement methods.”

The areas of configuration for NAP consist of the following:

· NAP clients: Specific NAP enforcement clients must be enabled and, in the case of Windows XP with SP3, the NAP Agent service must be configured to start automatically. Both of these elements of configuration can be done with Group Policy or a script.

· NAP enforcement points: Depending on the NAP enforcement method, you must enable and configure NAP or restricted access functionality.

· NAP health policy servers: The set of policies for a given enforcement method can be automatically created with the Configure NAP wizard in the Network Policy Server snap-in.

Although we respectfully disagree with their blanket statement about NAP configuration, especially relative to other NAC solutions in the marketplace, we agree that there is room for improvement to investigate in future updates for NAP.

C. “We'd like to see a more intuitive auto-install process for an antivirus or anti-spyware client as part of the auto-remediation process”

As described previously, automatic installation of system health software is a function of the SHA, not the NAP platform. The WSHA does not perform this function, but third-party SHAs can.

Joe Davies
Senior Program Manager

Microsoft leads the pack in Forrester WAVE report on network access control technologies

MS NAP Team — Tue, 23 Sep 2008 18:11:00 GMT

Hey NAP fans!

The Network Access Protection (NAP) product team is proud to announce the publication of a new Forrester WAVE report on Network Access Control for the third quarter of 2008, which places Microsoft’s NAP as the leader of the top four network access control (NAC) vendors!

From the report’s abstract:

In Forrester's 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft's NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.

This is a wonderful confirmation from an industry expert that NAP is a great NAC solution for Windows-based networks. For some quotes from the report, click here.

Joe Davies
Senior Program Manager