Microsoft NAP: NAC for the rest of us?

NAP is a good foundation for policy-based network access control, but lacks granular controls and easy management

Page 3 of 4

You use the Network Policy Server, a component of Windows Server 2008, to configure NAP policies. As with other NAC solutions, the policies take the client's posture (its reported health state) as the input to a policy decision, and that decision triggers enforcement in the form of the network access granted. The client's status is enforced either by 802.1X with VLAN assignment or by DHCP lease enforcement.

Policy configuration is simple because its scope is limited. For example, policies can take into account only device posture, without the per-port, time-of-day, and other fine-grained controls available in other systems. In short, NAP checks the status of anti-virus software, anti-spyware software, a firewall, and automatic updating.

[ Microsoft NAP can be integrated with Cisco NAC or other NAC products to form a more complete solution. See "When NAC meets NAP." ]

Although the NAP platform is the same for both Windows XP and Windows Vista, Vista offers a few additional capabilities. Vista provides an administration console for local and Group Policy configuration, and the Windows System Health Agent (the built-in "client" piece of NAP) takes advantage of Windows Defender support in the Security Center. Plus, the underlying enforcement technologies include some advanced features, such as authenticated IP for IPSec and single-sign-on support for 802.1X.

Secure or obscure
Client devices are assigned to a VLAN based on their posture, so they may, for instance, be restricted to accessing remediation servers, the Internet, or other limited resources until they are corrected. VLAN assignment is a more secure approach than DHCP leases, but requires the complexity of an 802.1X implementation, which is often onerous for an entire organization.

DHCP enforcement is a mixed bag. By using IP address assignment to move devices around a network, you can expect well-behaved devices to be compliant with your plan -- and rogues to find ways to apply static IP addressing to get around it. Many are likely to be tempted by the relative simplicity of DHCP-based enforcement, especially for smaller deployments, but it is simply the latest version of "security by obscurity," and therefore no security at all.
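To make the posture-to-enforcement chain and the DHCP weakness concrete, here is an added Python model (not Microsoft's code or anything from the article). It evaluates the four health checks NAP looks at, shapes the restricted lease that NAP DHCP enforcement hands out to a non-compliant host (a 255.255.255.255 mask, no default gateway, and host routes only to remediation servers), and then runs the check an administrator would want afterwards: which hosts seen on the network hold no lease at all, i.e. the static-IP case that DHCP enforcement cannot touch. The server addresses, lease table and observed hosts are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample values: remediation servers and the production gateway.
REMEDIATION_SERVERS = ["10.0.9.10", "10.0.9.11"]
PRODUCTION_GATEWAY = "10.0.1.1"
HEALTH_CHECKS = ("antivirus", "antispyware", "firewall", "auto_update")


@dataclass(frozen=True)
class Posture:
    """The client's statement of health, reduced to the four NAP checks."""
    antivirus: bool
    antispyware: bool
    firewall: bool
    auto_update: bool


def evaluate(p: Posture) -> list[str]:
    """Health policy: return the failed checks; an empty list is compliant."""
    return [c for c in HEALTH_CHECKS if not getattr(p, c)]


def dhcp_lease(p: Posture, addr: str) -> dict:
    """Shape the lease NPS instructs the DHCP server to issue.

    A non-compliant host gets a /32 mask with no default gateway and host
    routes only to the remediation servers, so it can reach nothing else.
    A compliant host gets a normal lease on the production subnet.
    """
    if evaluate(p):
        return {"address": addr, "mask": "255.255.255.255",
                "gateway": None, "routes": list(REMEDIATION_SERVERS)}
    return {"address": addr, "mask": "255.255.255.0",
            "gateway": PRODUCTION_GATEWAY, "routes": []}


def unleased_hosts(observed: set[str], leases: dict[str, dict]) -> set[str]:
    """Hosts seen on the wire (e.g. from switch ARP/MAC tables) that hold no
    DHCP lease. These are exactly the static-IP hosts DHCP enforcement never
    restricted, and the list an admin should review or block at the switch."""
    leased = {lease["address"] for lease in leases.values()}
    return {ip for ip in observed if ip not in leased}


if __name__ == "__main__":
    leases = {  # keyed by client MAC; constructed sample data
        "aa:bb:cc:00:00:01": dhcp_lease(Posture(True, False, True, True), "10.0.1.50"),
        "aa:bb:cc:00:00:02": dhcp_lease(Posture(True, True, True, True), "10.0.1.51"),
    }
    print(unleased_hosts({"10.0.1.50", "10.0.1.51", "10.0.1.200"}, leases))
```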
