NAP is a good foundation for policy-based network access control, but lacks granular controls and easy management
Given the sophistication and depth of knowledge exhibited by the malevolent organizations responsible for most malware being developed and deployed today, it should be no surprise that they are able to manipulate IP addresses in order to avoid the IP-assignment enforcement mechanism (not only used by NAP, but also other network access control solutions). True enforcement must leverage the network infrastructure, and therefore requires 802.1X for organizations using NAP. To add injury to insult, 802.1X has proven challenging to define and deploy, even with the aid of excellent companion software such as Cloudpath Networks' XpressConnect and Great Bay Software's Beacon (see "Accelerate your 802.1X rollout").
The NAP gap
Microsoft NAP is likely to be an integral part of your policy-based network, whether or not you deploy a pure NAP solution. Although the software is included with Windows Server 2008, Windows Vista, Windows 7, and Windows XP SP3, the costs of an implementation also include the deployment of 802.1X and VLAN assignment -- or an understanding and acceptance of the limitations of DHCP enforcement.
As is often the case, NAP misses one of the keys to creating a manageable environment, using logging instead of full-fledged reporting to provide information about the environment. Although the information is available, it is difficult to extract and to see anomalies as they occur.
If you are managing a 100 percent Windows environment, NAP could possibly provide the core of your policy-based administration. In the more likely event you're managing a heterogeneous environment with BlackBerrys, Macs, iPhones, printers, and other devices, there's a much higher probability -- due to the need of both additional features and much more robust reporting -- NAP will serve as an integral part of a more complete solution.
Microsoft Network Access Protection
|Pros||Built into Windows client and server. Easy policy configuration. Choice between secure (802.1x) and easy (DHCP) enforcement mechanisms. Excellent support for remote users.|
|Cons||Initial configuration is complex and time consuming. Supports Windows clients only. No on-demand agent to control guest access. Lacks granularity in policy configuration and enforcement. Logging instead of reporting capabilities.|
|Cost||Microsoft Network Access Protection is included as part of Windows Server 2008, Windows XP Service Pack 3, Windows Vista, and Windows 7.|
|Platforms||NAP services support health checks of Windows XP, Windows Vista, and Windows 7 clients.|
You may still be better off sticking with Win7 or Win8.1, given the wide range of ongoing Win10...
Microsoft buried a Get Windows 10 ad generator inside this month's Internet Explorer security patch for...
Here’s the best of the best for Windows 10. Sometimes good things come in free packages
The creator of Linux talks in depth about the kernel, community, and how computing will change in the...
The latest additions to Google's mobile OS should give you plenty to chew on
The open source operating system celebrates its 25th anniversary this month
Google's gRPC aims to oust JSON for exchanging data between HTTP-connected services