NAP is a good foundation for policy-based network access control, but lacks granular controls and easy management
Given the sophistication and depth of knowledge exhibited by the malevolent organizations responsible for most malware being developed and deployed today, it should be no surprise that they are able to manipulate IP addresses in order to avoid the IP-assignment enforcement mechanism (used not only by NAP, but also by other network access control solutions). True enforcement must leverage the network infrastructure, and therefore requires 802.1X for organizations using NAP. To add injury to insult, 802.1X has proven challenging to define and deploy, even with the aid of excellent companion software such as Cloudpath Networks' XpressConnect and Great Bay Software's Beacon (see "Accelerate your 802.1X rollout").
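Where DHCP enforcement stays in place, one compensating check is to compare the DHCP lease table against the IP/MAC pairs actually seen on the network. The sketch below is an added example, not part of the original review or of NAP itself; the scope, lease records, `nap` field, and allowlist are constructed assumptions standing in for a real lease export and ARP table.

```python
import ipaddress

# Constructed sample data (not from the article): a DHCP lease export and
# IP/MAC pairs observed on the wire (e.g. from a switch or router ARP table).
SCOPE = ipaddress.ip_network("10.20.0.0/24")
LEASES = [
    {"ip": "10.20.0.10", "mac": "00:11:22:33:44:01", "nap": "full"},
    {"ip": "10.20.0.11", "mac": "00:11:22:33:44:02", "nap": "restricted"},
    {"ip": "10.20.0.12", "mac": "00:11:22:33:44:03", "nap": "full"},
]
OBSERVED = [
    ("10.20.0.10", "00:11:22:33:44:01"),   # matches its lease
    ("10.20.0.50", "00:11:22:33:44:02"),   # restricted client on another IP
    ("10.20.0.12", "00:11:22:33:44:99"),   # leased IP, different MAC
    ("10.20.0.77", "00:11:22:33:44:05"),   # in scope, never leased
    ("10.20.0.2", "00:11:22:33:44:aa"),    # allowlisted static printer
    ("192.168.5.9", "00:11:22:33:44:bb"),  # outside the scope, ignored
]
STATIC_ALLOWLIST = {"10.20.0.2"}  # hypothetical list of approved static hosts


def find_enforcement_bypass(scope, leases, observed, allowlist=frozenset()):
    """Return (ip, mac, reason) for hosts whose address did not come from DHCP."""
    by_ip = {l["ip"]: l for l in leases}
    by_mac = {l["mac"].lower(): l for l in leases}
    findings = []
    for ip, mac in observed:
        mac = mac.lower()
        if ipaddress.ip_address(ip) not in scope or ip in allowlist:
            continue
        lease = by_ip.get(ip)
        if lease and lease["mac"].lower() == mac:
            continue  # address was handed out by DHCP to this adapter
        held = by_mac.get(mac)
        if held and held["nap"] == "restricted":
            reason = "restricted-lease client using a different address"
        elif lease:
            reason = "address leased to a different MAC"
        else:
            reason = "in-scope address with no lease"
        findings.append((ip, mac, reason))
    return findings


if __name__ == "__main__":
    for finding in find_enforcement_bypass(SCOPE, LEASES, OBSERVED, STATIC_ALLOWLIST):
        print(*finding, sep="  ")
```

A check like this only reports the mismatch after the fact; blocking the host still requires enforcement in the network infrastructure, which is the article's argument for 802.1X.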
The NAP gap
Microsoft NAP is likely to be an integral part of your policy-based network, whether or not you deploy a pure NAP solution. Although the software is included with Windows Server 2008, Windows Vista, Windows 7, and Windows XP SP3, the costs of an implementation also include the deployment of 802.1X and VLAN assignment -- or an understanding and acceptance of the limitations of DHCP enforcement.
As is often the case, NAP misses one of the keys to creating a manageable environment, using logging instead of full-fledged reporting to provide information about the environment. Although the information is available, it is difficult to extract, and anomalies are hard to see as they occur.
If you are managing a 100 percent Windows environment, NAP could possibly provide the core of your policy-based administration. In the more likely event you're managing a heterogeneous environment with BlackBerrys, Macs, iPhones, printers, and other devices, there's a much higher probability -- due to the need for both additional features and much more robust reporting -- that NAP will serve as an integral part of a more complete solution.
| | Microsoft Network Access Protection |
|---|---|
| Pros | Built into Windows client and server. Easy policy configuration. Choice between secure (802.1X) and easy (DHCP) enforcement mechanisms. Excellent support for remote users. |
| Cons | Initial configuration is complex and time consuming. Supports Windows clients only. No on-demand agent to control guest access. Lacks granularity in policy configuration and enforcement. Logging instead of reporting capabilities. |
| Cost | Microsoft Network Access Protection is included as part of Windows Server 2008, Windows XP Service Pack 3, Windows Vista, and Windows 7. |
| Platforms | NAP services support health checks of Windows XP, Windows Vista, and Windows 7 clients. |