NAP is a good foundation for policy-based network access control, but lacks granular controls and easy management
Given the sophistication and depth of knowledge exhibited by the malevolent organizations responsible for most malware being developed and deployed today, it should be no surprise that they are able to manipulate IP addresses in order to avoid the IP-assignment enforcement mechanism (not only used by NAP, but also other network access control solutions). True enforcement must leverage the network infrastructure, and therefore requires 802.1X for organizations using NAP. To add injury to insult, 802.1X has proven challenging to define and deploy, even with the aid of excellent companion software such as Cloudpath Networks' XpressConnect and Great Bay Software's Beacon (see "Accelerate your 802.1X rollout").
The NAP gap
Microsoft NAP is likely to be an integral part of your policy-based network, whether or not you deploy a pure NAP solution. Although the software is included with Windows Server 2008, Windows Vista, Windows 7, and Windows XP SP3, the costs of an implementation also include the deployment of 802.1X and VLAN assignment -- or an understanding and acceptance of the limitations of DHCP enforcement.
As is often the case, NAP misses one of the keys to creating a manageable environment, using logging instead of full-fledged reporting to provide information about the environment. Although the information is available, it is difficult to extract and to see anomalies as they occur.
If you are managing a 100 percent Windows environment, NAP could possibly provide the core of your policy-based administration. In the more likely event you're managing a heterogeneous environment with BlackBerrys, Macs, iPhones, printers, and other devices, there's a much higher probability -- due to the need of both additional features and much more robust reporting -- NAP will serve as an integral part of a more complete solution.
Microsoft Network Access Protection
|Pros||Built into Windows client and server. Easy policy configuration. Choice between secure (802.1x) and easy (DHCP) enforcement mechanisms. Excellent support for remote users.|
|Cons||Initial configuration is complex and time consuming. Supports Windows clients only. No on-demand agent to control guest access. Lacks granularity in policy configuration and enforcement. Logging instead of reporting capabilities.|
|Cost||Microsoft Network Access Protection is included as part of Windows Server 2008, Windows XP Service Pack 3, Windows Vista, and Windows 7.|
|Platforms||NAP services support health checks of Windows XP, Windows Vista, and Windows 7 clients.|
You may still be better off sticking with Win7 or Win8.1, given the wide range of ongoing Win10...
With myriad problems now evident, it may be best to skip the Anniversary Update for now
An unlikely combination of two Windows updates can reduce scan times from hours to minutes
These 13 tools and techniques prove that, when it comes to coding, laziness is a virtue
GitLab and Atlassian have GitHub in the cross-hairs among organizations seeking enterprise-grade...
Concurrency and runtime improvements make the JVM language attractive for IoT development
When a core team member bows out, a crucial process hits an insurmountable obstacle -- until IT figures...