Given the sophistication and depth of knowledge exhibited by the malevolent organizations responsible for most malware being developed and deployed today, it should be no surprise that they are able to manipulate IP addresses in order to avoid the IP-assignment enforcement mechanism (used not only by NAP, but also by other network access control solutions). True enforcement must leverage the network infrastructure, and therefore requires 802.1X for organizations using NAP. To add injury to insult, 802.1X has proven challenging to define and deploy, even with the aid of excellent companion software such as Cloudpath Networks' XpressConnect and Great Bay Software's Beacon (see "Accelerate your 802.1X rollout").
The NAP gap
Microsoft NAP is likely to be an integral part of your policy-based network, whether or not you deploy a pure NAP solution. Although the software is included with Windows Server 2008, Windows Vista, Windows 7, and Windows XP SP3, the costs of an implementation also include the deployment of 802.1X and VLAN assignment -- or an understanding and acceptance of the limitations of DHCP enforcement.
As is often the case, NAP misses one of the keys to creating a manageable environment: it relies on logging instead of full-fledged reporting to provide information about the environment. Although the information is available, it is difficult to extract, and it is difficult to see anomalies as they occur.
If you are managing a 100 percent Windows environment, NAP could possibly provide the core of your policy-based administration. In the more likely event that you're managing a heterogeneous environment with BlackBerrys, Macs, iPhones, printers, and other devices, there's a much higher probability -- due to the need for both additional features and much more robust reporting -- that NAP will serve as an integral part of a more complete solution.
Microsoft Network Access Protection
| Pros | Built into Windows client and server. Easy policy configuration. Choice between secure (802.1X) and easy (DHCP) enforcement mechanisms. Excellent support for remote users. |
| Cons | Initial configuration is complex and time-consuming. Supports Windows clients only. No on-demand agent to control guest access. Lacks granularity in policy configuration and enforcement. Logging instead of reporting capabilities. |
| Cost | Microsoft Network Access Protection is included as part of Windows Server 2008, Windows XP Service Pack 3, Windows Vista, and Windows 7. |
| Platforms | NAP services support health checks of Windows XP, Windows Vista, and Windows 7 clients. |