InfoWorld Home / Security Central / Test Center / Microsoft NAP: NAC for the rest of us?
May 14, 2009

Microsoft NAP: NAC for the rest of us?

NAP is a good foundation for policy-based network access control, but lacks granular controls and easy management

By InfoWorld staff, Stephen Hultquist | InfoWorld
| Print | 4 comments|
134 Recommendations
Bottom Line
Microsoft NAP is an effective network gatekeeper for Windows endpoints, but initial configuration is complex, policies are basic, and reporting is absent. NAP is best used as a core technology deployed in combination with others for a more complete, manageable, and scalable solution.

The universe of policy-based networking and systems management has evolved over the past few years, and the standards first created by the Trusted Computing Group, Cisco, and Microsoft have merged to create a generalized view of managing and enforcing policy. Although more capable and more polished solutions are available, Microsoft's Network Access Protection (NAP) will undoubtedly be the primary such technology in use in all-Windows environments, even with its limitations.

NAP comprises client and server subsystems with an enforcement architecture based on 802.1X, DHCP, or VPNs together with VLAN assignment within the network to isolate devices when appropriate. NAP services are provided in Windows Server 2008, with Windows Server 2008 R2 adding a few capabilities to the NAP support.

[ The Napera N24 network access control appliance brings NAP services to Windows and Mac endpoints -- sans Windows Server 2008 -- and it couldn't be easier to deploy. See the Test Center's review. ]

Client support is included in Windows Vista, Windows XP Service Pack 3 (SP3), and the Windows 7 Release Candidate. These client services provide posture gathering and reporting to Windows Server 2008 for enforcement and remediation decisions. The NAP components include the posture of the device in a way similar to Windows Security Center, with system update, anti-virus, firewall, and other security status reported back.

The NAP services then analyze the overall posture of each device, match that posture to the NAP policies in the Network Policy Server (NPS), and facilitate enforcement as outlined by those policies. NAP provides roughly the same access control services as third-party NAC solutions we've tested, but without many of the bells and whistles those solutions provide.

NAP in R2
Microsoft continues to develop new features for NAP and related security functions. A number of the improvements in Windows Server 2008 R2 make NAP deployment smoother: specifically the automated setup of the logging database, and multiple out-of-the-box configurations for the System Health Validator (SHV).

Test Center Scorecard
 
 20%20%20%15%15%10% 
Microsoft Network Access Protection768568
6.7
Fair

Close

On Twitter now

Network access control

Powered by Twitter
Refresh results
Related Content...

White Paper

D2D Virtual Tape Library Replication Primer

This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.

Download now »

White Paper

An Alternative to Virtualization for Datacenter Cost Savings

Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.

Download now »

White Paper

Why Your Firewall, VPN, and IEEE 802.11i Aren't Enough to Protect Your Network

The emergence of WLANs has created a new breed of security threats to enterprise networks.

Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation

Download now »

White Paper

Bringing the Edge to the Data Center

Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.

Download now »
3 of 4 comments
Sign In or Register to comment
cmaurand 14-May-09 9:53am
1 reply
So not worth the effore, when most of this work can be done by a decent network admin at the switch. Its just another gimmick that will rob systems of performance.
Stephen Hultquist 14-May-09 5:43pm
Thank you for your comment, cmaurand! I see your points, but I wouldn't go that far. Checking the posture of a device at the switch isn't actually possible. You need to have an agent (or a scan) on the device itself, then check the results of that against a policy, then decide what to do. At the basic level, NAP does this. However, there aren't many knobs to turn or visibility into what's happening without some third-party add-ins. Compare this to the review of the Napera N-24 and hopefully some of that will come clear.
cmaurand 15-May-09 7:44am
1 reply
Yes, but Cisco IOS has policy routing built into its VLAN code. It even has policy routing built into its IP code. I'm just not sure that NAP is worth the trouble, especially when the end user running Vista or XP can even understand it, much less configure it on a single machine. I'm not sure what one gains from it, either. Its just another nice to have and I can't uninstall it. Linux also has policy routing (iproute2) and its configurable and I don't have to have it on the machine if I don't need it. Worse, in a Windows Service Pack, it gets installed without my knowledge.
View ALL Comments

Sign up to receive InfoWorld Resource Alerts

Subscribe to the Security Central Newsletter

Stay informed of the latest security threats and fixes.

White paper

Log Management: How to Develop the Right Strategy for Business and Compliance

This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.

Download now! »

White paper

The Essential Series: Security Information Management

Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.

Download now! »

White paper

Aberdeen: Choosing and Consuming Managed Security Services

Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.

Download now! »
©1994-2009 Infoworld, Inc.