"Don't put that in your mouth! You don't know where it's been!" You can't always prevent a child from trying to eat a piece of candy that has fallen on the floor. But you can reach out and grab the candy before it goes into the child's mouth. And despite your best intentions, children will sometimes manage to swallow something unsavory and end up sick, so you have to put them to bed and give them medicine until they're well. Like kids who are innocently oblivious to the dangers of unclean food, computer users attach their laptops and mobile devices to your network after taking them from the office and working with them on unsecured networks. It's enough to make you want to yell: "Don't let that on my network! I don't know where it's been!"
That unappetizing analogy came to me during a recent briefing on Microsoft's Network Access Protection (NAP) technology, which is part of Windows Server 2008 (formerly code-named Longhorn) and Windows Vista. If you have policies about what requirements make a machine safe to access your network, NAP gives you a way to enforce those policies and remediate non-compliant machines so that they can come back onto the network once they meet your policy requirements again. If a machine doesn't have the correct level of security patch or the latest antivirus definitions or doesn't meet your other policy requirements, NAP catches the machine before it accesses network assets and keeps the machine isolated until the problem has been fixed.
Early NAP Adopters
Microsoft's Mike Schutz told me that early adopters are already using NAP in
industries such as education, financial services, and professional services.
In education, for example, Mike said, "especially with lots of students coming
back on campuses with their laptops, administrators want to be able to set policies
so that these laptops come back on the network and don't infect it. One of our
early beta customers is Louisiana State University—LSU—which has
already deployed NAP across part of the campus and is currently enforcing NAP
using DHCP. Even internally at Microsoft we have over 75,000 clients that are
enforced using NAP at the Redmond campus and parts of Latin America and parts
of EMEA \[Europe, the Middle East, and Africa\], all centrally managed in Redmond."
NAP and Interoperability
Education environments make perfect sense as early adopters of NAP, and Microsoft's
recent announcements about NAP interoperability also seem relevant for universities,
which tend to have a lot of non-Windows systems. And Microsoft's NAP solution
is not the only player on this field. Microsoft's Henry Sanders (a Microsoft
Distinguished Engineer and the general manager of the Core Networking and Collaboration
group in Windows Networking), explained, "\[T\]here are three primary NAC architectures:
Microsoft's NAP, the Trusted Computing Group's Trusted Network Connect (TNC),
and Cisco's Network Admission Control, or C-NAC. In September, Microsoft announced
an interoperability agreement with Cisco's NAC solution. At the \[recent\] Interop
trade show, Microsoft announced that NAP would now be interoperable with the
Trusted Computing Group's TNC. The TNC agreement makes NAP's Statement of Health
(SoH) protocol, included in Windows Vista, the standard client-server communication
protocol within TNC. We are very excited because, with this announcement, Microsoft's
NAP is now interoperable with the two other primary NAC architecture solutions,
TNC and Cisco's NAC."
Sanders continued, "\[O\]rganizations can now standardize on the (SoH) client protocol, regardless of their NAC infrastructure. The SoH client is available in Windows Vista, will be available in the next service pack of Windows XP, and through NAP partners for non-Microsoft operating systems. One of our NAP partners, Avenda Systems, is releasing a NAP client for the Linux operating system. The broad level of interoperability removes a major adoption barrier by providing investment protection, because organizations can deploy NAP into their existing infrastructure without having to rip and replace their existing investments."
Security: People and Machines
To keep your network secure, you need to know not only who is accessing
your resources but also the health of their machines. NAP is designed to keep
your network safe no matter where your users have taken their devices, but you
need to do your part by devising the appropriate policy requirements that determine
what NAP is looking for. As Mike put it, you have to know "what healthy means
to you. That changes for each organization, so you have to define a security
policy. That's not a statement about technology; it's people and processes.
Then, you think about how to enforce that policy, and that's where NAP comes
in."