May 14, 2009, 4:53 PM — Microsoft NAP is an effective network gatekeeper for Windows endpoints, but initial configuration is complex, policies are basic, and reporting is absent. NAP is best used as a core technology deployed in combination with others for a more complete, manageable, and scalable solution.
The universe of policy-based networking and systems management has evolved over the past few years, and the standards first created by the Trusted Computing Group, Cisco, and Microsoft have merged to create a generalized view of managing and enforcing policy. Although more capable and more polished solutions are available, Microsoft's Network Access Protection (NAP) will undoubtedly be the primary such technology in use in all-Windows environments, even with its limitations.
NAP comprises client and server subsystems with an enforcement architecture based on 802.1X, DHCP, or VPNs together with VLAN assignment within the network to isolate devices when appropriate. NAP services are provided in Windows Server 2008, with Windows Server 2008 R2 adding a few capabilities to the NAP support.
[ The Napera N24 network access control appliance brings NAP services to Windows and Mac endpoints -- sans Windows Server 2008 -- and it couldn't be easier to deploy. See the Test Center's review. ]
Client support is included in Windows Vista, Windows XP Service Pack 3 (SP3), and the Windows 7 Release Candidate. The client-side services gather the device's posture and report it to Windows Server 2008, which makes the enforcement and remediation decisions. The posture the NAP agent reports resembles what Windows Security Center displays: the status of automatic updating, anti-virus, the firewall, and other security components.
The NAP services then analyze the overall posture of each device, match that posture to the NAP policies in the Network Policy Server (NPS), and facilitate enforcement as outlined by those policies. NAP provides roughly the same access control services as third-party NAC solutions we've tested, but without many of the bells and whistles those solutions provide.
NAP in R2
Microsoft continues to develop new features for NAP and related security functions. A number of the improvements in Windows Server 2008 R2 make NAP deployment smoother: specifically the automated setup of the logging database, and multiple out-of-the-box configurations for the System Health Validator (SHV).
NAP requires the setup of multiple databases for administration and management of the overall system, one of which is the logging database. Prior to Windows Server 2008 R2, the logging database required extensive SQL-based configuration. This setup has been automated in R2, completely relieving the administrator of an onerous task.
Similarly, prior to R2, Windows Server 2008 provided only one SHV configuration, meaning that wholesale changes to the system health requirements had to be made universally. Now you can apply different policies based on a specific configuration of the SHV. For example, systems internal to your network may require that only the anti-virus component is current, while systems connected via VPN may require both anti-virus and antispyware be active.
In addition, when used with Windows 7, R2 provides a streamlined remote access facility, simplifying remote connectivity and securing Remote Workspace, Presentation Virtualization, and Remote Desktop Services Gateway sessions.
NAP in the lab
As in previous reviews (see "NAC smorgasbord: Four ways to police the network" and "Sophos NAC is a good start"), we examined NAP's ability to handle typical scenarios, including guest access, rogue devices, and non-Windows devices. We also examined the enforcement methods available natively with NAP. We installed Windows Server 2008 as the network core and configured both Windows Vista and Windows XP SP3 devices on the network. Our network also included a Mac OS X client and a printer, though NAP does nothing with non-Windows devices: it tests only the posture, or "health status," of Windows systems.
Configuring NAP was conceptually straightforward but operationally complex, requiring a long list of supporting services to be installed and configured. Even my simple deployment took several hours to configure, because of the prerequisites for 802.1X on Windows Server 2008: the RADIUS server, certificates, and the enforcement clients.
You use the Network Policy Server, a component of Windows Server 2008, to configure NAP policies. As with other NAC solutions, the policies use the client posture to determine the arguments for a policy decision. The policy then triggers enforcement in terms of network access granted. Enforcement of the client status is by 802.1X and VLAN assignment or by DHCP lease enforcement.
Policy configuration is simple due to its limited scope. For example, policies can only take into account device posture, without the per-port, time of day, and other fine-grained controls available in other systems. In short, NAP checks the status of anti-virus software, antispyware software, a firewall, and automatic updating.
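The policy flow described above (a client's health statement matched against an SHV configuration selected for its connection type, then mapped to an access decision) is small enough to model in code. The following is an added illustration written for this page, not Microsoft's code or NPS's actual rule syntax; the component labels, the "lan" and "vpn" connection types, and the VLAN numbers are assumptions, and the policies mirror the R2 example given earlier (LAN clients need only anti-virus, VPN clients need anti-virus and antispyware). It also shows two caveats a practitioner wants: a required component that is missing from the report is treated as failed (fail closed), and a client that sends no health statement at all, such as a Mac or a printer, is handled by an explicit administrator choice rather than falling through to full access.

```python
"""Toy model of NPS matching a NAP client's Statement of Health (SoH) against
per-connection System Health Validator (SHV) settings and mapping the result
to a network access decision. Added example; not Microsoft code. Component
names, connection types and VLAN numbers are assumptions for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Posture components Windows Security Center reports and the built-in SHV
# checks (the article lists these four; the labels are our own).
COMPONENTS = ("antivirus", "antispyware", "firewall", "auto_update")

# SoH as reported by the NAP agent: True = on and current, False = off or
# stale, key absent = not reported. None = no SoH at all (non-NAP-capable).
SoH = Optional[Dict[str, bool]]


@dataclass
class ShvConfig:
    """One SHV configuration: which components must be healthy."""
    name: str
    required: Tuple[str, ...]


@dataclass
class Decision:
    compliant: bool
    vlan: int
    failed: List[str] = field(default_factory=list)
    note: str = ""


# Assumed policies mirroring the R2 example in the text.
SHV_BY_CONNECTION: Dict[str, ShvConfig] = {
    "lan": ShvConfig("LAN posture", ("antivirus",)),
    "vpn": ShvConfig("VPN posture", ("antivirus", "antispyware")),
}

FULL_ACCESS_VLAN = 10       # assumed production VLAN
REMEDIATION_VLAN = 99       # assumed restricted VLAN (remediation servers only)
NON_NAP_CAPABLE_VLAN = 99   # admin choice: fail closed for clients with no agent


def evaluate(soh: SoH, connection: str) -> Decision:
    """Match one client's SoH against the SHV config for its connection type."""
    if connection not in SHV_BY_CONNECTION:
        raise ValueError(f"no SHV configuration for connection type {connection!r}")
    cfg = SHV_BY_CONNECTION[connection]

    if soh is None:
        # No health statement: NAP cannot test posture, so the outcome is
        # whatever the administrator configured for non-NAP-capable clients.
        return Decision(False, NON_NAP_CAPABLE_VLAN,
                        note="non-NAP-capable client; SHV not evaluated")

    unknown = sorted(set(soh) - set(COMPONENTS))
    if unknown:
        raise ValueError(f"SoH reports unknown components: {unknown}")

    # Fail closed: a required component reported unhealthy OR not reported
    # at all counts as a failure.
    failed = [c for c in cfg.required if soh.get(c) is not True]
    if failed:
        return Decision(False, REMEDIATION_VLAN, failed,
                        note=f"{cfg.name}: noncompliant, remediate {failed}")
    return Decision(True, FULL_ACCESS_VLAN, note=f"{cfg.name}: compliant")


if __name__ == "__main__":
    # Constructed sample clients.
    laptop = {"antivirus": True, "antispyware": False,
              "firewall": True, "auto_update": True}
    for conn in ("lan", "vpn"):
        print(conn, evaluate(laptop, conn))
    print("printer", evaluate(None, "lan"))
```

The same laptop is compliant on the LAN policy but is sent to the remediation VLAN over VPN because antispyware is off, which is exactly the per-connection distinction that the single pre-R2 SHV configuration could not express.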
[ Microsoft NAP can be integrated with Cisco NAC or other NAC products to form a more complete solution. See "When NAC meets NAP." ]
Although the NAP platform is the same for both Windows XP and Windows Vista, Vista offers a few additional capabilities. Vista provides an administration console for local and Group Policy configuration, and the Windows Security Health Agent (the built-in "client" piece of NAP) takes advantage of Windows Defender support in the Security Center. Plus, the underlying enforcement technologies include some advanced features, such as authenticated IP for IPsec and single-sign-on support for 802.1X.
Secure or obscure
Client devices are assigned to a VLAN based on their posture, so they may, for instance, be restricted to accessing remediation servers, the Internet, or other limited resources until they are corrected. VLAN assignment is a more secure approach than DHCP leases, but it requires the complexity of an 802.1X implementation, which is often onerous to roll out across an entire organization.
DHCP enforcement is a mixed bag. Because it uses IP address assignment to move devices around the network, the restriction rides on the lease itself: well-behaved devices will comply with your plan, and rogues will simply configure a static IP address, never ask for a lease, and so never receive the restriction. Many are likely to be tempted by the relative simplicity of DHCP-based enforcement, especially for smaller deployments, but it is simply the latest version of "security by obscurity," and therefore no security at all.
Given the sophistication and depth of knowledge exhibited by the malevolent organizations responsible for most malware being developed and deployed today, it should be no surprise that they are able to set their own IP addresses in order to avoid the IP-assignment enforcement mechanism (used not only by NAP, but also by other network access control solutions). True enforcement must leverage the network infrastructure, and therefore requires 802.1X for organizations using NAP. To add insult to injury, 802.1X has proven challenging to define and deploy, even with the aid of excellent companion software such as Cloudpath Networks' XpressConnect and Great Bay Software's Beacon (see "Accelerate your 802.1X rollout").
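If you do settle for DHCP enforcement, the compensating check is to find the hosts it never touched: anything alive on the segment that holds no DHCP lease configured its own address and was never subject to a posture-based lease. The script below is an added example written for this page, not code from the article, from Microsoft, or from any NAC vendor. It parses the Windows `arp -a` output format and diffs the learned entries against a lease table; the ARP text, the lease table (using colon-separated MACs to show normalization), and the allowlist of known static infrastructure are all constructed sample data, and how you obtain the lease table from your DHCP server is left to you.

```python
"""Find hosts that sidestep DHCP-based NAP enforcement with a static address.
Any host learned in the ARP cache that holds no DHCP lease never received a
posture-based lease. Added example, not code from the article or Microsoft;
the ARP output, lease table and allowlist below are constructed sample data."""

import re
from typing import Dict, Iterable, List, Tuple

# Constructed `arp -a` output in Windows format.
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-01     dynamic
  192.168.1.21          00-aa-bb-cc-dd-02     dynamic
  192.168.1.77          00-de-ad-be-ef-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed lease table (IP -> MAC) as exported from the DHCP server.
LEASES = {
    "192.168.1.20": "00:AA:BB:CC:DD:01",
    "192.168.1.21": "00:AA:BB:CC:DD:55",   # lease holder differs from ARP
}

# Constructed allowlist: infrastructure that is legitimately static.
KNOWN_STATIC = {"192.168.1.1"}  # default gateway

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"              # IPv4 address
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+"  # MAC, '-' or ':' separated
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Lowercase, dash-separated form so ARP and lease tables compare equal."""
    return mac.lower().replace(":", "-")


def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) for dynamic entries only. Static entries in Windows
    ARP output are broadcast, multicast and pinned addresses, not hosts
    learned from the wire."""
    hosts = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            hosts.append((m.group(1), normalize_mac(m.group(2))))
    return hosts


def audit(arp_text: str, leases: Dict[str, str],
          known_static: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Classify every learned host: leased, lease_mac_mismatch, known_static,
    or unleased (a static address that DHCP enforcement never constrained)."""
    known = set(known_static)
    lease_macs = {ip: normalize_mac(mac) for ip, mac in leases.items()}
    verdicts: Dict[str, Tuple[str, str]] = {}
    for ip, mac in parse_arp(arp_text):
        if ip in known:
            verdict = "known_static"
        elif ip not in lease_macs:
            verdict = "unleased"            # never asked DHCP: bypassed enforcement
        elif lease_macs[ip] != mac:
            verdict = "lease_mac_mismatch"  # leased address in use by another NIC
        else:
            verdict = "leased"
        verdicts[ip] = (mac, verdict)
    return verdicts


def findings() -> Dict[str, Tuple[str, str]]:
    return audit(ARP_OUTPUT, LEASES, KNOWN_STATIC)


if __name__ == "__main__":
    for ip, (mac, verdict) in sorted(findings().items()):
        if verdict != "leased":
            print(f"{ip:<16} {mac}  {verdict}")
```

Run it from a host on the segment you are auditing, after sweeping the subnet (a ping sweep or nmap scan) so the ARP cache is populated; an ARP cache only lists hosts that have recently exchanged traffic with the collector. A "lease_mac_mismatch" deserves a look as well: it means the address of a leased client is in use by a different interface, which is how a rogue borrows a compliant client's address.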
The NAP gap
Microsoft NAP is likely to be an integral part of your policy-based network, whether or not you deploy a pure NAP solution. Although the software is included with Windows Server 2008, Windows Vista, Windows 7, and Windows XP SP3, the costs of an implementation also include the deployment of 802.1X and VLAN assignment -- or an understanding and acceptance of the limitations of DHCP enforcement.
As is often the case, NAP misses one of the keys to creating a manageable environment: it offers logging rather than full-fledged reporting on the state of the environment. Although the information is available, it is difficult to extract and to see anomalies as they occur.
If you are managing a 100 percent Windows environment, NAP could provide the core of your policy-based administration. In the more likely event that you're managing a heterogeneous environment with BlackBerrys, Macs, iPhones, printers, and other devices, NAP will more probably serve as an integral part of a more complete solution, because you will need both additional features and much more robust reporting.
Microsoft Network Access Protection
Pros Built into Windows client and server. Easy policy configuration. Choice between secure (802.1X) and easy (DHCP) enforcement mechanisms. Excellent support for remote users.
Cons Initial configuration is complex and time consuming. Supports Windows clients only. No on-demand agent to control guest access. Lacks granularity in policy configuration and enforcement. Logging instead of reporting capabilities.
Cost Microsoft Network Access Protection is included as part of Windows Server 2008, Windows XP Service Pack 3, Windows Vista, and Windows 7.
Platforms NAP services support health checks of Windows XP, Windows Vista, and Windows 7 clients.