Tuesday, 4 March 2008
Why Network Access Protection is important to an SME
Network Access Protection (NAP) is a new feature in Windows Server 2008 (and possibly Windows Server 2003 with an update which is still in testing) for checking that devices pass a number of tests before being allowed onto a network. This is known as Health State Validation (HSV) and is similar to being stopped at a checkpoint by security guards when you try to enter a secured facility. NAP is a mechanism whereby, on attempting to log onto a network, a check is made on the client (called a Challenge) to ensure that certain security requirements are met. These compliance checks can include ensuring that the latest anti-virus, anti-spyware or Windows patches are installed. If the requirements are not met then a number of options are available, including offering restricted access, redirecting to a remediation area or disallowing logon. The purpose of this is to prevent “unhealthy” devices accessing the network and placing others at risk.
Many network protection tools work at the edge, checking traffic as it either comes into or goes out of the network at the border. The problems start when unmanaged computers are used internally on the network – for example when visitors to a company bring their own device or employees bring uncontrolled devices (remote VPN users may also pose a risk if they are using their own computer). It may be necessary to use these devices, but without knowing whether their software and security measures are present and up to date it is possible they pose a security risk. It’s a bit like having a large secure building that is alarmed and has locks at all the exits – if someone is allowed into the building without any additional security checks then those locks and alarms may be compromised.
So how does it work? Here is the technical stuff – an SHA (Security Health Agent) runs on the client computer which produces a SoH (Statement of Health) which is then checked against the SHV (Security Health Validator) on the Health Policy Server. The Health Policy has a number of different scenarios (enforcement technologies) that can be configured:
· IPSec – Internet Protocol Security
· 802.1X – Wireless network connections
· VPN – Virtual Private Networks
· DHCP – Most typical for onsite computers
· RADIUS – Typically dial-in users
The NAP system requires a component on a server and a supported client operating system, which is currently Windows Vista and soon to be Windows XP with Service Pack 3 installed. Security checks can be made for Firewall, Anti-Virus, Anti-Spyware and Automatic Updates, and an included API allows software developers to add compliance checks for their own software, widening the scope of the safety checks that can be made.
An important point made in the Introduction to Network Access Protection whitepaper is that even though a device may pass all the tests for compliance and therefore be allowed full access to the network, this does not by itself protect the network from malicious attack.
From an SME point of view it can be quite a time-consuming and difficult task tracking and maintaining software updates, patches and security to ensure they all meet a standard requirement. Group Policy already offers some protection whilst on the network by locking down options whilst users are connected, and Network Access Protection should complement this activity. Being able to set up policies to ensure that devices are compliant prior to connection will be useful; however, it will need other clients to be available, such as Mac and Linux clients. Also, a number of mobile devices are now appearing with built-in Wi-Fi connections and in time these are also likely to pose security risks which will need compliance testing in order to offer the necessary security. Unless all platforms are supported then – using the example of the secured facility – it would be similar to enforcing compliance of all people wearing blue suits but allowing anyone with a t-shirt into the building.
A useful facility is the restricted access configuration, so we can deal with those times when a visitor comes on site with their laptop and simply needs Internet access: all their traffic can be redirected to the firewall. It will also be useful for field-based personnel who visit site infrequently – when they log on to the network remotely their computer can be checked to ensure that important security updates are in place.
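The SHA / SoH / SHV exchange described under “So how does it work?” and the restricted-access outcome just mentioned, modelled as a small Python example. This is an added illustration and not Microsoft’s NAP code: the class names follow the NAP terms (Statement of Health, Health Policy, Statement of Health Response), but every field name, threshold and sample client below is constructed for the example, and the three enforcement modes (report only, restricted, deny) are a simplification of what a real enforcement point offers.

```python
"""Toy model of NAP health state validation (added example, not NAP code).

The client-side agent builds a Statement of Health (SoH); the validator on
the Health Policy Server compares it with policy and returns a Statement of
Health Response (SoHR); the enforcement point then grants full access,
restricted access (a remediation network) or no access. All field names,
thresholds and sample values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class StatementOfHealth:
    """SoH: what the health agent reports about the client (constructed fields)."""
    host: str
    firewall_enabled: bool
    antivirus_enabled: bool
    antivirus_signature_date: date
    antispyware_enabled: bool
    automatic_updates_enabled: bool
    missing_critical_updates: int


@dataclass
class HealthPolicy:
    """Requirements the validator enforces (illustrative values, not NAP defaults)."""
    require_firewall: bool = True
    require_antivirus: bool = True
    max_signature_age_days: int = 7
    require_antispyware: bool = True
    require_automatic_updates: bool = True
    allowed_missing_critical_updates: int = 0


@dataclass
class StatementOfHealthResponse:
    """SoHR: compliance verdict plus the remediation items sent back to the client."""
    compliant: bool
    remediation: list = field(default_factory=list)


def validate(soh, policy, today):
    """Validator logic: each failed requirement becomes a remediation instruction."""
    todo = []
    if policy.require_firewall and not soh.firewall_enabled:
        todo.append("enable host firewall")
    if policy.require_antivirus:
        if not soh.antivirus_enabled:
            todo.append("enable anti-virus")
        elif (today - soh.antivirus_signature_date).days > policy.max_signature_age_days:
            todo.append("update anti-virus signatures")
    if policy.require_antispyware and not soh.antispyware_enabled:
        todo.append("enable anti-spyware")
    if policy.require_automatic_updates and not soh.automatic_updates_enabled:
        todo.append("enable automatic updates")
    if soh.missing_critical_updates > policy.allowed_missing_critical_updates:
        todo.append("install %d missing critical update(s)" % soh.missing_critical_updates)
    return StatementOfHealthResponse(compliant=not todo, remediation=todo)


def enforce(sohr, mode):
    """Enforcement point decision for a client.

    mode 'report'     - log only and still grant full access (useful while piloting)
    mode 'restricted' - confine the client to a remediation network
    mode 'deny'       - refuse the connection
    """
    if sohr.compliant:
        return "full-access"
    return {"report": "full-access",
            "restricted": "restricted-access",
            "deny": "denied"}[mode]


# Constructed sample: a visitor's laptop with stale signatures and a missing patch.
VISITOR_LAPTOP = StatementOfHealth(
    host="visitor-laptop", firewall_enabled=True, antivirus_enabled=True,
    antivirus_signature_date=date(2008, 2, 10), antispyware_enabled=False,
    automatic_updates_enabled=True, missing_critical_updates=1)

# Constructed sample: a managed desktop that meets every requirement.
MANAGED_DESKTOP = StatementOfHealth(
    host="finance-pc", firewall_enabled=True, antivirus_enabled=True,
    antivirus_signature_date=date(2008, 3, 3), antispyware_enabled=True,
    automatic_updates_enabled=True, missing_critical_updates=0)


def run_checkpoint(soh, mode="restricted", today=date(2008, 3, 4)):
    """Full exchange: SoH -> validator -> SoHR -> enforcement decision."""
    sohr = validate(soh, HealthPolicy(), today)
    return enforce(sohr, mode), sohr.remediation


if __name__ == "__main__":
    for client in (VISITOR_LAPTOP, MANAGED_DESKTOP):
        decision, todo = run_checkpoint(client)
        print(client.host, "->", decision, todo)
```

Running it puts the visitor’s laptop on the restricted network with three remediation items (stale signatures, no anti-spyware, one missing critical update) while the managed desktop gets full access. The `report` mode is the one to start with when rolling this out in a small business: it shows which machines would fail before any user is actually cut off.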
Microsoft have an Introduction to Network Access Protection at their website: http://www.microsoft.com/technet/network/nap/napoverview.mspx.
You can also view the Microsoft Webcast at http://support.microsoft.com/kb/921070
Wikipedia has an entry at http://en.wikipedia.org/wiki/Network_Access_Protection
4Sysops also talk about Microsoft NAP on their Blog at Windows Server 2008 NAP (Network Access Protection) infrastructure
This post was brought to you by Jason Slater Weblog