Can you rely on MS Network Access Protection?

Viruses and malware are often stopped by software defenses than run on the desktop; in fact, the antivirus, antispyware and other security suite software business has rapidly become a very lucrative industry. As useful as those protections are, however, the best solution would be such threats never getting a chance to access the network -- like the old saying goes, "The quickest way out of something is to never have been in it."

In Longhorn Server, Microsoft has crafted a technology that allows computers to be examined against a baseline set by an administrator, and if a machine doesn't stack up in any way against that baseline, the system can be prevented from accessing the network -- quarantined, as it were, from the healthy systems until the user fixes his broken machine. This functionality is called Network Access Protection (NAP).

You might know of NAP's predecessor, Network Access Quarantine Control (NAQC). It debuted in Windows Server 2003 as a more limited form of quarantine protection. NAQC is limited to protecting your corporate network against remote users: It prevents unhindered access to a network for a remote user until after his computer has been verified as meeting a certain set of baselines that a network administrator sets.

Under NAQC, when a client establishes a connection to a remote network's endpoint, the client will receive an IP address, but Internet Authentication Service establishes a quarantine mode that is lifted only after health verification is complete. While NAQC is useful, it requires programming a baseline script to set up; its management facilities are next to none; and most critically, it offers no safeguards against infected machines inside the corporate campus.

How it works

NAP addresses these weaknesses and builds on the solid premise of NAQC -- that stopping spyware and viruses dead, before they can ever reach the network, is the best line of defense. NAP in Longhorn Server (which may be called Windows Server 2007) can be considered in three different parts:

-- Health policy validation. Validation is the process where the machine attempting to connect to the network is examined and checked against certain health criteria that an administrator sets. This criteria can include patch state, service-pack level, presence of AV software and so on.

-- Health policy compliance. Compliance policies can be set so that managed computers that fail the validation process can be automatically updated or fixed via Systems Management Server or some other management software. This is an optional, but very useful, part of NAP.

-- Limited access. Access limiting can be the enforcement mechanism for NAP. It's possible to run NAP in monitoring-only mode, which logs the compliance and validation state of computers connecting to the network. But in active mode, computers that fail validations are put into a limited-access area of the network, which typically blocks almost all network access and restricts traffic to a set of specially hardened servers that contain the tools most commonly needed to get machines up to snuff.

Here's the basic process for a NAP session and the various bits and pieces that are involved:

1. A client asks for access to the network and presents its current state of health to the Dynamic Host Configuration Protocol (DHCP) server, virtual private network (VPN) server or a compatible switch or router.

2. The DHCP/VPN server or router/switch sends the health status, as presented by the client, to the Microsoft Network Policy Server, which is a machine based on the RADIUS protocol.

3. The Network Policy Server checks the health status against the criteria that the administrator sets and, based on the results of the check, does one of the following:

-- If the machine does not comply with the IT policy, the client is put into a restricted virtual LAN, is disallowed via IPsec rules or via 802.1x wire-level protection from talking with healthy machines, or is given a very limited set of routes via DHCP. Regardless of the method of restriction, the unhealthy client can access a few (presumably specially hardened) servers that have the resources needed for a client to fix itself. Steps 1 through 3 are then repeated.

-- If the machine complies with policy, the client is granted full access to the network.

On the client side, system health agents (SHA) and system health validators (SHV) are small pieces of code that ensure the checks and validations are made on each individual client machine as necessary, as mentioned in Step 1 above. Windows Vista will include default SHAs and SHVs that can be customized upon its release.

Benefits and drawbacks

NAP is a truly great addition to Longhorn Server. The advantages are numerous. You get very effective protection against malware before it can infiltrate your network, it is included in the licensing cost of the server product, and it presents another way for your users to take security seriously. If their systems aren't up to snuff, they can't get their work done, so system integrity becomes a unified priority across both IT and the user community alike.

That's not to say NAP is a golden ticket to security nirvana; there are indeed some disadvantages. One is that there are deployment scenarios that jeopardize the effectiveness of NAP. For example, DHCP-based protection (where few routes are assigned before health verification) is easily bypassed on the client -- by users who know what they're doing -- by simply entering a static IP address and DNS/router information.

Two, the element of detection of network devices coming online can be difficult to implement securely, particularly solutions that rely on detecting broadcast packets. And finally, the best deployment method -- 802.1x protection with compatible switch or router hardware -- is expensive and requires a lot of time to test and bring online.

The verdict

Can you rely on NAP? I think you certainly can, so long as it is deployed correctly and as part of a multilayered solution to security. Defense in depth still applies -- NAP is not an end-all, be-all answer to your problems, in my opinion. But NAP can and should play a very central role to your approach to security.

Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003. His work appears regularly in such periodicals as Windows IT Pro, PC Pro and TechNet Magazine. He also speaks worldwide on topics ranging from networking and security to Windows administration. He is currently an editor at Apress, a publishing company specializing in books for programmers and IT professionals.

Join the newsletter!

Error: Please check your email address.

More about HISMicrosoftVIA

Show Comments