ISP Planet - Technology - Bolting the Back Door with NAC - Part 3: Comparing the alternatives

Sections

• Best of the Lists
• Business
• CLEC-Planet
• Equipment
• Executive
Perspectives
• Fixed Wireless
• Investor
• Marketing
• Market Research
• News
• Notable Quotes
• Politics
• Profiles
• Resources
• Technology
• Value-Added
Services
• Webhosting
Also ...
• About Us
• Authors
• ISP-Planet Blog
• Letters
• Site Map
• Technology Jobs

ISP Resources

ISP-Lists
ISP Glossary
ISP News
The List
ISPCON Events
Free Newsletters

internet.com

IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

internet.commerce

Partner With Us

General

Bolting the Back Door with NAC
Part 3: Comparing the alternatives — page three

by Lisa Phifer
VP Core Competence, Inc.
[June 22, 2007]

Microsoft Network Access Protection
Microsoft's NAP is another proprietary architecture, designed to promote endpoint health and policy compliance in networks composed largely of Windows clients and servers—specifically, Windows Vista and Windows Server 2008 ("Longhorn").

At left is a host attempting network access. Today, NAP Agents are only available as an embedded feature of Microsoft Windows Vista or XP SP3 (beta). NAP Agents consult with Vista's native Microsoft System Health Agent (SHA) and/or third-party security programs that implement Microsoft's API. SHAs supply Statements of Health (SoHs) to the NAP Agent, which passes a consolidated SoH to a NAP Enforcement Client (EC).

Each NAP EC initiates access via 802.1X, VPN, DHCP, or IPsec through a NAP Enforcement Server. For example, 802.1X supplicant ECs exchange PEAP with any 802.1X Ethernet switch or AP. VPN client ECs connect to a VPN gateway. DHCP client ECs request an IP address from a DHCP server. Or a NAP Agent can request a Health Certificate from a Microsoft Server 2008 Health Registration Authority (HRA), using that certificate as a substitute SoH to speed up later connect requests.

Microsoft does not make network equipment, so NAP's ability to restrict access varies, depending on the Enforcement Server. For example, ECs connected to 802.1X switches can be controlled through standard RADIUS response attributes like VLAN tags. But ECs that send SoHs to a Microsoft DHCP server can only be limited only by their assigned IP address—a very weak form of access control.

All NAP Enforcement Servers forward RADIUS Access Requests to a Microsoft Network Policy Server (NPS). NPS (the Windows Server 2008 replacement for IAS) consults Active Directory and checks health before returning a response. NPS uses an Administration Server to coordinate with one or more System Health Validators (SHVs). Each SHV decides whether the SoH sent by the matching SHA complies with health status and policy requirements, then returns a Statement of Health Response (SoHR) that indicates compliance or supplies remediation instructions.

NAP can use the native Windows SHV found in Windows Server 2008 and/or third-party security policy programs that implement Microsoft's API. A list of 100+ network equipment and security software vendors that intend to support NAP can be found on Microsoft's website. But NPS is still in beta, so any NAP interfaces being tested now cannot be finalized until Windows Server 2008 is released next year.

Can't we all just get along?
NAP is more network-neutral than CNAC, but it still requires gear that can use standard 802.1X and RADIUS to relay Microsoft SoH/SoHR messages and enforce the outcome. Moreover, NAP is a primarily a Windows Server 2008/Vista/XP SP3 feature; it cannot currently be used to control access by any other endpoints.

Last September, Microsoft and Cisco announced an integration plan (.pdf) to let Microsoft's NAP Agent use selected portions of Cisco's Trust Agent—specifically, Cisco's proprietary EAP-FAST and EAPoUDP—when connecting to Cisco NADs. Those NADs must still send Access Requests to Cisco ACS, but ACS can use HCAP to treat Microsoft NPS like a Policy Validation Server. This does not eliminate any Cisco or Microsoft dependencies, but it does explain how to use both concurrently.

This May, Microsoft and TCG announced that the NAP Statement of Health protocol had been added to the TNC architecture as a standard client-server interface (.pdf). This lets Vista/XP NAP Agents be used in TNC deployments, avoiding TNC client installation on those hosts. It also makes it possible to bolt NAP SHA/SHV programs onto the TNC network access layer and use the same server to support both TNC and NAP.

TNC/NAP interoperability could simplify deployment, but it doesn't change the fact that NAP itself depends on Windows Server 2008. The bottom line: If you're not a Windows shop planning to upgrade to Redmond's latest and greatest, keep reading...

Page one: Introduction

Page two: Cisco Network Admission Control

Page three: Microsoft Network Access Protection

>Page four: TCG Trusted Network Connect

Page five: IETF Network Endpoint Assessment

ISP News

•IDC: Microsoft's Yahoo Deal Could be a Big Hit
•Ballmer Fills in 'Software-Plus-Services' Plan
•Report: Enterprise Search Will Top $1 Billion by 2010

More >

Best of ISP-Planet

ISP-Planet Guide

ISP-Planet's
Principal Studies

Directories:
• Anti-Spam
• Backbone Providers
• Billing Services
• Customer Support
• IDS
• ISP Associations
• Registrar
• Trouble Ticketing
• Webmail
• Wholesale Dialup
• Wireless Equipment

Q1 2008
Top U.S. ISPs
by Subscriber
(Updated 07/22/2008)

VoIP Ranking by Subscriber (Updated 07/28/2008)

ISP-Planet's
Blogroll

Feedback

ISP-Planet's RSS feed

Search:

Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

Jupitermedia Corporate Info

Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers

Solutions

Whitepapers and eBooks
Symantec eBook: The Guide to E-Mail Archiving and Management Microsoft Article: RODCs Transform Branch Office Security Go Parallel Article: James Reinders on the Intel Parallel Studio Beta Program Avaya Article: Advancing the State of the Art in Customer Service Microsoft Article: Security Enhancements Abound in Windows Server 2008		Adobe Acrobat Connect Pro: Web Conferencing and eLearning Whitepapers Avaya Article: Avaya AE Services Provide Rapid Telephony Integration with Facebook Go Parallel Article: Getting Started with TBB on Windows HP eBook: Storage Networking , Part 1 MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts
HP Webcast: Disaster Recovery Planning Go Parallel Video: Performance and Threading Tools for Game Developers HP Video: StorageWorks EVA4400 and Oracle		HP Webcast: Storage Is Changing Fast - Be Ready or Be Left Behind MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits
IBM TCO eKIT: Your IT Budget is Under Attack, Get in Control IBM Energy Efficiency eKIT: Learn How to Reduce Costs 30-Day Trial: SPAMfighter Exchange Module		Red Gate Download: SQL Toolbelt and free High-Performance SQL Code eBook Iron Speed Designer Application Generator MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos
Microsoft Article: Silverlight Streaming--Free Video Hosting for All Featured Algorithm: Intel Threading Building Blocks - parallel_reduce		HP Demo: StorageWorks EVA4400 MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES