

NAQC and NAP: A comparison


Jonathan Hassell, Contributor
06.12.2006


I published a tip recently covering Microsoft's existing solution for protecting your network from malware installed on remote users' machines, called Network Access Quarantine Control. As I said then, NAQC is effectively the precursor to a much more capable quarantining service, called Network Access Protection, which won't be available until both Vista and Longhorn Server are released. In this tip, I'll take a look at the differences and provide some guidance as to what you should be paying attention to and when.

The topic of network quarantining grows in importance each day. The giants in networking and software realize it and have begun releasing products and services that automatically defend your network against foreign threats that find themselves on the wrong side of the firewall (at least from your perspective as the systems administrator).

NAQC and NAP: The differences
The biggest difference between NAQC and NAP is scope: NAQC protects just against machines outside your perimeter that attempt to connect to your network. NAP does that, too, but it takes protection a step further by enforcing policies on computers directly connected to the LAN, including mobile computers that come back to the home office and that connect occasionally. This closes a serious loophole in NAQC coverage.

That's not the only refinement, however. Here is a chart so you can see at a glance the primary differences between the NAQC application that exists today and the set of features that are coming when you pair Windows Vista with Longhorn Server.

| Aspect | NAQC (existing) | NAP (in Vista/Longhorn Server) |
|---|---|---|
| Scope of protection | Remote access and VPN clients | Remote access and VPN clients plus computers connected to local network (complete protection) |
| Enforcement | DHCP, VPN | DHCP, VPN, 802.1x, IPsec |
| Deployment | Server: Windows Server 2003 Resource Kit. Client: through Connection Manager profiles | Baked into server and client releases; no further installation necessary |
| Scope of service | Any existing client that supports Connection Manager profiles (not local clients) | Windows Vista clients, local or remote. Protection for remote clients available for all client platforms with a special connection profile |
| Exception Management | Only through custom sets of packet filters | Complete graphical interface for managing individual and group-based exceptions |

NOTE: The features and capabilities of NAP as listed in this tip are as of this writing; of course, when it comes to Microsoft beta software, everything is subject to change before release, even up to the last minute.

Should you deploy NAQC now?
A lot of administrators are wondering whether to go ahead and deploy Microsoft's existing quarantining solution, NAQC, when there's clearly a superior release on the horizon. You might also be considering an investment in Cisco's quarantining solution, Network Access Control -- the primary selling point being hardware-based control of policies that isn't dependent on the operating system software.

In either case, my recommendation is not to wait. In terms of NAQC, for one, the probability that a remote user will infect your premises grows with each passing day, particularly as more of the locations that mobile users frequent offer unfettered, unfirewalled, completely insecure Internet access. Second, the protection offered to your mobile users can still continue with NAP in its current form, so you don't exactly lose by making the effort to deploy NAQC now. Finally, some security is better than none at all. The only cost of NAQC now is time; the tools you need are freely available. Why not take advantage of them and introduce the concept of quarantining in your organization? In terms of deploying Cisco's solution, consider your investment well protected. NAP and NAC are fully interoperable and compatible.

Either way, deploying quarantining services now will make the transition to full-blown NAP even easier when both Windows Vista and Longhorn Server are finally commercially available.

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
