Do you know the old saying that goes, "The quickest way out of something is to never have been in it?" If such wisdom rings true to you, then a new feature of Windows Server 2008, called Network Access Protection (NAP), should be of significant interest to you.
NAP is at the same time a technology and a technique that allows computers to be evaluated on the basis of their health. An administrator sets a baseline of what a "healthy" computer should be, and if a machine doesn't stack up in any way against that baseline, the system can be prevented from accessing the network -- quarantined, as it were, from the healthy systems until the user fixes his broken machine. If the fix is simple, then, in some cases, NAP services can automatically remediate the problem. For example, if an administrator mandates that the Windows Firewall must be turned on, NAP can easily enable the firewall if it's off, thereby fixing the problem and allowing access to the network.
NAP stops troubled and unhealthy machines -- which are, by far, the largest vector for malware to enter your network today -- from ever talking to other healthy machines on your network. You're hanging up the phone, or shutting the door, effectively, in malware's face.
The details
Network Access Protection consists of three parts:
, where the hopeful machine is checked against certain health criteria set by an administrator. The admin can look at patch state, service-pack level, presence of AV software and enabled firewalls and so on. Third parties can also plug into this framework. There is a Linux software vendor that is making an engine so that NAP can look at open source clients as well.
Health policy compliance, where managed computers that fail the validation process can be automatically updated or fixed via Systems Management Server or some other management software. This is an optional, but very useful, part of NAP that allows you to get a lot of benefit from keeping crappy machines off your network without phenomenally increasing your help desk costs.
Limited access, which is essentially the enforcement mechanism for NAP. It's possible to run NAP in deferred enforcement mode, which logs the compliance and validation state of computers connecting to the network. But in enforcement mode, computers that fail validations are put into a quarantine area where they can only contact a set of specially hardened servers that contain the tools most commonly needed to get machines up to snuff.
NAP's knacks and perils
NAP is a great feature of Windows Server 2008 -- in fact, it may be my favorite. The advantages are numerous. You get very effective protection against malware before it can infiltrate your network, it is included in the licensing cost of the server product and it presents another way for your users to take security seriously. If their systems aren't up to snuff, they can't get their work done, so system integrity becomes a unified priority across IT and the user community alike. Plus, it's intelligent enough out of the box to fix some simple problems, so quick fixes don't require calls to your support stuff.
That's not to say NAP is a golden ticket to security nirvana; there are indeed some disadvantages. Some skeptics even question why NAP is a security feature at all. (It is.) Consider the following:
- There are enforcement methods that jeopardize the effectiveness of NAP. For example, DHCP-based protection (where a few routes are assigned before health verification) is easily bypassed on the client by knowledgeable users who know what they're doing. They simply enter a static IP address and DNS/router information.
- The element of detection of network devices coming online can be difficult to implement securely, particularly solutions that rely on detecting broadcast packets.
- And finally, the best deployment method -- 802.1x protection with compatible switch or router hardware -- is expensive and requires a lot of time to test and bring online.
NAP with IPsec solves a lot of these problems. How? Stay tuned for Part 2, where I'll explain how the two technologies in conjunction are simply fantastic.
About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. He can be reached at jhassell@gmail.com.
