I recently had the pleasure of working with Elliot Lewis, a Network Security Architect at Microsoft who is well informed on Network Access Protection. Probably the most common question we have been asked by customers in Higher Education is how NAP will work with student machines, other platforms, and non-Microsoft infrastructure servers. While many see the advantage of NAP to secure the desktop, often those who will make the decision to deploy NAP in a University setting do not have ownership of the network infrastructure including DHCP and DNS.
<Michael> I understand there is an answer for student-owned machines. Can you explain how Universities should approach this problem and what the typical student would need to do?
<Elliot> Network Access Protection is a platform that allows for all kinds of integration into the quarantine system – it allows for managed, un-managed, local attached, remote attached, wired or wireless clients. In short, no matter HOW you touch the university's network, quarantine operations are going to take place. In order to accomplish comprehensive control we use multiple quarantine enforcement mechanisms under the covers to control all of the various enforcement points. Examples of these enforcement mechanisms are IPsec, DHCP, VPN, 802.1x, and Terminal Services. The university can choose any one or any combination of these enforcement controls – they can even be combined if desired to meet the needs of the university's environment.
So in answer to the question above, the university needs to decide which enforcement mechanisms they want to utilize across their enterprise and this will determine what, if anything, the students will need to do to their machines to get on the network. Here are some of the issues to think about:
- What client OS is the student running on his PC? If it is Vista then the NAP client is already running in the OS on the base load. If it is XP (or any other downlevel or 3rd party OS), then the student will have to update the client with the appropriate update to install a NAP client. For XP, this update will be available via Microsoft. For all others, such as Mac or Linux, the NAP architecture is open to additions for 3rd party clients. There are vendors looking at making these 3rd party OS NAP clients now – and this would be a very interesting project for a university to potentially look at doing <wink>.
- Which enforcement mechanisms does the university want to use? The un-managed student PC will need to have a quick script run on the PC to set the enforcement client controls and user interface settings (all other options are supplied by the Network Policy Services (NPS) servers on the network). NOTE: In the case of using IPsec control, the university will set up Health Registration Authority (HRA) servers that are essentially web-based front end servers to health certificate authorities. This parameter will be included in the setup script as well. If the student PC is part of a domain and can take group policy then all of this can be done via GPO.
<Michael> So, students will need to install something on their machines?
<Elliot> Yes, as described in the last question there will need to be some configuration if the student machine is not Vista + domain joined. But this being said, once that one simple script is run giving the student the settings they need to participate in quarantine operations EVERYTHING is handled by the network itself and the student should have little to no need to deal with the quarantine operations. (NOTE: If the student does NOT run the script, they will not get on the network – NAP controls will simply quarantine them until such time as they have the appropriate settings to participate in quarantine ops. This means that "not running the script" = "off the network by default"! The only way around this is to have an NAP exemption from the network administrators OR compliance to a "non-NAP aware" policy on the Network Policy Servers.)
<Michael> I suspect we have partners working on a NAP solution for Apple and Linux?
<Elliot> We do have partners looking at this, but to date we have no firm commitments on delivery. As stated earlier, this is an excellent opportunity for some work at the universities to create such a client!
<Michael> Will Mac or Linux users need to worry about being blocked from the network?
<Elliot> In short, no, there is no danger of this. As stated earlier, the administrators can set a policy in the NAP settings to allow for non-NAP aware clients to be handled in a certain way. Therefore, if the client in question cannot provide Microsoft based health credentials for evaluation the NAP system will understand this and can check for a policy to deal with that client – whether allowing it on the network by default or placing it into some sort of quarantine control area – the choices are completely up to the administrator. Another option is to allow for exemptions per machine in the system – be aware this method can be an administrative burden. When a Mac or Linux NAP client is eventually developed then these OSes will be able to provide health credentials and participate under normal operations.
<Michael> If we let other OS's on, wouldn't that allow some way for students running Vista to circumvent NAP?
<Elliot> Absolutely not. Each client coming online is handled in its own context and that control is handled by the network – not the clients! Anytime a client touches the bandwidth of the network in any way the NAP architecture will assess it for health status. If it is able to provide health status – as is the case in XP or Vista – then the NAP system will evaluate the client from the network side of the house. Network entry is by no means authorized on the client side – it is all controlled on the network and server infrastructure. Since enforcement mechanisms like IPsec, 802.1x, VPN and Terminal Services are all authenticated by network based operations there is no way for a student to bypass that authorization control process! The one exemption on this rule could potentially be the use of DHCP enforcement control by the university because in the case where the student is a local administrator on their PC they can manually override DHCP IP addressing and plumb manual addressing parameters onto their own PC. This being said, the student will have to be able to manipulate far more than just the IP address (we won't go into the other settings on this blog 🙂) and have intimate knowledge of the network operations of the university to get their settings right. If this is a concern then DHCP can be combined with the other enforcement controls to "harden" it.
<Michael> Will antivirus vendors need to develop special ties to NAP?
<Elliot> Not necessarily – this depends on how closely the university wants to control the anti-virus vendors allowed to be used in their environment. For instance, if the university wants to ONLY allow certain AV vendors to be used on campus and MANDATE that use amongst the student body then yes, they should get the particular NAP-aware AV software and supply it to the student body. On the other hand, if the university just wants to make sure that each student is using SOME sort of AV and does not care which one it is then the university can use the built-in Windows System Health Agent (SHA) that comes in Windows and the base NAP code. The Windows SHA works off of Security Center which runs on XP and Vista and the university can check for all of the security settings that Security Center checks for and can mandate compliance to those settings via NAP. One of those settings is the presence and "up-to-date" status of AV software – without specifying WHICH AV software is running. Other settings that can be checked/enforced on XP/Vista clients are the Windows Firewall active and running and Automatic Updates active and running with the latest patches available from Microsoft. In Vista, Security Center has the ability to check for Microsoft Defender spyware settings as well. Since the Windows SHA comes "out-of-the-box" with the NAP client for XP/Vista there is no need to download or manage any other SHAs to do this level of functionality!
<Michael> Is there any way for NAP to work with non-Microsoft infrastructure servers that provide DHCP and DNS?
<Elliot> Absolutely. First of all, NAP does not rely on DNS services to do the work so there are no issues there. Now as for DHCP, as I said earlier, NAP is designed to use several enforcement controls – DHCP is just one option for use! If the university is not using Microsoft DHCP services then they can use another of the enforcement controls to handle quarantine operations. This being said, I have to state once again that NAP is designed to be a "pluggable" architecture – we have over 60 vendors working on the NAP architecture to align their systems to work with NAP. If the university is using a non-Microsoft DHCP service and wishes to use DHCP as the enforcement control then there is no reason why that service provider cannot modify their DHCP ops to work with NAP. Microsoft has provided all of the APIs to allow that integration!
<Michael> Is there anything we can do for machines that use a static IP?
<Elliot> Absolutely – just use IPsec, 802.1x, VPN, Terminal Services, or a combination of all four to handle the quarantine control for the network!
Thanks very much to Elliot for his time and knowledge sharing. Network Access Protection is a good step towards intercepting student machines as they join the University network and checking to ensure they are not putting themselves and others at risk. For more information see the TechNet website on NAP. Comments welcome!