Over the coming weeks I’m embarking on a journey through the wonders and mysteries of Windows Vista’s Network Access Protection (NAP).
All of the content for this journey will be tagged as “JourneyThrough: Network Access Protection”.
Through a series of blog posts I’ll share with you details of what’s possible with Windows XP and Server 2003 to reduce the risk posed by machines that fail to comply with corporate security policy, using Network Quarantine (a feature of Windows Server 2003) and IPsec.
I’ll share with you the background and context for this important new technology. I’m writing the content myself and linking to interesting documents, as well as providing my own commentary and suggestions.
This material is grounded in reality rather than marketing spin; it’s a technical guide which will help you learn about how to secure network access by asserting and enforcing the security policy compliance (health) of client machines BEFORE granting them access to sensitive “internal” networks.
Modern information workers typically take advantage of seamless access to whatever internet access is available to them. Think about your daily use of network resources. I use a 3Mb/sec DSL (Digital Subscriber Line) connection at home, the corporate wireless and wired connections when I’m in the office and cyber café wireless access when I’m out and about. Sometimes I also use hotel and customer/partner network access too. No longer is it safe to assume that “the network protects me” from all ills. In fact it’s often “the network” that carries the malicious software from other people’s poorly configured / poorly patched systems.

Consider what happens when you return from holiday. Often a security update (formerly referred to as a patch) is released while you’re away. When you return (either remotely or in the office) your system is susceptible to exploitation via the vulnerability until you update it. Both quarantine (for VPN connections) and NAP (for all connections) will reject connection requests (if so configured) from un-patched systems, thereby saving other members of the network from infection. These technologies work in conjunction with personal firewalls (such as the one built into XP SP2), which reject unsolicited incoming connection requests from other hosts. In theory this prevents worms from infecting such un-patched systems. Defense in depth best practice dictates that quarantine/NAP AND personal firewalls should BOTH be used to provide effective security.
The quarantine feature in Windows Server 2003 is a “no additional charge” (free) feature of the operating system that enables us to force VPN (Routing and Remote Access – RRAS) clients to prove that they comply with the prime aspects of our information security policy BEFORE granting them access to the internal network. If you’ve ever worked from home and established a full network connection (Virtual Private Network – VPN) to corpnet then you’ve used our quarantine implementation. The Connection Manager Administration Kit (CMAK) is used in conjunction with Remote Quarantine Client (RQC) and Remote Quarantine Server (RQS) to implement quarantine. Microsoft employees (who work remotely) run “Connection Manager” to initiate the VPN client and integrated Quarantine functionality. Remediation is a unique benefit of both Quarantine and NAP which enables users to bring their systems into policy compliance if they are initially denied access.
NAP is essentially the next generation of quarantine, adding support for IPsec, DHCP, 802.1X (port-based authentication) and RRAS (VPN) enforcement points. Client machines must prove that they comply with corporate policy (i.e. are “healthy”) BEFORE connecting to corporate resources by wired, wireless or remote access.
Stay tuned and please provide your feedback in the customary “comment” manner.