Longhorn – network access protection – the shape of things to come
I have promoted the concept of standard corporate PC builds for over a decade, in fact my first standard PC’s were in fact Unix workstations back in the late 1980’s. However I have become increasingly unsure of the approach as we find more and more uncontrolled devices connecting to the network (customers, partners, contractors etc), more home devices being used and more IT literate users who want to take on the burden of management in return for flexibility.
In all of these senarios it’s not standard builds that are important but policy compliance and enforcement. Enter NAP, I first came across NAP in SSL VPN’s but now I see it being much more universally used on corporate networks, and heralding improved security and greater freedom and flexibility, especially for innovators, developers and other creative professionals. Here’s how Microsoft describes their Longhorn implementation:
NAP, a set of components in the Microsoft® Windows® Code Name “Longhorn” client operating system and in the Microsoft Windows Server™ Code Name “Longhorn” operating system, helps protect access to a private network by enforcing health policies. System administrators establish health policies, which can include such things as software requirements, security update requirements, and required configuration settings. NAP enforces health policies by inspecting and assessing the health of client computers, restricting network access when client computers are deemed unhealthy, and remediating unhealthy client computers for full network access. NAP enforces health policies on client computers that are attempting to connect to a network; NAP also provides ongoing health compliance enforcement while a client is connected to a network.
To help protect network access, NAP relies on four key processes.
NAP uses health policies to determine whether a client computer is allowed access to a network. The system administrator defines health policies, which include such things as virus signature requirements, security update requirements, and firewall configuration settings. NAP deems a client computer as healthy if it complies with current health policies and unhealthy if it does not comply.
NAP denies unhealthy client computers access to the network or allows them access only to a special restricted network (sometimes known as a quarantine network or a remediation network). Set up properly, a restricted network provides client computers with access only to servers that can update them to a healthy state.
Unhealthy client computers that are put into a restricted network might undergo remediation. Remediation is the process of automatically updating a client computer so that it meets current health policies. For example, a restricted network might contain a File Transfer Protocol (FTP) server that automatically updates the virus signatures of unhealthy client computers that have outdated signatures.
NAP can enforce health compliance on client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies change and the health of client computers change. For example, NAP will determine that the client computer is in an unhealthy state if a health policy requires that Windows Firewall be turned on and an administrator inadvertently turns it off on a client computer. NAP will then put the client computer into the restricted network until Windows Firewall is turned back on.
NAP enforces health policies for the following network access technologies: Dynamic Host Configuration Protocol (DHCP) address configuration, network connections based on virtual private networking (VPN), and communication based on Internet Protocol security (IPsec). NAP also provides a suite of application programming interfaces (APIs) that allow companies other than Microsoft to integrate their software into the NAP platform. By using the NAP APIs, software vendors can provide end-to-end solutions that validate health and remediate unhealthy clients.
I would add only a little to this description and that is that in many cases the resticted network that non-compliant devices have access to needs to provide access to the internet, this means that visitors who connect to your network then can get “home” without impacting on the integrity of your network.
This is a great example of a feature that needs MDS, MCS, MNS and GISS to work together!
More information is in the attachment.