As any network administrator knows, wireless networks present special problems. Users love them because they allow them to access the network from just about anywhere, but securing them can be a headache. One rogue access point, and before you know it, all of your corporate data can be literally streaming out the windows. Network Access Protection can help solve this problem. Here's how.
Security and wireless networking in the enterprise
A few years ago, if a user asked you to deploy wireless networking in the enterprise, the standard answer from a security perspective was "NO!" The usefulness of wireless networking quickly overcame those initial security concerns. Rather than leaving users to put in rogue access points, many enterprises have embraced wireless networking with security in mind from the start. Network access protection for wireless networks works, fundamentally, no differently from its wired counterpart: the same roles and enforcement methods apply in much the same way within the scope of the MS-NAP implementation.
For the MS-NAP implementation, the key differences for wireless clients revolve around encryption and roaming. As a general rule, Microsoft recommends the IPSec enforcement method, but for wireless MS-NAP implementations the situation is a little different. With roaming wireless clients using 802.1X authentication, the traffic is not encrypted end-to-end; the encryption from the wireless client stops at the router or switch.
If your wireless networking equipment supports the IEEE 802.1X authentication protocol, Microsoft recommends that you use the 802.1X enforcement method, or enforcement client (EC). The IEEE 802.1X authentication protocol was jointly developed by Microsoft and select networking companies.
However, be aware that products mature: if you use the MS-NAP implementation with the 802.1X enforcement client, there are two product lines whose compatibility you have to keep track of. For example, a firmware update to a piece of networking equipment that enabled or disabled 802.1X would break the MS-NAP implementation. Likewise, future Windows updates may cause the MS-NAP implementation to behave differently or gain functionality that your networking equipment, as-is, may or may not support.
Wireless clients scope of use
Managing wireless clients or mobile users always presents administrators with an additional challenge: keeping full functionality offline while maintaining all desired access levels. Many administrators make notebook users local administrators, because it is just too easy to support users out of the office by letting them perform certain tasks directly.
Chances are that when notebook users are out of the office, they connect to other networks to perform what appear to be requisite parts of their job. When considering an MS-NAP implementation for notebook users, be sure to test roaming off of your primary wired and wireless networks onto a public network and then back to the protected network. Also test your VPN connectivity from the public network. When everything is working as expected, the MS-NAP client reports a success message saying that you are able to access the network, and all seems fine. It is worth the effort to make sure that there are no operator issues in network hopping and that the security configuration is maintained and verified across all configurations.
One important consideration for wireless clients is that they may fall into multiple categories. You may choose to implement MS-NAP with one specific enforcement method, but a client may access your network through multiple mechanisms.
Consider a typical notebook user within an enterprise that has wireless networking. That user may access your network at their desk through the wired connection, via the enterprise wireless network, and remotely through the VPN. In that situation, you may need to implement MS-NAP in more than one way: you could run Network Policy Server (NPS) for each connection point — VPN, DHCP, and 802.1X — or the IPSec enforcement client could span all of the connections. With multiple enforcement methods in use, architect your solution so that every one of them points to the same remediation network, to streamline the resolution process regardless of how the client connected.
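The roaming test above (wired, wireless, public network, VPN, and back) and the multi-connection scenario both come down to the same question: what does the NAP client on the notebook report at each step? The following PowerShell function is an added example, not code from the article or from Microsoft; it assumes that the text output of `netsh nap client show state` carries `Status =`, `Restriction state =`, and per enforcement client `Id =`, `Name =`, `Initialized =` lines, and that `Get-NetConnectionProfile` is available (Windows 8 / Server 2012 or later). Run it once at each step with a label and compare the resulting CSV rows.

```powershell
function Test-NapRoamingStep {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('wired', 'wireless', 'public', 'vpn', 'return')]
        [string]$Step,
        [string]$LogPath = "$env:TEMP\nap-roaming-test.csv"   # assumed log location
    )

    # Capture the NAP agent's view of itself as one string so -match sets $Matches.
    $raw = (netsh nap client show state 2>&1) | Out-String

    # Overall agent status and whether NAP has placed this host in restricted access.
    $status      = if ($raw -match 'Status\s*=\s*(.+)')            { $Matches[1].Trim() } else { 'unknown' }
    $restriction = if ($raw -match 'Restriction state\s*=\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }

    # Enforcement clients (DHCP, IPsec, 802.1X/EAP, VPN): keep the names of those
    # that report Initialized = Yes. Field order Id, Name, ..., Initialized is assumed.
    $ecPattern   = '(?s)Id\s*=\s*(\d+)\s*Name\s*=\s*([^\r\n]+).*?Initialized\s*=\s*(\w+)'
    $initialized = [regex]::Matches($raw, $ecPattern) |
        Where-Object  { $_.Groups[3].Value -eq 'Yes' } |
        ForEach-Object { $_.Groups[2].Value.Trim() }

    # Which network(s) Windows currently believes the host is attached to.
    $profiles = Get-NetConnectionProfile |
        ForEach-Object { "$($_.InterfaceAlias):$($_.NetworkCategory)" }

    $record = [pscustomobject]@{
        Timestamp   = (Get-Date).ToString('s')
        Step        = $Step
        NapStatus   = $status
        Restriction = $restriction
        ActiveECs   = ($initialized -join ';')
        Networks    = ($profiles -join ';')
    }
    $record | Export-Csv -Path $LogPath -Append -NoTypeInformation

    # Checks for this step: the agent must stay enabled on every network, and on the
    # protected network (wired, wireless, or after returning) at least one EC must be active.
    if ($status -ne 'Enabled') {
        Write-Warning "NAP agent status is '$status' at step '$Step'"
    }
    if (($Step -in @('wired', 'wireless', 'return')) -and (-not $initialized)) {
        Write-Warning "No enforcement client initialized on the protected network (step '$Step')"
    }
    return $record
}

# Example: Test-NapRoamingStep -Step wired   (repeat with wireless, public, vpn, return)
```

Comparing the ActiveECs and Restriction columns across the five rows shows whether the enforcement client you expect (DHCP, 802.1X, or IPSec) is the one actually in play at each connection point, which is exactly what a notebook moving between wired, wireless, and VPN access needs verified.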
Online resources for MS-NAP
The server side of the MS-NAP implementation is still officially a beta, pending the forthcoming release of Windows Server 2008. However, there is a lot of good information from Microsoft about the configuration, features, and usage scenarios of network access protection. Here are some resources available now:
- Microsoft TechNet — Network Access Protection: A good starting point for understanding the Microsoft Network Access Protection implementation, with step-by-step guides for usage examples and access to webcasts.
- Microsoft Virtual Lab — Network Access Protection with IPSec Enforcement: This is a 90-minute simulation where you can configure a MS-NAP implementation online without the hassle of setting up a test network.
- Microsoft TechNet — Introduction to Network Access Protection: Here you can download a white paper on an overview of the MS-NAP implementation.
- TechRepublic — Using NAP on VPN connections: Here TechRepublic contributor Scott Lowe gives a good walkthrough of MS-NAP using VPN connections.
- Microsoft TechNet — Network Access Protection: Frequently asked questions.
Give Microsoft's Network Access Protection a spin
This series on Microsoft's Network Access Protection has gone through client configuration, server configuration, and a look at the entire scope of the solution. There are many configurations and usage scenarios for NAP, and you need to decide whether one is right for you. Share your comments and questions below with the TechRepublic blog on Microsoft's Network Access Protection for Windows Server 2008 "Longhorn".
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.