SolutionBase: Take a NAP to secure your network

Searching for a way to prevent misconfigured clients from using your company's network resources? Scott Lowe assists you in your research by presenting three product options in the world of Network Access Protection.

The scenario: A sales person toting a less than well-protected corporate laptop on business spends weeks visiting dozens of customer sites and connects to their networks, uses the omnipresent Starbucks to check e-mail between meetings, and conducts business from his remote offices. As a result of this user's forays into the Internet wilderness -- and his lack of connectivity to the home office -- his OS patches are woefully behind, his antivirus signatures are weeks old, and he's managed to accidentally disable his Windows firewall. After traveling the sales region with his laptop, he comes back to the home office for a few days to report in. Do you really want this potentially malware-infested and ill-protected laptop sullying the good waters of your corporate network? Fortunately, there are solutions out there that will protect your network from becoming the victim of a poorly managed laptop.

In this article, I'll focus on features coming to Windows Server 2008 that will assist in network protection efforts and will also mention similar products from Cisco and Bradford as well as an open source possibility. There are really dozens of such products and solutions available on the market and in the open source world, so if the discussed solutions are not viable for your organization, make liberal use of Google to locate a suitable solution.

Author's note

For the purposes of this article, the phrases "Network Access Protection" and "Network Access Control" are intended to encompass all solutions that help to prevent misconfigured clients from using network resources.

How Network Access Protection works

To sum up the services provided by Network Access Protection (NAP) products: NAP systems technologically enforce existing organizational security policies across the enterprise and prevent noncompliant systems from accessing the network.

NAP systems accomplish this task by analyzing the state of each endpoint (that is, every client computer and device) and making an access determination based on any number of factors. Such factors can include the state of operating system updates, virus definition age, existence of virus control software, whether or not the Windows Firewall service is running, and more.

NAP systems protect the infrastructure from malware and, among other things, help reduce the possibility of your or your customers' private information falling into the wrong hands. As you can probably tell, NAP systems also help prevent the spread of viruses and spyware in your organization through the use of specific agents that track compliance.

Many NAP systems use some kind of quarantine method to segregate noncompliant systems from compliant systems. In the case of Microsoft's NAP solution, you can segregate clients using DHCP (quarantined clients are placed into a separate subnet from which they can access only remediation services), using 802.1X, using IPSec (clean systems get a certificate indicating their healthy state), or using VPN quarantine methods (for remote clients).

NAP is intended for a number of scenarios beyond the promiscuous laptop I talked about earlier. Consider the impact of guest laptops on your network as well. You may want to run them through your NAP system before granting network access in order to prevent them from spreading possible malware on your network. NAP is also appropriate for ensuring that all organizational systems -- desktops and laptops -- remain at a specific level of health and for making sure that home computers that may connect to the corporate network via the VPN meet some minimum health standards. In fact, some NAP systems take automatic steps to help keep systems compliant.
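As an added illustration of the evaluate-then-quarantine flow described in this section (not part of the original article and not code from Microsoft or any other vendor), the following Python example checks an endpoint's reported health against a policy and limits a quarantined client to remediation servers. The thresholds, server addresses, field names and sample hosts are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values for this example, not any vendor's defaults.
MAX_SIGNATURE_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)
REMEDIATION_SERVERS = {ipaddress.ip_address("10.99.0.10"),  # patch server (constructed)
                       ipaddress.ip_address("10.99.0.11")}  # AV update server (constructed)

@dataclass
class HealthReport:
    """Constructed stand-in for the state an endpoint agent reports."""
    host: str
    av_installed: bool
    av_signature_date: date
    firewall_running: bool
    last_patch_date: date

def evaluate(report, today):
    """Return (decision, remediation steps). No report means no agent: fail closed."""
    if report is None:
        return "quarantine", ["install or start the health agent"]
    steps = []
    if not report.av_installed:
        steps.append("install antivirus software")
    elif today - report.av_signature_date > MAX_SIGNATURE_AGE:
        steps.append("update antivirus signatures")
    if not report.firewall_running:
        steps.append("enable the host firewall")
    if today - report.last_patch_date > MAX_PATCH_AGE:
        steps.append("install operating system updates")
    return ("quarantine", steps) if steps else ("full-access", [])

def may_reach(decision, dest_ip):
    """Quarantined clients reach only remediation servers, as with a restricted subnet."""
    if decision == "full-access":
        return True
    return ipaddress.ip_address(dest_ip) in REMEDIATION_SERVERS

if __name__ == "__main__":
    today = date(2008, 3, 1)  # fixed date so the constructed samples are reproducible
    laptop = HealthReport("sales-laptop", True, date(2008, 2, 1), False, date(2008, 1, 5))
    desktop = HealthReport("office-desktop", True, date(2008, 2, 28), True, date(2008, 2, 20))
    for r in (laptop, desktop, None):
        decision, steps = evaluate(r, today)
        print(r.host if r else "guest (no agent)", decision, steps)
```

A machine that sends no health report at all, such as a guest laptop without an agent, is quarantined rather than admitted, so the policy fails closed.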

Windows Server 2008 Network Access Protection

Shipping with Windows Server 2008 are the ultimate results of Microsoft's foray into the network protection market. When combined with Windows XP (Service Pack 3) or Windows Vista clients, Microsoft's Network Access Protection presents a complete access protection solution.

In order to get a grasp on NAP in Windows Server 2008, you should understand the general elements that make up an overall, comprehensive solution. I've already presented some of the terms you'll need to know in a Windows Vista article; these are the building blocks and are important to understand. Although these are the terms used by Microsoft, the concepts behind them apply to other network access systems as well.

Other NAP options

I would be remiss not to mention other NAP solutions currently available on the market.

Cisco NAC Appliance

A few years ago, networking equipment company Cisco purchased Perfigo, a leading network access control system, and renamed the product as Cisco Clean Access. More recently, they renamed the product again, to Cisco NAC Appliance. Like Microsoft's solution, the Cisco NAC Appliance is an "enforcement solution that allows network administrators to authenticate, authorize, evaluate, and remediate users and their machines prior to allowing users onto the network." In short, it keeps your network -- and other computers on your network -- in a healthy state. Cisco's NAC Appliance has three overall components that make the solution work:

  • Clean Access Server: The Clean Access Server initiates endpoint assessment and enforces access privileges based on the compliance state of the client computer.
  • Clean Access Manager: The Clean Access Manager is a centralized management console for all of the individual Clean Access Servers and is used to define the policies to which endpoints must adhere.
  • Clean Access Agent: This is the software component that sits on the endpoint computer and verifies and enforces client health.

Packet Fence (Open Source)

Packet Fence brings network access control to the masses via its open source and free nature. Packet Fence is deployed in a number of academic environments and makes use of a significant number of open source tools -- including Fedora, LAMP, Perl and Snort -- to achieve its goals.

Due to its nature, Packet Fence is extremely configurable and obtainable. In fact, if you want to start testing Packet Fence right away, you can download a VMware virtual machine on which Packet Fence is already set up and ready for testing -- no installation necessary. And, of course, you can use VMware Workstation or ESX Server or the free VMware Server to perform your testing.

On the feature side, Packet Fence includes the following:

  • Authenticate users using any authentication Apache supports
  • Registration-based and scheduled vulnerability scans
  • Captive portal-based user registration and remediation
  • Passive operating system fingerprinting using DHCP
  • Ban unsupported operating systems or NAT-based routers
  • Automatically register game consoles or VoIP phones
  • Log location-based information using DHCP
  • Protect multiple networks and 802.1Q trunks
  • Web-based GUI

Again, by viewing this list, you'll notice some common themes. There is policy definition (i.e., ban unsupported operating systems), authentication, remediation, and more -- all of the components necessary to operate a successful network access system.

In summary

In this article, you learned about Microsoft's upcoming foray into the world of Network Access Protection and about two other products -- one commercial and one open source -- that may fit the bill. This list of three products, however, only begins to scratch the surface of what's available in this market space, so be sure to do your research and investigate other options.