The scenario: A sales person toting a
less than well-protected corporate laptop on business spends weeks visiting
dozens of customer sites and connects to their networks, uses the omnipresent
Starbucks to check e-mail between meetings, and conducts business from his remote
offices. As a result of this user’s forays into the Internet
wilderness — and his lack of connectivity to the home office — his OS patches
are woefully behind, his antivirus signatures are weeks old, and he’s managed to
accidentally disable his Windows firewall. After traveling the sales region with his laptop, he
comes back to the home office for a few days to report in. Do you really want
this potentially malware-infested and ill-protected laptop sullying the good
waters of your corporate network? Fortunately, there are solutions out there that will protect
your network from becoming the victim of a poorly managed laptop.
In this article, I’ll focus on features coming to Windows
Server 2008 that will assist in network protection efforts and will also
mention similar products from Cisco and Bradford as well as an open source
possibility. There are really dozens of such products and solutions available
on the market and in the open source world, so if the discussed solutions are
not viable for your organization, make liberal use of Google to locate a
suitable solution.
Author’s note
For the purposes of this article, the phrases “Network
Access Protection” and “Network Access Control” are intended to
encompass all solutions that help to prevent misconfigured
clients from using network resources.
How Network Access Protection works
To sum up the services provided by Network Access Protection
(NAP) products: NAP systems technologically enforce existing organizational
security policies across the enterprise and prevent noncompliant systems from
accessing the network.
NAP systems accomplish this task by analyzing end point — that
is, every client computer and device — state and making an access
determination based on any number of factors. Such factors can include the
state of operating system updates, virus definition age, existence
of virus control software, whether or not the Windows Firewall service is
running, and more.
NAP systems protect the infrastructure from malware and help
reduce the chance of your own or your customers’ private information
falling into the wrong hands, among other things. As you can probably tell, NAP
systems also help prevent the spread of viruses and spyware in your
organization through the use of specific agents that track compliance.
Many NAP systems use some kind of quarantine method in order
to segregate noncompliant systems from compliant systems. In the case of Microsoft’s
NAP solution, you can segregate clients using DHCP (place them into a separate
subnet from which quarantined clients can access only remediation services),
using 802.1X, or using IPSec (clean systems get a certificate indicating their
healthy state) or VPN quarantine methods (for remote clients).
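As an added example (not part of the original article and not code from any NAP product), the following Python sketch evaluates a constructed “statement of health” against a policy using the factors listed above and maps the result to either full access or a remediation-only quarantine network; the thresholds, host names and dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed example, not Microsoft's NAP code: a minimal "system health
# validator" that turns an endpoint's reported state into an access decision.

@dataclass
class StatementOfHealth:
    host: str
    last_os_patch: date                 # date OS updates were last applied
    av_installed: bool
    av_signature_date: Optional[date]   # None when no signatures are present
    firewall_running: bool              # Windows Firewall service state

@dataclass
class HealthPolicy:                     # thresholds are made-up values
    max_patch_age_days: int = 14
    max_signature_age_days: int = 7

@dataclass
class AccessDecision:
    host: str
    compliant: bool
    remediation: List[str] = field(default_factory=list)

def evaluate(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> AccessDecision:
    """Check every factor against policy; record each failure, not just the first."""
    problems = []
    if (today - soh.last_os_patch).days > policy.max_patch_age_days:
        problems.append("install pending OS updates")
    if not soh.av_installed:
        problems.append("install antivirus software")
    elif soh.av_signature_date is None or (today - soh.av_signature_date).days > policy.max_signature_age_days:
        problems.append("update antivirus signatures")
    if not soh.firewall_running:
        problems.append("start the Windows Firewall service")
    return AccessDecision(soh.host, not problems, problems)

def enforce(decision: AccessDecision) -> str:
    """Full access for compliant hosts; otherwise a remediation-only quarantine network."""
    return "full" if decision.compliant else "quarantine"

# Constructed sample endpoints, evaluated on a fixed date so results are stable.
TODAY = date(2008, 3, 1)
SALES_LAPTOP = StatementOfHealth("sales-laptop", TODAY - timedelta(days=45),
                                 True, TODAY - timedelta(days=21), False)
HEALTHY_DESKTOP = StatementOfHealth("hq-desktop", TODAY - timedelta(days=3),
                                    True, TODAY - timedelta(days=1), True)
```

Calling `enforce(evaluate(SALES_LAPTOP, HealthPolicy(), TODAY))` yields "quarantine" with three remediation items, while the desktop is granted "full" access; in a real deployment the quarantine outcome is what the DHCP, 802.1X, IPSec or VPN enforcement point acts on.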
NAP is intended for a number of scenarios beyond the
promiscuous laptop I talked about earlier. Consider the impact of guest laptops
on your network as well. You may want to run them through your NAP system
before granting network access in order to prevent them from spreading possible
malware on your network. NAP is also appropriate for ensuring that all
organizational systems — desktops and laptops — remain at a specific level of
health and for making sure that home computers that may connect to the
corporate network via the VPN meet some minimum health standards. In fact, some
NAP systems take automatic steps to help keep systems compliant.
Windows Server 2008 Network Access Protection
Shipping with Windows Server 2008 are the ultimate results
of Microsoft’s foray into the network protection market. When combined with
Windows XP (service pack 3) or Windows Vista clients, Microsoft’s Network
Access Protection presents a complete access protection solution.
In order to get a grasp on NAP in Windows Server 2008, you
should understand the general elements that make up an overall, comprehensive
solution. I’ve already presented some of the terms you’ll need to know in a Windows Vista
article; these are the building blocks and are important to understand. Although
these are the terms used by Microsoft, the concepts behind them apply to other
network access systems as well.
Other NAP options
It would be remiss to not mention other NAP solutions
currently available on the market.
Cisco NAC Appliance
A few years ago, networking equipment company Cisco
purchased Perfigo, a leading network access control system, and renamed the
product as Cisco Clean Access. More recently, they renamed the product again,
to Cisco NAC Appliance. Like Microsoft’s solution, the Cisco NAC Appliance is
an “enforcement solution that allows network administrators to
authenticate, authorize, evaluate, and remediate users and their machines prior
to allowing users onto the network.” In short, it keeps your network — and
other computers on your network — in a healthy state. Cisco’s NAC Appliance
has three overall components that make the solution work:
- Clean Access Server: The Clean Access Server initiates endpoint assessment and enforces access privileges based on the compliance state of the client computer.
- Clean Access Manager: The Clean Access Manager is a centralized management console for all of the individual Clean Access Servers and is used to define the policies to which endpoints must adhere.
- Clean Access Agent: This is the software component that sits on the endpoint computer and verifies and enforces client health.
Packet Fence (Open Source)
Packet Fence brings network access control to the masses via
its open source and free nature. Packet Fence is deployed in a number of
academic environments and makes use of a significant number of open source
tools — including Fedora, LAMP, Perl and Snort — to achieve its goals.
Due to its open source nature, Packet Fence is extremely configurable
and easy to obtain. In fact, if you want to start testing Packet Fence right away,
you can download a VMware
virtual machine on which Packet Fence is ready to start testing — no
installation necessary. And, of course, you can use VMware Workstation or ESX
Server or the free VMware Server to perform your testing.
On the feature side, Packet Fence includes the following:
- Authenticate users using any authentication Apache supports
- Registration-based and scheduled vulnerability scans
- Captive portal-based user registration and remediation
- Passive operating system fingerprinting using DHCP
- Ban unsupported operating systems or NAT-based routers
- Automatically register game consoles or VoIP phones
- Log location-based information using DHCP
- Protect multiple networks and 802.1Q trunks
- Web-based GUI
Again, by viewing this list, you’ll notice some common
themes. There is policy definition (i.e., ban unsupported operating systems),
authentication, remediation, and more — all of the components necessary to
operate a successful network access system.
In summary
In this article, you learned about Microsoft’s upcoming
foray into the world of Network Access Protection and about two other products
— one commercial and one open source — that may fit the bill. This list of
three products, however, only begins to scratch the surface of what’s available
in this market space, so be sure to do your research and investigate other
options.