But a third component has been missing from security infrastructures: enforcement. Network administrators must be sure that specified configurations are present before systems are allowed to participate in an environment. Microsoft's Network Access Protection (NAP) product is designed to verify that a network is complying with security policies.
Without enforcement of security policies, patching and restricting operations are like laws with no consequences. Administrators can deploy patches using a best-effort approach, hoping that compliance metrics will eventually get to 100%. Restrictions could be spread throughout the network with the assumption that client machines will eventually reconfigure themselves to suit.
The "update and pray" methodology doesn't work for comprehensive systems security. Examples abound: Stan the sales guy disables his firewall because he thinks it prevents him from accessing applications. Jane in accounting turns off her antivirus software because she believes it corrupts her spreadsheets. Users everywhere click the Postpone button ad infinitum when Windows patches request attention for installation.
The individual systems themselves may not receive critical updates because of a misconfiguration or because they're not on the network when updates are delivered.
Protection at the front door
There are more problems. Consider another scenario that is growing extremely common in today's business networks. The brick and mortar walls that bound the traditional office are giving way to telecommuting, work-from-anywhere and remote workspaces. Users take their laptops from the secured confines of an internal LAN and connect to networks across the wild and wooly Internet landscape. These machines spend time outside security administrator control in places that keep admins up at night. Once they cross the organization's threshold and plug back in, the laptops' outdated configurations introduce the chance of malware infecting the entire infrastructure.
To that end, imagine the world's most powerful Internet firewall. Such a firewall could scan inbound traffic and predict when malware was trying to come in. That firewall's god-like powers could protect your internal LAN from every possible vector of infection, including worms, viruses and replicating malware. Its position on the network between desktops and the outside world would be an impenetrable wall.
And then, someone walks a laptop through your company's front door and plugs in.
Even the world's most powerful firewall can't protect your network against a laptop that isn't configured with required security settings. That laptop could contain the malware that the world's most powerful Maginot Line attempts to protect against. Smart enterprises recognize the need for security policy enforcement.
Network Access Protection operates as a health-verification function that's built into every server and desktop operating system. NAP's primary job is to regularly verify certain configurations on those assets. Perhaps you want to ensure that your desktops have the correct level of patches installed or that antimalware or antivirus software is installed, enabled, and up-to-date. These and other configurations can be monitored by NAP, which can alert you when configurations aren't compliant with specifications.
Yet the real power in NAP lies in how it can enforce those configurations.
When a NAP-enabled computer discovers it isn't meeting the corporate security policy, the network infrastructure can be set to relocate that asset to a completely different -- and protected -- network for remediation. Located in that special network would be the infrastructure components (such as Domain Controllers, Windows Server Update Services servers and anti-malware servers) needed to bring the computer back to the established baseline of health. Only when the computer is deemed compliant would it be allowed to return to the regular network.
NAP uses five mechanisms for enforcement, which can be used in combination to protect different entry points into your environment. Dynamic Host Configuration Protocol (DHCP), 802.1x and IPsec enforcement protect your internal LAN from potential clients by preventing their network connection at the point of IP address assignment, switch port assignment or security association, respectively. Virtual private network (VPN) and Remote Desktop Gateway enforcement extend the NAP infrastructure to clients entering from external sources, enforcing compliance for VPN and Remote Desktop connections.
Right out of the box, NAP can determine whether client firewalls are enabled. It can verify whether antivirus and anti-malware applications are on and up to date, automatic updates are installed, and security patches of a specific criticality are installed. This is only the starting point for enforcement, since NAP's extensible infrastructure is intended to enable third-party software companies to write their own custom Security Health Validators for enforcing product-specific settings.
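The compliance decision described above, sketched as an added example that is not Microsoft's code and does not use any NAP API: a client health report is checked against the out-of-the-box items (firewall, antivirus, automatic updates, patch criticality), and a failing client is placed on the restricted network where only remediation servers are reachable. The report field names, thresholds and sample reports are assumptions constructed for illustration.

```python
SEVERITY = {"low": 1, "moderate": 2, "important": 3, "critical": 4}

# Hypothetical policy and report field names; assumptions, not NAP's own API.
POLICY = {
    "max_signature_age_days": 3,
    "min_patch_severity": "important",
    "remediation_servers": ["Domain Controller", "WSUS server", "anti-malware server"],
}

def evaluate_health(report, policy=POLICY):
    """Return the checks a client's health report fails.
    A check the client did not report counts as failed (fail closed)."""
    failed = []
    if report.get("firewall_enabled") is not True:
        failed.append("firewall")
    if report.get("antivirus_enabled") is not True:
        failed.append("antivirus")
    age = report.get("signature_age_days")
    if type(age) is not int or age > policy["max_signature_age_days"]:
        failed.append("antivirus signatures")
    if report.get("automatic_updates") is not True:
        failed.append("automatic updates")
    missing = report.get("missing_patches")
    floor = SEVERITY[policy["min_patch_severity"]]
    # An unknown severity label is treated as critical.
    if missing is None or any(SEVERITY.get(s, 4) >= floor for s in missing):
        failed.append("security patches")
    return failed

def assign_network(report, policy=POLICY):
    """Full access only when every check passes; otherwise the restricted
    network, where only the remediation servers are reachable."""
    failed = evaluate_health(report, policy)
    if failed:
        return {"network": "restricted", "failed": failed,
                "reachable": policy["remediation_servers"]}
    return {"network": "full", "failed": [], "reachable": ["all"]}

# Constructed sample reports (not captured from real clients).
COMPLIANT = {"firewall_enabled": True, "antivirus_enabled": True,
             "signature_age_days": 1, "automatic_updates": True,
             "missing_patches": ["low"]}
FIREWALL_OFF = dict(COMPLIANT, firewall_enabled=False)
ROAMING_LAPTOP = dict(COMPLIANT, signature_age_days=21,
                      missing_patches=["critical", "low"])

if __name__ == "__main__":
    for r in (COMPLIANT, FIREWALL_OFF, ROAMING_LAPTOP, {}):
        print(assign_network(r))
```

The empty report shows the fail-closed behaviour: a client that reports nothing fails every check and lands on the restricted network.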
The challenge is getting NAP installed. The biggest limitation of NAP has more to do with the perception of complexity than actual complexity in its deployment. To help you get started, part two of this three-part series explains how the different pieces of NAP fit together.
This was first published in September 2009