NAP is more than a Microsoft-only technology -- 87 partners are integrating their products into NAP's framework, extending its enforcement to configurations the native components do not cover.
Microsoft designed multiple points of extensibility into NAP's client and server enforcement architectures. This lets individual application vendors supply and support their own mechanisms in four areas: enforcement; authentication and identity management; verification of compliance; and remediation of noncompliant clients.
Because these functions are configured separately in NAP's management consoles, a third-party component can be added to any one of them without touching the others.
Third-party technologies for enforcement
Each of Microsoft's native enforcement methods depends on a specific Microsoft server component. Dynamic Host Configuration Protocol (DHCP) enforcement, for example, requires Microsoft's DHCP server, while virtual private network (VPN) enforcement requires an Internet Security and Acceleration or Routing and Remote Access server.
Extensibility matters here because it lets an organization plug its existing technology, such as a third-party VPN or an 802.1X switch-port authentication infrastructure, directly into NAP as an enforcement point. Organizations that need special protection for wireless networks, and those adding pervasive access support such as Microsoft's new DirectAccess capability in Windows Server 2008 R2, can also benefit.
Authentication and identity management
Third-party enforcement components can also carry richer authentication and identity management than the native options. Users and computers can be positively verified against the set of identities allowed in the infrastructure, and permission to reach a discrete service can be granted at fine granularity based on user ID, role, location and other contextual elements.
In addition, user identities can be mapped to the assets linked to them. Tight links between an individual user, that user's devices and the level of connectivity approved for each become more important as more mobile users connect to LAN resources.
Verification of compliance at the client layer
Security software vendors have augmented their client applications with NAP compliance components: a system health agent on the client that reports the product's state, paired with a system health validator on the NAP server that evaluates it.
Consider, for example, a typical anti-malware application that an organization has been running for some time. The organization would prefer to keep its existing infrastructure and simply add the compliance-verification component.
Such an organization can take advantage of the NAP awareness that many enterprise-focused software companies have already built into their products.
Remediation of noncompliant clients
A NAP infrastructure that only quarantines noncompliant clients is of limited use. You also need automated systems that remediate the clients placed on the restricted network and return them to full access.
In addition, you need policies precise enough to decide what to do with each kind of noncompliant client, because many types of clients may try to connect. A corporate asset, for example, can be remediated the first time it connects on the LAN, whereas an employee's home computer connecting over a VPN cannot be managed the same way and needs a different policy.
Choosing a remediation system that matches both your security requirements and your existing client security setup is critical to a successful NAP deployment. In general, large organizations will need more from NAP than the native components provide.
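The following PowerShell is an added example, not code from the original article or from Microsoft. It shows the checks a practitioner would run on each side before trusting a NAP rollout: on a Windows 7 or Windows Server 2008 R2 client, whether the NAP Agent service is running and which enforcement clients are active, plus a helper to enable one by ID; on the Network Policy Server, which clients were quarantined, put on probation or granted full access in the last N hours, which is what tells you whether the restricted network is receiving the clients you expect. The parsing of `netsh nap client show state` assumes that output lists each enforcement client with a `Name = ...` line followed by an `Initialized = Yes/No` line (an assumption about the layout); the enforcement client IDs are the ones Microsoft registers for its built-in clients, and event IDs 6276, 6277 and 6278 are the Security-log events NPS records for those three outcomes. The function names are mine.

```powershell
# Added example (not from the original article or from Microsoft): NAP checks
# on the client and on the NPS server. Run in an elevated PowerShell on
# Windows 7 / Server 2008 R2 or later with the NAP client or NPS role present.

# Enforcement client IDs registered by Microsoft's built-in enforcement clients.
$NapEnforcementClients = @{
    DHCP         = 79617   # DHCP Quarantine Enforcement Client
    RemoteAccess = 79618   # Remote Access (VPN) Quarantine Enforcement Client
    IPsec        = 79619   # IPsec Relying Party
    TSGateway    = 79621   # TS Gateway Quarantine Enforcement Client
    EAP          = 79623   # EAP Quarantine Enforcement Client (802.1X wired/wireless)
}

# Client side: report whether the NAP Agent service is running and which
# enforcement clients report as initialized. Parsing assumes (assumption) the
# 'netsh nap client show state' layout of a "Name = ..." line followed by an
# "Initialized = Yes/No" line for each enforcement client.
function Get-NapClientState {
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $initialized = @()
    $current = $null
    foreach ($line in (netsh nap client show state)) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            $current = $Matches[1]
        }
        elseif ($line -match '^\s*Initialized\s*=\s*Yes' -and $current) {
            $initialized += $current
            $current = $null
        }
    }
    [pscustomobject]@{
        NapAgent           = if ($svc) { $svc.Status } else { 'NotInstalled' }
        InitializedClients = $initialized
    }
}

# Client side: turn on one enforcement client by ID and make sure the agent
# starts with the machine (for example when rolling out DHCP enforcement
# before switching NPS from reporting mode to restricting access).
function Enable-NapEnforcementClient {
    param([Parameter(Mandatory=$true)][int]$Id)
    netsh nap client set enforcement ID=$Id ADMIN=ENABLE | Out-Null
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
}

# Server side: NPS records each health evaluation in the Security log:
# 6276 = quarantined, 6277 = probation (noncompliant but allowed for now),
# 6278 = full access (compliant). Grouping by outcome shows what the
# restricted network is actually receiving.
function Get-NpsHealthResults {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = 6276, 6277, 6278
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $outcome = switch ($_.Id) {
                6276 { 'Quarantined' }
                6277 { 'Probation' }
                6278 { 'FullAccess' }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Outcome = $outcome
                Detail  = ($_.Message -split "`n")[0].Trim()
            }
        }
}

# Usage:
#   Get-NapClientState
#   Enable-NapEnforcementClient -Id $NapEnforcementClients.DHCP
#   Get-NpsHealthResults -Hours 24 | Group-Object Outcome | Select-Object Name, Count
```

Run `Get-NpsHealthResults` on the NPS server rather than on clients; a large share of 6277 (probation) events after you have switched policies to restrict access is the sign that the remediation side is not keeping up with the enforcement side.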
Not only must you find the add-ons that best fit your organization, but you must also recognize that an enforcement mechanism such as NAP is a necessity in today's enterprise environments.
Organizations that do not incorporate an enforcement component are merely hoping that their servers and workstations remain compliant with security mandates.
This was first published in October 2009