Network Access Protection (NAP)
Introduction
The latest initiative from Microsoft, called Network Access Protection or NAP, is intended to keep networks healthy. It stems from the same dilemma faced by health authorities shielding their country from contagious diseases when scores of people travel in and out of its borders. Two major instances where there could be compromises are when their citizens go out of the country and then come back, or when visitors enter their country. The same situations can be mapped onto a network scenario. We can also see similar measures being taken to keep the network healthy, and even similar terms have found a place in those initiatives.
Roaming laptops are always a health threat for any network. While laptops are away from the company, they might not receive the most recent software updates or configuration changes. Laptops might also be infected while exposed to unsecured networks, such as the Internet. Organizations frequently need to allow consultants and guests access to their private networks. The laptops that these visitors bring might not meet network requirements and can present health risks.
Although desktop computers do not usually leave the premises, they still can present a health threat to a network. These computers are at higher risk of infection from Web sites, e-mail, files from shared folders, and other publicly accessible resources.
Unmanaged home computers provide an additional challenge to network administrators because they do not have physical access to these computers. Lack of physical access makes enforcing compliance with network requirements (such as the use of antivirus software) even more difficult. Verifying the health of these computers is similarly challenging.
These unhealthy practices are potential health hazards for any network. The Network Access Protection from Microsoft is being initiated to address these concerns.
What is NAP?
The Network Access Protection (NAP) for Windows Server "Longhorn" is a new set of operating system components and protocols that provide an interactive platform for protected access to networks. The NAP platform provides an integrated way of detecting the state of a network client that is attempting to connect to a network and restricting the access of the network client until the policy requirements for connecting to the network have been met. By using Network Access Protection, network administrators can check the health of any laptop when it reconnects to the company network, whether by creating a VPN connection back to the company network or by physically returning to the office. For visiting laptops, generally, administrators would not require or provide any updates or configuration changes. The administrator might configure Internet access for visiting laptops in the restricted network, but not for other isolated computers.
In the case of desktop computers, network administrators can automate system checks to verify each desktop computer's compliance with the network access policies. Administrators can check log files to review what computers do not comply. With the addition of management software, automatic reports can be generated, updates can be made automatically to noncompliant computers, and when administrators change network access policies, computers can be automatically provided with the most recent updates.
For home computers, by using Network Access Protection, network administrators can check for required programs, registry settings, files, or combinations of these every time such a computer makes a VPN connection to the network, and they can isolate the connection to a restricted network until these checks have been performed.
Depending on their business needs, administrators can configure a solution to address any or all of these scenarios for their networks. At the same time, one has to remember that Network Access Protection is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network's overall integrity.
THE NAP ARCHITECTURE

Fig 1. Simplified Schematic of a Network Integrity System
A very simplified schematic giving the abstract-level components in a NAP or NAP-like network integrity system implementation, and the interactions among them, is shown in Fig 1.
The network entity could be an existing member of the network seeking readmission, or it could be an external entity seeking admission. An entity that has been part of the network, or that has been admitted, can also be subjected to periodic checkups. Entities should also be able to collect/validate their credentials from the credential sources, either directly or through the supervisor.
The gatekeeper/inspector validates the credentials presented by the network entities. He also performs periodic checkups on the entities that have been admitted, in which he plays the role of an inspector. Depending on the outcome, he opens the gate, extends their stay, or gives them restricted access so that they get a chance for remediation; in the worst case he kicks them out, and the inspector turns out to be a bouncer. He keeps himself updated on the validation rules and the policies to be followed from the supervisor.
The supervisor instructs the inspector about the policies to be followed and updates him with the latest credentials that need to be verified. He is also in touch with the credential sources to keep himself updated, and he helps the external/internal network entities obtain the latest credentials or guides them through the remediation measures so that they become eligible for the credentials.
The credential sources supply/grant the credentials and also have the ability to define or improve the credentials from time to time, to keep the stability, integrity and overall health of the network at their peak. They are also responsible for providing remediation measures in case the entities are not eligible for credentials, which they do in conjunction/consultation with the supervisor.
A Broader View
Now let us go deeper and study the architecture-level components that finally build up the whole system.

Fig 2. NAP platform architecture - client

Fig 3. NAP platform architecture - server
Before going into the component-level description, a few points about the technologies that are supported for network isolation. In the proposed initial release, Network Access Protection provides network isolation components for three technologies: Dynamic Host Configuration Protocol (DHCP), virtual private networks (VPNs), and Internet Protocol security (IPsec). Administrators can use these technologies separately or together to isolate unhealthy computers. Internet Authentication Service (IAS) acts as a policy server for all three technologies. In the initial release, Network Access Protection requires servers to run Windows Server "Longhorn" and clients to run Microsoft Windows® XP with Service Pack 2.
DHCP Quarantine
DHCP Quarantine comprises a DHCP Quarantine Enforcement Server (QES) component and a DHCP Quarantine Enforcement Client (QEC) component. Using DHCP Quarantine, DHCP servers can enforce network access requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP Quarantine is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. However, DHCP Quarantine provides only weak network isolation.
VPN Quarantine
VPN Quarantine comprises a VPN QES component and a VPN QEC component. Using VPN Quarantine, VPN servers can enforce network access requirements any time a computer attempts to make a VPN connection to the network. VPN Quarantine provides strong network isolation for all computers accessing the network through a VPN connection.
Note:
VPN Quarantine with NAP is different from Network Access Quarantine Control, a feature in Windows Server 2003.
IPsec Quarantine
IPsec Quarantine comprises a health certificate server, which is a Windows-based certification authority (CA) running Internet Information Services (IIS), and an IPsec QEC. The health certificate server issues X.509 certificates to quarantine clients when they are determined to be healthy. These certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet.
IPsec Quarantine confines the communication on your network to those nodes that are considered healthy, and because it leverages IPsec, you can define requirements for secure communications with healthy clients on a per-IP address or per-TCP/UDP port number basis. Unlike DHCP Quarantine and VPN Quarantine, IPsec Quarantine confines communication to healthy clients after the clients have connected and obtained a valid IP address configuration. IPsec Quarantine is the strongest form of isolation in Network Access Protection.
Note:
IPsec Quarantine is different from VPN Quarantine. VPN Quarantine isolates unhealthy VPN clients that are attempting to access a private intranet through a VPN connection. IPsec Quarantine isolates unhealthy clients that are attempting to communicate after network access to the private intranet has been successfully made.
IAS/RADIUS
The Remote Authentication Dial-In User Service (RADIUS) component of Windows Server "Longhorn", IAS, does not have a QES or QEC component. Instead, it works as a policy server in conjunction with QES and QEC components. Administrators must define quarantine policies and a quarantine user class on the IAS server. IAS Quarantine servers provide policy checks and coordinate with the Active Directory® directory service any time a computer attempts to connect to a DHCP or VPN server or obtain a health certificate.
Additional Components and Resources for Network Access Protection
Network Access Protection consists of server components, client components, and remediation resources. Remediation resources consist of servers, services, or other resources that a computer isolated in a restricted network can access. These resources might perform name resolution, provide the most recent software updates, or hold the instructions and components needed to make the computer comply with network access policies. For example, a secondary Domain Name System (DNS) server, an antivirus signature file server, and a software update server could all be remediation resources.
Administrators can configure some or all of the following components when they implement Network Access Protection.
Server Components for Network Access Protection
Quarantine Server
Quarantine Server is a server component that coordinates the output from all the system health validators (SHVs) and determines, based on policy compliance status, whether Quarantine Enforcement Server (QES) components should isolate a client from the network. In the initial release of the Network Access Protection platform, the Quarantine Server component runs on an IAS server.
System Health Validator
A system health validator (SHV) is server software that validates the output from a corresponding system health agent (SHA) to verify whether the Statement of Health (SoH) submitted by an SHA complies with policy or not. In the initial release of the Network Access Protection platform, SHVs run on the IAS server. One network might have more than one kind of SHV. If it does, a quarantine server must coordinate the output from all of the SHVs and determine whether a computer should be isolated.
Policy Server
A policy server is a computer that contains resources to keep network clients healthy and to provide remediation for client computers that are not healthy. System health agents (SHAs), such as those for antivirus software or software update management, communicate with policy servers to obtain the most recent updates. System health validators (SHVs) communicate with policy servers to validate the Statement of Health (SoH) from a corresponding SHA.
Quarantine Policy
A quarantine policy specifies the required conditions for network access. In the initial release of Network Access Protection, quarantine policies will be configured in IAS. A network might have more than one quarantine policy. For example, DHCP Quarantine and VPN Quarantine might use different quarantine policies.
Systems Management Server (SMS)
Systems Management Server manages applications, assets, and software updates on servers and clients. SMS has both policy server and policy client components. Administrators can configure SMS as an SHV and an SHA in a network for which Network Access Protection has been deployed.
Accounts Database
An accounts database stores user accounts and their network access properties. For Windows Server "Longhorn" domains, Active Directory functions as the accounts database.
Health Certificate Server
A Windows-based CA that issues certificates to healthy NAP clients for IPsec Quarantine.
Client Components for Network Access Protection
Quarantine Agent
Quarantine Agent is client software that coordinates information between the various system health agents (SHAs) and Quarantine Enforcement Clients (QECs).
Policy Client
A policy client is client software that a system health agent (SHA) can use to perform system health management functions in conjunction with a policy server. For example, an SMS SHA can use the locally installed SMS client software (the policy client) to perform software installation and update functions with the SMS server (the policy server).
System Health Agent
A system health agent (SHA) is client software that integrates with Quarantine Agent to provide system policy checks and to update system state. An SHA can communicate with a policy server directly or use the facilities of an installed policy client, such as the SMS client software.
The working of Network Access Protection

Fig 4. Typical deployment of Network Access Protection
Network Access Protection is designed so that administrators can configure it to meet the needs of individual networks. Therefore, the actual configuration of Network Access Protection will vary according to the administrator's preferences and requirements. However, the underlying operation of Network Access Protection remains the same. The above diagram and steps illustrate how Network Access Protection works in an example network.
The example network is configured for DHCP Quarantine, VPN Quarantine, and IPsec Quarantine. IAS is installed on a separate server. The IAS server acts as both a policy server and a quarantine server, coordinating policy from the SMS server. The SMS server is a policy server and an SHV, and it provides software management services through its client component acting as a SHA. This example network is configured for network policy validation, network policy compliance, and network isolation.
When making a VPN connection to the network, leasing or renewing an IP address from the DHCP server, or obtaining a health certificate, each computer is classified in one of two ways. Computers that comply with network access policies are classified as healthy and allowed access to the network. Computers that do not comply are classified as unhealthy and are isolated to the restricted network until they meet the requirements. An unhealthy computer does not necessarily have a virus or some other active threat to the network, but it does not have the software and configuration required by network policy (as an administrator has defined and SMS, acting as the policy server, has determined). Therefore, unhealthy computers pose health risks to the rest of the network. Administrators configure SMS, the SHA, and the SHV to automatically update isolated computers with the software required for full network access.
The example network contains a restricted network. A restricted network can be logically isolated, where a separate virtual local area network (VLAN) is used for the isolated computers and the remediation resources. Alternatively, restrictions (such as IP filters or static routes) can be placed on isolated computers to define the remediation resources with which they can communicate.
DHCP Quarantine
The following process describes how DHCP Quarantine works on a network configured similarly to the network shown in Figure 4 when a DHCP client that has only a single SHA must lease or renew a lease on an IP address:
The DHCP client sends a DHCP request message to the DHCP server.
If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to the IAS server. The IAS server communicates with the SMS server to determine whether the SoH is valid. A valid SoH is defined as matching the list of components and configurations that the SMS server requires.
If the SoH is valid, the DHCP server assigns the DHCP client an appropriate IP address and subnet mask. The DHCP client has normal access to the network, as defined by policy.
If the SoH is not valid, the DHCP server isolates the DHCP client into the restricted network and assigns it the quarantine subnet mask and the quarantine route addresses, as the network administrator has defined.
If the DHCP client does not have an SoH, it is not compliant. The DHCP server isolates the DHCP client into the restricted network and assigns it the quarantine subnet mask and the quarantine route addresses, as the network administrator has defined.
The quarantine agent on the isolated DHCP client reports its status to the SMS server and requests updates.
The SMS server provisions the DHCP client with the required updates to bring it into compliance with network policy. The DHCP client's SoH is updated.
The isolated DHCP client sends a DHCP request message, including the updated SoH, to the DHCP server. When the IAS server validates the updated SoH, the DHCP server grants the DHCP client normal access to the network, as defined by policy.
VPN Quarantine
The following process describes how VPN Quarantine works for a VPN client that has only a single SHA on a network configured similarly to the network in Figure 4.
The VPN client initiates a connection to the VPN server.
The VPN client passes its authentication credentials to the VPN server using Protected Extensible Authentication Protocol (PEAP) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).
If the authentication credentials are valid, the VPN server requests an SoH from the VPN client.
If the VPN client has an SoH, the client passes the SoH to the VPN server, which passes the SoH to the IAS server. The IAS server, acting as the quarantine server, communicates with the SMS server to determine whether the SoH is valid. A valid SoH is defined as matching the list of components and configurations that the SMS server requires.
If the SoH is valid, the VPN server completes the connection and grants the VPN client normal access to the network, as defined by policy.
If the SoH is not valid, the VPN server completes the connection but isolates the VPN client into the restricted network. The VPN client can successfully send traffic only to the restricted network, the VPN server, and the SMS server.
If the VPN client does not have an SoH, it is not compliant. The VPN server completes the connection but isolates the VPN client into the restricted network.
The quarantine agent on the isolated VPN client reports its status to the SMS server and requests updates.
The SMS server provisions the VPN client with the required updates to bring it into compliance with network policy. The VPN client's SoH is updated.
The VPN client sends its updated SoH to the VPN server in a PEAP exchange. When the IAS server validates the updated SoH, the VPN server grants the VPN client normal access to the network, as defined by policy.
IPsec Quarantine
The following process describes how IPsec Quarantine works for a NAP client that has only a single SHA on a network configured similarly to the network in Figure 4.
When the NAP client starts, it sends its current SoH to the health certificate server.
The health certificate server passes the SoH information to the IAS server. The IAS server, acting as the quarantine server, communicates with the SMS server to determine whether the SoH is valid. A valid SoH is defined as matching the list of components and configurations that the SMS server requires. If the SoH is valid, the health certificate server issues the NAP client a health certificate. The NAP client can now initiate IPsec-based communication with secure resources using the issued health certificate for IPsec authentication, and respond to communications initiated from other NAP clients that can authenticate using their own health certificate.
If the SoH is not valid, the health certificate server informs the NAP client how to correct its health state and does not issue a health certificate. The NAP client cannot initiate communication with other computers that require a health certificate for IPsec authentication. However, the NAP client can initiate communications with the SMS server to bring itself back to a healthy state.
The quarantine agent on the restricted NAP client reports its status to the SMS server and requests updates.
The SMS server provisions the NAP client with the required updates to bring it into compliance with network policy. The NAP client's SoH is updated.
The NAP client sends its updated SoH to the health certificate server. When the IAS server validates the updated SoH, the health certificate server issues a health certificate to the NAP client.
Depending on network needs, an administrator might choose to make some computers, devices, and users exempt from network access requirements. For example, some versions of Windows do not support Network Access Protection, so computers running these versions of Windows are always isolated by default. However, the network administrator can configure an exception for these computers. If an exception is configured, these computers are not checked for compliance, and they will have normal access to the network.
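The DHCP, VPN and IPsec procedures above share one validation core: the SHA produces an SoH, the SHVs check it, the Quarantine Server on IAS coordinates their verdicts, the QES enforces the result, the SMS server remediates, and the client is re-checked; the exemption rule just described sits in front of it. The following Python model, an added example rather than code from Microsoft or this paper, walks the DHCP Quarantine steps with that core; the policy values, addresses, patch names and the all-ones quarantine mask are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Requirements the SMS server enforces in its SHV role. Constructed sample values,
# including placeholder patch names; nothing here is a real Microsoft identifier.
POLICY = {
    "min_av_signature": 2071,
    "required_patches": frozenset({"PATCH-A-PLACEHOLDER", "PATCH-B-PLACEHOLDER"}),
    "firewall_enabled": True,
}

@dataclass(frozen=True)
class SoH:
    """Statement of Health reported by the single SHA on the client."""
    av_signature: int
    installed_patches: frozenset
    firewall_enabled: bool

Verdict = Tuple[bool, str]  # (passes policy, reason when it does not)

def shv_antivirus(soh: SoH) -> Verdict:
    ok = soh.av_signature >= POLICY["min_av_signature"]
    reason = "" if ok else f"antivirus signature {soh.av_signature} is older than {POLICY['min_av_signature']}"
    return ok, reason

def shv_patches(soh: SoH) -> Verdict:
    missing = POLICY["required_patches"] - soh.installed_patches
    reason = "" if not missing else "missing patches: " + ", ".join(sorted(missing))
    return not missing, reason

def shv_firewall(soh: SoH) -> Verdict:
    ok = soh.firewall_enabled == POLICY["firewall_enabled"]
    return ok, "" if ok else "host firewall is disabled"

SHVS: List[Callable[[SoH], Verdict]] = [shv_antivirus, shv_patches, shv_firewall]

def quarantine_server_decision(soh: Optional[SoH]) -> Tuple[bool, List[str]]:
    """Quarantine Server role on the IAS server: coordinate every SHV's output.
    A client that presents no SoH is noncompliant, and one failing SHV is enough to isolate."""
    if soh is None:
        return False, ["no Statement of Health presented"]
    verdicts = [shv(soh) for shv in SHVS]
    failures = [reason for ok, reason in verdicts if not ok]
    return not failures, failures

@dataclass(frozen=True)
class IPConfig:
    """What the DHCP QES hands out: a normal lease, or the quarantine mask plus
    routes that reach only the remediation resources."""
    address: str
    subnet_mask: str
    reachable: Tuple[str, ...]  # destinations the client can reach
    restricted: bool

# Constructed addresses. The all-ones quarantine mask is an assumption of this model.
NORMAL_MASK = "255.255.255.0"
QUARANTINE_MASK = "255.255.255.255"
REMEDIATION_SERVERS = ("10.0.0.10", "10.0.0.53")  # SMS server and secondary DNS

def dhcp_qes_lease(address: str, healthy: bool) -> IPConfig:
    """DHCP QES role: full configuration for healthy clients, restricted otherwise."""
    if healthy:
        return IPConfig(address, NORMAL_MASK, ("0.0.0.0/0",), False)
    routes = tuple(f"{server}/32" for server in REMEDIATION_SERVERS)
    return IPConfig(address, QUARANTINE_MASK, routes, True)

def sms_remediate(soh: Optional[SoH]) -> SoH:
    """Policy server role: provision the updates the client lacks and return its updated SoH."""
    current = soh or SoH(0, frozenset(), False)
    return SoH(max(current.av_signature, POLICY["min_av_signature"]),
               current.installed_patches | POLICY["required_patches"],
               POLICY["firewall_enabled"])

def dhcp_quarantine_cycle(address: str, soh: Optional[SoH], exempt: bool = False) -> List[IPConfig]:
    """Walk the DHCP Quarantine steps: request -> validate -> lease or isolate -> remediate -> re-request.
    Returns every configuration the client received, in order. Exempt clients are never checked."""
    if exempt:
        return [dhcp_qes_lease(address, True)]
    healthy, _ = quarantine_server_decision(soh)
    history = [dhcp_qes_lease(address, healthy)]
    if healthy:
        return history
    # The isolated client reaches the SMS server over its quarantine routes, is updated,
    # and renews with the updated SoH, which IAS validates again.
    healthy, _ = quarantine_server_decision(sms_remediate(soh))
    history.append(dhcp_qes_lease(address, healthy))
    return history

if __name__ == "__main__":
    stale = SoH(2050, frozenset({"PATCH-A-PLACEHOLDER"}), False)  # constructed out-of-date client
    print(quarantine_server_decision(stale))
    for cfg in dhcp_quarantine_cycle("10.0.0.77", stale):
        print(cfg)
```

The VPN and IPsec procedures reuse quarantine_server_decision and sms_remediate unchanged; only the enforcement step differs (a restricted VPN connection, or withholding the health certificate).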
NAP Vs NAC
The discussion of the NAP architecture would not be complete without bringing in the NAC (Network Admission Control) initiative from Cisco. Readers may refer to the discussion of the simplified schematic of a general network integrity system at the beginning of this section.
An Overview of Network Admission Control
NAC provides a new, comprehensive solution that allows organizations to enforce host patch policies and to regulate noncompliant and potentially vulnerable systems by assigning them to quarantined environments for remediation. By combining information about endpoint security status with network admission enforcement, NAC enables organizations to dramatically improve the security of their computing infrastructures.
NAC allows network access to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example), and restricts the access of noncompliant devices. Network access decisions can be based on such information as the endpoint's antivirus state, operating system version, operating system patch level, or Cisco Security Agent version and settings.

Fig 5. NAC components and their working schematic
NAC has the following components:
Cisco Trust Agent
A software tool that resides on an endpoint system, collects security state information from security software solutions, such as antivirus and Cisco Security Agent clients, and communicates this to the network access device. Cisco Systems has licensed its trust agent technology to the NAC cosponsors (market-leading security software developers) in order to gather and report security state levels to the network policy server. Cisco Trust Agent is integrated with the Cisco Security Agent to provide endpoint security information such as operating system version, patch level, and Cisco Security Agent version and settings.
Network access devices
Network devices that enforce admission control policy include routers, switches, wireless access points, and security appliances. These devices demand host security "credentials" and relay this information to policy servers, where NAC decisions are made. Based on customer-defined policy, the network will enforce the appropriate admission control decision: permit, deny, quarantine, or restrict.
Policy server
Evaluates the endpoint security information relayed from the network access device and determines the appropriate access policy to be applied. Cisco Secure Access Control Server (ACS), an authentication, authorization, and accounting (AAA) RADIUS server, is the foundation of the policy server system. It works in concert with NAC cosponsor application servers, such as security policy servers that are able to provide deeper credential validation.
Management system
CiscoWorks VPN/Security Management Solution (VMS) provisions NAC elements, while CiscoWorks Security Information Manager Solution (SIMS) provides monitoring and reporting tools. NAC cosponsors also provide management solutions for their endpoint security software.
Advanced services
Planning, design, and implementation consulting can save time, money, and resources, and can help ensure the deployment of an effective NAC solution. Advanced NAC services from Cisco include: Network Readiness Assessment to assess the network infrastructure to determine NAC readiness; Design Development to help create detailed NAC design specifications for a corporate-wide deployment; Implementation Engineering to deliver onsite installation, configuration, testing, and tuning of NAC components; and Optimization Engineering to provide periodic consultation to optimize NAC for reliability, efficiency, and scalability.
NAP & NAC - Two sides of the same coin.
NAP and NAC are two different implementations of a general network integrity system, each looking at it from a different perspective.
In NAC, Cisco places the gatekeeper/inspector functions and a portion of the supervisor functions in the networking gear itself. A central policy server and agents sitting on the clients complete the links and interactions among all the participating components.
In NAP, Microsoft has opted to focus its architecture on its core competencies, i.e. host and server software. In its approach the same functions become part of the operating system itself. As of now, NAP does not specify a networking component, but one could become part of the initiative, given that Microsoft has partnered with a number of networking gear vendors.
The NAP story - The industry perspective
The NAP Map
Microsoft announced the NAP initiative early this year. It is to be added in the R2 update of Windows Server in late 2005, but NAP won't actually be available until at least 2007, when the new version of Microsoft's Longhorn server software is released.
An effort of this magnitude and flavor will not bear fruit without participation from the industry. So Microsoft has chalked out a partnership program in which 25 prominent companies have agreed to participate, of which 18 companies have already signed up. To list a few, they are Nortel Networks, Check Point Software, Juniper Networks, etc.
Another twist to the story is that there is not only one initiative but many, the other prominent one being NAC (Network Admission Control) from Cisco Systems. This definitely worries users, given the prospect of a lack of interoperability among these different initiatives, though both Cisco and Microsoft have pledged that they will work together.
The Pros and Cons
First, the good news
The industry lost billions of US dollars in the recent outbreaks of mass-mailing worms like Mydoom, Netsky, Sober, Zafi, etc. It has been found that it was always the weakest-link principle that played havoc in networks that were supposed to be secure, and the weakest link was mostly provided by remote computers, roaming laptops, home computers, etc. Network administrators found it virtually impossible to guarantee that all the systems across the network were updated with patches. This is exactly where NAP or NAP-like initiatives pitch in. NAP effectively addresses these problems, which were giving nightmares to network administrators and a big hole in corporate budgets.
The scenario in which NAP is going to be deployed, or the problems it is going to address, is a typical case where multiple owners, causes and victims are involved. A comprehensive solution will come only if there is a concerted effort from all participating entities/agencies. This is the most difficult phase of the NAP initiative, and this is where Microsoft pitches in. We are all aware that when Microsoft puts its mind to something (and of course its financial muscle to buttress it), nothing is impossible. It is already spearheading a partnership in which 25 systems integrators and security, management and networking companies have agreed to participate, and that is a good sign for the industry.
The other good thing is that Microsoft has announced that they will be working towards open standards in the NAP initiatives. This will give vendors wider options and more room to work with.
Now, the bad news
The industry is not united when it comes to network protection. The NAC initiative from Cisco approaches the problem from a different perspective. Microsoft has a monopoly in desktop operating systems, and when it comes to networking products Cisco holds more than 70% of the market. So there is always the likelihood that customers will get caught in the middle. But both Cisco and Microsoft have pledged that there will be interoperability between the two initiatives and that customers will not be forced into a tough either/or decision.
NAP is OS specific, and the initial implementation requires servers to run Windows Server "Longhorn" and clients to run Microsoft Windows® XP with Service Pack 2. So it is going to be another 'Windows only' product.
There could be a transaction overhead with lots of authentication tickets flying around. This means more processing and maintenance effort.
Then there is the ubiquitous issue of privacy. How privacy issues are going to be handled is not clear at the moment.
CONCLUSION
This paper has attempted to look into the recent NAP initiative from Microsoft from a technical point of view as well as from an industry perspective. The merits and demerits of the proposed initiative have been discussed. The apparent tussle between Microsoft and Cisco, vying with different approaches for supremacy over this niche market, has been highlighted. In the process, the basic components of a generic network integrity system have been worked out.
At the end let us hope that corporate management and network administrators can take a peaceful nap, which is long due for them.