Calsoft Labs provides turnkey software development, consulting and system integration services.

Fig 2. NAP platform architecture - client

Fig 3. NAP platform architecture - server

Before going into the component-level description, a few points about the technologies supported for network isolation. In the proposed initial release, Network Access Protection provides network isolation components for three technologies: Dynamic Host Configuration Protocol (DHCP), virtual private networks (VPNs), and Internet Protocol security (IPsec). Administrators can use these technologies separately or together to isolate unhealthy computers. Internet Authentication Service (IAS) acts as the policy server for all three technologies. In the initial release, Network Access Protection requires servers to run Windows Server "Longhorn" and clients to run Microsoft Windows® XP with Service Pack 2.

DHCP Quarantine

DHCP Quarantine comprises a DHCP Quarantine Enforcement Server (QES) component and a DHCP Quarantine Enforcement Client (QEC) component. Using DHCP Quarantine, DHCP servers can enforce network access requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP Quarantine is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. However, DHCP Quarantine provides only weak network isolation.

VPN Quarantine

VPN Quarantine comprises a VPN QES component and a VPN QEC component. Using VPN Quarantine, VPN servers can enforce network access requirements any time a computer attempts to make a VPN connection to the network. VPN Quarantine provides strong network isolation for all computers accessing the network through a VPN connection.

Note:

VPN Quarantine with NAP is different from Network Access Quarantine Control, a feature in Windows Server 2003.

IPsec Quarantine

IPsec Quarantine comprises a health certificate server, which is a Windows-based certification authority (CA) running Internet Information Services (IIS), and an IPsec QEC. The health certificate server issues X.509 certificates to quarantine clients when they are determined to be healthy. These certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet.

IPsec Quarantine confines communication on your network to those nodes that are considered healthy, and because it leverages IPsec, you can define requirements for secure communication with healthy clients on a per-IP address or per-TCP/UDP port number basis. Unlike DHCP Quarantine and VPN Quarantine, IPsec Quarantine confines communication to healthy clients after the clients have connected and obtained a valid IP address configuration. IPsec Quarantine is the strongest form of isolation in Network Access Protection.

Note:

IPsec Quarantine is different from VPN Quarantine. VPN Quarantine isolates unhealthy VPN clients that are attempting to access a private intranet through a VPN connection. IPsec Quarantine isolates unhealthy clients that are attempting to communicate after network access to the private intranet has been successfully made.

IAS/RADIUS

The Remote Authentication Dial-In User Service (RADIUS) component of Windows Server "Longhorn", IAS, does not have a QES or QEC component. Instead, it works as a policy server in conjunction with QES and QEC components. Administrators must define quarantine policies and a quarantine user class on the IAS server. IAS Quarantine servers provide policy checks and coordinate with the Active Directory® directory service any time a computer attempts to connect to a DHCP or VPN server or obtain a health certificate.


Additional Components and Resources for Network Access Protection

Network Access Protection consists of server components, client components, and remediation resources. Remediation resources are servers, services, or other resources that a computer isolated in a restricted network can access. These resources might provide name resolution, the most recent software updates, or the instructions and components needed to make the computer comply with network access policies. For example, a secondary Domain Name System (DNS) server, an antivirus signature file server, and a software update server could all be remediation resources.

Administrators can configure some or all of the following components when they implement Network Access Protection.


Server Components for Network Access Protection

Quarantine Server

Quarantine Server is a server component that coordinates the output from all the system health validators (SHVs) and determines, based on policy compliance status, whether Quarantine Enforcement Server (QES) components should isolate a client from the network. In the initial release of the Network Access Protection platform, the Quarantine Server component runs on an IAS server.

System Health Validator

A system health validator (SHV) is server software that validates the output from a corresponding system health agent (SHA) to verify whether the Statement of Health (SoH) submitted by an SHA complies with policy or not. In the initial release of the Network Access Protection platform, SHVs run on the IAS server. One network might have more than one kind of SHV. If it does, a quarantine server must coordinate the output from all of the SHVs and determine whether a computer should be isolated.

Policy Server

A policy server is a computer that contains resources to keep network clients healthy and to provide remediation for client computers that are not healthy. System health agents (SHAs), such as those for antivirus software or software update management, communicate with policy servers to obtain the most recent updates. System health validators (SHVs) communicate with policy servers to validate the Statement of Health (SoH) from a corresponding SHA.

Quarantine Policy

A quarantine policy specifies the required conditions for network access. In the initial release of Network Access Protection, quarantine policies will be configured in IAS. A network might have more than one quarantine policy. For example, DHCP Quarantine and VPN Quarantine might use different quarantine policies.

Systems Management Server (SMS)

Systems Management Server manages applications, assets, and software updates on servers and clients. SMS has both policy server and policy client components. Administrators can configure SMS as an SHV and an SHA in a network for which Network Access Protection has been deployed.

Accounts Database

An accounts database stores user accounts and their network access properties. For Windows Server "Longhorn" domains, Active Directory functions as the accounts database.

Health Certificate Server

A Windows-based CA that issues certificates to healthy NAP clients for IPsec Quarantine.

Client Components for Network Access Protection

Quarantine Agent

Quarantine Agent is client software that coordinates information between the various system health agents (SHAs) and Quarantine Enforcement Clients (QECs).

Policy Client

A policy client is client software that a system health agent (SHA) can use to perform system health management functions in conjunction with a policy server. For example, an SMS SHA can use the locally installed SMS client software (the policy client) to perform software installation and update functions with the SMS server (the policy server).

System Health Agent

A system health agent (SHA) is client software that integrates with Quarantine Agent to provide system policy checks and to update system state. An SHA can communicate with a policy server directly or use the facilities of an installed policy client, such as the SMS client software.


The working of Network Access Protection

Deployment of Network Access Protection

Fig 4. Typical deployment of Network Access Protection

Network Access Protection is designed so that administrators can configure it to meet the needs of individual networks. Therefore, the actual configuration of Network Access Protection will vary according to the administrator's preferences and requirements. However, the underlying operation of Network Access Protection remains the same. The above diagram and steps illustrate how Network Access Protection works in an example network.

The example network is configured for DHCP Quarantine, VPN Quarantine, and IPsec Quarantine. IAS is installed on a separate server. The IAS server acts as both a policy server and a quarantine server, coordinating policy from the SMS server. The SMS server is a policy server and an SHV, and it provides software management services through its client component, which acts as an SHA. This example network is configured for network policy validation, network policy compliance, and network isolation.

When making a VPN connection to the network, leasing or renewing an IP address from the DHCP server, or obtaining a health certificate, each computer is classified in one of two ways. Computers that comply with network access policies are classified as healthy and allowed access to the network. Computers that do not comply are classified as unhealthy and are isolated to the restricted network until they meet the requirements. An unhealthy computer does not necessarily have a virus or some other active threat to the network, but it does not have the software and configuration required by network policy (as an administrator has defined and SMS, acting as the policy server, has determined). Therefore, unhealthy computers pose health risks to the rest of the network. Administrators configure SMS, the SHA, and the SHV to automatically update isolated computers with the software required for full network access.

The example network contains a restricted network. A restricted network can be logically isolated, where a separate virtual local area network (VLAN) is used for the isolated computers and the remediation resources. Alternatively, restrictions (such as IP filters or static routes) can be placed on isolated computers to define the remediation resources with which they can communicate.

DHCP Quarantine

The following process describes how DHCP Quarantine works on a network configured similarly to the network shown in Figure 4 when a DHCP client that has only a single SHA must lease or renew a lease on an IP address:

The DHCP client sends a DHCP request message to the DHCP server.

If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to the IAS server. The IAS server communicates with the SMS server to determine whether the SoH is valid. A valid SoH is defined as matching the list of components and configurations that the SMS server requires.

If the SoH is valid, the DHCP server assigns the DHCP client an appropriate IP address and subnet mask. The DHCP client has normal access to the network, as defined by policy.

If the SoH is not valid, the DHCP server isolates the DHCP client into the restricted network and assigns it the quarantine subnet mask and the quarantine route addresses, as the network administrator has defined.

If the DHCP client does not have a SoH, it is not compliant. The DHCP server isolates the DHCP client into the restricted network and assigns it the quarantine subnet mask and the quarantine route addresses, as the network administrator has defined.

The quarantine agent on the isolated DHCP client reports its status to the SMS server and requests updates.

The SMS server provisions the DHCP client with the required updates to bring it into compliance with network policy. The DHCP client's SoH is updated.

The isolated DHCP client sends a DHCP request message, including the updated SoH, to the DHCP server. When the IAS server validates the updated SoH, the DHCP server grants the DHCP client normal access to the network, as defined by policy.

VPN Quarantine

The following process describes how VPN Quarantine works for a VPN client that has only a single SHA on a network configured similarly to the network in Figure 4.

The VPN client initiates a connection to the VPN server.

The VPN client passes its authentication credentials to the VPN server using Protected Extensible Authentication Protocol (PEAP) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).

If the authentication credentials are valid, the VPN server requests an SoH from the VPN client.

If the VPN client has an SoH, the client passes the SoH to the VPN server, which passes the SoH to the IAS server. The IAS server, acting as the quarantine server, communicates with the SMS server to determine whether the SoH is valid. A valid SoH is defined as matching the list of components and configurations that the SMS server requires.

If the SoH is valid, the VPN server completes the connection and grants the VPN client normal access to the network, as defined by policy.

If the SoH is not valid, the VPN server completes the connection but isolates the VPN client into the restricted network. The VPN client can successfully send traffic only to the restricted network, the VPN server, and the SMS server.

If the VPN client does not have an SoH, it is not compliant. The VPN server completes the connection but isolates the VPN client into the restricted network.

The quarantine agent on the isolated VPN client reports its status to the SMS server and requests updates.

The SMS server provisions the VPN client with the required updates to bring it into compliance with network policy. The VPN client's SoH is updated.

The VPN client sends its updated SoH to the VPN server in a PEAP exchange. When the IAS server validates the updated SoH, the VPN server grants the VPN client normal access to the network, as defined by policy.

IPsec Quarantine

The following process describes how IPsec Quarantine works for a NAP client that has only a single SHA on a network configured similarly to the network in Figure 4.

When the NAP client starts, it sends its current SoH to the health certificate server.

The health certificate server passes the SoH information to the IAS server. The IAS server, acting as the quarantine server, communicates with the SMS server to determine whether the SoH is valid. A valid SoH is defined as matching the list of components and configurations that the SMS server requires.

If the SoH is valid, the health certificate server issues the NAP client a health certificate. The NAP client can now initiate IPsec-based communication with secure resources using the issued health certificate for IPsec authentication, and respond to communications initiated from other NAP clients that can authenticate using their own health certificate.

If the SoH is not valid, the health certificate server informs the NAP client how to correct its health state and does not issue a health certificate. The NAP client cannot initiate communication with other computers that require a health certificate for IPsec authentication. However, the NAP client can initiate communications with the SMS server to bring itself back to a healthy state.

The quarantine agent on the restricted NAP client reports its status to the SMS server and requests updates.

The SMS server provisions the NAP client with the required updates to bring it into compliance with network policy. The NAP client's SoH is updated.

The NAP client sends its updated SoH to the health certificate server. When the IAS server validates the updated SoH, the health certificate server issues a health certificate to the NAP client.

Depending on network needs, an administrator might choose to make some computers, devices, and users exempt from network access requirements. For example, some versions of Windows do not support Network Access Protection, so computers running these versions of Windows are always isolated by default. However, the network administrator can configure an exception for these computers. If an exception is configured, these computers are not checked for compliance, and they will have normal access to the network.
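The DHCP and IPsec processes above, with the exemption just described, as an added model in Python (not code from the paper or from Microsoft's NAP). The required-component list, the 192.0.2.0/24 addresses, the host-mask quarantine lease with routes only to remediation resources, and the certificate lifetime are all constructed assumptions:

```python
"""Model of the NAP quarantine decisions described in this section.
Constructed example: the policy, the 192.0.2.0/24 addresses, the host-mask
quarantine lease and the certificate lifetime are assumptions, not values
from the paper or from Microsoft's implementation."""
from dataclasses import dataclass
from typing import Optional

# What the SMS server requires (constructed). A SoH is valid only when it
# matches every required component and configuration.
REQUIRED_COMPONENTS = {
    "antivirus_signature": "2005-06-15",
    "firewall_enabled": "yes",
    "update_level": "2005-06",
}

def validate_soh(soh: Optional[dict]) -> bool:
    """Quarantine server + SHV check. A client with no SoH is non-compliant."""
    if soh is None:
        return False
    return all(soh.get(k) == v for k, v in REQUIRED_COMPONENTS.items())

@dataclass
class Lease:
    address: str
    mask: str
    routes: list

# Assumed quarantine configuration: a host mask, so the client has no on-link
# peers, plus static routes only to the remediation resources.
GATEWAY = "192.0.2.1"
QUARANTINE_MASK = "255.255.255.255"
REMEDIATION_ROUTES = [f"192.0.2.10/32 via {GATEWAY}",  # SMS server
                      f"192.0.2.53/32 via {GATEWAY}"]  # secondary DNS

def dhcp_lease(soh: Optional[dict], address: str = "192.0.2.77") -> Lease:
    """DHCP QES decision for one request carrying the client's SoH."""
    if validate_soh(soh):
        return Lease(address, "255.255.255.0", [f"0.0.0.0/0 via {GATEWAY}"])
    return Lease(address, QUARANTINE_MASK, list(REMEDIATION_ROUTES))

def issue_health_certificate(soh, subject: str, now: int) -> Optional[dict]:
    """Health certificate server: a certificate only for a valid SoH."""
    if not validate_soh(soh):
        return None
    return {"subject": subject, "not_after": now + 8 * 3600}  # assumed 8 h

def ipsec_peer_accepts(cert: Optional[dict], subject: str, now: int,
                       exempt: frozenset = frozenset()) -> bool:
    """An IPsec-protected host accepts a peer that presents a current health
    certificate for itself, or a peer the administrator has exempted (such
    as a client that cannot run NAP at all)."""
    if subject in exempt:
        return True
    return (cert is not None and cert["subject"] == subject
            and cert["not_after"] > now)

def remediate(soh: Optional[dict]) -> dict:
    """SMS provisions the missing updates; the client's SoH is refreshed."""
    updated = dict(soh or {})
    updated.update(REQUIRED_COMPONENTS)
    return updated

def dhcp_quarantine_cycle(initial_soh: Optional[dict]) -> list:
    """The DHCP process end to end: the mask of each lease the client gets."""
    first = dhcp_lease(initial_soh)
    if first.mask != QUARANTINE_MASK:
        return [first.mask]  # healthy on first request: normal access
    second = dhcp_lease(remediate(initial_soh))  # re-request with updated SoH
    return [first.mask, second.mask]
```

A client with a stale SoH, or none at all, first receives the quarantine lease and only after remediation the normal one; for IPsec, the same stale SoH yields no certificate, so other NAP clients refuse the peer unless it has been exempted.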


NAP vs NAC

The discussion of the NAP architecture would not be complete without bringing in the NAC (Network Admission Control) initiative from Cisco. Readers may refer to the discussion of a simplified schematic of a general network integrity system at the beginning of this section.


An Overview of Network Admission Control

NAC provides a new, comprehensive solution that allows organizations to enforce host patch policies and to regulate noncompliant and potentially vulnerable systems by assigning them to quarantined environments for remediation. By combining information about endpoint security status with network admission enforcement, NAC enables organizations to dramatically improve the security of their computing infrastructures.

NAC allows network access to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example), and restricts the access of noncompliant devices. Network access decisions can be based on such information as the endpoint's antivirus state, operating system version, operating system patch level, or Cisco Security Agent version and settings.

NAC components

Fig 5. NAC components and its working schematic

NAC has the following components:

Cisco Trust Agent

A software tool that resides on an endpoint system, collects security state information from security software solutions, such as antivirus and Cisco Security Agent clients, and communicates this to the network access device. Cisco Systems has licensed its trust agent technology to the NAC cosponsors (market-leading security software developers) in order to gather and report security state levels to the network policy server. Cisco Trust Agent is integrated with the Cisco Security Agent to provide endpoint security information such as operating system version, patch level, and Cisco Security Agent version and settings.

Network access devices

Network devices that enforce admission control policy include routers, switches, wireless access points, and security appliances. These devices demand host security "credentials" and relay this information to policy servers, where NAC decisions are made. Based on customer-defined policy, the network enforces the appropriate admission control decision: permit, deny, quarantine, or restrict.

Policy server

Evaluates the endpoint security information relayed from the network access device and determines the appropriate access policy to be applied. Cisco Secure Access Control Server (ACS), an authentication, authorization, and accounting (AAA) RADIUS server, is the foundation of the policy server system. It works in concert with NAC cosponsor application servers, such as security policy servers that are able to provide deeper credential validation.

Management system

CiscoWorks VPN/Security Management Solution (VMS) provisions NAC elements, while CiscoWorks Security Information Manager Solution (SIMS) provides monitoring and reporting tools. NAC cosponsors also provide management solutions for their endpoint security software.

Advanced services

Planning, design, and implementation consulting can save time, money, and resources, and can help ensure the deployment of an effective NAC solution. Advanced NAC services from Cisco include: Network Readiness Assessment to assess the network infrastructure to determine NAC readiness; Design Development to help create detailed NAC design specifications for a corporate-wide deployment; Implementation Engineering to deliver onsite installation, configuration, testing, and tuning of NAC components; and Optimization Engineering to provide periodic consultation to optimize NAC for reliability, efficiency, and scalability.


NAP & NAC - Two sides of the same coin.

NAP and NAC are two different implementations of a general network integrity system looking at it from different perspectives.

In NAC, Cisco builds the gatekeeper/inspector functions and a portion of the supervisor functions into the networking gear. A central policy server and agents sitting on the clients complete the links and interactions among all the participating components.

In NAP, Microsoft has opted to focus its architecture on its core competencies, i.e. host and server software. In its approach the same functions are going to be part of the operating system itself. As of now, NAP does not include a networking component, but one could become part of the initiative, since Microsoft has partnered with a number of networking gear vendors.


The NAP story - The industry perspective

The NAP Map

Microsoft announced the NAP initiative early this year. It will be added in the R2 update of Windows Server in late 2005, but NAP won't actually be available until at least 2007, when the new version of Microsoft's Longhorn server software is released.

An effort of this magnitude and flavor will not bear fruit without participation from the industry. So Microsoft has chalked out a partnership program in which 25 prominent companies have agreed to participate, of which 18 have already signed up. To list a few, they are Nortel Networks, Check Point Software, Juniper Networks, etc.

Another twist to the story is that there is not just one initiative but many, the other prominent one being NAC (Network Admission Control) from Cisco Systems. This understandably worries users, given the prospect of a lack of interoperability among these different initiatives, though both Cisco and Microsoft have pledged that they will work together.

The Pros and Cons

First, the good news

The industry lost billions of US dollars in the recent outbreak of mass-mailing worms such as Mydoom, Netsky, Sober, Zafi, etc. And it has been found that it was always the weakest-link principle that played havoc in networks that were supposed to be secure. The weakest link was mostly provided by remote computers, roaming laptops, home computers, etc. Network administrators found it virtually impossible to guarantee that all the systems across the network were updated with patches. This is exactly where NAP or NAP-like initiatives come in. NAP effectively addresses these problems, which were giving nightmares to network administrators and blowing a big hole in corporate budgets.

The scenario where NAP is going to be deployed or the problems, which it is going to address, is a typical case where multiple owners, causes and victims are involved. A comprehensive solution will come only if there is a concerted effort from all participating entities/agencies. Now this is the most difficult phase of the NAP initiative. This is where Microsoft pitches in. We are all aware that when Microsoft puts their mind (and of course their financial muscle to buttress it) nothing is impossible. They are already spearheading a partnership where 25 systems integrators and security, management and networking companies have agreed to participate and it is a good sign for the industry.

The other good thing is that Microsoft has announced that they will be working towards open standards in the NAP initiatives. This will give vendors wider options and more room to work with.

Now, the bad news

The industry is not united when it comes to network protection. The NAC initiative from Cisco approaches the problem from a different perspective. Microsoft has a monopoly in desktop operating systems, and when it comes to networking products Cisco holds more than 70% of the market. So there is always a likelihood that customers will get caught in the middle. But both Cisco and Microsoft have pledged that there will be interoperability between the two initiatives and that customers will not be forced into a tough either/or decision.

NAP is OS-specific, and the initial implementation requires servers to run Windows Server "Longhorn" and clients to run Microsoft Windows® XP with Service Pack 2. So it is going to be another 'Windows-only' product.

There could be a transaction overhead with lots of authentication tickets flying around. This means more processing and maintenance effort.

Then there is the ubiquitous issue of privacy. How privacy issues are going to be handled is not clear at the moment.


CONCLUSION

This paper has attempted to look at the recent NAP initiative from Microsoft from a technical point of view as well as from an industry perspective. The merits and demerits of the proposed initiative have been discussed. The apparent tussle between Microsoft and Cisco, with their different approaches, for supremacy over this niche market has been highlighted. In the process, the basic components of a generic network integrity system have been worked out.

At the end let us hope that corporate management and network administrators can take a peaceful nap, which is long due for them.
