Providing 802.1x Enforcement for Network Access Protection

wndpteam — Wed, 10 May 2006 23:30:00 GMT

We’re living in a highly connected world, where a large number of diverse devices gain access to the corporate environment using diverse technologies like wireless, wired 802.1x, virtual private networks (VPN), and more. Though this diversity is a great enabler allowing end users to always have up-to-date information at their fingertips, it creates a very challenging situation for enterprise IT administrators. Enterprise IT administrators don’t want to prevent access to their users, but they also don’t want to leave their networks exposed to threats. Often, these threats are not from malicious hackers, but from users who inadvertently bring authorized but unhealthy machines into corporate networks. Network Access Protection (NAP – http://www.microsoft.com/nap) addresses this by enabling IT administrators to govern a machine’s network access based on its compliance with corporate security policies.

NAP provides an extensible platform that enables both independent software vendors (ISVs) and independent hardware vendors (IHVs) to provide differentiated value in NAP deployments. NAP enables two kinds of extensions. First, it allows endpoint security software (e.g. patch management, anti-virus, anti-spyware, etc.) to flexibly define what it means for an endpoint to be compliant. Second, it enables network and security systems to provide restrictions on non-compliant endpoints. It accommodates a wide variety of enforcement mechanisms, including wireless protocols, firewalls, gateways, switches, routers, bump in the wire devices or even unique mechanisms that you might conceive of. In fact my challenge to you is to come up with answers for:

1. What would be some new ways in which you would want to enforce NAP?

2. What are some different mechanisms that you would want to be considered as part of the definition of health of a system?

My talk at WinHEC primarily focuses on NAP as relates to 802.1x (both wired and wireless). I will be talking about how both ISVs and IHVs can leverage our NAP platform to provide unique value to their customers. In Windows Vista and Windows Longhorn Server, we are making it easy to extend our platform, by leveraging the Extensible Authentication Protocol (EAP – http://www.microsoft.com/eap). We are introducing EapHost as well, which further simplifies extensibility by allowing 802.1x vendors to easily participate in NAP by plugging in their own EAP methods and writing unique EAP based supplicants.

This should be an awesome session, and I am looking forward to engaging in a healthy (pun intended) discussion over these features with you during and after the WinHEC session.

Mudit Goel

Development Manager

Network Access Protection

wndpteam — Tue, 18 Apr 2006 22:00:00 GMT

Network Access Protection (NAP) is an exciting new solution that will be included in Windows Vista and Windows Longhorn Server. You can find out some basic information about NAP here: http://www.microsoft.com/nap.

The world is becoming increasingly interconnected. This is great because it enables us to access our information on more devices, in more locations and at all times. However, these benefits require new approaches to access control. They require us to go beyond securing the network perimeter to securing the internal network and the hosts themselves. That’s what NAP is all about – providing integrated access controls across multiple layers in the network and on the hosts.

One thing that really sets NAP apart as a solution is the platform approach it takes. With NAP, customers can provide access controls across virtually any product from any vendor. Any product that can isolate a non-compliant endpoint can participate in a NAP deployment: VPN gateways, perimeter firewalls, internal firewalls, host firewalls, 802.1x switches, routers, DHCP servers, bump-in-the-wire network security appliances and more.

We are starting to showcase NAP integration with the ecosystem. Bill Gates demonstrated NAP in his RSA keynote in February. On the floor at RSA, NAP was demonstrated in 14 partner booths in addition to the Microsoft booth. We also recently participated in iLabs where we got NAP working with 802.1x switches from several vendors.

Mudit Goel, the NAP Development Manager, is busy preparing his presentation for WinHEC. He’ll provide a deep technical review of Network Access Protection. Then, he’ll discuss ways that NAP can be extended by network and security ISVs and IHVs. He’ll focus on 802.1x integration but will cover other kinds of integration as well. This will be a great session. We hope to see you there.

-Paul Mayfield

Group Program Manager

Network Access Protection

Windows Core Networking : nap

Providing 802.1x Enforcement for Network Access Protection

Network Access Protection