|
Microsoft's NAP
NAP is yet to be implemented in any product, although the effort has a long list of more than 60 supporters, many of whom are hedging their bets and are supporters of NAC as well (see www.microsoft.com/tech net/itsolutions/network/nap/napoverview.mspx).
NAP brings the security policy management and enforcement perspective into Windows Server that has been somewhat lacking since the early days of Active Directory.
"NAP will provide the ability to enforce policies through a variety of mechanisms, using IPSec for host authentication, 802.1X, or through a VPN or DHCP," says Mike Schutz, the group product manager at Microsoft's Windows Server Division, which is leading the charge for NAP.
Like NAC, NAP employs client software, Quarantine Agent, that passes information to Microsoft's Network Policy Server, which, like Cisco's ACS, checks with third-party servers for policy compliance. NAP promises multiple enforcement options including DHCP, IPSec VPN and 802.1X.
NAP will initially only support Longhorn Server and Windows Vista, as well as XP SP2, which will require a NAP update on each device. This will present problems for shops using older versions of Windows, and require commitments to the new OSes, and testing and managing XP upgrades. Further, authentication and enforcement servers, i.e., DHCP and RADIUS, will require Longhorn, needing further upgrades and making NAP even more proprietary.
"We don't think of NAC and NAP as being an either/or situation," says Schutz. "We've announced that we would be working together on interoperable solutions, so customers can choose what will best meet their needs." However, neither Microsoft nor Cisco is currently working with the TNC solution and have no immediate plans to do so.
The government in Fulton County, Ga., is already wading into NAP, with early versions of Microsoft servers and Vista desktops and laptops.
"Everything is still in beta," says Keith Dickie, who is managing the NAP rollout of the county's IT department. "But several members of our IT staff are using it on their production machines without any problems, including incorporating Symantec's Norton Anti-Virus with Micro-soft's SMS and Windows servers."
The county is using IPSec authentication, and its NAP deployment checks for a series of health requirements, including making sure that the version of Norton AV is current.
|
