Microsoft Is Committed to Interoperability with its Network Access Protection Solution

Published: September 13, 2006


By Mike Schutz
Group Product Manager, Security and Access Products, Microsoft Corporation

Microsoft is working with industry leaders across networking and security, as well as collaborating with Cisco on an interoperable architecture for NAP and NAC.

For the past two years, there has been much hype around the term “Network Access Control” (NAC). With the hype, there has been confusion for many IT professionals and chief information officers (CIOs) about what NAC is, how to deploy it, what the benefits are, and how the different flavors of NAC can work together.

In simple terms, the generic NAC is a framework designed to protect your network against endpoint devices that pose a threat to your IT infrastructure and to enable access to the network by trusted endpoints. In other words, it lets the good guys in while keeping the bad guys out.

But, as you know, it’s not that simple. That is why vendors such as Microsoft have developed solutions that provide granular policy-level controls and the ability to help quarantine and/or remediate endpoints accessing the network if they do not comply with security policies.

One solution is Microsoft Network Access Protection (NAP). NAP is a policy-enforcement platform built into the Windows operating system in both Windows Vista for the desktop and Windows Server (codenamed “Longhorn”). NAP inspects and assesses all Windows-based machines requesting network access, helps to ensure their policy compliance, and helps to remediate them where necessary. With NAP, customers can create customized system health policy requirements for all devices attempting access or communication with the IT infrastructure.

There are also other leading Network Access Control solutions, such as Cisco Network Admission Control (CNAC), which is a set of solutions and technologies built into Cisco’s networking infrastructure products, and the Trusted Computing Group’s Trusted Network Computing (TNC) initiative. There are also NAC point solutions being offered by vendors across the market.

These initiatives share a common goal of trying to help you protect your infrastructure and network resources. In fact, the spirit of Network Access Control is to make possible a framework of integration and interoperability across platforms and solutions. However, to achieve this, these different solutions must work together and create an interoperable environment for customers.

That is why companies across the NAC landscape are collaborating and providing customers with integrated or interoperable solutions. For example, at the Interop conference this past May, several leading networking, security, and remote-access vendors demonstrated their products working with Microsoft’s NAP. In all, more than 65 technology companies have announced their support for the Microsoft NAP technology. These companies include anti-virus, firewall, intrusion detection and prevention, patch management, SSL virtual private network (VPN), and NAC appliance vendors, as well as systems integrators.

Microsoft and Cisco have been collaborating for two years to achieve interoperability between Microsoft NAP and Cisco NAC. Earlier this month, they delivered on their promise to interoperate. The companies unveiled a joint NAP-NAC interoperable architecture, which allows communication and policy enforcement across each company’s solution. With this architecture, a multi-vendor, end-to-end solution can be built around the Cisco-Microsoft interoperability.

The two companies also co-authored a technical white paper that provides details on how to integrate the embedded security capabilities of the Cisco network infrastructure with those of Windows Vista and Windows Server “Longhorn.” (Get a copy of the white paper at

As part of a joint road map, Microsoft and Cisco will be implementing a limited beta of the NAP and NAC interoperability later this year for a select group of companies. Customers will be able to start implementing the NAP-NAC interoperability once Windows Server “Longhorn” ships, which is expected to happen in the second half of 2007.

The joint architecture includes a combination of components from Microsoft and Cisco that interoperate to help enforce health and security requirements for network access. Here is a quick look at those components and how they work:

  • NAP client (Microsoft): This computer, running Windows Vista or Windows Server "Longhorn," sends its health credentials as either a list of Statements of Health (SoHs) or a health certificate. The client architecture consists of a layer of System Health Agents (SHAs), the NAP Agent, Extensible Authentication Protocol (EAP) methods that perform account credential authentication and indicate health status, the EAPHost NAP Enforcement Client, and EAP supplicants that allow the client to send EAP messages over 802.1X or User Datagram Protocol (UDP). To obtain a current health certificate, the NAP client uses the Health Certificate Enrollment Protocol (HCEP) to send a certificate request and its list of SoHs to the Health Registration Authority (HRA).

  • Network access devices (Cisco): Cisco NAC-enabled network access devices (including switches, routers, wireless access points, and VPN concentrators) provide network access to clients and serve as network enforcement points.

  • Access Control Server (ACS) (Cisco): Cisco Secure ACS authorizes network access for clients by validating the administratively specified client attributes, which could include the identity of the user and/or the computer, and the overall health state of the client. Cisco Secure ACS sends an access profile to the network access device(s) to grant the appropriate level of network access for the client based on the authorization result. Note that validation of the client health state attributes and assignment of the overall client health state in the interoperability architecture is performed by the Microsoft Network Policy Server.

  • Network Policy Server (NPS) (Microsoft): A Microsoft NPS, which is based on Windows Server “Longhorn,” the next version of the Windows Server operating system, performs the validation of the computer's system health and provides remediation instructions if needed.

  • Health Registration Authority (Microsoft): An HRA obtains health certificates on behalf of NAP clients from a public key infrastructure (PKI).

  • Policy servers (Microsoft or third party): Policy servers provide the current system health status for Microsoft NPSs. They integrate with Microsoft NPSs through the NPS System Health Validator (SHV) application programming interface (API).

Customers have given us clear feedback that they would like the Microsoft and Cisco solutions to be able to interoperate with one another for greater flexibility in fulfilling their strategic initiatives. With this joint architecture, they will no longer be forced to choose between Cisco NAC and Microsoft NAP, but can realize the benefits of both.

Customers will be able to choose components, infrastructure, and technology based on what best serves their business needs. In addition, the interoperability architecture helps protect investments of NAC and NAP deployments. For example, you can begin deploying Cisco NAC today and integrate NAP into the environment concurrent with your deployment of Windows Vista and Windows Server “Longhorn.”

Other key benefits of the Cisco-Microsoft interoperability include:

  • Single agent included in Windows Vista: Computers running Windows Vista or Windows Server "Longhorn" will include the NAP Agent component as part of the core operating system, which can be used for both NAP and NAC.

  • Independent software vendor integration ecosystem: To simplify the development of third-party health agent and health enforcement components for clients running Windows Vista, the NAP client APIs will serve as the single programmatic interface used for health reporting and enforcement for both NAP and Cisco NAC.

  • Agent deployment and update support: The customer experience and process for deploying the required agent components for interoperability with Windows Vista and Windows Server “Longhorn” will be similar to deploying typical Windows operating system services and Windows Update / Windows Server Update Services client component distribution mechanisms.

  • Cross-platform support: To support client operating systems other than Windows, Microsoft will license elements of the NAP client technology that support both NAP and Cisco NAC to third-party software developers. Cisco will continue to support and develop its NAC client (the Cisco Trust Agent) for non–Windows Vista and non–Windows Server “Longhorn” platforms, and will continue to execute on its publicly stated direction to submit the Cisco NAC protocols for standardization through open standards processes.

As you’re reading this, you may be asking why you need NAP or NAC or any flavor of network access control. These types of solutions are becoming more important because of converging trends: the pervasiveness of broadband, work force mobility, malicious attacks and software, and increased IT complexity.

Threats against IT infrastructure are ever-changing and are becoming more sophisticated and dangerous. At the same time, today’s mobile work force and global business environment require network access virtually every minute of the day from all endpoints, both managed and unmanaged. This is leading to more demand than ever to provide ubiquitous access to corporate networks and assets in a low-cost, seamless, and integrated fashion but without sacrificing security. What’s more, remote connections, wireless connectivity, and unknown machines accessing the network contribute to additional IT complexity by adding “layers” of technology requiring more IT resources and increased help-desk support. As a result, IT professionals need more control over access methods and policy compliance to protect corporate and IT assets.

Microsoft believes that NAP gives you the visibility and control you need as IT professionals. However, we also realize there are elements of your IT infrastructure that NAP does not control and needs to work with, such as a heterogeneous client environment and network hardware from multiple vendors such as Cisco. This is why, in addition to continuing to invest in NAP and related technologies, we are also working with the networking and security ecosystem to help provide customers with a more comprehensive solution and to enable customers to deploy NAP into their existing infrastructure.