Longhorn Networking Stack: NAP

Today was the Longhorn Networking Chat. I've organized some of the Q&A and will do a series of posts on different topics that came up. See the full transcript on Channel 9.

Network Access Protection:

Khaja_MSFT (Expert):
Q: oh yes = tell us more about NAP - this going to hit longhorn client???

A: The idea behind NAP is that we create a framework that allows IT admins to ensure policy compliance of their systems. In essence, a computer has to prove that it is healthy (compliant with policy) before it is allowed to connect to the network. Of course, the IT admin has the option of using strong enforcement or not.

Khaja_MSFT (Expert):
Q: oh yes = tell us more about NAP - this going to hit longhorn client???

A: By the way, more info is available at https://www.windows.com/nap

Khaja_MSFT (Expert):
Q: oh yes = tell us more about NAP - this going to hit longhorn client???

A: NAP is indeed going to be in Longhorn client. It will ship with some out of box capabilities to enforce policy compliance. Additionally we are working with 40+ partners who are industry leaders in Anti-virus, intrusion detection / prevention, network access devices and much more to support the NAP architecture.

Jawad_Khaki_MSFT (Expert):
Q: The new networking stack will integrate with various vendors' endpoint security technologies (like CISCO NAC or Check Point Integrity)? Will it be integrated with Microsoft NAP?

A: NAP support planned for Longhorn will take advantage of the new stack in LH. Can't comment on 3rd party plans.

Khaja_MSFT (Expert):
Q: In addition to enhanced NAP support and an IPv6 GUI, will Longhorn have any other security features from a networking perspective built in (i.e., improved ICF, antivirus, etc)?

A: There are certainly improvements in usability and manageability of the components you name. Network security is handled at multiple levels so I will answer from the perspective of NAP. Properly used, NAP will be the framework that protects your network. This is the 'wholistic' solution to protect both your network as well as the devices / end points connected to the network. When I say NAP I am not talking about just the NAP agent and server that comes in LH client and Server. I am also including the server side and client side elements that come from MS and other third parties. The client side agents are called SHAs, system health agents and each SHA will have a corresponding SHV (System Health Validator) on the infrastructure side. These pairs can address various aspects of network security, policy compliance, and other network / system health parameters. As an example one pair may address the anti-virus health aspect, another may address the configuration management; yet another may address patch level.

Joe_MSFT (Expert):
Q: Will NAC/NAP be standard in LH for network access and WS health prior to allowing network access?

A: The current plan is to include client and server support for Network Access Protection (NAP) in Longhorn, which performs system health checks prior to allowing various levels of access to a managed network. Cisco NAC integration in Longhorn is under development. See https://www.microsoft.com/nap for more information.

Jawad_Khaki_MSFT (Expert):
Q: Will NAC/NAP be standard in LH for network access and WS health prior to allowing network access?

A: NAP enhancements will enable IT network managers to enforce health check prior to network access. It will depend on the IT policies.

Jawad_Khaki_MSFT (Expert):
Q: Could PolicyNAT and PolicyRouting be supported in the LH timeframe?

A: There will be some level of policy-based configuration, and we are eager for feedback from you in this space.

Khaja_MSFT (Expert):
Q: Will the SHA component of NAP work without the SHV piece such as in the Windows Security Center in XP SP2?

A: Depending on the particular aspect of system health a SHA deals with, there may be no requirement for a corresponding SHV. So this has more to do with the nature of the SHA than the architecture of NAP. As an example, if the SHA reports on the Anti-virus configuration you pretty much need a server side way (an SHV) that can affirm / validate that the virus signature file being used is really the latest, the configuration is as required by policy etc. Some other SHA may simply be a binary state check about whether or not a particular parameter that is required by policy has the right value.

Khaja_MSFT (Expert):
Q: What improvements in security point of view will Longhorn's networking component present?

A: A significant improvement in LH from a network health as well as an end-point (Desktop and server) health perspective is NAP. It is a suite of components in the client and the server that works in a coordinated fashion with other MS and third party applications to ensure policy compliance of systems that connect to the network. This should do a great deal to improve security and manageability of security for your desktops and the network.

Wendy [R2 Tech Beta] (Expert):
Q: Will R2 Beta Participants get an early look on Longhorn/Longhorn Networking?

A: While there are many criteria that MS Beta programs use when selecting beta applicants, one of the best ways to make yourself more visible to Beta PMs is to actively participate in current betas of similar products.

If you would like to be considered as a candidate for Beta 2 of Windows Server “R2”, please complete the following steps:

1. Go to https://beta.microsoft.com
2. Enter a valid .Net Passport
3. Click on GuestID
4. Enter 'R2B2Beta' (case-sensitive)
5. Complete the survey in the left-hand pane

Successful participants will be notified within ~2 weeks.