Providing 802.1X Enforcement for Network Access Protection

We live in a highly connected world, where a large number of diverse devices gain access to the corporate environment over a range of technologies: wireless, wired 802.1X, virtual private networks (VPNs), and more. This diversity is a great enabler, since end users always have up-to-date information at their fingertips, but it creates a very challenging situation for enterprise IT administrators. They don’t want to deny access to their users, yet they also don’t want to leave their networks exposed to threats. Often, these threats come not from malicious hackers but from users who inadvertently bring authorized but unhealthy machines into corporate networks. Network Access Protection (NAP – https://www.microsoft.com/nap) addresses this by enabling IT administrators to govern a machine’s network access based on its compliance with corporate security policies.

NAP provides an extensible platform that enables both independent software vendors (ISVs) and independent hardware vendors (IHVs) to provide differentiated value in NAP deployments. NAP supports two kinds of extensions. First, it allows endpoint security software (e.g. patch management, anti-virus, anti-spyware) to define flexibly what it means for an endpoint to be compliant. Second, it enables network and security systems to restrict non-compliant endpoints. It accommodates a wide variety of enforcement mechanisms, including wireless protocols, firewalls, gateways, switches, routers, bump-in-the-wire devices, or even unique mechanisms that you might conceive of. In fact, my challenge to you is to come up with answers to these questions:

1. What would be some new ways in which you would want to enforce NAP?

2. What are some different mechanisms that you would want to be considered as part of the definition of health of a system?
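To make the two extension points concrete, here is an added illustration that is not part of the original post and not NAP's own code or any Microsoft API: a small Python model in which pluggable validators decide what "healthy" means (the first extension point) and an enforcement step maps the verdict to a network restriction (the second). The statement-of-health field names, the validator thresholds and the use of VLAN assignment as the restriction are all assumptions made for this model; the sample statements of health are constructed.

```python
"""Toy model of NAP-style health evaluation and 802.1X enforcement.

Added illustration only (not NAP code or a Microsoft API). Field names,
thresholds and the VLAN-based restriction are assumptions for this model.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A statement of health: the endpoint's claims, keyed by component name.
StatementOfHealth = Dict[str, dict]

# A validator inspects one component's claims and returns (ok, reason).
Validator = Callable[[dict], Tuple[bool, str]]


def firewall_validator(claims: dict) -> Tuple[bool, str]:
    """ISV-style validator: the host firewall must be on."""
    if claims.get("enabled") is True:
        return True, "host firewall enabled"
    return False, "host firewall disabled"


def antivirus_validator(claims: dict, max_signature_age_days: int = 7) -> Tuple[bool, str]:
    """ISV-style validator: anti-virus on and signatures no older than a week."""
    if claims.get("enabled") is not True:
        return False, "anti-virus disabled"
    age = claims.get("signature_age_days")
    if age is None or age > max_signature_age_days:
        return False, f"anti-virus signatures stale ({age} days)"
    return True, f"anti-virus signatures current ({age} days)"


def patch_validator(claims: dict, required_level: int = 42) -> Tuple[bool, str]:
    """ISV-style validator: patch level must meet the assumed baseline."""
    level = claims.get("patch_level", 0)
    if level >= required_level:
        return True, f"patch level {level} meets baseline {required_level}"
    return False, f"patch level {level} below baseline {required_level}"


@dataclass
class HealthPolicy:
    """Extension point 1: what it means for an endpoint to be compliant."""
    validators: Dict[str, Validator] = field(default_factory=dict)

    def evaluate(self, soh: Optional[StatementOfHealth]) -> Tuple[bool, List[str]]:
        # Fail closed: a client that presents no statement of health is not compliant.
        if soh is None:
            return False, ["no statement of health presented"]
        compliant, reasons = True, []
        for component, validator in self.validators.items():
            claims = soh.get(component)
            if claims is None:
                # A required component the client did not report on is a failure,
                # not a pass; skipping it would let a stripped-down SoH through.
                compliant = False
                reasons.append(f"{component}: not reported")
                continue
            ok, reason = validator(claims)
            compliant = compliant and ok
            reasons.append(f"{component}: {reason}")
        return compliant, reasons


@dataclass
class VlanEnforcer:
    """Extension point 2: how a non-compliant endpoint is restricted.

    Here an 802.1X switch or controller places the port in a remediation VLAN
    (assumed mechanism); other enforcers could use firewall rules or gateways.
    """
    full_access_vlan: int = 100
    remediation_vlan: int = 900

    def decide(self, compliant: bool) -> int:
        return self.full_access_vlan if compliant else self.remediation_vlan


def authorize(policy: HealthPolicy, enforcer: VlanEnforcer,
              soh: Optional[StatementOfHealth]) -> dict:
    """Evaluate health, then apply the enforcement decision."""
    compliant, reasons = policy.evaluate(soh)
    return {"compliant": compliant, "vlan": enforcer.decide(compliant), "reasons": reasons}


DEFAULT_POLICY = HealthPolicy({
    "firewall": firewall_validator,
    "antivirus": antivirus_validator,
    "patches": patch_validator,
})
DEFAULT_ENFORCER = VlanEnforcer()

# Constructed sample statements of health.
HEALTHY_SOH = {
    "firewall": {"enabled": True},
    "antivirus": {"enabled": True, "signature_age_days": 1},
    "patches": {"patch_level": 45},
}
STALE_AV_SOH = {
    "firewall": {"enabled": True},
    "antivirus": {"enabled": True, "signature_age_days": 30},
    "patches": {"patch_level": 45},
}

if __name__ == "__main__":
    for name, soh in (("healthy", HEALTHY_SOH), ("stale AV", STALE_AV_SOH), ("no SoH", None)):
        print(name, authorize(DEFAULT_POLICY, DEFAULT_ENFORCER, soh))
```

Two design choices matter for the security outcome: the policy fails closed when no statement of health is presented, and a component that is simply absent from the statement counts as a failure rather than being skipped, so a client cannot pass by omitting the check it would fail.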

My talk at WinHEC focuses primarily on NAP as it relates to 802.1X (both wired and wireless). I will be talking about how both ISVs and IHVs can leverage our NAP platform to provide unique value to their customers. In Windows Vista and Windows Longhorn Server, we are making it easy to extend the platform by leveraging the Extensible Authentication Protocol (EAP – https://www.microsoft.com/eap). We are also introducing EapHost, which further simplifies extensibility by allowing 802.1X vendors to participate in NAP by plugging in their own EAP methods and writing their own EAP-based supplicants.

This should be an awesome session, and I am looking forward to engaging in a healthy (pun intended) discussion over these features with you during and after the WinHEC session.


Mudit Goel

Development Manager

Network Access Protection