Most companies allow remote access to the corporate network via virtual private network (VPN). While a VPN connection allows a trusted host to connect to a corporate network over an insecure medium, trust remains an issue. Unless your customers own and maintain the computers remotely accessing their Windows network, those machines cannot be considered trustworthy. They could be running an ancient operating system and be completely infested with viruses and spyware. Enter Network Access Protection.
Network Access Protection is a security feature scheduled to make its debut in Longhorn Server. Its job is to analyze computers running Windows Vista that are connecting to the corporate network and verify that those computers adhere to the corporate security policy. For example, Network Access Protection can be used to make sure that any computer remotely connecting to your customer's network is running the latest Windows security patches. It can also be used to ensure that various security features, such as the Windows firewall, are enabled.
It's important to note that Network Access Protection is only designed to make sure that computers remotely connected to the network comply with your customer's corporate security policy. Network Access Protection does nothing to verify the identity of a remote user or to keep intruders out of the network. Authentication is performed by your customer's virtual private network server (with help from the RADIUS server), not by a Network Access Protection server.
How Network Access Protection works
When deploying a Network Access Protection server, you must create a couple of policies. The first is the network health policy, which is simply a definition of what it means for a PC to be healthy. For example, if your customer considers a PC with the latest security patches and antivirus definitions to be healthy, then the network health policy would mandate that computers have the latest security patches and antivirus definitions.
When a PC connects to the VPN and the user is authenticated, the network policy server requests that the PC provide it with a statement of health. For now, only workstations running Windows Vista are equipped to provide health statements -- a summary of the computer's configuration as it relates to security. When the network policy server receives the statement of health, it compares it against one or more system health validators, and uses the results to determine whether or not the computer is compliant with the network security policy. Network Access Protection can also be configured so that in the case of a failure, remote computers are automatically treated as being non-compliant, so as to avoid accidentally allowing a non-compliant computer to access the network.
It's up to the administrator to determine what happens to non-compliant PCs. If Network Access Protection is running in Monitoring Only mode, then the connection will be granted, but the particulars of the non-compliance will be logged. If Network Access Protection is not running in Monitoring Only mode, then non-compliant computers are typically placed into isolation mode. Isolation mode gives non-compliant computers access to an isolated network segment and prevents access to the rest of the corporate network.
The isolated segment can theoretically be used to host resources that can help the computer become compliant. The isolated network segment might contain a WSUS server that could deploy security patches to non-compliant computers. Or you may place hardened servers with read-only copies of critical data onto isolated segments so that users can still access the data they need, but cannot compromise the integrity of the data (or the network in general).
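As an added illustration that is not part of the original article and is not Microsoft's own Network Access Protection code, the following Python model walks through the evaluation just described: a constructed health policy, a statement of health checked by system health validators, fail-closed handling when the statement is missing or unreadable, and the difference between Monitoring Only mode and isolation. All policy values, field names and function names are assumptions for the example.

```python
from enum import Enum

class Mode(Enum):
    MONITOR_ONLY = "monitoring only"
    ENFORCE = "enforce"

class Decision(Enum):
    FULL_ACCESS = "full network access"
    ISOLATED = "isolated segment"

# Constructed health policy: what "healthy" means on this network (assumed values).
HEALTH_POLICY = {
    "required_patch_level": 7,
    "required_av_definitions": "2006-11-01",  # ISO date strings compare correctly as text
    "firewall_required": True,
}

# System health validators: each checks one part of a statement of health.
def validate_patches(soh, policy):
    return soh["patch_level"] >= policy["required_patch_level"], "security patches"

def validate_antivirus(soh, policy):
    return soh["av_definitions"] >= policy["required_av_definitions"], "antivirus definitions"

def validate_firewall(soh, policy):
    return (not policy["firewall_required"]) or soh["firewall_enabled"], "Windows firewall"

VALIDATORS = [validate_patches, validate_antivirus, validate_firewall]

def evaluate(soh, policy=HEALTH_POLICY, mode=Mode.ENFORCE, log=None):
    """Run every validator over a statement of health and decide access.
    Returns (decision, failed checks). A missing or unreadable statement is
    treated as non-compliant (fail closed) rather than waved through."""
    failures = []
    if soh is None:
        failures.append("no statement of health received")
    else:
        for check in VALIDATORS:
            try:
                ok, name = check(soh, policy)
            except (KeyError, TypeError):
                ok, name = False, f"{check.__name__} (unreadable statement)"
            if not ok:
                failures.append(name)
    if not failures:
        return Decision.FULL_ACCESS, failures
    if log is not None:  # particulars of the non-compliance are logged in both modes
        log.append("non-compliant: " + ", ".join(failures))
    if mode is Mode.MONITOR_ONLY:
        return Decision.FULL_ACCESS, failures  # admitted, but logged
    return Decision.ISOLATED, failures
```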
Although Network Access Protection has not been released yet, I think that it will completely change the way that virtual private networks are implemented. Network Access Protection is destined to become an indispensable technology because it will allow network administrators to protect their networks against remote connections from insecure computers. As a hardware and software reseller, it is important for you to have a basic understanding of Network Access Protection, because it's something that the majority of your customers are probably going to want once it becomes available.
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.