Network Computing is part of the Informa Tech Division of Informa PLC

Rolling Review: Microsoft NAP: Page 3 of 3

OUT FOR A SPIN
To get a hands-on read of Network Access Protection, we deployed DHCP enforcement in our lab environment and quickly hit our first snag: To use DHCP enforcement with NAP, you need a DHCP server running Windows Server 2008. The Windows Server 2008 DHCP service is NAP-aware; it includes the user classes and scope options needed to hand a client that fails its health check a restricted lease (a 255.255.255.255 subnet mask, no default gateway and host routes only to the remediation servers), which in effect black-holes the machine. Thankfully, your domain controller and DNS server do not need to be running Windows Server 2008 for DHCP enforcement to work. Bear in mind, too, that DHCP enforcement is the weakest of NAP's enforcement methods: a user with local administrator rights sidesteps it simply by assigning a static IP address, so treat it as a compliance nudge rather than a security boundary.

The second gotcha: Only Windows XP SP3 and Vista have built-in NAP clients, and Microsoft has no plans to support additional operating systems. Fortunately, third parties are working on clients for Linux and Mac OS devices; in fact, Avenda Systems already offers a beta version of a Linux-based NAP client.

As we configured our DHCP scopes and NAP policies, we discovered a third gotcha: The NAP client ships on XP SP3 and Vista out of the box as the Network Access Protection Agent service, but by default that service is not running and none of its enforcement clients are turned on, so we had to build a Group Policy object that both starts the service automatically and enables the DHCP Quarantine Enforcement Client before machines would participate in DHCP enforcement. Sure, we could have taken the easy road and configured the client manually for testing purposes, but how good would this review be if we didn't subject ourselves to the same pain that you'll feel in the real world?
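The manual route the reviewers passed over, as an added PowerShell example that is not code from the review. It assumes an XP SP3 or Vista client that is not already receiving NAP client settings from Group Policy (a Group Policy NAP client configuration overrides the local one, so on a managed client the netsh change is ignored); 79617 is the Microsoft-assigned ID of the DHCP Quarantine Enforcement Client, and napagent is the service name behind "Network Access Protection Agent".

```powershell
# Added example, not code from the Network Computing review.
# Enable NAP DHCP enforcement on one XP SP3 / Vista client by hand. Run from
# an elevated PowerShell prompt. Assumes the client is not already getting NAP
# client settings from Group Policy, which would override these local changes.

# Microsoft's ID for the DHCP Quarantine Enforcement Client
# ('netsh nap client show config' lists this one and the others).
$DhcpEnforcementClientId = 79617

# 1. The Network Access Protection Agent service is installed but not running
#    by default; make it start automatically and start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Turn on the DHCP enforcement client. This is a local setting: a local
#    administrator can turn it off again just as easily, one reason to push
#    it through Group Policy in production as the reviewers did.
netsh nap client set enforcement "ID=$DhcpEnforcementClientId" "ADMIN=ENABLE"

# 3. Renew the lease so the agent sends its statement of health with the DHCP
#    request now instead of waiting for the next scheduled renewal.
ipconfig /release | Out-Null
ipconfig /renew   | Out-Null

# 4. Show the agent's own view: which enforcement clients are enabled and
#    whether the client currently sits in the restricted network.
netsh nap client show state
```

The last command is the quickest way to tell a client that never sent a statement of health (enforcement client still disabled) from one that sent it and failed (restriction state reported by the agent).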

Once our group policies were built and tested, we unleashed them on our domain. We were curious to see what would happen with our XP SP2 clients. To our surprise, these non-NAP-capable PCs were quarantined, as though they had failed a health check. Without a NAP client there is no statement of health for NPS to evaluate, so unless a network policy explicitly grants non-NAP-capable computers full access, they land in the restricted network alongside the machines that actually failed. The good news: You can force users to upgrade to SP3 immediately. The bad news: Employees might not take kindly to having to wait half an hour for their systems to be remediated up to SP3. Luckily, you can configure policies to allow non-NAP clients onto the production network, or you can use deferred enforcement (the policy option that grants full access until a date you set) and let end users decide when to remediate themselves.

We also were curious to see how the auto-remediation feature worked. To test it, we modified the Windows Security Health Validator to require all clients to have their Windows firewalls turned on. We then turned off the firewall on our Vista client, logged out, and popped back in. To our delight and slight surprise, the policy worked as advertised. The NAP client greeted us with a yellow balloon saying that the client failed a health check, and about 60 seconds later, our Windows firewall was turned back on and all of our routes to production network resources were restored.

Although auto-remediation worked well, we had to twiddle our thumbs for a minute until the NAP client let us back onto the network. Just for fun, we tried to turn off the Windows firewall again while logged in. The NAP client didn't even bark at us; it just immediately turned the firewall back on.
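A client-side check for the restricted state and the firewall requirement described above, as an added PowerShell example that is not code from the review. It reads the DHCP lease through WMI and the Windows Firewall state through the HNetCfg COM interface, both of which exist on XP SP3 and Vista; the Restricted test relies on the documented shape of a NAP restricted lease (255.255.255.255 mask, no default gateway). The function names are my own.

```powershell
# Added example, not code from the Network Computing review.
# Tell from the client side whether NAP DHCP enforcement has restricted this
# machine, and whether the firewall requirement in the Windows Security
# Health Validator would currently pass. Uses WMI and the HNetCfg COM object,
# so it runs on XP SP3 and Vista without newer networking cmdlets.

function Get-NapLeaseState {
    # Only DHCP-assigned addresses matter; a static address is outside DHCP
    # enforcement entirely, which is the method's main weakness.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled -and $_.IPAddress }

    foreach ($nic in $nics) {
        $mask    = $nic.IPSubnet[0]
        $gateway = $null
        if ($nic.DefaultIPGateway) { $gateway = $nic.DefaultIPGateway[0] }

        # A NAP restricted lease has a 255.255.255.255 mask and no default
        # gateway. The host routes to the remediation servers arrive as DHCP
        # classless static route options and show up in 'route print', not
        # in this WMI class.
        $restricted = ($mask -eq '255.255.255.255') -or ($gateway -eq $null)

        $state = New-Object PSObject
        $state | Add-Member NoteProperty Adapter    $nic.Description
        $state | Add-Member NoteProperty IPAddress  $nic.IPAddress[0]
        $state | Add-Member NoteProperty SubnetMask $mask
        $state | Add-Member NoteProperty Gateway    $gateway
        $state | Add-Member NoteProperty Restricted $restricted
        $state
    }
}

function Get-FirewallEnabled {
    # On/off state of Windows Firewall for the active profile: the setting
    # that auto-remediation flips back on when the WSHV firewall check fails.
    $fwMgr = New-Object -ComObject HNetCfg.FwMgr
    return [bool]$fwMgr.LocalPolicy.CurrentProfile.FirewallEnabled
}

Get-NapLeaseState | Format-Table Adapter, IPAddress, SubnetMask, Gateway, Restricted -AutoSize
"Windows Firewall enabled: $(Get-FirewallEnabled)"
```

Run it once on a healthy client, turn the firewall off, and run it again after the agent's yellow balloon appears: Restricted flips to True and the firewall line reads False until remediation catches up. Because the statement of health travels inside the DHCP request, an ipconfig /renew after the firewall is back on re-evaluates the client straight away rather than waiting out the agent's own retry.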

Bottom line, NAP is a great value for organizations that have yet to invest in NAC. For now, it's all about the price; if you're buying a Windows Server 2008 license, you're getting the functionality for free. In addition, as more vendors develop the System Health Validators needed to expand on present policy enforcement capabilities, we expect Microsoft NAP to mature to the point where it will pose a significant threat to established NAC players.

If our reader survey yielded one truth, it's that IT wants an industry-standard NAC framework.

On the other hand, Microsoft Network Access Protection is difficult to configure, even for simple enforcement methods. We'd like to see a more intuitive auto-install process for an antivirus or anti-spyware client as part of the auto-remediation process, for example, and we wish Redmond had added captive portal functionality for guest access in this first cut of NAP. Microsoft says that functionality is coming via Forefront Unified Access Gateway, due next year. In addition, it's an open question how aggressively Microsoft will seek to dominate the NAC market. In much the same way that Citrix and Terminal Services coexist, we don't see the company wanting to alienate its partners over what is, after all, a free feature of Windows Server 2008. Expect Microsoft to instead concentrate its top talent on the features that will most quickly drive licensing revenue growth, like Hyper-V, which we'll evaluate in the next installment of our Windows Server Rolling Review.