One aspect of network security that frustrates many administrators is that they have no control over the configuration of remote computers. Although the corporate network might be running a highly secure configuration, there is presently nothing to prevent a remote user from connecting to the corporate network from a computer that is infested with viruses or that is missing security patches. Longhorn Server's Network Access Protection feature is intended to change this. In this article series, I will introduce you to Network Access Protection and show you how it works.
When I was a network administrator, one of the things that really frustrated me was how little control I had over remote users. My organization's business requirements mandated that remote users be able to connect to the corporate network from locations outside the office. The problem was that although I had gone to extreme measures to secure the corporate network, I had absolutely no control over the PCs that users would use to connect to the network remotely. After all, a user's home computer is not company property.
The reason this was so frustrating was that I never knew what condition a remote user's computer would be in. Sometimes remote users would connect to the network using a PC that was infested with viruses. Other times, a remote user's PC might be running an ancient version of the Windows operating system. Although I had taken steps to secure the corporate network, I was always afraid that a remote user with inadequate protection would infect files on the network with a virus, or would inadvertently disclose sensitive information because their PC was infected with some kind of Trojan.
Several years ago there was a ray of hope though. As Microsoft prepared to release Windows Server 2003 R2, there was talk of a new feature called Network Access Protection. To make a long story short, some of the early builds practically required you to have a Ph.D. in computer science in order to configure Network Access Protection. As such, the Network Access Protection feature was removed prior to R2 being released.
Microsoft has done a lot of work on Network Access Protection since that time, and Network Access Protection will be one of the key security features in Longhorn Server. Although the Longhorn version of Network Access Protection is going to be much easier to configure than the ill-fated Windows Server 2003 version, it is still somewhat complicated. Therefore, my purpose in writing this article series is to give you an introduction to Network Access Protection, and show you how it works before Longhorn Server is released.
Before I Begin
Before I get started, there is one thing that I want to clarify regarding Network Access Protection. Its purpose is to make sure that remote users' computers comply with your organization's security requirements. Network Access Protection does nothing to prevent unauthorized access to your network. If an intruder has a PC that complies with your corporate security policy, then Network Access Protection will do nothing to stop that intruder. Keeping the intruder away from network resources is the job of other security mechanisms, such as authentication and authorization. Network Access Protection is simply designed to prevent legitimate users from connecting to your network with insecure PCs.
One more thing I want to mention before I get started is that Network Access Protection is different from the Network Access Quarantine Control feature found in Windows Server 2003. Network Access Quarantine Control provides limited health checking for remote access clients, but it is far less capable than Network Access Protection.
The Fundamentals of Network Access Protection
Network Access Protection can enforce health at several kinds of network entry point; this series covers the case where it augments a corporate VPN. The process begins when a client establishes a VPN session with a Longhorn Server that is running the Routing and Remote Access service. As part of the connection, a Network Policy Server validates the remote system's health by comparing the remote computer's configuration against a network access policy defined by the administrator. What happens next depends on the policy that the administrator has configured.
The administrator has the option of configuring either a monitoring-only policy or an isolation policy. If a monitoring-only policy is in effect, then any user with a valid set of credentials will be given access to network resources, regardless of whether their PC complies with the corporate security policy. Although a monitoring-only policy will not prevent any PC from gaining access to your network, the compliance state of each remote PC attempting a connection will be logged.
In my opinion, a monitoring-only policy is best suited to making the transition to a Network Access Protection environment. If you have remote users who need access to resources on your corporate network to do their jobs, you probably don't want to enable Network Access Protection in isolation mode right away; if you do, there is a good chance that none of your remote users will be able to reach the corporate network. Instead, configure Network Access Protection to use a monitoring-only policy first. This lets you gauge the impact of your network access policies from the logs without accidentally preventing anyone from doing their job. Once you have worked out the kinks, switch the policy to isolation mode.
As you probably guessed, isolation mode works by placing remote computers that do not comply with the corporate security policy onto an isolated network segment, away from the resources on your production network. That is the general case; it is ultimately up to the administrator to control what a user with a non-compliant computer can actually reach. Normally the administrator gives users with non-compliant machines access to an isolated network segment, which I will talk about more in a moment, but the administrator also has the option of limiting access to a single resource or of denying access to all network resources.
Right now you may be wondering what the advantage is of granting non-compliant computers access to an isolated network segment at all. When a non-compliant computer attaches to the network and Network Access Protection is running in isolation mode, the non-compliant computer is quarantined from the production network. The quarantine lasts until the computer is brought into compliance or, if nothing on the isolated segment can fix it, for the duration of the user's connection. Simply quarantining a non-compliant machine may help prevent viral infections or security breaches on your network, but it doesn't do the remote user much good. After all, if the user cannot connect to resources on the network, they cannot do their job.
This is where the isolated network segment comes into play. An administrator can place health update resources (remediation servers, in Network Access Protection terminology) onto the isolated segment. These are secured servers whose job is to bring the non-compliant remote computer into compliance. They might, for example, supply security patches or antivirus updates. Because every quarantined machine can reach them, these servers must themselves be hardened and kept current: they are exposed to exactly the clients that have already failed the health check.
One thing that is important to note is that Network Access Protection itself contains no mechanism for verifying a remote computer's health or for applying updates to it. That is the job of System Health Agents, which run on the client and report its state, and System Health Validators, which run on the server and judge that report against policy. Rumor has it that these components will be integrated into the next version of SMS Server.
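To make the decision flow described in this section concrete, here is an added example (written for this article, not code from Network Access Protection or from Microsoft) that models it in Python: a client presents a health report, a validator compares it with policy, and the enforcement point either grants full access, grants access only to the remediation servers on the isolated segment, or denies access, depending on whether the policy is in monitoring-only or isolation mode. The class and function names, the three health checks, the thresholds and the sample hosts are all assumptions made for the example; a real System Health Agent reports a binary Statement of Health and a real validator applies whatever checks the administrator chose.

```python
"""Model of a NAP-style admission decision (constructed example, not NAP's code)."""
from dataclasses import dataclass, field
from typing import List

PRODUCTION = "production"   # full access to the corporate network
RESTRICTED = "restricted"   # isolated segment: remediation servers only
MONITOR, ISOLATE = "monitor", "isolate"


@dataclass
class HealthClaim:
    """What the client-side health agent reports (fields are this example's own)."""
    host: str
    firewall_on: bool
    av_signature_age_days: int
    missing_critical_patches: int


@dataclass
class Policy:
    mode: str                              # MONITOR or ISOLATE
    max_signature_age_days: int = 7        # assumed threshold
    remediation_servers: List[str] = field(default_factory=list)  # empty => deny all


@dataclass
class Decision:
    host: str
    compliant: bool
    failures: List[str]
    network: str
    allowed_hosts: List[str]               # "*" means everything on the production network


def validate(claim: HealthClaim, policy: Policy) -> List[str]:
    """Validator role: return the list of checks the client failed."""
    failures = []
    if not claim.firewall_on:
        failures.append("firewall off")
    if claim.av_signature_age_days > policy.max_signature_age_days:
        failures.append(f"antivirus signatures {claim.av_signature_age_days} days old")
    if claim.missing_critical_patches > 0:
        failures.append(f"{claim.missing_critical_patches} critical patches missing")
    return failures


def decide(claim: HealthClaim, policy: Policy, log: List[str]) -> Decision:
    """Enforcement role: log the compliance state in both modes, act on it only in isolation mode."""
    failures = validate(claim, policy)
    compliant = not failures
    state = "compliant" if compliant else "NONCOMPLIANT (" + "; ".join(failures) + ")"
    log.append(f"{claim.host}: {state}")
    if compliant or policy.mode == MONITOR:
        return Decision(claim.host, compliant, failures, PRODUCTION, ["*"])
    # Isolation mode: the client may reach only the remediation servers, if any.
    return Decision(claim.host, compliant, failures, RESTRICTED, list(policy.remediation_servers))


def remediate(claim: HealthClaim) -> HealthClaim:
    """What the remediation servers achieve: the client is brought into compliance
    and then reports its health again (simplified: every problem is assumed fixable)."""
    return HealthClaim(claim.host, firewall_on=True, av_signature_age_days=0,
                       missing_critical_patches=0)


def admit(claim: HealthClaim, policy: Policy, log: List[str]) -> Decision:
    """Full flow: evaluate; if quarantined and remediation is available, remediate and re-evaluate."""
    decision = decide(claim, policy, log)
    if decision.network == RESTRICTED and policy.remediation_servers:
        decision = decide(remediate(claim), policy, log)
    return decision


if __name__ == "__main__":
    # Constructed sample clients and policies.
    laptop = HealthClaim("laptop1", firewall_on=False, av_signature_age_days=30,
                         missing_critical_patches=2)
    desktop = HealthClaim("desk7", firewall_on=True, av_signature_age_days=1,
                          missing_critical_patches=0)
    for policy in (Policy(MONITOR, remediation_servers=["wsus.example.test"]),
                   Policy(ISOLATE, remediation_servers=["wsus.example.test"]),
                   Policy(ISOLATE)):
        log: List[str] = []
        for claim in (laptop, desktop):
            d = admit(claim, policy, log)
            print(f"[{policy.mode}] {d.host}: {d.network}, may reach {d.allowed_hosts}")
        print("  log:", log)
```

Two points the model makes visible. First, in monitoring-only mode a non-compliant laptop still lands on the production network; the only trace of the problem is the log line, so leaving a deployment in that mode is an audit trail, not a control. Second, the difference between "isolated segment with remediation servers", "a single resource" and "no access" is just the contents of `remediation_servers`: an empty list is the deny-all case from the text, and a quarantined client that cannot be fixed stays restricted for the whole connection.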