The most significant differences between Microsoft’s Network Access Protection architecture and the other NAC architectures you see in the iLabs stem from the fact that Microsoft does not make switches or routers. Therefore, the path for handling enforcement is different, focusing on server enforcement and standards-based switch enforcement. The original intent of MS-NAP was not security, but to find and quarantine non-compliant clients in the enterprise LAN. As the interest in NAC has increased, Microsoft has adjusted its architecture to include more enforcement mechanisms. In early 2007, the Trusted Computing Group (TCG) and Microsoft announced interoperability between TNC and NAP, thus opening the door for a single unified Network Access Control client.

It’s important to realize that MS-NAP is part of Microsoft’s Server 2008 product, previously codenamed Longhorn, and of Windows Vista. The soon-to-be-released Service Pack 3 for Windows XP will also include MS-NAP functionality.

Access Requestor in MS-NAP
Following the common NAC architecture, the Microsoft client side is broken into three parts. At the top are the System Health Agents, which collect end-point security information about the client, such as the state of the anti-virus software or whether the firewall has the right policy. Microsoft has provided a System Health Validator, and many third parties have declared their intent to provide System Health Validators of their own.

These agents are responsible for generating Statements of Health that can be used to assess end-point security. Tying the System Health Agents into the rest of the architecture is Microsoft’s Network Access Protection Agent, analogous to the IETF’s Client Broker component. Below the Network Access Protection Agent are Microsoft’s Enforcement Clients, which correspond to the Network Access Requestor. MS-NAP includes the 802.1X supplicant and VPN enforcement clients typically found in other architectures, but also offers a DHCP client as an enforcement option.

More important, though, is that Microsoft has defined the API connecting its three layers of Network Access Protection on the client. By creating an API that describes how the three pieces of the client fit together, Microsoft eliminates an enormous amount of risk and variability in the entire Network Access Control space. The Microsoft API gives third-party vendors a defined method for integrating their products into the MS-NAP solution. Even if Microsoft’s entire Network Access Protection product plans were jettisoned internally, the contribution of having these defined APIs shipping with Windows should not be underestimated.
