Microsoft Corp yesterday sketched out its plan to join the endpoint security policy enforcement market, with the announcement of Network Access Protection, a program backed by more than 25 partner companies.
Like Cisco Systems Inc’s Network Admission Control project, Microsoft’s NAP plans to enable networks to automatically quarantine computers that are not compliant with the organization’s security policies.
Introducing NAP at the Microsoft Worldwide Partner Conference in Toronto, Microsoft security boss Mike Nash said that the first Microsoft part of the system will come next year, with Windows Server 2003 Release 2.
NAP will be a system whereby Windows XP clients will be able to communicate information about their security status to Windows 2003 servers, which will check them for policy compliance before allowing full network access.
State information could include the current patch level of the machine, or whether the PC has up-to-date antivirus software installed. Machines not fully compliant could have their access limited to update or patch servers.
Companies in patch management, endpoint policy enforcement, antivirus, firewalls, routers and switches are expressing support for NAP. It’s not immediately clear how all these products will interact with NAP components.
Microsoft could not be reached for comment, but product documentation indicates two deployment options, one using Microsoft’s DHCP server and one using its VPN gateway, both of which are components of Windows Server 2003.
There’s no mention yet of 802.1x support, which is on Cisco’s NAC roadmap and is in current use by the likes of Sygate Inc and Zone Labs. The VPN deployment option would use PEAP, Microsoft’s Protected Extensible Authentication Protocol.
“The key thing we’ve done here is to make sure that we’ve designed this architecture to work with the environment customers have today,” Microsoft’s Nash said in Toronto. It will, however, require Windows clients and servers.
Partners said that NAP looks like less of a proprietary system than Cisco’s NAC, which is being built to work only with Cisco hardware. Cisco’s partner base for NAC is more restricted than Microsoft’s appears to be.
Many of the partners listed by Microsoft, such as Juniper, Foundry, McAfee, Symantec and Sygate, and Microsoft itself, are involved in a similar Trusted Computing Group initiative to create open standards to achieve the same goals as NAC and NAP.
The fact that there is such a crossover, and that Microsoft is involved in the TCG effort as well as its own program, suggests that the two projects could evolve in tandem, perhaps even merging in future.
“They could work together very tightly,” said Rod Murchison, senior director of product management at Juniper’s security division. “There’s actually a good opportunity for them not to come to different conclusions.”
Microsoft also said in its FAQ about NAP that it will “investigate with Cisco how we can best work together in this space.”