CTO Chronicles

Since the release of NAP compatible 2008 server ostensibly inaugurated this blog, I thought this week would be good time to revisit the big hairy beast that is Microsoft NAP.  While it's true that our (read: my) primary focus around infrastructure-based NAC is biased towards what the IETF ratifies, we remain NAP partners and continue to follow its progression.  One of the more common RSA questions, from press, analysts, and booth visitors was how we (specifically) and NAC pure plays (generally) compete with Microsoft NAP.  The answer, of course, is that we don't.  And the smart ones won't even try.  Here's why:

First, it's worth exploring what NAP is, what it isn't, and where its focus lies.  While some amount of "NAC is stupid/dead/bad" hay has been made over the number of NAC "Standards" offered, the truth is that CNAC, MS NAP, and TNC don't really differ by all that much.  They all look to leverage the initial authentication event to glean endpoint data characteristics; they all have a model for both granting and gating a level of network access based on the combination of endpoint characteristics and user identity; and they all have a fundamental presumption that the endpoint has the capability and willingness to run the endpoint software to make the declarations.  They presume what's connecting to your network are general purpose computing devices, with general purpose operating systems, managed by you, the IT organization.

Now, what's wrong with that model?  The answer, really, is nothing, so far as it goes.  Governing access to your network for your general-purpose computing assets is definitely a problem for you to solve.  MS NAP, with all of it's tradeoffs, is as likely to solve this problem for you as anything else is.  But controlling access for assets you *don't* own, as well for assets that you own but that are specialized in their function (printers, security cameras, cash registers, HVAC controllers, badge readers, the list goes on) is also a problem for you to solve.  Reasonable people can disagree over what percentage this is, and the percentage likely varies by vertical in any event, but that it is "some number greater than zero" is a slam dunk.

This is really where pure play vendors come in, and why (at least here) we openly welcome the advancements of NAP/TNC/NEA.  I've believed for a while now that you will govern your internally-owned desktops and laptops with something other than us.  Symantec.  McAfee. IBM.  Microsoft.  Juniper.  That's a good list; go to it.  But remember the "courage, serenity and wisdom" prayer?  You not only need a solution that brings governance to the class of non-managed (both unmanaged and unmanageable) devices, but you also need one that has the wisdom to know the difference.  The basic visibility of detecting and classifying what's connecting to your network is a tough thing to make a must have or to wrap ROI around (around which to wrap ROI?  Honestly, some times it's just better to end with a preposition).  But the truth is that discovery and classification do have value, and are critical pieces of any kind of reasonable NAC policy (They may be critical for an unreasonable NAC policy, but I try not to worry with such things).

So, what you get with NAP is governance for the Windows Vista and Windows XP SP3 devices that you own and administer.  What you don't get is governance for anything else.  That's a perfectly fair tradeoff, and a perfectly appropriate thing (I think) for Microsoft to go off and solve.  But what's left?  Why might you want some other (granted, integrated) NAC solution to help?  Here's why:

State:  What's on your network?  The importance of answering this basic question can't be overstated.  At least in all the environments I've ever had to manage, it's a moving target.  Minute by minute, second by second.  Which means that robust, real-time state of all devices is the first step.

Classification:  An extension of the above, this is where you get an additional level of detail about the endpoint, as well as when you split between, say "MS NAP" devices and "Non MS NAP" devices.

Post-Connect Monitoring:  Wheels within wheels.  This not only helps make your network safe by providing another layer (importantly, defined within the same management console, under the same policy construct), but it also gives some flexibility on making the front-end admission decision.  Reasonable people continue to disagree over whether organizations will accept a NAC policy that restricts at entry based on what many consider to be IT failures (firewall, patch, AV status), and Microsoft's own internal NAP deployment called out that tension.  A strong monitoring policy post-connect is the best way to cross that chasm.

Integrated Rollups and Status:  Duh

Enforcement:  Duh. See previous post and don't forget the C.