Access Quarantine Control. As I said then, NAQC is effectively the precursor to a much more capable quarantining service, called Network Access Protection, which won't be available until both Vista and Longhorn server are released. In this tip, I'll take a look at the differences and provide some guidance as to what you should be paying attention to and when.
The topic of network quarantining grows in importance each day. The giants in networking and software realize it and have begun releasing products and services that automatically defend your network against foreign threats that find themselves on the wrong side of the firewall (at least from your perspective as the systems administrator).
NAQC and NAP: The differences
The biggest difference between NAQC and NAP is scope: NAQC protects just against machines outside your perimeter that attempt to connect to your network. NAP does that, too, but it takes protection a step further by enforcing policies on computers directly connected to the LAN, including mobile computers that come back to the home office and that connect occasionally. This closes a serious loophole in NAQC coverage.
That's not the only refinement, however. Here is a chart so you can see at a glance the primary differences between the NAQC application that exists today and the set of features that are coming when you pair Windows Vista with Longhorn Server.
NAP (in Vista/Longhorn Server
Scope of protection
Remote access and VPN clients
Remote access and VPN clients plus computers connected to local network (complete protection)
Server: Windows Server 2003 Resource Kit Client: through Connection Manager profiles
Baked into server and client releases; no further installation necessary
Scope of service
Any existing client that supports Connection Manager profiles (not local clients)
Windows Vista clients, local or remote
Protection for remote clients available for all client platforms with a special connection profile
Only through custom sets of packet filters
Complete graphical interface for managing individual and group-based exceptions
NOTE: The features and capabilities of NAP as listed in this tip are as of this writing; of course, when it comes to Microsoft beta software, everything is subject to change before release, even up to the last minute.
Should you deploy NAQC now?
A lot of administrators are wondering whether to go ahead and deploy Microsoft's existing quarantining solution, NAQC, when there's clearly a superior release on the horizon. You might also be considering an investment in Cisco's quarantining solution, Network Access Control -- the primary selling point being hardware-based control of policies that isn't dependent on the operating system software.
In either case, my recommendation is not to wait. In terms of NAQC, for one, the probability that a remote user will infect your premises grows with each passing day, particularly as more locations where mobile users frequent offer unfettered, unfirewalled, completely insecure Internet access. Second, the protection offered to your mobile users can still continue with NAP in its current form, so you don't exactly lose by making the effort to deploy NAQC now. Finally, some security is better than none at all. The only cost of NAQC now is time; you have the tools you need that are freely available. Why not take advantage of them and introduce the concept of quarantining in your organization? In terms of deploying Cisco's solution, consider your investment well protected. NAP and NAC are fully interoperable and compatible.
Either way, deploying quarantining services now will make the transition to full-blown NAP even easier when both Windows Vista and Longhorn Server are finally commercially available.
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
No problem! Submit your e-mail address below. We'll send you an email containing your password.
Your password has been sent to:
Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
Value-added resellers and service providers interested in reselling Aruba networking hardware and software can learn the benefits of becoming an Aruba Networks partner with this standardized checklist. Compare Aruba's reseller partner program with other vendors' offering similar products.