Microsoft's jump into client inspection and isolation technology will need cooperation with third parties and integration with multi-vendor software and hardware packages for customers to see the full benefits, according to users and analysts.
Microsoft (MS) has introduced Network Access Protection (NAP), a set of technologies for creating a standards-based mechanism to verify client desktops are securely configured with updated antivirus signatures and patches before allowing network access. MS unveiled a set of APIs it hopes to standardise, a Policy Connection Server that will ship next year in an upgraded version of Windows Server 2003 and 25 partners in the NAP project, including antivirus, firewall, policy management, patch management and network vendors.
“As long as Microsoft just talks about APIs it will help the market, but if they start to talk about and build products, it freezes the market,” Spire Security analyst, Pete Lindstrom, said. “There is enough skepticism around Microsoft security, however, that there should be plenty of third-party software to provide checks and balances.”
NAP, which only works with Windows XP desktops, is strikingly similar to technology Cisco Systems unveiled last year called Network Admission Control (NAC). Initially NAC is used to monitor compliance, but eventually it will evaluate desktops and devices, provide quarantine services, incorporate VPN concentrators and firewalls, and automatically shut down rogue machines.
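The admission decision that both NAP and NAC describe (check a client's reported antivirus and patch state against policy, then grant access or quarantine it) is shown below as an added Python example; it is not Microsoft's or Cisco's code, and the policy fields, thresholds, placeholder patch identifiers and the quarantine-with-remediation model are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed policy: what a client must report to be admitted.
# Patch identifiers are placeholders, not real update numbers.
POLICY = {
    "max_signature_age_days": 7,
    "required_patches": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
    "firewall_required": True,
}

@dataclass
class HealthStatement:
    """What the client-side agent reports about its own configuration.
    It is self-reported, so the decision is only as trustworthy as the agent."""
    host: str
    av_signature_date: date
    installed_patches: set
    firewall_enabled: bool

@dataclass
class Decision:
    access: str                       # "full" or "quarantine"
    remediation: list = field(default_factory=list)

def evaluate(stmt: HealthStatement, policy: dict, today: date) -> Decision:
    """Compare a health statement with policy; any failure means quarantine."""
    findings = []
    age = (today - stmt.av_signature_date).days
    # A signature date in the future (clock skew or a tampered report)
    # must not be treated as fresh, so it is handled as non-compliant.
    if age > policy["max_signature_age_days"] or age < 0:
        findings.append(f"update antivirus signatures (reported age {age} days)")
    missing = policy["required_patches"] - stmt.installed_patches
    if missing:
        findings.append("install patches: " + ", ".join(sorted(missing)))
    if policy["firewall_required"] and not stmt.firewall_enabled:
        findings.append("enable host firewall")
    if findings:
        return Decision("quarantine", findings)
    return Decision("full")

if __name__ == "__main__":
    today = date(2004, 7, 14)  # constructed evaluation date
    clients = [
        HealthStatement("desk-01", date(2004, 7, 10), {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, True),
        HealthStatement("desk-02", date(2004, 6, 1), {"KB-EXAMPLE-1"}, False),
    ]
    for c in clients:
        d = evaluate(c, POLICY, today)
        print(c.host, d.access, d.remediation)
```

A quarantined client would be placed on a restricted network segment that reaches only the remediation (patch and signature update) servers until a fresh statement passes the same check.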
Check Point Software, Citadel Security Software, EndForce, Enterasys Networks, Sygate Technologies and WholeSecurity also have similar technology to control misconfigured or malicious clients.
Sygate, EndForce and Enterasys are partnering with Microsoft.
Whatever Microsoft's ultimate intentions, users have said the NAP technology must work with more than just Windows-based systems. A battle for control seems to be brewing between Cisco and Microsoft.
“Microsoft has copied Cisco's strategy announced last year, and the enterprise may get stuck in the middle,” Gartner analyst, John Pescatore, said. “They will be forced to interoperate but if it takes the market to force interoperability it will slow down this technology.”
Microsoft is in discussions with Cisco but the vendor is not a partner in NAP, according to director of marketing for Windows server at Microsoft, Steve Anderson.
However, Pescatore said Microsoft and Cisco were going in different directions – with the implementation of 802.1X and the Protected Extensible Authentication Protocol – instead of making them compatible.
Anti-virus vendors McAfee, Symantec and Trend have partnered with Cisco and Microsoft.
Enterasys' Trusted End-System combines the vendor's hardware with assessment software from Check Point and Sygate. McAfee has worked with Nortel Networks Corp. and Check Point to ensure their VPNs can validate that a user has the appropriate anti-virus signature updates before granting access.
The Trusted Computing Group this fall plans to publish a technical specification called Trusted Network Connect for checking antivirus and patch compliance in multi-vendor environments.