Microsoft Unveils Network Access Protection, APIs For Next WinServer


Microsoft aims to rally the industry around its new network access protection (NAP) architecture and related set of APIs for the next Windows Server, even as it prepares two enhanced security frameworks for future Windows releases.

At its Worldwide Partner Conference in Toronto, Microsoft said it plans to establish NAP as an industry standard. The technology, previously described by some executives as Active Defense technology, is designed to give end users secure access to the corporate network and IT administrators a way to set policies and detect the "health" and security configurations of incoming PCs, laptops and handhelds.

Looking beyond NAP, the software giant also is developing two major security enhancements for Windows, including Next Generation Authentication and Authorization (NGNZ) and Application Security (AppSec) frameworks, sources familiar with the plans said.

The momentum behind NAP is already substantial. More than 25 security, firewall, patch management and networking ISV partners--including Symantec, Trend Micro, Citrix, Shavlik and Juniper Networks--announced support for the NAP architecture and application programming interfaces (APIs) planned for the next Windows Server upgrade, code-named R2 and due out in late 2005.

Though Cisco Systems was noticeably absent from the list of NAP-supporting ISVs, Microsoft hinted that a deal is close. Microsoft is in "deep negotiations" with the networking giant on a variety of security areas, including quarantine, VPN, wireless and wired technology, said Steve Anderson, a product marketing manager in Microsoft's Windows Server group.

Microsoft systems integration partners Avanade, Cap Gemini and PricewaterhouseCoopers have signed up to provide NAP services.

Designed to secure the perimeter around the corporate network, the technology is music to the ears of many Microsoft solution providers in the enterprise and midmarket spaces. Still, many wish NAP would come before the next Windows Server code late next year.

"Customers asked us for this a year ago, but Cisco was the only company that provided a solution," said Ted Dinsmore, president of Conchango, a New York-based solution provider. "But this should be a higher priority than getting it out in the R2 time frame. This should be released as soon as possible."

The software will check applications and firewalls against a set of IT or partner-defined policies before opening the gate to the network. In addition to network policy validation, the technology also restricts noncompliant client machines to another site where patch and virus updates from third-party ISVs can bring the client back to health, Microsoft said.

The NAP architecture resides on Microsoft's implementation of the RADIUS protocol in Windows Server, called Internet Authentication Server (IAS). The NAP APIs will be built into the dial-up authentication server and policy authority.

Third-party policy providers--including leading antivirus, firewall, policy management, patch management and networking vendors--will support the Network Access Protection solution, Microsoft said.

The policy coordinator server enforces policies set by administrators. For example, it would prevent access by any laptop that isn't equipped with appropriate patches or critical updates. Such a solution would have prevented destructive viruses and worms, such as Sasser and Blaster, from spreading throughout many networks, according to Microsoft.
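As an added illustration (not Microsoft's NAP API and not code from the article), here is a small Python model of the check-and-quarantine flow described above: a connecting client reports its health state, a policy server compares it with administrator-defined rules, and a non-compliant client is steered to remediation servers for patches and virus updates instead of simply being refused. The field names, thresholds and hostnames are constructed assumptions; the one design point worth noting is that attributes a client fails to report are treated as failures, so a missing or silent agent cannot obtain full access.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Tuple

FULL_ACCESS = "full"
RESTRICTED = "restricted"

# Where a restricted client is pointed for each kind of failure
# (constructed placeholder hostnames, not from the article).
REMEDIATION = {
    "patch": "patch-server.remediation.example",
    "antivirus": "av-update.remediation.example",
    "firewall": "policy-help.remediation.example",
}


@dataclass
class HealthStatement:
    """What a client reports about itself on connect (constructed fields)."""
    host: str
    patch_level: Optional[int]        # None = client could not report it
    antivirus_on: Optional[bool]
    signature_age_days: Optional[int]
    firewall_on: Optional[bool]


@dataclass
class Policy:
    min_patch_level: int
    max_signature_age_days: int
    require_firewall: bool = True


@dataclass
class Decision:
    host: str
    access: str
    findings: List[Tuple[str, str]] = field(default_factory=list)

    def remediation_servers(self) -> List[str]:
        """Unique remediation servers for this client, in first-seen order."""
        seen: List[str] = []
        for category, _ in self.findings:
            server = REMEDIATION[category]
            if server not in seen:
                seen.append(server)
        return seen


def evaluate(soh: HealthStatement, policy: Policy) -> Decision:
    """Compare a client's health statement with the policy.

    Any attribute the client did not report counts as a failure (fail closed),
    so a tampered or absent agent cannot pass by staying silent.
    """
    findings: List[Tuple[str, str]] = []
    if soh.patch_level is None or soh.patch_level < policy.min_patch_level:
        findings.append(("patch", f"patch level {soh.patch_level} below required {policy.min_patch_level}"))
    if not soh.antivirus_on:
        findings.append(("antivirus", "antivirus not running or not reported"))
    elif soh.signature_age_days is None or soh.signature_age_days > policy.max_signature_age_days:
        findings.append(("antivirus", "antivirus signatures stale or unknown"))
    if policy.require_firewall and not soh.firewall_on:
        findings.append(("firewall", "host firewall off or not reported"))
    access = FULL_ACCESS if not findings else RESTRICTED
    return Decision(soh.host, access, findings)


# Constructed sample policy and clients: one healthy laptop, one with an old
# patch level and stale signatures, one handheld that reports nothing.
POLICY = Policy(min_patch_level=3, max_signature_age_days=7)
SAMPLE_CLIENTS = [
    HealthStatement("laptop-01", patch_level=3, antivirus_on=True, signature_age_days=1, firewall_on=True),
    HealthStatement("laptop-02", patch_level=2, antivirus_on=True, signature_age_days=12, firewall_on=True),
    HealthStatement("handheld-03", patch_level=None, antivirus_on=None, signature_age_days=None, firewall_on=None),
]


def triage(clients, policy=POLICY):
    """Evaluate every connecting client and return decisions keyed by host."""
    return {c.host: evaluate(c, policy) for c in clients}


if __name__ == "__main__":
    for host, decision in triage(SAMPLE_CLIENTS).items():
        print(host, decision.access, decision.remediation_servers())
```

Running the block prints one line per client; laptop-01 gets full access, while the other two are restricted and listed with the remediation servers they should reach before being re-checked.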

Windows XP Service Pack 2 and NAP are grouped in one of five pillars of Microsoft's next-generation security framework and are intended to provide isolation and resiliency.

Beyond NAP, the NGNZ framework under development would extend authentication in Windows past the corporate domain to any device and support roles and delegation. AppSec, which is designed to eradicate viruses and spyware, would bring application access control to Windows, providing authentication and isolation for applications entering the network, sources said.

Microsoft is still trying to make good on year-old promises to make the current Windows more secure by default. At the vendor's partner conference last October, CEO Steve Ballmer formally announced plans to release the security-focused Windows XP Service Pack in the first half of 2004 and later unveiled plans to offer features in the server code to protect the network perimeter.

This week, Microsoft formally announced that its delayed Windows XP SP2 will be released to manufacturing in August, with OEM shipments and general availability in the fourth quarter of 2004. The NAP technology, however, isn't expected out until the second half of 2005.

Microsoft also announced the general availability of its ISA 2004 firewall Standard Edition, but it acknowledged that the ISA 2004 Enterprise Edition won't be ready until later this year.

Moreover, the Windows Update Services patch management server code--formerly known as SUS 2.0--has been delayed until the first half of 2005, executives also said this week. It was originally due in mid-2004.

Only one VPN company, SyGate, announced support for Microsoft's NAP. Microsoft acknowledges that it currently has a VPN quarantine function that exists as an undocumented API in the Windows Server 2003 server code. The company will expose and document that VPN quarantine feature in the upcoming Windows Server 2003 Service Pack 1. Its inclusion would enable developers to limit or define policies for remote users coming in on a VPN.

Microsoft executives said the company intends to make the NAP technology robust and straightforward for IT administrators to implement at customer sites, but it won't be an out-of-the-box solution. That will give service providers additional security opportunities, they noted.

"It's not a turnkey solution," Anderson said.