Microsoft technology needs others' help

By John Fontana, Network World
July 19, 2004 12:14 AM ET

Microsoft's jump into client inspection and isolation technology will need cooperation with third parties and integration with multi-vendor software and hardware packages for customers to see the full benefits, users and analysts say.

Microsoft last week introduced Network Access Protection (NAP), a set of technologies for creating a standards-based mechanism to verify client desktops are securely configured with updated anti-virus signatures and patches before allowing network access. Microsoft unveiled a set of APIs it hopes to standardize, a Policy Connection Server that will ship next year in an upgraded version of Windows Server 2003 and 25 partners in the NAP project, including anti-virus, firewall, policy management, patch management and network vendors.

"As long as Microsoft just talks about APIs it will help the market, but if they start to talk about and build products, it freezes the market," says Pete Lindstrom, an analyst with Spire Security. "There is enough skepticism around Microsoft security, however, that there should be plenty of third-party software to provide checks and balances."

NAP, which works only with Windows XP desktops, is strikingly similar to technology Cisco unveiled last year called Network Admission Control (NAC). Initially NAC is used to monitor compliance, but eventually it will evaluate desktops and devices, provide quarantine services, incorporate VPN concentrators and firewalls, and automatically shut down rogue machines.

Check Point, Citadel, EndForce, Enterasys Networks, Sygate and WholeSecurity also have similar technology to control misconfigured or malicious clients. Sygate, EndForce and Enterasys are partnering with Microsoft.

Users say that whatever Microsoft's ultimate intentions, the NAP technology must work with more than just Windows-based systems.

"Anything that works on Microsoft servers is all well and good, but that doesn't cover the breadth of our corporate network," says George Defenbaugh, manager of global IT infrastructure projects for petroleum company Amerada Hess in Houston. He says because Microsoft is not considering Linux and Unix platforms, his company is evaluating this type of technology at the router level because those devices ultimately see the entire network.

"But we would like to use Microsoft's Active Directory as the policy repository because it is pervasive on our network," he says.

A battle for control seems to be brewing between Cisco and Microsoft.

"Microsoft has copied Cisco's strategy announced last year, and the enterprise may get stuck in the middle," says John Pescatore, an analyst with Gartner. "They will be forced to interoperate but if it takes the market to force interoperability it will slow down this technology."

Microsoft is in discussions with Cisco but the vendor is not a partner in NAP, according to Steve Anderson, director of marketing for Windows server at Microsoft.

However, Pescatore says Microsoft and Cisco are going in different directions - with the implementation of 802.1X and the Protected Extensible Authentication Protocol - instead of making them compatible.
