The low-down on NAC, Windows-style

Microsoft's Network Access Protection has its shortcomings, but earns praise from our tester for Windows shops

Network World has completed a massive test of 12 network access control systems including the one from Microsoft known as Network Access Protection. NAP is certainly not the most functional NAC implementation we tested, says tester Joel Snyder, "but it has a huge advantage over every other strategy: it's built-in to Windows. Savvy network managers will look for ways to work around NAP's weaker spots, while taking advantage of the strong parts of the architecture, such as the built-in client and easy integration with Windows."

NAP is based on a Windows-only client that combines endpoint security checking with optional authentication. Out-of-the-box, the Microsoft NAP client uses Windows Security Center for its health check, giving a fairly basic set of endpoint security checks — anti-virus, anti-spyware, firewall, automatic patching. However, the NAP client’s health check can be swapped for any third-party health checker that is NAP compatible.

Ultimately, however, NAP on its own is best used only with and between Windows machines -- which only goes so far. This is not a condemnation of Microsoft. Microsoft includes a lot of network technology in Windows that works between the pieces it can control, client and server. Another example is the VPN-alternative DirectAccess, which works between Windows 7 and Windows Server 2008 R2. I don't think that Microsoft is obligated to try to make every technology feature a plug-and-play industry standard, particularly in the network access control market -- where all the NAC vendors are doing their own thing.

When it first embarked on NAC, Microsoft did attempt to line up a broad coalition of third-party support that would take its basic Windows implementation and extend it. Microsoft still names dozens of vendors to its list of third-party NAP partners.

But if your goals for a NAC deployment include securing devices other than Windows clients, and doing more fine-grained work with policies, then is one of the other products we reviewed a better choice? Alas, none of the ones we tested is perfect, Snyder concludes. When looking at NAC from a security point of view, he heavily favors ones that use 802.1X, including Avenda eTIPS, Enterasys NAC and Juniper UAC.

But there are those who will want to dabble with NAP first. You may, for instance, mostly worry about viruses brought in from the device most likely to bring them in, the Windows PC. In that case, Microsoft NAP "is an obvious winner, as is any solution that lets us build on what we get for free from Microsoft," he finds.

More from our NAC tests

To quickly get the pros and cons of each of the 12 products tested, check out the test in slideshow format: Network access control in a nutshell. See also the Ultimate guide to network access control products. The Microsoft NAP review can be found here.

For an in-depth look at each individual product, start at the


Follow Julie Bort on Twitter

Copyright © 2010 IDG Communications, Inc.