First pieces coming next year for servers, clients

Microsoft Tuesday finally laid bare details of its plans to create an isolation technology that lets corporations block infected or misconfigured clients from accessing a network.

At its annual Worldwide Partner Conference in Toronto, the company introduced Network Access Protection (NAP), a broad set of technologies for creating a standards-based, multi-vendor mechanism to verify that a client desktop is secure before allowing network access.

Microsoft also announced 25 partners in the project including anti-virus, firewall, policy management, patch management and network vendors.

Cisco, which is working on a similar technology called Network Admission Control, is not one of Microsoft’s partners.

The NAP technology will check for virus signatures and patch levels as a way to assess the “health” of a desktop. The client’s “health” would be validated against a set of policies, and clients that do not pass could be put into an isolation area where they would be updated to comply with policies and eventually gain network access.

Microsoft plans to deliver in the first half of next year as part of its Windows Server 2003 Update, codenamed R2, a Policy Connection Server that will be built into the server operating system and act as a sort of mediator that enforces network policies on access control. A key component is a policy store that will be added to Microsoft’s Internet Authentication Service (IAS), which is an implementation of the RADIUS protocol. The store will house IT-defined policies such as mandatory checks of current patch levels. The Policy Server also includes a set of APIs that would allow other vendors to link their products to the server.

Microsoft plans to eventually publish the APIs as a set of industry standards. Company officials said candidates for submission of the APIs include the Trusted Computing Group (TCG) or the IEEE.
Microsoft is currently a member of TCG, which this fall plans to publish a technical specification called Trusted Network Connect for use in multi-vendor environments for compliance checks for virus and patch updates.

“The goal is to get IT more control to enforce network policies on the machines coming on to a network,” says Steve Anderson, director of marketing for Windows server at Microsoft. Anderson said the technology will be flexible in allowing IT to set access controls per user or per group of users.

“This type of technology could drive a lot of support calls so we are spending a lot of time on the user experience,” Anderson says. He said end-users would see pop-up windows that show the progress of virus and patch assessments and upgrades.

Users also will have to install code on their Windows XP desktop machines to support NAP. Microsoft plans to support network access requests using a VPN and the Protected Extensible Authentication Protocol (PEAP). The company has yet to decide if 802.1x and IPSec support will make it into R2 or will come out with Longhorn in 2007, and whether NAP will support Windows 2000 desktops.

Isolation and resiliency have become cornerstone principles in Microsoft’s security business and technology division. The company plans to release the first taste of the technology in Windows Server 2003 Service Pack (SP) 1 later this year. The service pack will support VPN quarantine, but users will have to write their own rules and scripts in order to support the feature.
In the Policy Server coming in R2 next year, all that will be hidden behind a point-and-click user interface, plus users will be able to enforce policies and update clients, as well as integrate third-party software.

But Microsoft says any rules created with SP1 won’t be compatible with NAP, which is viewed as the replacement for SP1’s VPN quarantine features.

A number of smaller software vendors, including Citadel, Sygate and WholeSecurity, already have security policy-compliance products. McAfee has worked with Nortel and Check Point, for instance, to ensure their VPNs can validate that a user has the appropriate anti-virus signature updates before letting the user access the corporate network.

Both Sygate and McAfee are partnering with Microsoft on the NAP initiative.

In addition, Microsoft also announced the general availability of its Internet Security and Acceleration Server 2004 and that HP is the first to ship a device based on the software, the HP ProLiant DL320 Firewall/VPN/Cache Server.

Microsoft also said it is making available a cleaner tool for the Download.Ject exploit that has plagued Internet Information Services and Internet Explorer.