LAS VEGAS, Nev., May 21, 2007 – This week at the Interop 2007 trade show, Microsoft announced that the company’s Network Access Protection (NAP) technology will be interoperable with the Trusted Computing Group’s (TCG) Trusted Network Connect (TNC) Network Access Control standard, which includes the NAC standards for Juniper Networks. This announcement represents a significant breakthrough for companies with diverse infrastructures and user needs. With this level of interoperability, companies can deliver access to users at any time from anywhere, save money, and simplify and improve network security management. Microsoft also announced the upcoming public beta of Intelligent Application Gateway (IAG) 2007 SP1, which contains some key enhancements to Microsoft’s SSL VPN solution.
Henry Sanders, General Manager, Core Networking and Collaboration Group, Windows Networking.
For some perspective, we turned to a longtime networking expert at Microsoft, Henry Sanders, a Microsoft Distinguished Engineer and the general manager of the Core Networking and Collaboration group in Windows Networking.
PressPass: What do customers want in regards to network security?
Henry Sanders: IT departments have users who seek a consistent connected experience, regardless of their location, the device they use, or the networks they traverse. At the same time, IT organizations need to deliver this seamless-access experience without compromising security or increasing complexity. In simple terms: it just works, works securely, and at a lower cost. Microsoft, driven both by these customer requirements as well as the needs of its own IT organization, is investing in solutions to deliver upon this vision of secure and seamless networking. One of the key components of that vision is NAP. Another is our SSL VPN product, the Intelligent Application Gateway (IAG) 2007.
PressPass: What are “NAP” and “NAC,” what do these terms mean, and why are they important to IT?
Sanders: “Network Access Control” is a generic term that refers to a client/server method of ensuring proper health “posture” or “state” of endpoints before they can connect to a computer network. NAC systems usually include a policy server that checks the health state of a client attempting to connect to a network for things like up-to-date antivirus signatures or operating system patches. The NAC system can then limit access and/or remediate a device that does not meet minimum health requirements.
Microsoft understands the importance of protecting networks from computers that do not meet corporate security policy, regardless of whether the devices connect via a remote access gateway or locally via a wired or wireless LAN. This level of infrastructure protection will become a fundamental requirement for all IT organizations, and, in order to help our customers, Microsoft has developed a NAC solution called Network Access Protection (NAP).
Microsoft’s NAP is a policy-enforcement platform built into Microsoft Windows Vista, Windows Server 2008 and Windows XP (update now in beta testing). NAP enables customers to better protect network assets by enforcing compliance with system health requirements. With NAP, customers can create customized health policies to validate computer health before allowing access or communication, automatically update clients to ensure ongoing compliance, and, optionally, confine noncompliant computers to a restricted network until they become compliant.
PressPass: Tell us more about this announcement. What does it mean for network administrators?
Sanders: To put this into perspective, there are three primary NAC architectures: Microsoft’s NAP, the Trusted Computing Group’s Trusted Network Connect (TNC), and Cisco’s Network Admission Control, or C-NAC. In September, Microsoft announced an interoperability agreement with Cisco’s NAC solution. This week at the Interop trade show, Microsoft announced that NAP would now be interoperable with the Trusted Computing Group’s TNC. The TNC agreement makes NAP’s Statement of Health (SoH) protocol, included in Windows Vista, the standard client-server communication protocol within TNC. We are very excited because, with this announcement, Microsoft’s NAP is now interoperable with the two other primary NAC architecture solutions, TNC and Cisco’s NAC.
The SoH protocol now allows “client standardization,” as organizations can now standardize on the SoH client protocol, regardless of their NAC infrastructure. The SoH client is available in Windows Vista, will be available in the next service pack of Windows XP, and is available through NAP partners for non-Microsoft operating systems. One of our NAP partners, Avenda Systems, is releasing a NAP client for the Linux operating system at Interop. The broad level of interoperability removes a major adoption barrier by providing investment protection, because organizations can deploy NAP into their existing infrastructure without having to rip and replace their existing investments. The two key components of NAP, Windows Vista and Beta 3 of Windows Server 2008, are available now for companies to deploy and test.
PressPass: How does NAP fit into Microsoft’s networking vision?
Sanders: NAP’s integration as an industry standard is also an important milestone in advancing the vision of secure and easy “anywhere access” announced by Bill Gates at the RSA trade show in February 2007, as well as Microsoft’s ongoing “Interoperability by Design” initiative.
“Anywhere Access” is Microsoft’s call to action to design systems and processes that give people and organizations a high degree of confidence that the technology they use will protect their identity, their privacy, and their information. People increasingly want anywhere access that is easy to use and manage, with seamless, connected experiences that extend across networks and devices, so they can access, share, and use corporate and personal information without fear that it will be compromised, stolen, or exploited. NAP helps advance this vision by helping keep malware off networks, helping keep computers connecting to networks more healthy, and facilitating connections between networks.
“Interoperability by Design” is Microsoft’s approach to interoperability, where Microsoft strives to bring technologies to market in a way that balances competitive innovation with an ability to connect unique systems and applications. As a result, technologies such as XML and web services, among many others, have evolved as industry standards, and the NAP SoH is now emerging as Microsoft’s latest contribution to industry standards.
PressPass: Can you tell us about the Intelligent Application Gateway product?
Sanders: The Intelligent Application Gateway (IAG) 2007 features Application Optimizers, SSL VPN, a Web application firewall, and endpoint security management that enables access control, authorization and content inspection for a wide variety of line-of-business applications. Together, these technologies provide mobile and remote workers with easy and flexible security-enhanced access from a broad range of devices and locations including kiosks, PCs and mobile devices. IAG also enables IT administrators to enforce compliance with application and information usage guidelines through a customized remote access policy based on device, user, application or other business criteria.
PressPass: What’s new in this release of IAG?
Sanders: SP1 of IAG 2007 offers support for Windows Vista, which will extend to Windows Vista clients IAG 2007’s superb endpoint compliance tools, including Download Manager, which helps enforce document and browser download policies based on user identity, location and end-point profile to avoid misuse of corporate data, and Attachment Wiper, the IAG 2007 cache cleaner, which helps ensure that sensitive data is wiped from mobile clients when users close their sessions.
IAG 2007 improvements to enterprise integration include remote access support for Active Directory Federation Services (ADFS), which enables organizations to securely share a user's identity information across organizational boundaries. Other improvements include performance increases of up to 100% in certain HTTP deployment scenarios, and support for Kerberos Constrained Delegation (KCD), which simplifies authentication based on a broader set of client credentials.