Guest Aaron, posted October 29, 2008

We've been having problems with our outside clients who come in to our company and connect to our network when they are in the office. Does NAP prevent the unauthorized laptops from connecting to the network by not giving them an IP address?
Guest PA Bear [MS MVP], posted October 30, 2008

[No, only puce laptops.]

Aaron wrote:
> We've been having problems with our outside clients who come in to our
> company and connect to our network when they are in the office. Does NAP
> prevent the unauthorized laptops from connecting to the network by not
> giving them an IP address?
Guest MowGreen [MVP], posted October 30, 2008

ROTFLMAO

PA Bear [MS MVP] wrote:
> [No, only puce laptops.]
>
> Aaron wrote:
>> We've been having problems with our outside clients who come in to our
>> company and connect to our network when they are in the office. Does NAP
>> prevent the unauthorized laptops from connecting to the network by not
>> giving them an IP address?
Guest Alun Jones, posted November 2, 2008

"Aaron" <Aaron@Utifix.uk> wrote in message news:uIP5XHiOJHA.1172@TK2MSFTNGP03.phx.gbl...
> We've been having problems with our outside clients who come in to our
> company and connect to our network when they are in the office. Does NAP
> prevent the unauthorized laptops from connecting to the network by not
> giving them an IP address?

Partly yes, and partly no.

NAP has many different enforcement points. The four that come out of the box are IPsec, VLAN (802.something), DHCP and VPN.

With an IPsec configuration, machines on the network can be configured so as not to talk to hosts that don't have a valid system health certificate assigned through a NAP server based on the system health report provided by the client.

With a VPN configuration, access through the VPN router can be controlled and limited depending on the system health reported to the VPN router and passed to the NAP server.

VLAN support is roughly similar in effect.

With a DHCP configuration, the DHCP server will assign IP addresses based on the system health report, placing the requesting client either on the full network or in a limited network.

That sounds like it protects you, but there are caveats:

1. Your network must have a plan for those systems that don't support NAP - Linux machines, handhelds, old versions of Windows, etc. Often, this plan is "full access", which means that NAP can't really prevent bad machines from getting access.

2. Even on those machines that support NAP, the system health report is generated by code on the machine. So, a subverted machine may very well have had its NAP client subverted, and be issuing false statements that imply the system is not subverted. Rather like having quarantine against the plague by asking people "do you have the plague?" - all it takes is for someone to successfully lie, and your quarantine is breached.

That sounds pretty awful, but it's not - the goal should be to use NAP to coerce your network's members to maintain good virus protections, so that they don't become infected in the first place, and that way you don't have to worry (as much) about keeping out infected systems.

Alun.
~~~~
--
Texas Imperial Software   | Web: http://www.wftpd.com/
23921 57th Ave SE         | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.
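The DHCP enforcement model Alun describes, together with his two caveats, can be made concrete with a small policy simulation. This is an added example written for this thread, not code from Alun, from Microsoft, or from the NAP product; the Statement of Health fields, address pools and MAC addresses are all constructed, and a real NAP deployment validates the SoH through System Health Validators on the NPS server rather than with the toy checks below. The point it shows is that the server's decision is only as good as two things: its explicit policy for clients that cannot present a health report (caveat 1), and the honesty of the client that does present one (caveat 2), which the report itself cannot prove.

```python
# Added example (not from the thread): a toy model of NAP-style DHCP
# enforcement. The DHCP server leases from the full-network pool when the
# client's health report passes, and from a limited pool otherwise. The two
# caveats from the post appear as explicit policy decisions:
#   1. clients that cannot present a health report need a default policy;
#   2. the report is self-asserted, so a compromised client can simply claim
#      to be healthy and the server cannot tell from the report alone.
# SoH fields, pools and MAC addresses below are constructed for this example.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import ipaddress


class Scope(Enum):
    FULL = "full-network"
    RESTRICTED = "restricted-network"   # remediation servers only


@dataclass(frozen=True)
class StatementOfHealth:
    """Self-reported health claims (constructed fields, not the real SoH format)."""
    firewall_enabled: bool
    av_signatures_age_days: int


@dataclass
class Policy:
    max_signature_age_days: int = 7
    # Caveat 1: what to do with clients that never send an SoH (Linux, handhelds,
    # old Windows). RESTRICTED is the safer default; sites that choose FULL here
    # have exactly the gap the post describes.
    nap_incapable_default: Scope = Scope.RESTRICTED
    # Explicit exemptions for known non-NAP devices, keyed by MAC address.
    exempt_macs: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Lease:
    address: str
    scope: Scope
    reason: str


FULL_POOL = ipaddress.ip_network("10.0.10.0/24")          # constructed
RESTRICTED_POOL = ipaddress.ip_network("10.0.99.0/24")    # constructed


def validate_soh(soh: StatementOfHealth, policy: Policy) -> list[str]:
    """Return the failed health checks; an empty list means compliant."""
    failures = []
    if not soh.firewall_enabled:
        failures.append("firewall-disabled")
    if soh.av_signatures_age_days > policy.max_signature_age_days:
        failures.append("av-signatures-stale")
    return failures


def assign_lease(mac: str, soh: Optional[StatementOfHealth],
                 policy: Policy, host_index: int) -> Lease:
    """Choose the pool a DHCP client is leased from: full network when the
    report is compliant, limited network otherwise, policy default if absent."""
    if soh is None:
        if mac.lower() in policy.exempt_macs:
            scope, reason = Scope.FULL, "nap-incapable-but-exempt"
        else:
            scope, reason = policy.nap_incapable_default, "nap-incapable-default"
    else:
        failures = validate_soh(soh, policy)
        if failures:
            scope, reason = Scope.RESTRICTED, ",".join(failures)
        else:
            # Caveat 2: "compliant" only means the client *said* so.
            scope, reason = Scope.FULL, "soh-compliant-as-claimed"
    pool = FULL_POOL if scope is Scope.FULL else RESTRICTED_POOL
    return Lease(str(pool.network_address + host_index), scope, reason)


def run_demo(policy: Policy) -> dict[str, Lease]:
    """Constructed DHCP requests: a healthy client, a stale one, a non-NAP
    device, and a subverted client presenting a false but well-formed SoH."""
    requests = [
        ("00:11:22:33:44:01", StatementOfHealth(True, 2)),
        ("00:11:22:33:44:02", StatementOfHealth(False, 30)),
        ("00:11:22:33:44:03", None),                        # handheld, no NAP client
        ("00:11:22:33:44:04", StatementOfHealth(True, 0)),  # subverted box, lying
    ]
    return {mac: assign_lease(mac, soh, policy, 10 + i)
            for i, (mac, soh) in enumerate(requests)}


if __name__ == "__main__":
    for mac, lease in run_demo(Policy()).items():
        print(f"{mac} -> {lease.address} ({lease.scope.value}: {lease.reason})")
```

Running it with the default policy lands the handheld in the restricted pool and the lying client in the full pool; flipping `nap_incapable_default` to `Scope.FULL` reproduces the "full access" plan from caveat 1, and nothing in the policy can catch the fourth client, which is caveat 2.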
Guest Robert Moir, posted November 13, 2008

Aaron wrote:
> We've been having problems with our outside clients who come in to our
> company and connect to our network when they are in the office.

Simple solution:

Don't have unused network ports sitting there active.

Use decent wireless security to stop people 'just connecting' that way.