Microsoft, McAfee offer improved network controls
Getting every security system on a single network to work together end-to-end seems like a never-ending challenge.
That's one of the issues Microsoft technology specialists were trying to address in the D.C. market, among others, last week. Microsoft was in town, along with more than two dozen partner vendors at the Walter E. Washington Convention Center, as part of the launch activities for last month's debuts of Microsoft's 2008 editions of Windows Server and Visual Studio, and the nearly ready SQL Server.
Among them were federal government specialists Rob Campbell and Rhys Ziemer, who sat down with GCN to make their case for why Windows Server 2008 offers superior security and virtualization features.
A central part of Windows Server 2008's security approach is its new Network Access Protection (NAP) feature that makes it easier for administrators to set the conditions that permit client machines to connect to a network, including machines that run on non-Microsoft operating systems such as Linux.
The problem, until recently, has been getting unified actions from a variety of routers, antivirus software and other third-party products, each of which had its own method for verifying security controls.
NAP relies on a combination of security agents and validators that interact with the agents and servers of third-party vendors, in an orchestrated fashion. Agents monitor the health of clients, checking for the presence of viruses and spyware, the currency of virus definition files, patches and scans, and for altered registry settings and other signs of system infections. Validators compare the reports to a pre-established set of response policies and aid in access control.
McAfee is among the first of a number of third-party companies to roll out a new beta release, called McAfee Network Access Control 3.0, designed to support NAP on Windows Server 2008 and Vista. Network Access Control checks for more than 600 health conditions; it also offers the ability to create custom checks. In the new, more coordinated arrangement, a McAfee agent and server exchange notes with a NAP agent and server, respectively, on a network; the NAP agent and NAP server compare notes before finalizing instructions (see image below).
Another security improvement is the introduction of a Read-Only Domain Controller.
Domain controllers containing passwords and personally identifiable information are ripe targets for hackers. Up to now, an employee logging on to a branch office involved checking credentials over the wide-area network, and in effect opening up access to the entire copy of an organization's Active Directory. That's not a small issue for federal agencies with hundreds of thousands of employees. Creating read-only versions of the Active Directory for each branch significantly compartmentalizes the potential risk for data breaches.
Finally, another security benefit of Windows Server 2008 is its ability to provide terminal services for remote access computers. Terminal services can be as secure as, and in some cases more secure than, virtual private networks, says Microsoft's Campbell. An employee logging on remotely to a VPN via a laptop PC that has been infected has the potential of infecting the network. Terminal services essentially exchange keyboard, mouse and monitor instructions. Assuming the policies are in place, they also can do a better job of limiting what files can be downloaded. That's not always as easily accomplished via VPN sessions.
Of course, many administrators would say these improvements are long overdue. The good news is Windows Server 2008 can be run in parallel with earlier editions so information technology departments can start to take advantage of the benefits without having to mount full-scale migrations.
Posted by Wyatt Kash on Mar 31, 2008 at 9:39 AM