Does NAP protect against rouge laptops

Microsoft Applications Security
Posted by Aaron on October 29, 2008, 7:55 pm
We've been having problems with our outside clients who come in to our
company and connect to our network when they are in the office. Does NAP
prevent the unauthorized laptops from connecting to the network by not
giving them an IP address?



Posted by PA Bear [MS MVP] on October 29, 2008, 8:02 pm
[No, only puce laptops.]

Aaron wrote:
> We've been having problems with our outside clients who come in to our
> company and connect to our network when they are in the office. Does NAP
> prevent the unauthorized laptops from connecting to the network by not
> giving them an IP address?

Posted by MowGreen [MVP] on October 30, 2008, 3:29 pm
ROTFLMAO


PA Bear [MS MVP] wrote:

> [No, only puce laptops.]
>
> Aaron wrote:
>
>> We've been having problems with our outside clients who come in to our
>> company and connect to our network when they are in the office. Does NAP
>> prevent the unauthorized laptops from connecting to the network by not
>> giving them an IP address?

Posted by Alun Jones on November 2, 2008, 6:59 pm
> We've been having problems with our outside clients who come in to our
> company and connect to our network when they are in the office. Does NAP
> prevent the unauthorized laptops from connecting to the network by not
> giving them an IP address?

Partly yes, and partly no.

NAP has many different enforcement points. The four that come out of the box
are IPsec, VLAN (802.something), DHCP and VPN.

With an IPsec configuration, machines on the network can be configured so as
not to talk to hosts that don't have a valid system health certificate
assigned through a NAP server based on the system health report provided by
the client.

With a VPN configuration, access through the VPN router can be controlled
and limited depending on the system health reported to the VPN router and
passed to the NAP server. VLAN support is roughly similar in effect.

With a DHCP configuration, the DHCP server will assign IP addresses based on
the system health report, placing the requesting client either on the full
network or in a limited network.

That sounds like it protects you, but there are caveats:
1. Your network must have a plan for those systems that don't support NAP -
Linux machines, handhelds, old versions of Windows, etc. Often, this plan is
"full access", which means that NAP can't really prevent bad machines from
getting access.
2. Even on those machines that support NAP, the system health report is
generated by code on the machine. So, a subverted machine may very well have
had its NAP client subverted, and be issuing false statements that imply the
system is not subverted. Rather like having quarantine against the plague by
asking people "do you have the plague?" - all it takes is for someone to
successfully lie, and your quarantine is breached.

That sounds pretty awful, but it's not - the goal should be to use NAP to
coerce your network's members to maintain good virus protections, so that
they don't become infected in the first place, and that way you don't have
to worry (as much) about keeping out infected systems.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.
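
A simplified model of the DHCP enforcement decision and the two caveats in the post above, as an added example that is not part of the original thread and is not NAP's own logic. The client names, the fields and the `non_nap_fallback` parameter are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Client:
    name: str
    nap_capable: bool     # sends a system health report at all?
    claims_healthy: bool  # what the client-side code reports about itself
    truly_healthy: bool   # ground truth, which the server never sees

# Constructed sample clients (hypothetical names).
CLIENTS = [
    Client("staff-patched", True, True, True),
    Client("staff-no-av", True, False, False),
    Client("visitor-linux", False, False, True),   # no NAP support
    Client("subverted-pc", True, True, False),     # health report is false
]

def dhcp_decision(client, non_nap_fallback):
    """Place a client on the 'full' or 'restricted' network.

    non_nap_fallback is the plan for systems that do not support NAP
    (caveat 1): either 'full' or 'restricted'.
    """
    if not client.nap_capable:
        return non_nap_fallback
    # Caveat 2: the decision rests on the client's own statement.
    return "full" if client.claims_healthy else "restricted"

def misplaced(clients, non_nap_fallback):
    """Names on the full network whose health was unverifiable or false."""
    return [
        c.name for c in clients
        if dhcp_decision(c, non_nap_fallback) == "full"
        and (not c.nap_capable or not c.truly_healthy)
    ]

if __name__ == "__main__":
    for fallback in ("full", "restricted"):
        print(f"fallback={fallback}: misplaced={misplaced(CLIENTS, fallback)}")
```

Tightening the fallback for non-NAP systems removes the first kind of misplacement; the second remains because the report is self-generated, which is why the post treats NAP as a tool for keeping member machines healthy rather than as a gate.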



Posted by Robert Moir on November 13, 2008, 3:48 am
Aaron wrote:
> We've been having problems with our outside clients who come in to our
> company and connect to our network when they are in the office.

Simple solution
Don't have unused network ports sitting there active
Use decent wireless security to stop people 'just connecting' that way.


