Microsoft Takes Aim at Endpoint

Microsoft says Network Access Protection (NAP), SSL VPN gateway will play nicely together

LAS VEGAS -- Interop -- If you didn't look closely, you may have missed Microsoft's new beta version of its SSL VPN gateway product amid the company's splashy network access control (NAC) announcement here this week. But the software giant says SSL VPN technology is here to stay.

Although NAC is likely to eventually take over many of the security duties SSL VPNs perform today, Microsoft has no intention of letting its SSL VPN technology get overshadowed altogether, officials say. (See Vendors Get Their NAC Together, NAC Vendors in the Hot Seat, and Security Enforcement, The Cooperative Way.)

Microsoft product executives gave Dark Reading a glimpse of just how the two technologies will work together in an interview here.

"Some use their SSL VPN as a NAC" today, says Joel Sloss, senior product manager for ISA Server. Microsoft has already released the technical beta version of its latest SSL VPN product, Intelligent Application Gateway (IAG) 2007 SP1, he notes.

SSL VPNs are the precursors to NAC, Microsoft execs say. "The first place you saw 'NAC' was in remote access gateways," says Mike Schutz, director of product management for Microsoft. "Then threats started literally walking through the door, not just at the gateway."

That's, of course, where NAC comes in. The two will work hand-in-hand, with the SSL VPN gateway throttling down the level of access, Sloss says. "The gateway will dial down the level of access, and NAC/NAP will handle the 'in' or 'out'" policy for a client on the network.

Microsoft envisions the two products as a "single solution" for remote access and NAC policy enforcement. With a combination of the two, "you can manage access... and have application security, and control what the user does" and has access to, he says.

Sloss notes that Whale Communications -- the SSL VPN vendor Microsoft acquired last year and whose product is the basis of IAG -- was originally a Microsoft NAP partner. So integration of the two products won't be a big deal. And IAG -- like Microsoft's NAP -- will be fully integrated with Windows Server 2008, he says.

But some security experts say SSL VPN tools could get marginalized in the NAC age, as more robust NAC boxes sitting behind the SSL VPN gateway will take over some of the security functions of the gateway, such as enforcing compliance of remote clients. Today, SSL VPNs, NAC boxes, and other policy-based devices all work separately, and there can be overlap.

The advantage of running both SSL VPN gateways and NACs, of course, is a system of checks and balances, where the SSL VPN authenticates remote users and devices, and the NAC handles the "posture-checking" of all of the client machines, industry experts say. The NAC would have to clear the client before it hits the VPN gateway, for instance.

In a NAC vendor panel earlier this week, Paul Mayfield, group program manager for Microsoft, said the "ultimate promise of NAC is to provide a policy framework" that unifies NAC, VPN gateways, and wireless security.

Meanwhile, the new beta version of Microsoft's IAG 2007 comes with support for Microsoft Windows Vista, Mobile 5.0, Active Directory Federation Services, and Forefront Client. It also comes with a simplified authentication feature and twice the throughput of previous versions, according to Microsoft. Microsoft also announced a new lineup of OEMs for the product, including Pyramid Computer GmbH, nAppliance Networks, SurfControl, Mendax Microsystems, and Baosight.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
