I attended a Microsoft briefing recently that showcased the vendor’s new Network Access Protection (NAP) technology due to be included in Windows Server 2008. I wasn’t impressed. Furthermore, I couldn’t help but wonder whether it was something customers wanted or just another solution searching for a problem.
What Microsoft refers to as NAP others tend to call network access control (NAC). Whatever the name, however, the aims are the same, the idea being to check the “health” of client systems before they’re allowed a network connection. Those that don’t match a basic minimum security profile – in terms of installed patches, firewall setup, antivirus protection and so on – are then either quarantined or have the requisite elements updated before being allowed access.
NAC is all very laudable but it’s not an easy concept to deploy, requiring major network infrastructure changes, which can be both hugely expensive and disruptive. In the case of NAP, you have to deploy additional health validation and remediation servers – running Windows Server 2008 – plus an agent on each PC, which is included in Vista but extra for XP. NAP software only provides a basic security framework, and Microsoft is expecting third parties to supply plug-ins to provide the really detailed functionality.
These third-party add-ins look to be really crucial, a point brought home in the Microsoft demo I saw. For example, we were shown how NAP could be configured to check for the presence of the Windows firewall before allowing clients onto the LAN – the NAP software automatically turning the firewall back on if it had been disabled. What you couldn’t do, however, was get the software to drill down any deeper to check up on how the firewall was configured, leaving open the possibility that users could still configure exception rules to let traffic through.
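As an added illustration of the gap described above (this is not Microsoft's NAP or System Health Validator code, and it was not part of the demo), the PowerShell script below performs both the shallow check NAP's built-in validator makes, whether the firewall is enabled per profile, and the deeper check the demo could not: it enumerates every enabled inbound allow rule through the Windows Firewall with Advanced Security COM interface (HNetCfg.FwPolicy2, available from Vista onward) and flags exceptions open to any remote address on any port. The function name, the "wide open" heuristic and the compliant/non-compliant verdict are assumptions of this example, not NAP policy; it assumes PowerShell 2.0 or later.

```powershell
# Added example: an endpoint health check that goes beyond "is the firewall on?"
# Not Microsoft's NAP/SHV code. Assumes Windows Vista or later (HNetCfg.FwPolicy2
# COM interface) and PowerShell 2.0 or later.

function Test-FirewallHealth {
    $fw = New-Object -ComObject HNetCfg.FwPolicy2

    # NET_FW_PROFILE_TYPE2 bit values used by the Windows Firewall API
    $profileTypes = @{ Domain = 1; Private = 2; Public = 4 }

    # Shallow check (what the NAP demo validated): is the firewall enabled per profile?
    $profileState = @{}
    foreach ($name in $profileTypes.Keys) {
        $profileState[$name] = [bool]$fw.FirewallEnabled($profileTypes[$name])
    }

    # Deeper check: enabled inbound rules whose action is Allow, i.e. the
    # "exception rules" a simple on/off check never sees.
    # Direction 1 = NET_FW_RULE_DIR_IN, Action 1 = NET_FW_ACTION_ALLOW.
    $exceptions = @($fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1
    })

    # Heuristic (an assumption of this example, not a NAP policy): an exception that
    # accepts any remote address on any local port counts as a health failure.
    $wideOpen = @($exceptions | Where-Object {
        $_.RemoteAddresses -eq '*' -and
        ($_.LocalPorts -eq '*' -or [string]::IsNullOrEmpty($_.LocalPorts))
    })

    $healthy = ($profileState.Values -notcontains $false) -and ($wideOpen.Count -eq 0)

    New-Object PSObject -Property @{
        Healthy        = $healthy
        ProfileState   = $profileState
        ExceptionCount = $exceptions.Count
        WideOpenRules  = $wideOpen |
            Select-Object Name, ApplicationName, Protocol, LocalPorts, RemoteAddresses, Profiles
    }
}

# Usage: report the shallow state, the exception count and the verdict.
$result = Test-FirewallHealth
$result.ProfileState.GetEnumerator() |
    ForEach-Object { "{0,-8} firewall enabled: {1}" -f $_.Key, $_.Value }
"Enabled inbound allow rules: {0}" -f $result.ExceptionCount
if ($result.WideOpenRules) {
    "Exceptions open to any remote address on any port:"
    $result.WideOpenRules | Format-Table -AutoSize
}
"Health verdict: {0}" -f $(if ($result.Healthy) { 'COMPLIANT' } else { 'NON-COMPLIANT' })
```

A machine can pass the first block (firewall on in every profile) and still fail the second, which is exactly the case the briefing left open: the on/off state says nothing about what the exception list lets through.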
Of course, third-party security vendors will want to be part of the NAP party, but that will take time. Also, most have their own take on NAP/NAC, and products to sell, which could limit what they’re prepared to support.
One final thought. In the past few years companies have already become accustomed to taking pre-emptive measures to make sure clients are properly configured. As such, most have tools and procedures in place to ensure antivirus software is installed and up to date, firewalls are correctly configured and suchlike, in which case another layer of protection (and complexity) could be seen as superfluous. OK, it helps automate the process, but at a cost, and I wonder whether NAC will make it to the mainstream.