Network Access Protection (NAP), a policy enforcement platform built into the Microsoft Windows Server 2008 and Windows Vista operating systems, allows users to protect network assets by enforcing compliance with system health requirements. NAP customers can create customized health policies to validate a computer's security before allowing it access or communication with a network.
NAP provides several remediation options. It can optionally confine non-compliant computers to a restricted network, restore the client to an acceptable level of health, and automatically update compliant computers to ensure ongoing compliance. Based on the security status of a client computer, NAP can allow full network access, limit access to a restricted network or deny access to the network completely.
The method of enforcement selected for NAP determines how the health policies will be imposed; policies can be enforced for Dynamic Host Configuration Protocol (DHCP), VPN with Routing and Remote Access, 802.1x port-based wired and wireless network access control, or IPsec-protected traffic. NAP can also enforce ongoing health compliance on compliant computers that are already connected to the network, which is useful when policies or the health of the clients change.
How NAP works
NAP functions with agents in Windows Server 2008 and the Windows XP SP2 or Windows Vista client operating systems. The client environment includes system health agents (SHAs), a quarantine agent (QA) and an enforcement client (EC). When a client connects through DHCP, VPN, 802.1x or IPsec, the SHA determines the current state of the client and forwards a network access request on to a network policy server (NPS), which includes a system health validator (SHV) and a quarantine server (QS). If the client is non-compliant, it is directed to a restricted network where remediation servers can apply the appropriate security updates to bring the system into compliance. If a client is found to be compliant, it is given access to the corporate network.
Enforcement through DHCP is achieved through the use of NAP enforcement server and enforcement client components interacting with a network policy server. Each time a computer attempts to lease or renew an IP address configuration on the network, the DHCP server can check and enforce health policy requirements. The NPS limits the client's network access to a restricted network by instructing the DHCP server to assign a limited IP address configuration.
The drawback to this method is that if client computers are configured with a static IP address or are otherwise configured to circumvent the limited IP address configuration, DHCP enforcement will be ineffective.
VPN enforcement utilizes VPN NAP enforcement servers and VPN NAP enforcement client components. When a client attempts a remote VPN connection, the VPN server will validate the health of the client. While this method functions in the same way as for DHCP, it provides strong limited network access only for computers connecting to the network through the VPN server.
The 802.1x policy method uses an NPS and an EAPHost NAP enforcement client. EAPHost is a component of the Windows infrastructure and implements the Extensible Authentication Protocol (EAP) state machine and EAP protocol framework, as per RFC 3748. When a non-compliant client attempts a connection through an access point, the network policy sender communicates with the access point (either a set of IP packet filters or a virtual LAN identifier), instructing it to place a restricted access profile on the 802.1x client until it is compliant.
IPsec enhancement uses an NPS, a health registration authority (HRA) and an IPsec EC. The HRA issues an X.509 certificate to clients once they are in compliance with health policy requirements. The issued certificate is used to authenticate the clients when initiating or requesting IPsec communications. Of all the limited network access protection measures in NAP, the IPsec EC is considered to provide the strongest security. Because this method uses IPsec, the requirements for protected communications can be defined based on a specific IP address or TCP/UDP port number.
Each of these NAP enforcement methods has different advantages, and it is possible to combine these methods to obtain the benefits of each. However, this will add complexity to a NAP deployment.
Ultimately, NAP is intended to help an enterprise to increase business value, preserving user productivity and extending the existing investments an enterprise already has in its Microsoft-based or third-party infrastructure. By enforcing compliance with health requirements, Network Access Protection can help network administrators mitigate some of the common risks caused by improperly configured client computers that might be exposed to viruses and other malicious software.
About the author:
Beth Quinlan (MCT, MCSE-Security, CISSP) is the technical lead for HynesITe, where she is a trainer/consultant. She has specialized in Microsoft infrastructure technologies and security design for over 12 years. She has authored the ISA Server 2006 Reviewer's Guide.
This was first published in September 2008