Exploring Microsoft's Network Access Protection policy options


Elizabeth Quinlan, Contributor
09.05.2008
SearchSecurity.com Security School
This tip is part of SearchSecurity.com's Intrusion Defense Security School lesson, Security-related enhancements in Windows Server 2008, featuring Elizabeth Quinlan. For additional resources visit our lesson home page, or to browse more Security School lessons, visit our Security School Course Catalog.

Network Access Protection (NAP), a policy enforcement platform built into Windows Server 2008 and Windows Vista, lets administrators protect network assets by enforcing compliance with system health requirements. An administrator defines health policies (for example: host firewall on, antivirus and antispyware enabled with current signatures, automatic updating on, required security updates installed), and NAP validates a computer against those policies before it is allowed to communicate with the rest of the network.

NAP provides several remediation options. It can confine a noncompliant computer to a restricted network, point it at remediation servers that restore it to an acceptable level of health, and automatically update noncompliant computers so they regain access without help-desk involvement. Based on a client's health status, NAP can grant full network access, limit access to the restricted network or deny access entirely. Note what NAP evaluates: health, not intent. A compliant but already compromised machine, or a user with administrative control of a client who reports a healthy state, is outside what NAP is designed to stop; Microsoft's own guidance describes NAP as a compliance mechanism, not a defense against malicious users.

The enforcement method selected determines how health policy is imposed. Policies can be enforced at Dynamic Host Configuration Protocol (DHCP) address assignment, on VPN connections through Routing and Remote Access, at 802.1X port-based wired and wireless network access, or on IPsec-protected traffic. NAP can also re-evaluate computers that are already connected and were compliant when admitted, which matters when the policy changes or a client's health drifts (an antivirus service stopped, a signature set that has aged past the allowed window).

How NAP works
NAP relies on client agents in Windows Server 2008, Windows Vista and Windows XP with Service Pack 3 (the NAP client for XP shipped with SP3, not SP2). The client side consists of one or more system health agents (SHAs), the NAP Agent (called the quarantine agent, or QA, in pre-release documentation) and an enforcement client (EC) for each enforcement method. When the client connects through DHCP, VPN, 802.1X or IPsec, each SHA reports its slice of the client's state in a statement of health (SoH); the NAP Agent assembles these into a system statement of health, and the EC sends it with the access request to the enforcement point (DHCP server, VPN server, 802.1X switch or access point, or health registration authority), which forwards it in a RADIUS request to a Network Policy Server (NPS). On the NPS, the NAP Administration Server (the quarantine server, or QS, in early documentation) hands each SoH to the matching system health validator (SHV), and the results are returned to the client as statement of health responses. If the client is noncompliant, it is placed on a restricted network where remediation servers supply the missing updates or settings; once it is compliant it is re-evaluated and given access to the corporate network.

DHCP
DHCP enforcement uses the NAP enforcement server component on the Windows Server 2008 DHCP server and the DHCP enforcement client on the computer, with the DHCP server acting as a RADIUS client of the NPS. Each time a computer leases or renews an IPv4 address configuration, the DHCP server can check and enforce health policy. For a noncompliant client, the NPS instructs the DHCP server to hand out a limited configuration: an address with a 255.255.255.255 subnet mask, no default gateway, and classless static routes that reach only the remediation servers. The client can therefore talk to the remediation network and nothing else.

The weakness of this method is that it depends on the client accepting the configuration it is given. A computer with a statically assigned IP address never asks the DHCP server for anything, and a user with local administrator rights can assign one, or simply replace the subnet mask and gateway after receiving the limited lease. DHCP enforcement therefore keeps cooperative but unhealthy machines off the network; it does not stop a determined user, and it should not be treated as a security boundary.
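As an added example (this is not code from the original article), the following PowerShell function classifies each IP-enabled adapter on a client by what its configuration reveals about DHCP enforcement: a DHCP lease with a 255.255.255.255 mask and no default gateway is the NAP-restricted profile, while an adapter with DHCP disabled is exactly the static configuration that bypasses enforcement. It uses only the Win32_NetworkAdapterConfiguration WMI class, so it runs on any Windows client or server; the State strings are my own labels.

```powershell
# Added example, not from the original article. Classifies each IP-enabled
# adapter by what its address configuration says about NAP DHCP enforcement.
# Uses only the Win32_NetworkAdapterConfiguration WMI class.
function Get-NapDhcpPosture {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object {
            $cfg = $_

            # IPAddress and IPSubnet are parallel arrays; keep the IPv4 entries only
            $v4 = @()
            for ($i = 0; $i -lt @($cfg.IPAddress).Count; $i++) {
                if ($cfg.IPAddress[$i] -notmatch ':') {
                    $v4 += New-Object PSObject -Property @{
                        Address = $cfg.IPAddress[$i]
                        Mask    = $cfg.IPSubnet[$i]
                    }
                }
            }

            $hasGateway   = ($cfg.DefaultIPGateway -ne $null) -and (@($cfg.DefaultIPGateway).Count -gt 0)
            $hostOnlyMask = @($v4 | Where-Object { $_.Mask -eq '255.255.255.255' }).Count -gt 0
            $gateway      = if ($hasGateway) { $cfg.DefaultIPGateway -join ', ' } else { '(none)' }

            # The limited configuration NPS tells the DHCP server to hand out is a
            # host-only mask with no default gateway (static routes then point only at
            # remediation servers). DHCP disabled means the server was never consulted.
            $state = if (-not $cfg.DHCPEnabled) {
                         'Static address: not subject to DHCP enforcement'
                     } elseif ($hostOnlyMask -and -not $hasGateway) {
                         'DHCP lease: NAP-restricted (remediation network only)'
                     } else {
                         'DHCP lease: full access'
                     }

            New-Object PSObject -Property @{
                Adapter    = $cfg.Description
                DhcpServer = $cfg.DHCPServer
                Addresses  = ($v4 | ForEach-Object { "$($_.Address)/$($_.Mask)" }) -join ', '
                Gateway    = $gateway
                State      = $state
            }
        }
}

Get-NapDhcpPosture | Format-Table Adapter, State, Addresses, Gateway -AutoSize
```

Run it on a machine you expect to be restricted and one you expect to be compliant; the difference in the Addresses and Gateway columns is the whole enforcement mechanism, which is also why a user who can edit those two fields can undo it.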

VPN
VPN enforcement uses the NAP enforcement server component in the Routing and Remote Access VPN server and the remote access enforcement client on the computer. When a client attempts a remote VPN connection, the VPN server validates the client's health through the NPS and, for a noncompliant client, applies IP packet filters to that VPN connection so that only the remediation servers are reachable. The flow mirrors DHCP enforcement, but because the filters are applied at the VPN server rather than relying on the client's own IP configuration, the restriction is far harder for the user to evade. Its scope is correspondingly narrow: it governs only computers that connect through the VPN server.

802.1x
The 802.1X method uses an NPS and the EAPHost enforcement client. EAPHost is the Windows component that implements the Extensible Authentication Protocol (EAP) state machine and framework defined in RFC 3748; NAP carries the statement of health inside the PEAP exchange, so this method requires PEAP-based 802.1X authentication. When a noncompliant client attempts a connection through an 802.1X-capable switch or wireless access point, the network policy server returns RADIUS attributes that instruct the access point to apply a restricted access profile to the client's port until it is compliant. The profile is either a set of IP packet filters or a VLAN identifier (delivered in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes), placing the port in a remediation VLAN that reaches only the remediation servers.

IPsec
IPsec enforcement uses an NPS, a health registration authority (HRA) and the IPsec enforcement client. The HRA, an IIS-hosted component, submits the client's statement of health to the NPS and, if the client is compliant, obtains a short-lived X.509 health certificate from a certification authority and issues it to the client. The client then uses that certificate to authenticate IPsec negotiations with other NAP-protected hosts; a computer without a valid health certificate cannot complete IPsec authentication to compliant computers, so compliance is enforced at every peer rather than only at the network edge. Of NAP's enforcement methods, IPsec is regarded as the strongest, and because it is IPsec, the requirement for protected communication can be scoped to specific IP addresses or TCP/UDP ports. Deployments are organized into a secure network (hosts that require health certificates from peers), a boundary network (the HRA, remediation servers and other hosts that must accept traffic from computers without certificates) and a restricted network (everything that holds no certificate). The price is the most infrastructure of the four methods: a PKI, one or more HRAs and carefully designed IPsec policy.
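As an added example (not code from the original article), the following PowerShell function looks for a NAP health certificate in the local computer's personal store and reports whether it is usable for IPsec authentication. A health certificate is identified by the System Health Authentication enhanced key usage, OID 1.3.6.1.4.1.311.47.1.1, so the check matches on that OID rather than on a friendly name; the warning texts are my own.

```powershell
# Added example, not from the original article. Finds NAP health certificates in
# the local machine's personal store and checks whether they are currently usable.
# Health certificates carry the System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1).
function Get-NapHealthCertificate {
    $healthEku = '1.3.6.1.4.1.311.47.1.1'
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $ekuExt = $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            # EnhancedKeyUsages is an OidCollection; match on the OID value, not the display name
            ($ekuExt -ne $null) -and
            (@($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $healthEku }).Count -gt 0)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                HoursLeft     = [math]::Round(($_.NotAfter - $now).TotalHours, 1)
                Valid         = ($now -ge $_.NotBefore) -and ($now -le $_.NotAfter)
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

$health = @(Get-NapHealthCertificate)
if ($health.Count -eq 0) {
    Write-Warning 'No health certificate: this host cannot authenticate IPsec to compliant peers and is effectively on the restricted side.'
} elseif (@($health | Where-Object { $_.Valid -and $_.HasPrivateKey }).Count -eq 0) {
    Write-Warning 'Health certificate present but expired, not yet valid or missing its private key; IPsec authentication will fail until the HRA reissues it.'
} else {
    $health | Sort-Object NotAfter -Descending |
        Format-List Subject, Issuer, Thumbprint, NotAfter, HoursLeft, Valid, HasPrivateKey
}
```

Health certificates are deliberately short-lived (hours rather than years), which is why HoursLeft is worth watching: a client that cannot reach an HRA will fall out of the secure network when its certificate expires, even though nothing about its health changed. The built-in view of the same state is `netsh nap client show state`, which reports the IPsec Relying Party enforcement client and the last compliance result.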

Each of these NAP enforcement methods has different advantages, and it is possible to combine these methods to obtain the benefits of each. However, this will add complexity to a NAP deployment.

Ultimately, NAP is intended to help an enterprise to increase business value, preserving user productivity and extending the existing investments an enterprise already has in its Microsoft-based or third-party infrastructure. By enforcing compliance with health requirements, Network Access Protection can help network administrators mitigate some of the common risks caused by improperly configured client computers that might be exposed to viruses and other malicious software.

About the author:
Beth Quinlan (MCT, MCSE-Security, CISSP) is the technical lead for HynesITe, where she is a trainer/consultant. She has specialized in Microsoft infrastructure technologies and security design for over 12 years. She has authored the ISA Server 2006 Reviewer's Guide.
