Friday, October 5, 2007

Network Access Protection for Windows Server “Longhorn”


Network Access Protection (NAP) is a policy enforcement platform built into the Microsoft Windows Vista and Windows Server code name "Longhorn" operating systems that allows you to better protect network assets by enforcing compliance with system health requirements. With Network Access Protection, you can create customized health policies to validate computer health before allowing access or communication, automatically update compliant computers to ensure ongoing compliance, and optionally confine noncompliant computers to a restricted network until they become compliant.

Network Access Protection includes an application programming interface (API) set for developers and vendors to create complete solutions for health policy validation, network access limitation, and ongoing health compliance.

To validate access to a network based on system health, a network infrastructure needs to provide the following areas of functionality:

•Health policy validation. Determines whether the computers are compliant with health policy requirements.

•Network access limitation. Limits access for noncompliant computers.

•Automatic remediation. Provides necessary updates to allow a noncompliant computer to become compliant.

•Ongoing compliance. Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements.
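The four areas above form one cycle: the client's System Health Agent reports its state, a System Health Validator checks it against policy, access is limited until remediation succeeds, and a change in policy re-opens the cycle for clients that were compliant before. The following Python model, added here as an illustration and not code from the Microsoft document or the NAP API, walks through that cycle. The class names (HealthPolicy, StatementOfHealth, NetworkDecision), the health attributes and the numeric thresholds are all constructed for the example.

```python
"""Model of the NAP cycle: validation, limitation, remediation, ongoing
compliance. Added example; all names and values are constructed."""
from dataclasses import dataclass, field

ALL_FIXES = frozenset({"firewall", "antivirus", "antivirus_signature", "patch_level"})


@dataclass(frozen=True)
class HealthPolicy:
    """What the health policy server requires (constructed sample policy)."""
    firewall_on: bool = True
    antivirus_on: bool = True
    antivirus_min_signature: int = 100   # minimum signature version
    min_patch_level: int = 5


@dataclass
class StatementOfHealth:
    """What the client's System Health Agent reports about itself."""
    firewall_on: bool
    antivirus_on: bool
    antivirus_signature: int
    patch_level: int


@dataclass
class NetworkDecision:
    """Result of validation: compliance, what failed, and the access granted."""
    compliant: bool
    failures: list = field(default_factory=list)
    access: str = "restricted"          # "full" or "restricted"


def validate(policy, soh):
    """Health policy validation: the validator compares the SoH with policy."""
    failures = []
    if policy.firewall_on and not soh.firewall_on:
        failures.append("firewall")
    if policy.antivirus_on and not soh.antivirus_on:
        failures.append("antivirus")
    if soh.antivirus_signature < policy.antivirus_min_signature:
        failures.append("antivirus_signature")
    if soh.patch_level < policy.min_patch_level:
        failures.append("patch_level")
    compliant = not failures
    # Network access limitation: noncompliant clients get restricted access.
    return NetworkDecision(compliant, failures, "full" if compliant else "restricted")


def remediate(soh, failures, policy, fixable=ALL_FIXES):
    """Automatic remediation: fix what the restricted network's remediation
    servers can fix; items outside `fixable` stay as they are."""
    fixed = StatementOfHealth(**vars(soh))
    for item in failures:
        if item not in fixable:
            continue
        if item == "firewall":
            fixed.firewall_on = True
        elif item == "antivirus":
            fixed.antivirus_on = True
        elif item == "antivirus_signature":
            fixed.antivirus_signature = policy.antivirus_min_signature
        elif item == "patch_level":
            fixed.patch_level = policy.min_patch_level
    return fixed


def admit(policy, soh, fixable=ALL_FIXES, max_rounds=3):
    """Full cycle: validate, restrict, remediate, re-validate.
    Returns the final decision, the final SoH and the access history."""
    history = []
    for _ in range(max_rounds):
        decision = validate(policy, soh)
        history.append(decision.access)
        if decision.compliant:
            return decision, soh, history
        soh = remediate(soh, decision.failures, policy, fixable)
    return validate(policy, soh), soh, history


if __name__ == "__main__":
    policy = HealthPolicy()
    # Constructed client: firewall off, signatures behind the policy minimum.
    laptop = StatementOfHealth(False, True, 90, 5)
    final, fixed, history = admit(policy, laptop)
    print(history, final.compliant)                     # ['restricted', 'full'] True
    # Ongoing compliance: a stricter policy re-restricts a formerly compliant client.
    stricter = HealthPolicy(antivirus_min_signature=120)
    print(validate(stricter, fixed).failures)           # ['antivirus_signature']
```

The `fixable` parameter models the case the page describes as "confine noncompliant computers to a restricted network until they become compliant": when a failure cannot be corrected from the restricted network, the client stays restricted after every round rather than being admitted.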

Scenarios for Network Access Protection
Designed to provide customers with the most flexible solution, NAP can interoperate with any vendor’s software that provides a System Health Agent (SHA) and System Health Validators (SHV) or that recognizes its published API set. Examples of third-party solutions that work with Network Access Protection would be Anti-Virus, Patch Management, VPN, and Networking Equipment. Network Access Protection helps provide a solution for the following common scenarios.

Check the health and status of roaming laptops
With Network Access Protection, network administrators can check the health of any laptop when it reconnects to the company network without sacrificing the portability and flexibility of laptops.

Ensure the ongoing health of desktop computers
With the addition of management software, automatic reports can be generated, updates can be made automatically to noncompliant computers, and when administrators change health policies, computers can be automatically provided with the most recent updates preventing health threats from publicly accessible resources.

Determine the health of visiting laptops
With Network Access Protection, administrators can determine that the visiting laptops are not authorized to access the network and limit their access to a restricted network without requiring any updates or configuration changes to the visiting laptops.

Verify the compliance and health of unmanaged home computers
By using Network Access Protection, network administrators can check for required programs, registry settings, files, or combinations of these every time a home computer makes a VPN connection to the network, and they can limit the connection to a restricted network until system health requirements are met.

Components of Network Access Protection
Network Access Protection provides a flexible platform that supports multiple access enforcement mechanisms including, but not limited to:

•Internet Protocol security (IPsec) for host-based authentication

•IEEE 802.1X authenticated network connections

•Virtual private networks (VPNs) for remote access

•Dynamic Host Configuration Protocol (DHCP)

Administrators can use these technologies separately or together to limit noncompliant computers. Network Policy Server (NPS), which in Windows Server "Longhorn" replaces the Internet Authentication Service (IAS) of Windows Server 2003, acts as the health policy server for all of these technologies.

Network Access Protection requires servers to run Windows Server "Longhorn" and clients to run Windows Vista, Windows XP with Service Pack 2 (SP2), or Windows Server "Longhorn."

IPsec Enforcement
IPsec Enforcement comprises a health certificate server and an IPsec NAP Enforcement Client (EC). The health certificate server issues X.509 certificates to quarantine clients when they are determined to be compliant. These certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet.

IPsec Enforcement confines communication on your network to the nodes that are considered compliant. Because it builds on IPsec, you can define requirements for secure communication with compliant clients on a per-IP address or per-TCP/UDP port number basis. IPsec Enforcement confines communication to compliant computers after they have successfully connected and obtained a valid IP address configuration. IPsec Enforcement is the strongest form of limited network access in Network Access Protection.

802.1X Enforcement
802.1X Enforcement comprises an NPS server and an EAPHost NAP EC component. Using 802.1X Enforcement, an NPS server instructs an 802.1X access point (an Ethernet switch or a wireless access point) to place a restricted access profile on the 802.1X client until it performs a set of remediation functions. A restricted access profile can consist of a set of IP packet filters or a virtual LAN (VLAN) identifier to confine the traffic of an 802.1X client. 802.1X Enforcement provides strong limited network access for all computers accessing the network through an 802.1X connection.

VPN Enforcement
VPN Enforcement comprises a VPN NAP Enforcement Server (ES) component and a VPN NAP EC component. Using VPN Enforcement, VPN servers can enforce health policy requirements any time a computer attempts to make a VPN connection to the network. VPN Enforcement provides strong limited network access for all computers accessing the network through a VPN connection.

DHCP Enforcement
DHCP Enforcement comprises a DHCP NAP ES component and a DHCP NAP EC component. Using DHCP Enforcement, DHCP servers can enforce health policy requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP Enforcement is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. Because DHCP Enforcement relies on entries in the IP routing table, it is the weakest form of limited network access in Network Access Protection.
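The reason DHCP Enforcement is the weakest option follows from where the restriction lives. The Python model below, added here as an illustration and not Microsoft's code, shows the two IP address configurations a DHCP NAP Enforcement Server can hand out: a normal lease for a compliant client, and a restricted lease that leaves the client with no default gateway, a host-only subnet mask and static routes only to the remediation servers, so that its own routing table is what limits it. The addresses, the subnet and the remediation server list are constructed sample values, and the lease is represented as a plain dictionary rather than real DHCP options.

```python
"""Model of DHCP NAP enforcement: full versus restricted address
configuration, and what each lets the client reach. Added example;
all addresses are constructed."""
import ipaddress

# Constructed remediation servers that restricted clients may still reach.
REMEDIATION_SERVERS = ("10.0.0.20", "10.0.0.21")


def dhcp_offer(client_ip, compliant, subnet="10.0.5.0/24", gateway="10.0.5.1"):
    """Build the address configuration the enforcement server offers.

    Compliant: normal mask, default router, no extra routes.
    Restricted: /32 mask (no on-link neighbours), no router option, and
    host routes to the remediation servers only."""
    net = ipaddress.ip_network(subnet)
    ip = ipaddress.ip_address(client_ip)
    if ip not in net:
        raise ValueError(f"{ip} is not in {net}")
    if compliant:
        return {"address": str(ip), "netmask": str(net.netmask),
                "router": gateway, "static_routes": []}
    return {"address": str(ip), "netmask": "255.255.255.255",
            "router": None,
            "static_routes": [(f"{srv}/32", gateway) for srv in REMEDIATION_SERVERS]}


def can_reach(offer, dest):
    """Whether the client's routing table, as configured by the lease,
    contains a route to dest. Longest match is irrelevant here: any
    matching route means the destination is reachable."""
    dest = ipaddress.ip_address(dest)
    local = ipaddress.ip_network(f"{offer['address']}/{offer['netmask']}", strict=False)
    if dest in local:
        return True                                   # on-link destination
    for prefix, _gateway in offer["static_routes"]:
        if dest in ipaddress.ip_network(prefix):
            return True                               # explicit host route
    return offer["router"] is not None                # default route exists?


def reachable_summary(offer, destinations):
    """Map each destination to reachability under the given lease."""
    return {d: can_reach(offer, d) for d in destinations}


if __name__ == "__main__":
    targets = ["10.0.5.60", "10.0.0.20", "192.0.2.10"]   # peer, remediation, internet
    print(reachable_summary(dhcp_offer("10.0.5.50", True), targets))
    print(reachable_summary(dhcp_offer("10.0.5.50", False), targets))
```

Everything that limits the restricted client here is state on the client itself (its mask, its missing default route, its static routes); nothing on the network path enforces it. That is the property the page is pointing at when it ranks DHCP Enforcement below IPsec, 802.1X and VPN Enforcement, where the limitation is applied by the peer, the switch or the VPN server rather than by the client's own configuration.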

NPS/RADIUS
The Remote Authentication Dial-In User Service (RADIUS) component of Windows Server "Longhorn," NPS, does not have a NAP ES or NAP EC component. Instead, it works as a policy server in conjunction with NAP ES and NAP EC components. Administrators must define system health requirements in the form of policies on the NPS server. NPS servers provide health policy checks and coordinate with the Active Directory® directory service any time a computer attempts to obtain a health certificate or to connect to an 802.1X access point, a VPN server, or a DHCP server.
