Windows Server 2008 - NAP (Network Access Protection)
Don't make the mistake of confusing Network Access Protection (NAP) with *Network Center. Microsoft's NAP is a client-server technology designed to protect your network from 'unhealthy' machines.
The way that NAP works is for Windows Server 2008 to compare the Vista client's SoH (Statement of Health) with its policies. You can also configure NAP to allow only compliant computers onto the main network; one day, such clients could include XP with SP3.
*(The Network Center is a Control Panel container for troubleshooting IP settings and negotiating wireless connections.)
Let us consider how computer viruses spread. I take it as read that, as you read this article, you already minimise virus attacks by protecting the Internet connection with firewalls. In addition, you scan email attachments; what else can you do? Ah yes, examine those laptops and other mobile devices that itinerant associates bring onto your network. Thanks to Network Access Protection, you can isolate viruses which would otherwise attack via laptops. An even better alternative is to specify a policy which cleans the affected machines and, when they are healthy, permits them access to parts of your production network.
NAP is a client-server technology which identifies machines that don't have the latest virus signatures, service packs or security patches. Such machines are most likely to be laptops that have been offsite for a while, or home computers trying to connect via a VPN. Apparently hackers, in common with all cowards, target the older, weaker members of the computer society.
Validating Machines:
The mission of NAP is to preserve the integrity of your network by allowing only healthy machines to have IP addresses that can connect to the main subnet. You may find that validating machines is an ongoing task, as your NAP policy will evolve over time with the release of new service packs and, sadly, new viruses.
Restricting Network Access: Visiting laptops which don't meet your policy standards, whether or not they are riddled with viruses, can be restricted to the repair subnet. As I hinted earlier, for safety you may also need to exclude desktops that have missed a security patch until they have been remediated.
Fixing Unhealthy Machines:
NAP provides a range of strategies once it detects such 'unhealthy' machines. For example, you could configure the NAP servers to restrict all machines until they pass muster. A better tactic is to direct them to a remediation server, which could apply SMS packages containing antivirus signatures, and thus cure their computer illnesses. Another alternative would be to allow machines which don't meet all the criteria limited access; for example, visiting consultants' laptops get internet access only.
Remember that NAP is for validating a computer's software; unfortunately, it cannot protect against malicious hackers with a valid IP address. For that you need different tactics.
Guy Recommends: A Free Trial of the Network Performance Monitor (NPM)
SolarWinds' Network Performance Monitor will help you discover what's happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM's best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting and creating network maps, then I recommend that you give this Network Performance Monitor a try.
NAP is a classic client-server technology. All the necessary NAP components will be built into Vista clients and Windows 2008 servers. In addition, XP with SP3 will also be able to benefit from NAP. What is unusual is that Microsoft is encouraging third-party anti-virus vendors to participate in the technology in general, and in the SHA (System Health Agent) in particular.
Remember that NAP is designed to protect your network from 'unhealthy' machines. Tactics involve identifying what constitutes a healthy machine, configuring one or more policies, and deciding what to do about computers that fail to match your criteria.
When a Vista machine boots up, a conversation takes place with the Health Registration Authority server. The client's SHA sends a SoH (Statement of Health) to the Windows 2008 server. This packet contains details of software updates and anti-virus signatures. The server then compares the SoH with one or more of its policies. If the Vista client lacks any of the required components, you can predetermine what action to take: for example, whether to ban it from the production subnet, or to try to remediate it by adding patches.
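As an added illustration, not code from the article or from Microsoft, the following PowerShell models the decision just described: a client's SoH is compared field by field with a health policy, and the outcome picks one of the article's three options (full access, remediation, or restricted access). The field names, the KB placeholders, the signature-age threshold and the two sample clients are all constructed for this example; in a real deployment the SHA/SHV exchange is performed by Windows, not by a script.

```powershell
# Added example: a model of the SoH-versus-policy check the article describes.
# Field names and values are constructed; they are not Microsoft's SHA/SHV identifiers.

function Test-StatementOfHealth {
    param(
        [Parameter(Mandatory=$true)] [hashtable] $SoH,     # what the client's SHA reports
        [Parameter(Mandatory=$true)] [hashtable] $Policy   # what the server requires
    )

    $failures = @()

    # Anti-virus signatures: the policy states the maximum acceptable age in days.
    $sigAge = (Get-Date) - [datetime]$SoH.AvSignatureDate
    if ($sigAge.Days -gt $Policy.MaxSignatureAgeDays) {
        $failures += "AV signatures are $($sigAge.Days) days old (limit $($Policy.MaxSignatureAgeDays))"
    }

    # Patches / service packs: every item the policy lists must be installed.
    $missing = @($Policy.RequiredPatches | Where-Object { $SoH.InstalledPatches -notcontains $_ })
    if ($missing.Count -gt 0) { $failures += "Missing patches: $($missing -join ', ')" }

    if ($Policy.RequireFirewall -and -not $SoH.FirewallEnabled) {
        $failures += 'Firewall is disabled'
    }

    # Decide the action, mirroring the article: healthy machines get full access,
    # your own (domain) machines are sent for remediation, visitors' machines are
    # restricted rather than patched.
    if ($failures.Count -eq 0)  { $action = 'FullAccess' }
    elseif ($SoH.DomainMember)  { $action = 'Remediate' }
    else                        { $action = 'RestrictedAccess' }

    New-Object PSObject -Property @{
        Client    = $SoH.Name
        Compliant = ($failures.Count -eq 0)
        Action    = $action
        Failures  = $failures
    }
}

# Constructed health policy (KB names are placeholders).
$policy = @{ MaxSignatureAgeDays = 7; RequiredPatches = @('KB-EXAMPLE-1', 'KB-EXAMPLE-2'); RequireFirewall = $true }

# Constructed SoH packets: a visitor's stale laptop and an up-to-date domain desktop.
$laptop  = @{ Name = 'VISITOR-LAPTOP'; DomainMember = $false; FirewallEnabled = $true
              AvSignatureDate = (Get-Date).AddDays(-30); InstalledPatches = @('KB-EXAMPLE-1') }
$desktop = @{ Name = 'HQ-DESKTOP-01'; DomainMember = $true; FirewallEnabled = $true
              AvSignatureDate = (Get-Date).AddDays(-1); InstalledPatches = @('KB-EXAMPLE-1', 'KB-EXAMPLE-2') }

Test-StatementOfHealth -SoH $laptop  -Policy $policy | Format-List   # RestrictedAccess, two failures
Test-StatementOfHealth -SoH $desktop -Policy $policy | Format-List   # FullAccess, no failures
```

The useful point of the model is the last branch: a non-compliant visitor is not remediated, because, as the article says later, pushing patches onto visitors' machines would be too intrusive; it is parked on the restricted network instead.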
NAP Server Components (Windows Server 2008 or Windows Server 2003)
Whenever you see lots of acronyms, as here with the NAP family, slow down; the going gets tough. It all begins to make sense if you install the Network Policy and Access Services role (NPAS) on your Server 2008. Incidentally, NPAS replaces IAS (Internet Authentication Service) in Windows 2003.
Microsoft's NAP Administration Server. This main NAP server checks the network policies (formerly RAS policies), analyses the Vista laptops or XP desktops, and then decides whether or not to allow access to the network. While it is a Windows Server 2008 machine, it does not have to be a domain controller; but, as I mentioned earlier, do install the NPAS role.
System Health Validator (SHV). This component determines whether the SoH (Statement of Health) issued by the client's SHA (System Health Agent) matches the required health policy criteria on the server.
Quarantine Agent (QA). This reports the client's health status.
Health Policy. This is a list of conditions; you can have a different policy for each of these technologies: IPsec, DHCP, 802.1X or VPN.
Accounts Database. This is a portion of Active Directory that stores NAP properties for a computer or user.
Health Certificate Server. This is the Health Registration Authority, which runs on IIS on Windows Server 2008.
Remediation server (Optional). This server is designed to help treat unhealthy clients; consequently it holds the patches and virus signature updates which may cure an unhealthy machine. However, further policies decide which machines get the patches; for example, it would be too intrusive to add software patches to visitors' machines. In practice, this remediation server could also be the anti-virus / update server.
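Installing the server-side pieces just listed, as an added example rather than the article's own steps. It assumes a Windows Server 2008 machine where you run ServerManagerCmd.exe from an elevated PowerShell prompt (the Server 2008 R2 ServerManager module equivalent is shown in a comment), and the backup path is a placeholder you would change.

```powershell
# Added example: install the NPAS role components named in the article and
# confirm the services that result. Run elevated on Windows Server 2008.

# NPS itself (the NAP Administration Server) and the Health Registration
# Authority (the health certificate server, hosted in IIS, used by IPsec enforcement).
ServerManagerCmd.exe -install NPAS-Policy-Server
ServerManagerCmd.exe -install NPAS-Health

# Windows Server 2008 R2 equivalent of the two lines above:
# Import-Module ServerManager
# Add-WindowsFeature NPAS-Policy-Server, NPAS-Health

# NPS runs under the service name 'IAS' (display name 'Network Policy Server'),
# a hangover from its Windows 2003 predecessor; HRA lives in IIS (W3SVC).
Get-Service -Name IAS, W3SVC -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status

# Take a backup of the NPS configuration (network and health policies) before
# you start building policies; the path is a placeholder.
netsh nps export filename="C:\Backup\nps-config.xml" exportPSK=YES
```

Keep the exported XML somewhere safe: with exportPSK=YES it contains the RADIUS shared secrets, which is exactly why it is the file you want when rebuilding the server, and also why it should not sit in a world-readable share.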
Monitor Your Network with the Real-time Traffic Analyzer
The main reason to monitor your network is to check that all your servers are available. If there is a network problem you want an interface to show the scope of the problem at a glance.
Even when all servers and routers are available, sooner or later you will be curious to know who, or what, is hogging your precious network's bandwidth. A GUI showing the top 10 users makes interesting reading.
Another reason to monitor network traffic is to learn more about your server's response times and the use of resources. To take the pain out of capturing frames and analysing the raw data, Guy recommends that you download a copy of the SolarWinds free Real-time NetFlow Analyzer.
You may have seen policies similar to these Network Policies in W2K3 RAS policies and profiles.
IPSec: This creates the most secure configuration. IPSec and NAP work in tandem to ensure that all machines are healthy and, furthermore, that they only communicate using the encrypted IPSec protocol.
DHCP: Probably the most common implementation of NAP; every time the client asks to renew its IP address, DHCP enforces health compliance.
802.1X (EAPHost): Restricts access at the wireless access points until the clients are confirmed as healthy.
VPN: The VPN server enforces the policies whenever a client computer attempts a connection over the VPN.
NPS (Network Policy Server) / RADIUS: Similar to VPN.
You can also apply NAP and its policies to Terminal Server connections.
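Whichever enforcement method you pick on the server, the matching enforcement client has to be switched on at the Vista or XP SP3 end, or no Statement of Health is ever sent. The script below is an added example (not from the article): it maps the enforcement methods listed above to the built-in enforcement client IDs that `netsh nap client show config` reports on a Vista client, enables one of them, and makes sure the NAP Agent service is running. It assumes Windows PowerShell is installed on the client and that you run it elevated.

```powershell
# Added example: enable the client-side NAP enforcement client that matches the
# server's enforcement method, then display the agent's state. Run elevated.

# The article's enforcement methods and the IDs of the corresponding built-in
# enforcement clients (as listed by 'netsh nap client show config').
$enforcementClients = @{
    'DHCP'      = 79617   # DHCP Quarantine Enforcement Client
    'VPN'       = 79618   # Remote Access Quarantine Enforcement Client
    'IPsec'     = 79619   # IPsec Relying Party
    'TSGateway' = 79621   # TS Gateway Quarantine Enforcement Client
    '802.1X'    = 79623   # EAP Quarantine Enforcement Client
}

function Enable-NapEnforcement {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('DHCP', 'VPN', 'IPsec', 'TSGateway', '802.1X')]
        [string] $Method
    )

    $id = $enforcementClients[$Method]

    # Without the NAP Agent service (napagent) the SHA never produces a SoH,
    # so a client silently ends up on the restricted network.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    # Turn on the chosen enforcement client; the others stay as they were.
    netsh nap client set enforcement ID=$id ADMIN=ENABLE
}

# DHCP enforcement, the article's 'most common' choice.
Enable-NapEnforcement -Method DHCP

# Verify: the enforcement client should read 'Enabled' and the installed SHAs
# (for example the Windows Security Health Agent) should be listed.
netsh nap client show state
```

Settings made this way apply to the local machine only; in a domain you would push the same enforcement-client setting through Group Policy so that every client is consistent, and use `netsh nap client show state` on a client that has landed on the repair subnet to see which check it failed.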
The idea of Network Access Protection (NAP) is to identify and then to isolate 'unhealthy' computers. To be frank, the most likely source of 'unhealthy' computers is a visiting laptop. NAP is a client-server technology which gives you a range of options for dealing with machines that lack up-to-date virus signatures, patches or service packs.
Windows Server 2008 provides NAP (Network Access Protection) policies and enforces their implementation. As a result there is no excuse for virus-ridden laptops to infect your network. However, NAP is not all 'bad guy'; it can be configured to apply patches and so bring machines up to the standard required to communicate with your servers.
With NAP you configure policies for IPsec enforcement, 802.1X enforcement, VPN enforcement or DHCP enforcement, depending on your needs. Microsoft provides an infrastructure and an API which vendors and software developers can use to build their own health validation components.
Guy Recommends: SolarWinds' NPM - Network Performance Monitor
SolarWinds' performance monitor is designed for detecting network outages, making it easy to see what's working and what needs your attention. This utility guides you through creating network maps; it also helps identify whether the root cause is faulty equipment or resource overload. Give NPM a try.