Windows Server 2008 – NAP (Network Access Protection)
Don’t make the mistake of confusing Network Access Protection (NAP) with *Network Center. Microsoft’s NAP is a client server technology designed to protect your network from ‘unhealthy’ machines. The way that NAP works is for Windows Server 2008 to compare the Vista clients SoH (statement of health) with their policies. You can also configure NAP to only allow compliant computers on to the main network; one day, such clients could include XP with SP3.
*(The Network Center is a Control Panel container for troubleshooting IP settings and negotiating Wireless connections.)
Let us consider how computer viruses spread? I take it that as read this article, you minimise virus attack by protecting the Internet connection with firewalls. In addition, you scan Email attachments; what else can you do? Ah yes, examine those laptops and other mobile devices that itinerant associates bring onto your network. Thanks to Network Access Protection, you can isolate viruses which would otherwise attacks from via laptops. An even better alternative is to specify a policy, which cleans the affected machines and when they are healthy, permits them access to parts of your production network.
NAP is a client server technology which identifying machines that don’t have the latest virus signatures, service packs or security patches. Such machines are most likely to be laptops that have been offsite for a while, or home computers trying to connect via a VPN. Apparently hackers, in commons with all cowards, target the older weaker members of the computer society.
Validating Machines: The mission of NAP is to preserve the integrity of your network by allowing only healthy machines to have IP addresses that can connect to the main subnet. You may find that validating machines is an ongoing task as your NAP policy will evolve over time with the release of new service packs, and sadly, new viruses.
Restricting Network Access: Visiting laptops which don’t meet your policy standards, whether or not they are riddled with viruses, can be restricted to the repair subnet. As I hinted earlier, for safety, you may also need to exclude desktops that have missed a security patch until they have been remediated.
Fixing Unhealthy Machines:
NAP provides a range of strategies once it detects such ‘unhealthy’ machines. For example, you could configure the NAP servers to restrict all machines until they pass muster. Or a better tactic is to direct them to a remediation server, which could apply SMS packages containing antivirus signatures, and thus cure their computer illnesses. Another alternative would be to allow machines which don’t meet all the criteria, limited access, for example visiting consultants laptops’ get internet access only.
Remember that NAP is for validating a computer’s software, unfortunately, it cannot protect against malicious hackers with a valid IP address. For that you need different tactics.
SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
Perhaps the NPM’s best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.
NAP is a classic client server technology. All the necessary NAP components will be built into Vista clients and Windows 2008 Servers. In addition, XP with SP3 will also be able to benefit from NAP. What is unusual is that Microsoft are encouraging third party anti-virus vendors to participate in the technology in general, and the SHA (System Health Agent) in particular.
Remember that NAP is designed to protect your network from ‘unhealthy’ machines. Tactics involve identifying what constitutes a healthy machine, configuring one or more policies and deciding what do about computers that fail to match your criteria.
When a Vista machines boots-up, a conversation takes place with the Health Registration Authority Server. The client SHA sends a SoH (Statement of Health) to the Windows 2008 server. This packet contains details of software updates and anti-virus signatures. The server then compares the SoH with one or more of its policies. If the Vista client lacks any of the components, you can predetermine what action to take. For example, whether to ban it from the production subnet, or try and remediate by adding patches.
NAP Server Components
(Windows Server 2008 or Windows Server 2003)
Whenever you see lots of acronyms – as here with the NAP family, slow down the going gets tough. It all begins to make sense if you install the Network Policy and Access Services Role (NPAS) on your Server 2008. Incidentally, NPAS replaces IAS (Internet Authentication Service) in Windows 2003.
Microsoft’s NAP Administration Server. This main NAP Server checks the network policies (formerly RAS Policies), analyzes the Vista laptops or XP desktops and then decides whether or not to allow access to the network. While it is a Windows Server 2008 machine, it does not have to be a domain controller, but as I mentioned earlier, do install the NPAS role.
System Health Validator (SHV). This component determines whether the the SoH (Statement of Health) issued by the client’s SHA (System Health Agent), matches the required health policy criteria on the server.
Quarantine Agent (QA). This reports the client’s health status.
Health Policy. This is a list of conditions, you can have a different policy for each of these technologies; IPSEC, DHCP, 802.1 or VPN.
Accounts Database. This is a portion of Active Directory that stores NAP properties for a computer or user.
Health Certificate Server, IIS on Windows Server 2008.
Remediation server (Optional). This server is designed to help treat unhealthy clients, consequently it has the patches, virus signature updates, which may cure an unhealthy machine. However, further policies decide which machines get the patches, for example, it would be too intrusive to add software patches to visitors’ machines. In practice, this remediation server could also be the anti-virus / update server.
The main reason to monitor your network is to check that your all your servers are available. If there is a network problem you want an interface to show the scope of the problem at a glance.
Even when all servers and routers are available, sooner or later you will be curious to know who, or what, is hogging your precious network’s bandwidth. A GUI showing the top 10 users makes interesting reading.
Another reason to monitor network traffic is to learn more about your server’s response times and the use of resources. To take the pain out of capturing frames and analysing the raw data, Guy recommends that you download a copy of the SolarWindsfree Real-time NetFlow Analyzer.
You may have seen similar to these Network Policies in W2K3 RAS policies and profiles.
This creates the most secure configuration. IPSec and NAP work in tandem to ensure that all machines are healthy, and furthermore they only communicate using the encrypted IPSec protocol.
Probably the most common implementation of NAP, every time the client asks to renew its IP address DHCP enforces health compliance.
Restricts access at the wireless access points until the clients are confirmed as healthy. Windows 8 Wireless
The VPN server enforces the policies whenever a client computer attempts a connection over the VPN.
NPS (Network Policy Server) / Radius
Similar to VPN.
You can also apply NAP and its policies to Terminal Server connections.
Summary of NAP (Network Access Protection)
The idea of Network Access Protection (NAP) is to identify and then to isolate ‘unhealthy’ computers. To be frank, the most likely source of ‘unhealthy’ computers is likely to be a visiting laptop. NAP is a client server technology which gives you a range of options for dealing with machines that lack up-to-date virus signatures, patches or service packs.
Windows Server 2008 provides NP (Network Protection) policies and enforces their implementation. As a result there is no excuse for virus ridden laptops to infect your network. However NAP is not all ‘bad guy’, it can be configured to apply patches and so bring machines up to the standards required to communicate with your servers.
With NAP you configure policies for IPsec enforcement, 802.1X enforcement, VPN enforcement, DHCP , depending on their needs. Microsoft provides an infrastructure and an API, which vendors and software developers can use to build their own health validation components.
If you like this page then please share it with your friends