Network Access Protection (NAP)
Network Access Protection (NAP) is one of the most desired and highly anticipated features of Windows Server 2008. NAP is a new platform and solution that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.
How NAP Works
NAP is designed so that administrators can configure it to meet the individual needs of their networks. Therefore, the actual configuration of NAP will vary according to the administrator’s preferences and requirements. However, the underlying operation of NAP remains the same. This section describes how NAP works on an example intranet.

This example intranet is configured for the following:
- Health state validation, health policy compliance, and limited network access for noncompliant NAP clients
- IPsec enforcement, 802.1X enforcement, VPN enforcement, and DHCP enforcement
When obtaining a health certificate, making an 802.1X-authenticated or VPN connection to the intranet, or leasing or renewing an IPv4 address configuration from the DHCP server, each NAP client is classified in one of the following ways:
- NAP clients that meet the health policy requirements are classified as compliant and allowed unlimited access or normal communication on the intranet.
- NAP clients that do not meet the health policy requirements are classified as noncompliant and have their access limited to the restricted network until they meet the requirements. A noncompliant NAP client does not necessarily have a virus or some other active threat to the intranet, but it does not have the software updates or configuration settings required by health policy. Therefore, noncompliant NAP clients pose health risks to the rest of the intranet. The SHAs (system health agents) on NAP clients can automatically update computers with limited access with the software or configuration settings required for unlimited access.
The example intranet in Figure 1 contains a restricted network. A restricted network can be defined logically or physically. IP filters, static routes, or a VLAN identifier are placed on the connection of NAP clients with limited access to define the remediation servers with which they can communicate.
Because most intranets contain a heterogeneous mixture of computers and devices, an administrator might choose to exempt some computers or devices from health policy requirements. For example, computers running versions of Windows prior to Windows XP and operating systems other than Windows do not support NAP. In a limited access environment, these computers will always have limited access. To prevent limited access for these computers, the administrator can configure an exception health policy on the NAP health policy server; exempted computers are not checked for compliance and have unlimited access to the intranet.
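The classification, restricted-network filtering and exemption behaviour described above can be modelled in a few dozen lines. The following Python model is an added example, not code from this documentation or from Windows Server; the health policy contents, the exempt platforms, the remediation server addresses and the client health states are all constructed for the example, and the remediation-instruction format is an assumption of the model.

```python
"""Toy model of the decision a NAP health policy server makes for one client.

Added example (not NAP product code). Policy, exemptions, addresses and
client states below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed health policy: every SHA-reported setting a client must match.
HEALTH_POLICY = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "antivirus_signatures_current": True,
    "auto_update_enabled": True,
}

# Constructed exception health policy: platforms that cannot run a NAP client
# are not checked for compliance and receive unlimited access.
EXEMPT_PLATFORMS = {"Windows 2000", "Linux", "Printer firmware"}

# Constructed restricted network: the IP filters placed on a limited-access
# client's connection allow only these remediation servers.
REMEDIATION_SERVERS = [ip_network("10.0.99.10/32"), ip_network("10.0.99.11/32")]


@dataclass
class HealthState:
    platform: str
    checks: dict = field(default_factory=dict)   # SHA name -> reported value


@dataclass
class Decision:
    classification: str          # "compliant", "noncompliant" or "exempt"
    access: str                  # "unlimited" or "limited"
    remediation: list = field(default_factory=list)   # instructions for the SHAs


def evaluate(state: HealthState) -> Decision:
    """Classify a NAP client the way the health policy server does."""
    if state.platform in EXEMPT_PLATFORMS:
        return Decision("exempt", "unlimited")
    # A check the client did not report counts as failed: health is never assumed.
    failed = [name for name, required in HEALTH_POLICY.items()
              if state.checks.get(name) != required]
    if not failed:
        return Decision("compliant", "unlimited")
    # Assumed instruction format: "set <check> to <value>".
    return Decision("noncompliant", "limited",
                    remediation=[f"set {name} to {HEALTH_POLICY[name]}" for name in failed])


def restricted_filter_allows(decision: Decision, dst: str) -> bool:
    """IP-filter check on the client's connection: limited access reaches only
    the remediation servers, unlimited access reaches any destination."""
    if decision.access == "unlimited":
        return True
    addr = ip_address(dst)
    return any(addr in net for net in REMEDIATION_SERVERS)


def remediate(state: HealthState, decision: Decision) -> HealthState:
    """Model the SHAs applying the remediation instructions they were given."""
    for instruction in decision.remediation:
        _, name, _, value = instruction.split(" ", 3)
        state.checks[name] = (value == "True")
    return state


if __name__ == "__main__":
    laptop = HealthState("Windows Vista", {"firewall_enabled": True,
                                          "antivirus_enabled": True,
                                          "antivirus_signatures_current": False})
    first = evaluate(laptop)
    print(first)                                   # noncompliant, limited, 2 instructions
    print(restricted_filter_allows(first, "10.0.99.10"),   # True: remediation server
          restricted_filter_allows(first, "10.0.1.5"))     # False: rest of intranet
    print(evaluate(remediate(laptop, first)))      # compliant, unlimited
    print(evaluate(HealthState("Linux")))          # exempt, unlimited
```

The model makes one point explicit that the prose leaves implicit: a setting the client does not report at all is treated as a failed check, so a client whose SHA is missing or silent is limited rather than waved through. Exempt platforms skip the check entirely, which is why an exception health policy should be kept as narrow as the inventory allows.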
How IPsec Enforcement Works
The following process describes how IPsec enforcement works for a NAP client that is starting on the example intranet shown in Figure 1:
1. The IPsec Relying Party EC component sends its current health state to the HRA.
2. The HRA sends the NAP client’s health state information to the NAP health policy server.
3. The NAP health policy server evaluates the health state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the HRA. If the NAP client is not compliant, the results include health remediation instructions. The HRA sends the NAP client the health evaluation results.
4. If the health state is compliant, the HRA obtains a health certificate for the NAP client. The NAP client can now initiate IPsec-protected communication with other compliant computers using its health certificate for IPsec authentication, and respond to communications initiated from other compliant computers that authenticate using their own health certificate.
5. If the health state is not compliant, the HRA does not issue a health certificate. The NAP client cannot initiate communication with other computers that require a health certificate for IPsec authentication. However, the NAP client can initiate communications with remediation servers to correct its health state.
6. The NAP client sends update requests to the appropriate remediation servers.
7. The remediation servers provision the NAP client with the required updates for compliance with health requirements. The NAP client updates its health state information.
8. The NAP client sends its updated health state information to the HRA and the HRA sends the updated health state information to the NAP health policy server.
9. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and sends that result to the HRA.
10. The HRA obtains a health certificate for the NAP client. The NAP client can now initiate IPsec-protected communication with other compliant computers.
How 802.1X Enforcement Works
The following process describes how 802.1X enforcement works for a NAP client that is initiating an 802.1X-authenticated connection on the example intranet shown in Figure 1:
1. The NAP client and the Ethernet switch or wireless AP begin 802.1X authentication.
2. The NAP client sends its user or computer authentication credentials to the NAP health policy server, which is also acting as a AAA server.
3. If the authentication credentials are not valid, the connection attempt is terminated.
4. If the authentication credentials are valid, the NAP health policy server requests the health state from the NAP client.
5. The NAP client sends its health state information to the NAP health policy server.
6. The NAP health policy server evaluates the health state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the Ethernet switch or wireless AP. If the NAP client is not compliant, the results include a limited access profile for the Ethernet switch or wireless AP and health remediation instructions for the NAP client.
7. If the health state is compliant, the Ethernet switch or wireless AP completes the 802.1X authentication and the NAP client has unlimited access to the intranet.
8. If the health state is not compliant, the Ethernet switch or wireless AP completes the 802.1X authentication but limits the access of the NAP client to the restricted network. The NAP client can send traffic only to the remediation servers on the restricted network.
9. The NAP client sends update requests to the remediation servers.
10. The remediation servers provision the NAP client with the required updates for compliance with health policy. The NAP client updates its health state information.
11. The NAP client restarts 802.1X authentication and sends its updated health state information to the NAP health policy server.
12. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the Ethernet switch or wireless AP to allow unlimited access.
13. The Ethernet switch or wireless AP completes the 802.1X authentication and the NAP client has unlimited access to the intranet.
How VPN Enforcement Works
The following process describes how VPN enforcement works for a NAP client that is initiating a remote access VPN connection to the example intranet shown in Figure 1:
1. The NAP client initiates a remote access connection to the VPN server.
2. The NAP client sends its user authentication credentials to the NAP health policy server, which is also acting as a AAA server.
3. If the authentication credentials are not valid, the VPN connection attempt is terminated.
4. If the authentication credentials are valid, the NAP health policy server requests the health state from the NAP client.
5. The NAP client sends its health state information to the NAP health policy server.
6. The NAP health policy server evaluates the health state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the VPN server. If the NAP client is not compliant, the results include a set of packet filters for the VPN server and health remediation instructions for the NAP client.
7. If the health state is compliant, the VPN server completes the VPN connection and the NAP client has unlimited access to the intranet.
8. If the health state is not compliant, the VPN server completes the VPN connection but, based on the packet filters, limits the access of the NAP client to the restricted network. The NAP client can send traffic only to the remediation servers on the restricted network.
9. The NAP client sends update requests to the remediation servers.
10. The remediation servers provision the NAP client with the required updates for compliance with health policy. The NAP client updates its health state information.
11. The NAP client restarts authentication with the VPN server and sends its updated health state information to the NAP health policy server.
12. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the VPN server to allow unlimited access.
13. The VPN server completes the VPN connection and the NAP client has unlimited access to the intranet.
How DHCP Enforcement Works
The following process describes how DHCP enforcement works for a NAP client that is attempting an initial DHCP configuration on the example intranet shown in Figure 1:
1. The NAP client sends a DHCP request message containing its health state information to the DHCP server.
2. The DHCP server sends the health state information of the NAP client to the NAP health policy server.
3. The NAP health policy server evaluates the health state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the DHCP server. If the NAP client is not compliant, the results include a limited access configuration for the DHCP server and health remediation instructions for the NAP client.
4. If the health state is compliant, the DHCP server assigns an IPv4 address configuration for unlimited access to the NAP client and completes the DHCP message exchange.
5. If the health state is not compliant, the DHCP server assigns an IPv4 address configuration for limited access to the restricted network to the NAP client and completes the DHCP message exchange. The NAP client can send traffic only to the remediation servers on the restricted network.
6. The NAP client sends update requests to the remediation servers.
7. The remediation servers provision the NAP client with the required updates for compliance with health policy. The NAP client updates its health state information.
8. The NAP client sends a new DHCP request message containing its updated health state information to the DHCP server.
9. The DHCP server sends the updated health state information of the NAP client to the NAP health policy server.
10. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the DHCP server to assign an IPv4 address configuration for unlimited access to the intranet.
11. The DHCP server assigns an IPv4 address configuration for unlimited access to the NAP client and completes the DHCP message exchange.
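The four procedures above (IPsec, 802.1X, VPN and DHCP enforcement) share one cycle: an optional credential check, a health evaluation by the NAP health policy server, an enforcement-specific response for limited or unlimited access, remediation, and re-evaluation. The Python model below is an added example that is not code from this documentation or from Windows Server; it runs that cycle for all four methods, including the two outcomes the steps do not spell out: an 802.1X or VPN attempt with invalid credentials ends before any health check, and a client whose remediation servers cannot supply a required update stays on the restricted network. The update identifiers, credentials, remediation catalogue and per-method response strings are constructed for the example.

```python
"""Generic NAP enforcement cycle across the four enforcement methods.

Added example (not NAP product code). Requirements, credentials, catalogue
contents and response descriptions are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed health policy: update identifiers every client must have installed.
REQUIRED_UPDATES = {"KB-A", "KB-B", "KB-C"}

# Constructed AAA database consulted by the 802.1X and VPN enforcement methods.
VALID_CREDENTIALS = {("contoso\\alice", "correct-horse")}

# Constructed remediation catalogue: updates the remediation servers can supply.
REMEDIATION_CATALOGUE = {"KB-A", "KB-B", "KB-C"}

# Per-method behaviour taken from the procedures above: whether credentials are
# checked first, and what the enforcement point does for each health result.
ENFORCEMENT = {
    "ipsec":  {"auth": False,
               "unlimited": "HRA obtains a health certificate for the client",
               "limited": "no health certificate; client reaches only remediation servers"},
    "802.1x": {"auth": True,
               "unlimited": "switch/AP completes 802.1X authentication with full access",
               "limited": "switch/AP applies the limited access profile (restricted network)"},
    "vpn":    {"auth": True,
               "unlimited": "VPN server completes the connection with full access",
               "limited": "VPN server applies packet filters limiting the client to remediation servers"},
    "dhcp":   {"auth": False,
               "unlimited": "DHCP server assigns an IPv4 configuration for unlimited access",
               "limited": "DHCP server assigns an IPv4 configuration for the restricted network"},
}


@dataclass
class NapClient:
    installed: set = field(default_factory=set)
    credentials: tuple = ("", "")


@dataclass
class Outcome:
    state: str            # "terminated", "unlimited" or "limited"
    action: str           # what the enforcement point did last
    rounds: int           # number of health evaluations performed
    log: list = field(default_factory=list)


def health_policy_server(installed: set) -> set:
    """Return the missing updates; an empty set means the client is compliant."""
    return REQUIRED_UPDATES - installed


def remediation_server(client: NapClient, missing: set, catalogue: set) -> None:
    """Provision what the catalogue holds; anything else stays missing."""
    client.installed |= missing & catalogue


def enforce(method: str, client: NapClient,
            catalogue: set = REMEDIATION_CATALOGUE, max_rounds: int = 3) -> Outcome:
    """Run one NAP enforcement cycle for the given method and client."""
    spec = ENFORCEMENT[method]
    log = []
    # 802.1X and VPN authenticate before any health check; invalid credentials
    # terminate the attempt and the health state is never requested.
    if spec["auth"] and client.credentials not in VALID_CREDENTIALS:
        log.append("authentication failed; connection attempt terminated")
        return Outcome("terminated", "none", 0, log)
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        missing = health_policy_server(client.installed)
        if not missing:
            log.append(f"round {rounds}: compliant -> {spec['unlimited']}")
            return Outcome("unlimited", spec["unlimited"], rounds, log)
        log.append(f"round {rounds}: noncompliant, missing {sorted(missing)} -> {spec['limited']}")
        before = set(client.installed)
        remediation_server(client, missing, catalogue)
        if client.installed == before:
            # Nothing could be fixed; re-evaluating would not change the result.
            log.append("remediation made no progress; client stays on the restricted network")
            break
    return Outcome("limited", spec["limited"], rounds, log)


if __name__ == "__main__":
    ok = ("contoso\\alice", "correct-horse")
    for method in ENFORCEMENT:
        result = enforce(method, NapClient({"KB-A"}, ok))
        print(method, result.state, result.rounds, *result.log, sep="\n  ")
    print("\n".join(enforce("vpn", NapClient({"KB-A"}, ok), catalogue={"KB-B"}).log))
```

Two details of the model are worth keeping in mind when reading the procedures. First, the health evaluation is identical for all four methods; only the enforcement point's response differs, which is why the same health policy server can serve every method at once. Second, the cycle is bounded: a client that cannot be remediated is left with limited access rather than re-evaluated indefinitely, so a remediation server that lacks a required update shows up as a client stuck on the restricted network, not as a client that eventually gets through.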