Manage Risk Within the Network

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

A collaborative work environment often requires that different types of user access are allowed. Allowing guests, partners, and vendors access to corporate resources, while good for productivity, is associated with increased security risks. By adding a health evaluation component to requirements for network access, you can divide your network into independent, logical segments, each of which has its own traffic management and security policies.

Some examples of network segmentation include wireless LANs and customer extranets. Placing corporate users, customers, and vendors in their own policy-based segment allows you to manage the users and contain potential threats to the network. By combining NAP with good security practices, you can independently manage different areas of the network and implement customized health policies so that they will produce the most benefit. See the following figure.

Figure: Use of different health requirements for different users and devices on your network allows you to create and manage logical segments.

Policy-based segmentation provides the ability to manage access to functional areas of the network without adding devices and the administrative burden associated with them. NAP also works with several common network technologies used to isolate network segments:

NAP enforcement method, access control method, and description:

  • IPsec enforcement
    Access control method: Server and domain isolation
    Description: Creates a trusted communication channel with ongoing integrity checking.

  • 802.1X enforcement
    Access control method: Virtual LAN (VLAN) and access control list (ACL)
    Description: VLAN: Segments a switched network into broadcast domains. ACL: Restricts traffic based on IP address, TCP port, and UDP port.

  • VPN enforcement
    Access control method: IPv4 and IPv6 packet filters
    Description: Restricts traffic based on IPv4 or IPv6 address, TCP port, and UDP port.

  • DHCP enforcement
    Access control method: IP segmentation
    Description: Restricts routing of IP traffic from the host.

In addition, you can use NAP to further segment your network by requiring client computers or computers running Windows Server 2008 to meet specific configuration conditions, such as having an active firewall or critical security update installed.

Isolation scenarios

With NAP, access can be controlled by:

  • Client identity

  • Client health

  • Client identity and client health

Isolation based on identity

Identity-based isolation is performed by each client and server by validating credentials before allowing access to the network or before accepting an incoming network communication. Credentials can be provided in multiple forms as long as both hosts trust the credential provider. This type of network isolation provides clients and servers with protection by blocking access to client computers and users that cannot be authenticated. In this solution, hosts can initiate communication to other computers or accept communications from specific resources only if permitted by an identity-based network policy. NAP health policies can be configured for user- or computer-based identity verification, or a combination of both.

Isolation based on health

Like identity-based isolation, this concept uses a credential to control access to the isolated network. In this scenario, clients and servers within the isolated network need to know the health state of another host before accepting any network communication. Health state is defined by administrative policy using the NAP health policy server. A health policy might require specified antivirus signatures and update levels and other host security settings. Rather than using a corporate directory and authentication service, the client’s health status can provide the credentials for access to the isolated network. Clients and servers that are noncompliant with health requirements cannot communicate with hosts within the isolated network. However, remediation servers are available to those hosts to help them meet health requirements. After health requirements are met, the host can access the isolated network.

Isolation based on identity and health

By combining identity-based isolation with health evaluation, you have the flexibility to create zones within your network with varied levels of accessibility, trust, and protection. You can confine access to users you trust or provide unrestricted user access. Regardless of the level of authentication required, you can improve levels of protection against network attacks by combining this authentication with health assurance.
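The three isolation scenarios above (identity, health, and identity plus health) can be modelled as one decision function. The following is an added illustration, not Microsoft's NAP code or protocol: the statement-of-health fields, the policy thresholds, and the segment names ("full", "restricted", "blocked") are constructed for this example, with "restricted" standing for the remediation-only network the page describes.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model of the NAP decision flow described above (not Microsoft's code):
# a client reports its health, the policy server evaluates it, and the enforcement
# point places the host in full access, a restricted remediation segment, or blocks it.

@dataclass
class StatementOfHealth:
    host: str
    authenticated: bool          # user- or computer-based identity check passed
    firewall_on: bool
    av_signature_date: date
    missing_critical_updates: int

@dataclass
class HealthPolicy:
    max_signature_age_days: int = 7   # hypothetical threshold
    require_firewall: bool = True
    allow_missing_updates: int = 0

def evaluate_health(soh, policy, today):
    """Return the list of unmet health requirements (empty means compliant)."""
    failures = []
    if policy.require_firewall and not soh.firewall_on:
        failures.append("firewall disabled")
    if (today - soh.av_signature_date).days > policy.max_signature_age_days:
        failures.append("antivirus signatures out of date")
    if soh.missing_critical_updates > policy.allow_missing_updates:
        failures.append(f"{soh.missing_critical_updates} critical update(s) missing")
    return failures

def decide_access(soh, policy, today, mode="identity+health"):
    """Map a client to a segment under one isolation model; returns (segment, reasons)."""
    if mode in ("identity", "identity+health") and not soh.authenticated:
        # Identity-based isolation: unauthenticated hosts get no access at all.
        return "blocked", ["identity could not be verified"]
    if mode in ("health", "identity+health"):
        reasons = evaluate_health(soh, policy, today)
        if reasons:
            # Noncompliant hosts reach only the remediation servers.
            return "restricted", reasons
    return "full", []

if __name__ == "__main__":
    today = date(2014, 3, 10)   # constructed evaluation date
    client = StatementOfHealth("pc2", True, True, date(2014, 2, 1), 0)
    print(decide_access(client, HealthPolicy(), today))
```

Running the block places a host with month-old signatures in the restricted segment even though its identity was verified, which is the combined model's intended behaviour.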