Choose an Enforcement Method

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista

To choose the right NAP enforcement method for your network, review the following sections of this guide to understand the details of how each enforcement method works and determine which method best meets your deployment goals:

• Identifying Your NAP Deployment Goals

• Mapping Your Deployment Goals to a NAP Design

• Evaluating NAP Design Examples

You might also consider the following when choosing an enforcement method:

• Infrastructure. How well does your current network support the enforcement method?

• Cost. Which aspect of your NAP deployment is more important: cost or flexibility?

• Complexity. Do you have the expertise to implement and maintain your deployment?

• Security. How secure is the enforcement method?

Infrastructure

All NAP enforcement methods can be implemented using a minimum of one computer running Windows Server 2008 R2 or Windows Server 2008. All enforcement methods require that NPS is installed on this computer and configured to evaluate the health of NAP clients. Additional required services depend on the enforcement method. For example, IPsec, VPN, and DHCP enforcement methods require a NAP enforcement server running Windows Server 2008 R2 or Windows Server 2008. The 802.1X enforcement method requires network hardware that supports the 802.1X authentication method and is capable of controlling port characteristics using RADIUS tunnel attributes. For more information, see NAP Configuration Overview.

Cost

Because support for it is built into the Windows operating system, the cost of deploying NAP is typically low, but depends on how well your existing network hardware and software support your design. If you have deployed Windows Server 2008 R2 or Windows Server 2008 on your network, then you already have some or all of the components required to deploy NAP. Some NAP enforcement methods might require an upgrade of the components of your network infrastructure. For example, deploying NAP with 802.1X enforcement can be costly if you do not already have hardware that supports 802.1X authentication. If you already have hardware that supports 802.1X, then it is likely that you can deploy NAP with 802.1X enforcement at minimal cost. If your hardware does not support NAP, in some cases adding support can be as simple as downloading and installing new firmware. To determine the costs associated with a NAP deployment, review hardware and software requirements for the enforcement methods you have chosen and determine whether server and network hardware upgrades are required. Additional costs that might also be associated with a NAP deployment include planning and design costs and the training of support personnel.

Complexity

NAP with IPsec enforcement is generally the most complex enforcement method to deploy because it requires a public key infrastructure (PKI) and IPsec policies to create logical networks. However, Windows Server 2008 R2 and Windows Server 2008 include tools for managing and monitoring IPsec that eliminates much of this complexity. The 802.1X enforcement method is next in terms of complexity, followed by VPN enforcement. DHCP enforcement is the least complex enforcement method to deploy.

Security

IPsec enforcement is a powerful method for protecting compliant computers from any others; it can be combined with server and domain isolation to ensure that after a computer has demonstrated it is compliant, it will still be restricted to communicating only with authorized hosts. IPsec provides other benefits, too. Network packets are authenticated, which reduces the risk of man-in-the-middle and replay attacks, and traffic can be encrypted with IPsec, providing a high degree of protection from eavesdropping attacks.

Like IPsec, 802.1X offers a high degree of protection. Several enhancements to 802.1X are also available that provide improved security. Until a client has demonstrated that it complies with the organization’s health requirements, its access to the network will be restricted by the network switches and wireless access points. These restrictions can be very difficult to bypass, even by a determined malicious user.

VPN enforcement is a good choice for protecting remote access to the corporate network. Clients that connect to a NAP-enabled VPN server can be granted restricted access to the network at the point of entry using IP packet filters. The health of remote client computers is evaluated when the client connects and it is monitored during the VPN session. If a client computer becomes noncompliant, then access is restricted until the computer is compliant.

DHCP enforcement restricts noncompliant computers by providing a limited IPv4 address configuration. It is the least secure NAP enforcement method. It is easily bypassed by an advanced user who has administrative privileges on the computer.

Combining NAP enforcement methods

It is possible to use more than one enforcement method simultaneously. An organization might invest additional resources into combining these enforcement technologies because they have complementary strengths and weaknesses. NAP with VPN enforcement can be used to enforce organizational compliance policies on remote clients, while NAP with IPsec enforcement can be used for local clients. 802.1X and IPsec offer a particularly robust combination because together they can restrict network connectivity at multiple layers of the network protocol stack. The following table shows which enforcement methods can be combined. Keep in mind that the complexity of your NAP deployment will increase when you combine enforcement methods.

	IPsec	802.1X	VPN	DHCP
IPsec
802.1X			X
VPN		X		X
DHCP			X