Understanding NAP IPsec Enforcement
Updated: March 29, 2012
Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Network Access Protection (NAP) Internet Protocol security (IPsec) enforcement provides the strongest and most flexible method for maintaining client computer compliance with network health requirements.
IPsec enforcement confines the communication on your network to those computers that are considered compliant and have acquired health certificates. By leveraging IPsec and its configuration flexibility, this NAP enforcement method allows you to define requirements for secure communications with compliant clients on a per-IP address or port number basis. For more information about IPsec, see http://go.microsoft.com/fwlink/?LinkId=50170.
Benefits of IPsec enforcement
IPsec enforcement is commonly used when you want a stronger and more robust enforcement mechanism than 802.1X, DHCP, or VPN enforcement provide. The following are the benefits of IPsec enforcement:
IPsec enforcement cannot be bypassed by reconfiguring a NAP client. A NAP client cannot receive a health certificate or initiate communication with a compliant computer by manipulating settings on the local computer, even if a user has local administrator privileges. Additionally, IPsec enforcement cannot be bypassed through the use of hubs or virtual computer technologies.
No infrastructure upgrade required
IPsec enforcement works at the Internet layer of the TCP/IP protocol suite and is therefore independent of physical network infrastructure components, such as hubs, switches, and routers.
Network access limited on per-server or per-application basis
With IPsec enforcement, compliant computers can initiate communications with noncompliant computers, but noncompliant computers cannot initiate communications with compliant computers. The administrator defines the type of traffic that must be authenticated with a health certificate and protected with IPsec through IPsec policy settings. IPsec policy allows for the creation of IP filters that can define traffic by source IP address, destination IP address, IP protocol number, source and destination TCP port, and source and destination UDP port. With IPsec policy and IP filter definition, it is possible to limit network access on a per-server or per-application basis.
Optional end-to-end encryption
By specifying IPsec policy settings, you can encrypt IP traffic between IPsec peers for highly sensitive traffic. Unlike IEEE 802.11 wireless local area networks (LANs), which only encrypt frames from the wireless client to the wireless access point, IPsec encryption is between IPsec peer computers.
IPsec enforcement and logical networks
IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are defined in terms of which computers have health certificates and which computers require IPsec authentication for incoming communication attempts. Logical networks allow you to limit access of computers that do not meet health requirements and provide compliant computers with a level of protection from noncompliant computers. IPsec enforcement defines the following logical networks:
Computers on the secure network have health certificates and require that incoming communication is authenticated with these certificates. They use a common set of IPsec policy settings for providing IPsec protection. For example, most server and client computers that are members of an Active Directory® infrastructure would be in a secure network. NAP health policy servers, servers running Active Directory Certificate Services (AD CS), and e-mail servers are examples of network components that normally reside in a secure network.
Computers on the boundary network have health certificates, but do not require IPsec authentication of incoming communication attempts. Computers in the boundary network must be accessible to computers on the entire network. These types of computers are the servers required to assess and remediate NAP client health or otherwise provide network services for computers in the restricted network, such as HRA servers, antivirus update servers, read-only domain controllers, and DNS servers. Because computers in the boundary network do not require authentication and protected communication, they must be closely managed to prevent them from being used to attack computers in the secure network.
Computers on the restricted network do not have health certificates. These are computers that have not completed health checks, are guests, or are NAP-ineligible computers, such as computers running versions of Windows that do not support NAP, Apple Macintosh computers, or UNIX-based computers.
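The following is an added example (not Microsoft's code and not the real IPsec policy format) that models the decision logic described in the two sections above: a host's logical network is derived from whether it holds a health certificate and whether its IPsec policy requires certificate authentication for inbound traffic, and IP filters on the destination decide whether a given connection attempt needs a health certificate. All host names, addresses and filters are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of NAP IPsec enforcement. This is not Microsoft's code and
# not the real IPsec policy format; it only captures the decision logic the
# text describes (logical network membership and per-server/per-port filters).

@dataclass(frozen=True)
class Filter:
    """One IP filter in a host's IPsec policy. Inbound traffic that matches it
    must be authenticated with a health certificate; None matches anything."""
    src_net: str = "0.0.0.0/0"
    protocol: Optional[str] = None     # "tcp", "udp" or None (any)
    dst_port: Optional[int] = None

    def matches(self, src_ip: str, protocol: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src_net)
                and self.protocol in (None, protocol)
                and self.dst_port in (None, dst_port))

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    has_health_cert: bool
    policy: tuple = ()                 # filters that require cert auth inbound

    def logical_network(self) -> str:
        """Membership follows from the two properties the text uses."""
        if not self.has_health_cert:
            return "restricted"
        return "secure" if self.policy else "boundary"

def can_initiate(src: Host, dst: Host, protocol: str, dst_port: int) -> bool:
    """True if src can open a connection to dst. Traffic that dst's policy does
    not cover is accepted unauthenticated; covered traffic needs src's cert."""
    needs_auth = any(f.matches(src.ip, protocol, dst_port) for f in dst.policy)
    return (not needs_auth) or src.has_health_cert

# Constructed sample hosts: a secure file server (all inbound needs a cert), an
# HRA in the boundary network, a noncompliant laptop in the restricted network,
# and a server that protects only SMB (TCP 445) but leaves HTTP (TCP 80) open.
ALL_INBOUND = (Filter(),)
FILE_SERVER = Host("fs1", "10.0.0.10", True, ALL_INBOUND)
HRA = Host("hra1", "10.0.0.20", True)              # cert held, no auth required
LAPTOP = Host("laptop", "10.0.0.50", False)
WEB_SERVER = Host("web1", "10.0.0.30", True, (Filter(protocol="tcp", dst_port=445),))

def reachability(hosts, protocol="tcp", dst_port=445):
    """Which host can initiate to which, for one protocol and destination port."""
    return {(a.name, b.name): can_initiate(a, b, protocol, dst_port)
            for a in hosts for b in hosts if a is not b}
```

Running `reachability([FILE_SERVER, HRA, LAPTOP])` reproduces the asymmetry the text states: the compliant file server can reach the laptop, the laptop cannot reach the file server, and every host can reach the HRA.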
The following figure shows an example of IPsec logical networks.