The Cable Guy - July 2005
Network Access Protection Platform Overview
Network administrators have the challenge of ensuring that computers that connect to and communicate on a private network are compliant with system health requirements. For example, compliant computers have the correct security software installed (such as antivirus protection), the current operating system updates, and the correct configuration (such as host-based firewalls enabled). This challenge is made daunting by the portable nature of laptop computers that can roam to various Internet hotspots and other private networks and the use of remote access connections made from home computers. If a connecting computer is not compliant, it can expose the private network to attacks by malicious software such as network-level viruses and worms. To provide protection against noncompliant computers, administrators need to do the following:
Centrally configure a set of policies that specify system health.
Verify system health before allowing access to the private network or to private network resources.
Isolate unhealthy computers on a restricted network containing resources to return the unhealthy computer to a healthy state.
The Network Access Protection (NAP) platform for Microsoft Windows Server 2008, Windows Vista, and Windows XP with Service Pack 3 provides components and an infrastructure that help administrators validate and enforce compliance with system health policies for network access and communication. Administrators can create solutions for validating computers that connect to or communicate on their networks, provide needed updates or access to needed resources, and limit the network access of computers that are noncompliant. The validation and enforcement features of NAP can be integrated with software from other vendors or with custom programs.
Note NAP is not designed to protect a private network from malicious users. It is designed to help administrators maintain the system health of the computers on a private network. NAP is used in conjunction with authentication and authorization of network access, such as using IEEE 802.1X for wireless access. NAP does not prevent an authenticated and authorized user with a compliant computer from spreading a malicious program to the private network or engaging in other inappropriate behavior.
For the details of NAP architecture for both the client and server, see the Network Access Protection Platform Architecture white paper
Comparing NAP with Network Access Quarantine Control
Despite their similar names, Network Access Quarantine Control, a feature of Windows Server 2003, is very different from NAP. Network Access Quarantine Control allows network administrators to perform limited health enforcement, but only for remote access connections (dial-up or VPN).
When a Network Access Quarantine Control client connects, it is restricted to a subset of reachable destinations through IP packet filters that the remote access server applies to the client's connection. The remote access client runs a script to verify system health using a custom dialer, such as a Connection Manager profile created with the Connection Manager Administration Kit (CMAK). The remote access server removes the restrictions after a notifier component on the remote access client sends a notification message to a listener component on the remote access server. The notification message indicates that the remote access client has passed all of its system health tests. All processing of whether the connecting client is compliant with system health policy is done on the client via the script. Changes in system health policy might require a new script, in which case a new Connection Manager profile must be created and distributed to all remote access clients.
When a NAP VPN client connects, its health is evaluated before the VPN connection completes. If the NAP VPN client is healthy, it has full access to the private network. If the NAP VPN client is unhealthy, the client is restricted to a subset of reachable destinations through IP packet filters that the VPN server applies to the client's connection. The restrictions are removed after the client sends its list of SoHs that comply with network policy settings. The IAS server performs the processing of whether the connecting client is compliant with system health policy. Changes in system health policy are automatically implemented by requiring that the NAP VPN client perform new correction actions.
The differences between the NAP platform and Network Access Quarantine Control are the following:
Network Access Quarantine Control is only for remote access connections (dial-up and VPN). NAP is a platform to enforce system health compliance for a variety of network access and network communication methods. VPN Quarantine in NAP only applies to remote access VPN connections.
Network Access Quarantine Control requires the creation of a script to check system health policy compliance. NAP does not require a script. Instead, you configure system health policies on the IAS server.
Network Access Quarantine Control places a remote access client in quarantine while the script is determining the client's system health. A VPN NAP client's health is evaluated during the connection establishment and is only quarantined if the client is unhealthy.
For more information, see Network Access Quarantine Control, the February 2003 The Cable Guy article.
The following table compares the components of Network Access Quarantine Control to the corresponding component in NAP for VPN quarantine.
|Network Access Quarantine Control component||NAP component|
Connection Manager profile
With NAP, a Connection Manager profile is not required. NAP capability built into the VPN QEC on the NAP client.
Notifier component on the remote access client
With NAP, there is no equivalent to the notifier component on the remote access client. The IAS server evaluates whether the VPN client is compliant with system health policy and notifies the VPN server.
With NAP, there is no script that is run on the VPN client. The IAS server determines system health based on the configured system health policy.
Routing and Remote Access service
Routing and Remote Access service with the VPN QES
Quarantine remote access policy
System health policy
Listener component on the remote access server
With NAP, there is no equivalent to the listener component that listens for a notification from the VPN client.
For More Information
For more information about NAP or Network Access Quarantine Control, consult the following resources:
For a list of all The Cable Guy articles, click here.