Computers blogs
flyg till köpenhamn

MCC 2011 Awardee

MCC 2011 Awardee
MCC 2011 Awardee

Recommended Books and Devices

Saturday, October 9, 2010

Time for a NAP

As a kid, i used to be cajoled to take naps(or Siesta,as my mum called it) in the afternoons.Now as a System engineer/administrator i still need NAP, for my networks and the computers in my networks to meet certain compliance requirements for a healthy network.Did i hear u ask how?

 NAP, as i know it now, stands for Network Access Protection.NAP is a new set of operating system components in Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 that provides a platform for system health validated access to private networks. The NAP platform provides an integrated way of validating the health state of a network client that is attempting to connect to or communicate on a network and limiting the access of the network client until the health policy requirements have been met. 

To control access to network resources,based on requesting computers health status,the following functionalities need to be put in place:

·         Health state validation  Determines whether the computers are compliant with health policy requirements.
·         Network access limitation  Limits access for noncompliant computers.
·         Automatic remediation  Provides necessary updates to allow a noncompliant computer to become compliant without user intervention.
·         Ongoing compliance  Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements.
Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 provide the following NAP enforcement methods:
·         Internet Protocol security (IPsec) enforcement for IPsec-protected communications
·         802.1X enforcement for IEEE 802.1X-authenticated connections
·         Virtual Private Network (VPN) enforcement for remote access VPN connections
·         Dynamic Host Configuration Protocol (DHCP) enforcement for DHCP-based address configuration
·         Terminal Server (TS) Gateway connections.

Network access protection client-server architecture is depicted in the image below:
·         NAP clients  Computers that support the NAP platform for system health-validated network access or communication.
·         NAP enforcement points(VPN servers,DHCP servers,Network access devices)  Computers or network access devices that provide access to a resource and that use NAP or can be used with NAP to require the evaluation of a NAP client’s health state and provide restricted network access or communication. NAP enforcement points use a Network Policy Server (NPS) that is acting as a NAP health policy server to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. Examples of NAP enforcement points are the following:
·         Health Registration Authority (HRA)  A computer running Windows Server 2008 and Internet Information Services (IIS) that obtains health certificates from a certification authority (CA) for compliant computers.

·         NAP health policy servers  Computers running Windows Server 2008 and the NPS service that store health requirement policies and provide health state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy provided with Windows Server 2003. NPS can also act as an authentication, authorization, and accounting (AAA) server for network access. When acting as a AAA server or NAP health policy server, NPS is typically run on a separate server for centralized configuration of network access and health requirement policies, as Figure 1 shows. The NPS service is also run on Windows Server 2008-based NAP enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the NPS service is acting as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.
·         Health requirement servers  Computers that provide current system health state for NAP health policy servers. For example, a health requirement server for an antivirus program tracks the latest version of the antivirus signature file.
·         Active Directory® Domain Service  The Windows directory service that stores account credentials and properties and Group Policy settings. Although not required for health state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.
·         Restricted network (some people may choose to call this a DMZ network(Demilitarized zone) A separate logical or physical network that contains:
·         Remediation servers  Computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers.
·         NAP clients with limited access  Computers that are placed on the restricted network when they do not comply with health requirement policies.


The NAP client uses the appropriate security or authentication protocol (SSL(Secure socket layer),PEAP(Protected extensible authentication protocol),(Extensible authentication protocol)EAP,(Point-to-point) protocol )PPP...) depending on the resource the client is trying to access to craete protected session to send its current system health state to the HRA and request a health certificate. The HRA also uses the appropriate protocol  to send remediation instructions (if the NAP client is noncompliant) or a health certificate to the NAP client(if compliant).

While the NAP client has unlimited access to the intranet, it accesses the remediation server to ensure that it remains compliant. For example, the NAP client periodically checks an antivirus server to ensure that it has the latest antivirus signature file or a software update server, such as Windows Update Services, to ensure that it has the latest operating system updates.
If the NAP client has limited access, it can communicate with the remediation server to become compliant, based on instructions from the NAP health policy server. For example, if during the health validation process the NAP health policy server determined that the NAP client does not have the most current antivirus signature file, the NAP health policy server instructs the NAP client to update its local signature file with the latest file that is stored on a specified antivirus server.
The HRA sends RADIUS(Remote authentication dial-in user service) messages to the NAP health policy server that contain the NAP client's system health state. 
The NAP health policy server sends RADIUS messages to:
·         Indicate that the NAP client has unlimited access because it is compliant. Based on this response, the HRA obtains a health certificate and sends it to the NAP client.
·         Indicate that the NAP client has limited access until it performs a set of remediation functions. Based on this response, the HRA does not issue a health certificate to the NAP client.
Because the HRA in Windows Server 2008 does not have a built-in RADIUS client, it uses the NPS service as a RADIUS proxy to exchange RADIUS messages with the NAP health policy server.

When performing network access validation for a NAP client, the NAP health policy server might have to contact a health requirement server to obtain information about the current requirements for system health. For example, the NAP health policy server might have to contact an antivirus server to check for the version of the latest signature file or to contact a software update server to obtain the date of the last set of operating system updates.

So whether you'r instructing your kids or doing your million Naira/dollar job of instructing your network,taking a NAP really does pay-off.