12.2. Microsoft Network Access Protection (NAP)

Microsoft developed Network Access Protection (NAP) to help keep networks free of malware and of vulnerabilities introduced by endpoint devices whose antivirus signature files or operating systems are out of date.

Microsoft NAP controls network access based on authentication and on how well users and endpoint devices comply with the security and access control policy. The access Microsoft NAP grants a user and endpoint device depends on the user's identity and group memberships, as well as on the device's level of policy adherence. Not only can Microsoft NAP make sure that an endpoint device is healthy enough to access an organization's network, it can also quarantine non-compliant endpoint devices and aid in their remediation.

Microsoft frames NAP around a health metaphor; its documentation therefore refers to the health of a computer or other endpoint device when discussing it.

Microsoft NAP comes as part of Microsoft Windows Vista, Windows Server 2008, and Windows XP Service Pack 3. It validates the security state and general state of health of a personal computer (PC) or device that runs Microsoft Windows Vista or Windows XP Service Pack 3 (or another operating system for which a third-party Microsoft partner provides support) while that device attempts to connect to the network. NAP can also ensure that devices comply with security and access control policies. NAP can automatically update noncompliant computers and devices, or even change their configurations through management software such as Microsoft Systems Management Server (SMS). And if NAP deems a computer or device non-compliant, an organization can reduce the exposure of its network by limiting the areas of the network that the non-compliant device can reach or by restricting the amount of time that the device may access the network. But although Microsoft NAP can help to protect a network against access by non-compliant devices, it (like most NAC solution architectures and frameworks) can't protect against access by malevolent users bent on wreaking havoc on a network.

Microsoft NAP's extensible framework encompasses a number of components.

12.2.1. Microsoft NAP Agent

The Microsoft NAP Agent is embedded in Microsoft Windows Vista and Windows XP Service Pack 3. The NAP Agent aids the flow of data between other NAP components, including the Microsoft NAP enforcement clients (ECs) and System Health Agents (SHAs). Depending on the enforcement method for Microsoft NAP, the NAP Agent can be involved in the enforcement process by serving as a supplicant or 802.1X client.

12.2.2. System Health Agents (SHAs) & System Health Validators (SHVs)

System Health Agents (SHAs) are client-side components that monitor system security and, in general, the health state of the Windows computer or endpoint device that attempts to access the network. Windows Vista and Windows XP Service Pack 3 both include an SHA for the Windows Security Center (WSC), which checks and tracks changes in the state of the WSC. This SHA is in addition to other SHAs. Third-party vendors can develop SHAs through the Microsoft NAP application programming interface (API). Allowing third-parties to develop SHAs on their own via the NAP API enables Microsoft NAP to interoperate with virtually any third-party vendor application for which the vendor has developed an SHA. It also enables NAP to leverage the data collected by that SHA on the computer or device on which it's installed, as well as using the application for which the vendor developed the SHA in the access control decision-making process.

System Health Validators (SHVs) are the yin to the SHA's yang. SHVs are the server-side components against which an SHA compares the security and health state data it collects from a device and that device's specific application. SHVs validate the compliance of the device to predefined organizational security and access control parameters. An SHV for the WSC comes in Microsoft Windows Server 2008, which corresponds to the WSC SHA found in both Windows Vista and Windows XP Service Pack 3. And, like SHAs, third-party vendors can develop SHVs through the Microsoft NAP API, enabling Microsoft NAP to further integrate with most third-party vendor applications for which the vendor developed an SHA and SHV.

12.2.3. Microsoft NAP enforcement components

The Microsoft NAP framework includes a number of enforcement components.

12.2.3.1. Enforcement clients

Microsoft NAP enforcement clients (ECs) are part of the client-side components of Microsoft NAP. The NAP ECs are eponymous, providing client-based enforcement based on compliance with security and health requirements. NAP ECs are necessary ingredients in addressing the various NAP enforcement methods, each of which is based on a specific network access or internal communications type and standard. (We describe all of these in the following sections.) Either Microsoft or third-party vendors may provide NAP ECs.

12.2.3.2. Enforcement servers

Microsoft NAP enforcement servers (ESs), like NAP ECs, are eponymous: NAP ESs, part of Microsoft NAP server components, deliver server-based enforcement of security and health rules determined by an organization. NAP ESs are part of the NAP server, which is an access device resident on a network — such as a switch, router, VPN appliance, NAC-specific appliance, and so on. NAP ESs can limit or deny network access for computers and other devices that are non-compliant with the security and access control policies of your organization. NAP servers, in conjunction with their resident NAP ESs, enforce these access control policies. And, like NAP ECs, the system needs NAP ESs to address the different available NAP enforcement methods.

12.2.3.3. Enforcement methods

Microsoft NAP enforcement methods are network access and communications methods for which NAP can control network access. You can find support for the following NAP enforcement methods in Microsoft Windows Vista, Windows XP Service Pack 3, and Windows Server 2008; you can use these NAP enforcement methods individually, in sets, or collectively to restrict or even deny network access for non-compliant PCs and other devices:

  • Internet Protocol Security (IPSec) traffic

  • IEEE 802.1X networks

  • Remote access/VPN connectivity

  • Dynamic Host Configuration Protocol (DHCP) configurations

  • Terminal server gateways

12.2.3.3.1. IPSec NAP enforcement

One of the most stringent forms of NAP-based enforcement, IPSec NAP enforcement, allows only compliant computers to communicate with other compliant computers, protected by IPSec — but only after those computers receive an IP address. The system can limit this level of IPSec communication by IP address or TCP/UDP port number. Microsoft NAP's IPSec enforcement method requires

  • A network device on the organization's network, running Microsoft Windows Server 2008, to serve as a Health Registration Authority (HRA)

  • That an EC (IPSec Relying Party EC) resides in the supported Windows platforms, as well as in Windows Server 2008

After the system deems a NAP-enabled system or device compliant with security and health mandates, the HRA gathers a certificate of health from the compliant system or device. When two compliant computers begin to communicate, protected by IPSec, these same certificates authenticate them as compliant NAP client devices.

12.2.3.3.2. 802.1X enforcement

Microsoft NAP's 802.1X enforcement enables a computer (or other device) that complies with an organization's health requirements — as established by and in Microsoft NAP — to receive network access via 802.1X-compatible switches, wireless access points, or other access devices. Microsoft NAP 802.1X enforcement actively monitors a device's health state, so it can monitor a device both pre- and post-admission. Computers and other devices that aren't compliant, or which fall out of compliance post-admission, find their network access limited by a restricted network access profile, originated by Microsoft NAP and enforced by 802.1X-compliant access devices. The restricted access profile can identify and direct a non-compliant computer or device to a specific VLAN or apply particular IP packet filters, thereby limiting network access. Microsoft Network Policy Server (NPS), resident in Windows Server 2008 (replacing Internet Authentication Service [IAS]), acts as the policy server for Microsoft NAP. The system needs NPS, as well as an EC (EAP Quarantine EC), to use 802.1X NAP enforcement. Microsoft Windows XP Service Pack 3 installations require separate ECs for wired and wireless 802.1X access.

12.2.3.3.3. Enforcement over a VPN

Microsoft NAP's enforcement over a virtual private network (VPN) insists that a computer or other device comply with device health policies before it grants that device remote network access over a VPN. IP packet filters limit network access over a VPN for computers that aren't in compliance, whether the system determines non-compliance before or after granting remote network access; Microsoft NAP's VPN enforcement actively monitors the health state of the device. Microsoft NAP enforcement via remote access/VPN requires Microsoft NPS and an EC (Remote Access Quarantine EC).

12.2.3.3.4. DHCP enforcement

Computers that are compliant with network security and access policies may obtain an IPv4 address configuration from a DHCP server that provides unlimited network access. But computers that don't meet policy under Microsoft NAP's DHCP enforcement method receive a restricted IPv4 address configuration, limiting their access to the network. Each time a DHCP client leases or renews an IP address configuration, it validates or revalidates device health. Active monitoring of the computer's health and adherence to policy dictates the open or limited nature of its network access. Microsoft NAP DHCP enforcement requires a DHCP ES (included as part of Windows Server 2008's DHCP Server service) and a complementary EC (DHCP Quarantine EC). The system considers DHCP enforcement Microsoft NAP's weakest form of NAC enforcement because a user who has appropriate access rights can easily compromise or subvert it.
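The SHA/SHV exchange from Section 12.2.2 and the DHCP enforcement just described, as an added worked model that is not Microsoft's code: a client-side statement of health is validated by SHV logic on the policy server, and the DHCP enforcement server issues either a full lease or a restricted one. The fields of the statement of health, the policy thresholds, the addresses and the shape of the restricted lease (host-only mask, no default gateway, a route only to the remediation server) are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class StatementOfHealth:  # assumed fields of what the Windows Security Center SHA reports
    firewall_on: bool
    antivirus_on: bool
    signature_date: date
    auto_update_on: bool

@dataclass
class HealthPolicy:  # assumed organizational system health requirements enforced by the SHV
    max_signature_age_days: int = 7
    require_firewall: bool = True
    require_auto_update: bool = True

def validate_health(soh, policy, today):
    """SHV logic on NPS: return the failed checks; an empty list means compliant."""
    failures = []
    if policy.require_firewall and not soh.firewall_on:
        failures.append("enable firewall")
    if not soh.antivirus_on:
        failures.append("enable antivirus")
    elif (today - soh.signature_date).days > policy.max_signature_age_days:
        failures.append("update antivirus signatures")
    if policy.require_auto_update and not soh.auto_update_on:
        failures.append("enable automatic updates")
    return failures

REMEDIATION_SERVER = "10.0.0.20"  # constructed address of the signature/patch server

def dhcp_lease(address, failures):
    """DHCP ES behaviour: a compliant client gets a routable lease; a non-compliant one
    gets a host-only mask, no gateway and a route only to the remediation server. The
    restriction exists only in the lease itself, which is why the text calls this the weakest method."""
    if not failures:
        return {"address": address, "mask": "255.255.255.0", "gateway": "10.0.0.1",
                "routes": [], "remediation": []}
    return {"address": address, "mask": "255.255.255.255", "gateway": None,
            "routes": [REMEDIATION_SERVER + "/32"], "remediation": failures}

def evaluate_client(soh, policy, today, address):
    """Policy decision followed by enforcement: validate health, then issue the lease."""
    return dhcp_lease(address, validate_health(soh, policy, today))

# Constructed sample clients: one healthy, one with its firewall off and stale signatures.
TODAY = date(2008, 3, 3)
POLICY = HealthPolicy()
HEALTHY = StatementOfHealth(True, True, date(2008, 3, 1), True)
STALE = StatementOfHealth(False, True, date(2008, 1, 1), True)
```

The remediation list returned with a restricted lease is what NPS would hand to the client as remediation instructions, so the device can reach the remediation server, fix the failed checks and revalidate on its next lease renewal.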

12.2.4. Microsoft Network Policy Server (NPS)

Microsoft Network Policy Server (NPS) is Microsoft NAP's policy server, where your organization can define your network security and access baseline — which Microsoft calls system health requirements — and where SHVs developed by third parties can reside, individually or collectively. NPS determines and validates a client device's health state. If a device doesn't comply with the health requirements set by your organization, NPS can also deliver remediation instructions for the non-compliant device. Microsoft NPS is the replacement in Microsoft Windows Server 2008 for Microsoft Internet Authentication Server (IAS), which was found in Windows Server 2003. And, like its predecessor, Microsoft NPS is also a RADIUS server, delivering authentication, authorization, and accounting (AAA) capabilities. NPS verifies user and device credentials — also referred to as network credentials — against Microsoft Active Directory for devices attempting local network connectivity via 802.1X or remote connection via VPN. The system can use NPS's duties as the NAP policy server, and its AAA and RADIUS capabilities, separately or together — for example, with Microsoft NAP 802.1X or VPN enforcement.

12.2.5. Third-party remediation servers

Third-party remediation servers include servers or other resources that update antivirus signatures, update software versions, or provide patches for applications or operating systems. They provide non-compliant computers and other devices with an organization's system health requirements, as defined and enforced by Microsoft NAP. These servers also supply the services and resources to bring those non-compliant devices back into policy compliance. The system can assign the SHAs developed by Microsoft and third-party developers, which you can find in Microsoft NAP, to communicate with either the remediation server or the application software installed on the device.

12.2.6. Third-party policy servers

Third-party policy servers can include antivirus management servers, patch management servers, and nearly any other anti-malware application server. Policy for specific third-party security applications is defined on these servers. These policy servers interface with Microsoft NAP via an SHV, typically developed by a third party — commonly the application developer — using the Microsoft NAP API. Each policy server also likely has an associated, complementary security application with a third-party SHA that communicates with Microsoft NAP and matches the policy server's SHV.
