Chapter 4.  NAP Enforcement Options

NAP allows IT to enforce organizational policies when client computers attempt to connect to the corporate network. These policies are referred to as health policies. When a client device meets the health policy requirements, it is considered compliant. Four methods are available for restricting client devices until they have demonstrated that they meet the policy requirements. IT pros can implement a single method or combine several methods to increase the robustness of the solution.

IPsec Enforcement

When IPsec is used, the client device is able to communicate with only a limited number of servers until it has demonstrated its compliance. Other managed systems will ignore network traffic from these client devices unless they prove their compliance or are exempted from compliance checks. When compliance has been confirmed, the client device achieves unrestricted access, because the managed systems are able to recognize that its compliance status has been established. IPsec enforcement can be complex to deploy, because it relies on IPsec and certificates issued from a public key infrastructure (PKI). However, it is robust and does not involve upgrading infrastructure components such as Ethernet switches or DHCP servers.

802.1X Enforcement

When 802.1X is used—over either wired or wireless networks—the client device’s access is restricted by network infrastructure devices such as wireless access points and switches. Until the device has demonstrated its compliance, client access is restricted. Restriction is enforced on the network access device using an access control list (ACL) or by placing the client device on a restricted virtual local area network (VLAN). The 802.1X standard is more complex to deploy than DHCP, but it provides a high degree of protection.

VPN Enforcement

When VPN enforcement is used, the VPN server itself restricts the client device’s access by using IP filters until the client device has demonstrated its compliance. When compliance has been proven, the VPN server lifts the restrictions and grants the client device full access. VPN enforcement is less complex than either IPsec or 802.1X, but it can restrict only remote client devices and is not appropriate for controlling the access of client devices that connect locally. VPN enforcement requires the RRAS service in Windows Server 2008 and the Microsoft VPN client included with Windows XP with SP3, Windows Server 2008, and Windows Vista.

DHCP Enforcement

When DHCP is used, the DHCP server assigns an Internet Protocol version 4 (IPv4) address configuration to client devices that allows them limited access to the network until they have demonstrated compliance with the organization’s health policies. When a client device has proven its compliance, it receives a new configuration that grants it unrestricted access. Although DHCP enforcement is the simplest to deploy, it is also the easiest for malicious users to bypass if they have administrative privileges on their computer, because they can manually configure their computer with a static IP address, which avoids all DHCP enforcement capabilities.
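The static-address bypass just described leaves a trace a defender can look for: a host that is active on a managed subnet but holds no DHCP lease, or that uses an address whose lease belongs to a different MAC. The following Python script is an added example, not code from the book or from NAP itself; it compares a constructed DHCP lease export with a constructed ARP table (both line formats, the subnet list and the allowlist are assumptions) and flags such hosts.

```python
"""Flag hosts on managed subnets that have no DHCP lease (likely static IP).

Added example, not from the book. Input formats are assumptions:
  DHCP lease export lines: "ip,mac,scope"
  ARP table lines:         "ip mac"
"""
import ipaddress

# Constructed sample DHCP lease export (IP, MAC, NAP scope name).
DHCP_LEASES = """\
10.0.1.20,00-11-22-33-44-01,Compliant
10.0.1.21,00-11-22-33-44-02,Compliant
10.0.9.5,00-11-22-33-44-03,Restricted
"""

# Constructed sample ARP table captured on the router for the same subnets.
ARP_TABLE = """\
10.0.1.1 00-AA-BB-CC-DD-01
10.0.1.20 00-11-22-33-44-01
10.0.1.21 00-11-22-33-44-02
10.0.1.77 00-11-22-33-44-09
10.0.9.5 00-11-22-33-44-04
"""

# Subnets under DHCP enforcement, and addresses legitimately configured statically.
MANAGED_NETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.9.0/24")]
STATIC_ALLOWLIST = {"10.0.1.1"}  # default gateway (assumed)


def parse_leases(text):
    """Return {ip: (mac, scope)} from the lease export."""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac, scope = (f.strip() for f in line.split(","))
            leases[ip] = (mac.lower(), scope)
    return leases


def parse_arp(text):
    """Return {ip: mac} from the ARP table dump."""
    return {p[0]: p[1].lower() for p in (l.split() for l in text.splitlines()) if len(p) >= 2}


def find_unleased_hosts(leases, arp):
    """Return [(ip, mac, reason)] for active hosts that bypass DHCP enforcement."""
    findings = []
    for ip, mac in arp.items():
        addr = ipaddress.ip_address(ip)
        if ip in STATIC_ALLOWLIST or not any(addr in net for net in MANAGED_NETS):
            continue
        lease = leases.get(ip)
        if lease is None:
            findings.append((ip, mac, "no DHCP lease: likely static address"))
        elif lease[0] != mac:
            findings.append((ip, mac, "MAC differs from lease holder " + lease[0]))
    return findings


if __name__ == "__main__":
    for finding in find_unleased_hosts(parse_leases(DHCP_LEASES), parse_arp(ARP_TABLE)):
        print(*finding)
```

Running the script on the sample data reports 10.0.1.77 (active with no lease) and 10.0.9.5 (lease held by another MAC); in practice the lease export would come from the DHCP server and the ARP data from the routers or switches serving the enforced subnets.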
