Chapter 8.  Step 4. Select Between 802.1X and DHCP

If IT decides to enforce NAP restrictions at the network layer, the organization must choose between two methods: 802.1X and DHCP. Both methods are viable, and each has pros and cons that must be carefully considered. The 802.1X standard can be more complex and expensive, but DHCP provides less security. To use 802.1X as the enforcement method, the switches and wireless access points must support the 802.1X authentication protocol, which means that the devices support Extensible Authentication Protocol (EAP) authentication pass-through to RADIUS, 802.1X authentication, traffic segmentation, and/or dynamic VLAN switching over RADIUS. Many vendors now offer hardware with these capabilities, but it is likely that organizations will have older hardware that must be upgraded or replaced if 802.1X is going to be used in conjunction with NAP. If such hardware is only partially deployed or not deployed at all, the cost of using 802.1X will rise—perhaps considerably, depending on the size of the network.

Option 1: 802.1X Enforcement

Like IPsec, 802.1X is a robust choice that offers a high degree of protection. Until a client device has demonstrated that it meets the organization’s compliance requirements, the network switches and wireless access points will restrict its access to the network. These restrictions will be difficult to bypass, even by a determined malicious user.

The potential drawback of using 802.1X for enforcement is that it may be more complex and costly to implement than DHCP. The potential cost will vary from one organization to the next, depending on the size of the network and whether the infrastructure devices are capable of supporting 802.1X and NAP. If the network switches and wireless access points do not fully support 802.1X, the organization will have to weigh the expense of upgrading or replacing these network devices versus the benefits of using 802.1X for enforcement. It may be necessary to purchase additional hardware or software, or it may be as simple as downloading and installing new firmware.

Option 2: DHCP Enforcement

DHCP is the simplest and least-expensive enforcement option. Until a computer has been proven to meet the organization’s health policies, the DHCP server assigns it an IPv4 address configuration that restricts its access to a portion of the network. DHCP enforcement requires that Windows Server 2008 be used to provide DHCP services on the network. Many organizations begin their testing and pilot deployments of NAP using DHCP enforcement, because it can be deployed quickly.

There is one significant drawback to using DHCP with NAP: It is easily bypassed by a user who has administrative privileges on his or her computer. This means that it is trivial for a malicious user and relatively easy for a technically savvy one.
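An added example of a defender-side check for the bypass just described (it is not code from this guide): reconcile the DHCP server's lease table against the hosts actually observed on a subnet, so a machine that is on the wire without a matching lease, and therefore never passed through DHCP enforcement, is flagged for review. The lease records, neighbor observations, subnet and gateway exemption are all constructed assumptions.

```python
"""Reconcile DHCP leases against hosts actually seen on a subnet.

Constructed example, not part of the NAP design guide: a host that talks
on the network without holding a DHCP lease, or whose MAC does not match
the lease for the address it is using, never passed through DHCP-based
NAP enforcement and should be reviewed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed DHCP lease table: (ip, mac, NAP state the server recorded)
LEASES = [
    ("10.1.10.20", "00:15:5d:01:aa:01", "compliant"),
    ("10.1.10.21", "00:15:5d:01:aa:02", "restricted"),
]
# Constructed neighbor/ARP observations taken from the subnet's router
OBSERVED = [
    ("10.1.10.20", "00:15:5d:01:aa:01"),
    ("10.1.10.21", "00:15:5d:01:aa:02"),
    ("10.1.10.77", "00:15:5d:01:aa:02"),  # restricted host now on an unleased address
    ("10.1.10.50", "08:00:27:de:ad:01"),  # host with no lease at all
    ("10.1.10.1", "00:00:0c:9f:f0:01"),   # the gateway itself (exempt)
]


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def find_unleased_hosts(leases, observed, subnet="10.1.10.0/24", exempt=("10.1.10.1",)):
    """Return hosts on `subnet` whose address/MAC pair is not backed by a lease."""
    net = ip_network(subnet)
    by_ip = {ip: mac for ip, mac, _ in leases}
    by_mac = {mac: (ip, state) for ip, mac, state in leases}
    findings = []
    for ip, mac in observed:
        if ip in exempt or ip_address(ip) not in net:
            continue  # infrastructure or off-subnet: out of scope
        if by_ip.get(ip) == mac:
            continue  # lease and observation agree
        if mac in by_mac:
            lease_ip, state = by_mac[mac]
            findings.append(Finding(ip, mac, f"MAC holds a {state} lease for {lease_ip} but is using {ip}"))
        elif ip in by_ip:
            findings.append(Finding(ip, mac, f"address is leased to {by_ip[ip]}, not to this MAC"))
        else:
            findings.append(Finding(ip, mac, "no DHCP lease for this host"))
    return findings
```

Feed the function real lease exports and switch or router neighbor tables to get the same reconciliation on a production subnet.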

Evaluating the Characteristics

Technical criteria are not the only factors that should be considered during an infrastructure design decision. The decision should also be mapped to appropriate operational criteria or characteristics. The following tables compare each option according to the characteristics applicable to choosing a method for enforcing NAP.

Security

  • 802.1X: 802.1X adds defense-in-depth protection by helping to isolate VLANs from one another.

  • DHCP: DHCP offers little defense-in-depth protection.

Complexity

  • 802.1X (Medium): Deployment of 802.1X is moderately complex in most situations.

  • DHCP (Low): DHCP is the simplest enforcement method to implement.

Cost

  • 802.1X (High): The cost of using 802.1X varies depending on two factors: the size of the network, and whether existing hardware can be used or upgraded (versus new hardware purchased).

  • DHCP (Low): DHCP tends to be less expensive, especially if the DHCP service in Windows Server 2008 is already deployed.

Validating with the Business

In addition to evaluating the decision in this step against IT-related criteria, planners should validate the effect of the decision on the business. The following questions have been known to affect NAP design decisions:

  • Which is more important: implementation cost or security? Although DHCP is less expensive to deploy, it offers a much lower level of protection than 802.1X.

  • How important is it to minimize the risk of malicious users accessing the network? Malicious users can easily bypass the restrictions that DHCP enforces, but 802.1X is much more robust and difficult for attackers to overcome.

Decision Summary

If either 802.1X enforcement or DHCP enforcement is chosen, the decision-making process is complete.

Additional Reading

  • "Network Access Protection Platform Architecture" at http://www.microsoft.com/technet/network/nap/naparch.mspx.

  • Chapter 15, "Preparing for Network Access Protection," in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.

  • Chapter 17, "802.1X Enforcement," in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.

  • Chapter 19, "DHCP Enforcement," in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.
