Network Access Protection (NAP)


NAP - What is it?


In simple terms, Network Access Protection is a client/server technology for identifying compliant and non-compliant computers and then deciding what level of access each of them may have to the network (thereby stopping a non-compliant machine from infecting others with viruses and the like).


Think, for example, of remote users dialling in from their home PCs over a VPN connection: those computers are not directly controlled by the network administrator, at least not until now. If you enforce NAP, they can be denied access to your network resources until they are compliant.


Note: NAP is not designed to protect a private network from malicious users. It is designed to help administrators maintain the system health of the computers on a private network. NAP is used in conjunction with authentication and authorization of network access, such as using IEEE 802.1X for wireless access. NAP does not prevent an authenticated and authorized user with a compliant computer from spreading a malicious program to the private network or engaging in other inappropriate behavior.


But who decides what counts as compliant? That, of course, is up to the network administrator, who defines a health policy specifying the criteria a computer must meet in order to be compliant, for example having a certain level of security patches and antivirus updates. The health policy can handle a non-compliant computer in three ways, namely:-


* If the system is non-compliant, patch it to the required level first before allowing access to the network

* If the system is non-compliant, deny or restrict the user/system access until they meet the health policy criteria

* If the system is non-compliant let the user/system have access but make a note of their non-compliance in a report (called reporting mode)


In order for the 'health' of the client system to be determined, two requirements must be met: the client system (Enforcement Client or EC) must have a client component installed, and the server must have a corresponding server component.


For example, on the client a System Health Agent has the job of assessing the current health state of the client, and the server has a corresponding System Health Validator which checks the report received from the System Health Agent before proceeding. These two client/server components are referred to as the SHA and the SHV. The information that the SHA sends to the SHV is called the Statement of Health (SoH); the SHV checks this information and validates it to determine whether the EC is compliant or not. The SHV then sends a response back to the client system (EC); this response is called the Statement of Health Response, or SoHR. The SoHRs from all System Health Validators (SHVs) are collected so that a decision can be made about the client's network access, and the decision is sent back to the client so that it knows whether it is compliant or non-compliant.


What computers support NAP?


On Windows Vista and Windows Server 2008 computers the Windows NAP agent is built into the operating system. With Windows XP you need Service Pack 3 installed to use the NAP client for XP; however, the NAP Client Configuration console and the NAP product help are only available on Windows Vista and Windows Server 2008. Linux clients are also supported, with a Linux NAP client from Avenda Systems.


How does NAP get enforced?


NAP enforcement mechanisms include DHCP, VPN, IPsec, 802.1X and Terminal Services Gateway. You can use one or several depending on your needs, but each requires its own specific setup and configuration, so choose wisely. For more details on the Network Access Protection enforcement mechanisms see the NAP page on TechNet.


How do I get NAP help?


Client help is available on computers running Windows Server 2008 or Windows Vista by typing the following at the command line:-


hh nap.chm


Alternatively you could of course open the NAP Client Configuration console and press F1.


What is the Network Policy Server?


The Network Policy Server is a Windows Server 2008 computer that has the Network Policy Server role installed on it. This server has policies configured on it which determine the network access that is allowed to a client depending on the SoH from its SHA. That network access can only be decided by first configuring policies on the Network Policy Server; there are three kinds of policy:-

* Connection Request Policy, which allows network access when at least one condition is met.

* Health Policy, which identifies which SHVs are used to determine the health of computers. You will normally set up two Health Policies, one for compliant clients (health checks pass) and one for non-compliant clients (health checks fail).

* Network Policy, which determines the level of network access a client is given (or denied) based on the SHA checks.


The policies on the Network Policy server ultimately determine whether non-compliant computers are remediated (patched) or whether they get full or restricted network access, so whoever defines the policies determines how non-compliant computers are treated.
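As an added illustration that is not part of the original post and not Microsoft's code: a small Python model of the flow described above. An SHA produces a Statement of Health, two constructed SHVs (one for patch level, one for antivirus signature age) each return a SoHR, and a network policy combines the verdicts under each of the three enforcement modes (remediate, restrict, reporting). All class and function names, and the two thresholds, are this example's own assumptions, not NAP defaults.

```python
from dataclasses import dataclass
from enum import Enum

# Thresholds for the two constructed health checks (assumed values, not NAP defaults).
REQUIRED_PATCH_LEVEL = 5
MAX_AV_SIGNATURE_AGE_DAYS = 7


class Access(Enum):
    FULL = "full"                # unrestricted network access
    RESTRICTED = "restricted"    # restricted (remediation) network only


class Mode(Enum):
    REMEDIATE = "remediate"      # patch first, then allow access
    RESTRICT = "restrict"        # restrict access until compliant
    REPORTING = "reporting"      # allow access, but record the non-compliance


@dataclass
class StatementOfHealth:
    """SoH: the report the System Health Agent (SHA) on the client sends (constructed fields)."""
    client: str
    patch_level: int             # installed security-update level, as a number
    av_signature_age_days: int   # age of the antivirus signatures in days


@dataclass
class SoHResponse:
    """SoHR: one System Health Validator's verdict on a SoH."""
    validator: str
    compliant: bool
    reason: str = ""


def patch_shv(soh: StatementOfHealth) -> SoHResponse:
    """SHV for the patch-level criterion (hypothetical validator)."""
    ok = soh.patch_level >= REQUIRED_PATCH_LEVEL
    reason = "" if ok else f"patch level {soh.patch_level} below required {REQUIRED_PATCH_LEVEL}"
    return SoHResponse("patch", ok, reason)


def antivirus_shv(soh: StatementOfHealth) -> SoHResponse:
    """SHV for the antivirus-signature criterion (hypothetical validator)."""
    ok = soh.av_signature_age_days <= MAX_AV_SIGNATURE_AGE_DAYS
    reason = "" if ok else f"AV signatures {soh.av_signature_age_days} days old, limit {MAX_AV_SIGNATURE_AGE_DAYS}"
    return SoHResponse("antivirus", ok, reason)


SHVS = [patch_shv, antivirus_shv]   # every registered SHV is asked


def validate_all(soh: StatementOfHealth):
    """Health policy: collect a SoHR from every SHV; the client is compliant only if all pass."""
    responses = [shv(soh) for shv in SHVS]
    return all(r.compliant for r in responses), responses


def remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """Stand-in for a remediation server that brings the client up to the required level."""
    return StatementOfHealth(soh.client, max(soh.patch_level, REQUIRED_PATCH_LEVEL), 0)


def decide_access(soh: StatementOfHealth, mode: Mode, report: list) -> Access:
    """Network policy: turn the combined verdict plus the enforcement mode into an access level.
    Every non-compliant evaluation is appended to `report`, whatever the mode."""
    compliant, responses = validate_all(soh)
    if compliant:
        return Access.FULL
    report.append((soh.client, [r.reason for r in responses if not r.compliant]))
    if mode is Mode.REPORTING:
        return Access.FULL
    if mode is Mode.REMEDIATE:
        fixed_ok, _ = validate_all(remediate(soh))
        return Access.FULL if fixed_ok else Access.RESTRICTED
    return Access.RESTRICTED


if __name__ == "__main__":
    report = []
    stale = StatementOfHealth("laptop-01", patch_level=3, av_signature_age_days=30)
    for mode in Mode:
        print(f"{mode.value:>9}: {decide_access(stale, mode, report).value}")
    for client, reasons in report:
        print(client, reasons)
```

The point worth noticing is that the mode changes only what happens to a non-compliant client: the SHV verdicts themselves are identical in all three, and the report entry is written regardless, which is what makes reporting mode a safe first step before switching to restriction.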


When the Network Policy Server is being used with Network Access Protection it is referred to as a NAP health policy server.


How can I set up NAP in a test lab environment?


Here are 4 whitepapers from Microsoft detailing how to set up NAP:

• Step-by-Step Guide: Demonstrate IPsec NAP Enforcement in a Test Lab

• Step-by-Step Guide: Demonstrate 802.1X NAP Enforcement in a Test Lab

• Step-by-Step Guide: Demonstrate VPN NAP Enforcement in a Test Lab

• Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab


For a NAP Intro written by Microsoft, take a look at the following document.
