A NAP Is Good for Your Health
Windows Server 2008's built-in Network Access Protection makes sure only healthy computers get into your network.
- By Greg Shields
I'll admit it. I occasionally read Men's Health
magazine. Although their Abs Diet Pro Plan -- or whatever they call it from month to month -- seems a little silly at times, there are a few tips they recommend that I take to heart. Like getting enough sleep, for one. My quads or abs might not make it onto a magazine cover, but I'll gladly be their poster boy for the occasional nap.
All this talk of sleep and taking a nap got me thinking about Microsoft's Network Access Protection, or NAP, built into Windows Server 2008. With this new technology, computers connected to your network must prove their health status before they're allowed full access. This goes a long way toward solving the problem of a random infected laptop skirting your external firewall and walking right through the front door of your business.
Think about how this works. Before a computer can talk with others on a network, that machine needs an IP address. Typically, getting that IP address involves little more than the computer asking for one from a server. For internal machines, that server might be a DHCP server. For those coming in via VPN, that server might be a remote access server.
Using this old method, your servers effectively granted every request for an address-a major security loophole. This was a good thing for the networks of yesteryear. Back then, all we wanted was to ease the process of managing IP addresses. Tools like DHCP were created to do just that.
Today's networks are very different. Users don't necessarily spend all their time at the same desktop computer in the same cubicle any more. Laptops come on and off the network. Those same laptops connect to networks in other companies, public access points like coffee shops and in other users' homes.
[Click on image for larger view.]
| Figure 1. Windows Server 2008's default System Health Validator is like a doctor. It runs the system health check.
When those laptops are away from your controlled environment for an extended period of time, they might not get the latest anti-virus signatures or patches. Your users might also have disabled the firewall.
NAP considers this situation "unhealthy" in much the same way Men's Health considers missing your daily nap or multi-vitamin to be unhealthy. In a network with NAP enabled, systems that don't pass the health check won't be allowed to communicate with other computers on the network.
Server 2008 implements the health check through a tool called a System Health Validator (SHV). The default SHV that ships with Server 2008 (see Figure 1) can query Windows Vista or XP machines for the status of the firewall and virus and spyware protection, as well as automatic updates. If a server doesn't pass any of these tests, NAP will remand that server to a special network where it will work with the client to nurse it back to health.
You'll immediately notice that the level of granularity with the default SHV isn't all that great. While you can configure it to query for presence and functionality of anti-virus or anti-spyware applications, the default SHV digs no deeper.
Microsoft is working with third-party vendors to supply SHVs for those vendors' products, presumably with greater levels of granularity. The efficacy of NAP will be determined by which vendors provide SHVs and the extent of their capability to manage individual configurations.
Enforcing a NAP
Once you've set a policy that defines what "healthy" means in your network, the next step is to determine the mechanism in which it's enforced. With Microsoft's implementation of NAP in Windows Server 2008, you can control this through one of five ways:
DHCP enforcement: Augmenting DHCP with NAP is the easiest policy to configure. This adds the Network Policy and Access Services Role to the DHCP server and configures it to watch for address assignment. Before granting a request for a new address, the DHCP server will require the client to submit health information. If they don't pass the health check, DHCP won't give them a production address.
VPN enforcement: In the same way that DHCP assigns addresses, computers that access the VPN from outside the network receive addresses from the Routing and Remote Access Services (RRAS) role service. Adding NAP forces external machines to prove their health before RRAS connects them to the internal network.
TS Gateway enforcement: With Terminal Services in Server 2008, you can use TS Gateway. This IPSec-based tool enables secure Terminal Services sessions over the Internet.
802.1x enforcement: This method of authentication occurs at the individual network device and requires protocol support to work. Although it's a more complicated configuration, DHCP enforcement will miss clients with a manually entered IP addresses. 802.1x enforcement can ensure all clients are verified.
IPSec enforcement: Server and Domain Isolation (SDI) can enable a secondary computer-to-computer authentication before allowing access to resources. Combining SDI's IPSec enforcement with NAP is the most secure implementation.
Once you've completed this configuration at the server level, the last step is to enable NAP on individual clients. Windows Vista computers natively include the NAP client. For Windows XP, client software is currently being developed and is expected to be included as a part of Windows XP Service Pack 3.
Just like an occasional snooze is good for your personal health, NAP is good for the health of your network. Now it's time to go count some sheep.
[This article is based on pre-release information.-Ed.]
Greg Shields is an Author Evangelist with www.PluralSight.com, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @ConcentratdGreg.