What Is Network Access Protection?
Network Access Protection can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:
• Prevent authorized users with compliant computers from performing malicious activity
• Restrict network access for computers that are running Windows versions previous to Windows XP SP2
NAP Scenarios
NAP benefits the network infrastructure by verifying the health state of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers
NAP Enforcement Processes
To validate network access based on system health, a network infrastructure must provide the following functionality:
• Health policy validation: Determines whether computers are compliant with health policy requirements
• Network access limitation: Limits access for noncompliant computers
• Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant
• Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements
How IPsec Enforcement Works
Key Points of IPsec NAP Enforcement:
• Comprised of a health certificate server and an IPsec NAP EC
• Health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant
• Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
• IPsec Enforcement confines the communication on a network to those nodes that are considered compliant
• You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis
How 802.1X Enforcement Works
Key Points of 802.1X Wired or Wireless NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
• Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP place on the connection
• Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
• 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant
How VPN Enforcement Works
Key Points of VPN NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through a remote access VPN connection
• Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server
• VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
• VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC as part of the remote access client in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
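The enforcement decision loop that the sections above describe (validate health, limit access, list what to remediate, re-evaluate when health changes), as an added Python model; it is not part of the original material and not NAP's own implementation, and the policy fields, VLAN ID and filter strings are constructed for illustration.

```python
"""Model of the NAP health-validation and enforcement decision (added example).
The SoH fields, health policy, VLAN ID and packet filters are constructed;
they are not the real NAP wire format or product defaults."""

# Constructed health policy: each requirement names a Statement-of-Health
# field and the value (or bound) the client must report to be compliant.
HEALTH_POLICY = {
    "firewall_enabled": True,
    "antivirus_signature_age_days": ("<=", 3),
    "security_updates_current": True,
}

def validate_health(soh: dict) -> list:
    """Health policy validation: return the failed requirements (empty = compliant)."""
    failures = []
    for name, expected in HEALTH_POLICY.items():
        actual = soh.get(name)  # a missing field counts as a failure
        if isinstance(expected, tuple):
            op, limit = expected
            ok = actual is not None and (actual <= limit if op == "<=" else actual >= limit)
        else:
            ok = actual == expected
        if not ok:
            failures.append(name)
    return failures

def enforce(method: str, soh: dict) -> dict:
    """Map the validation result to the per-method enforcement action.
    Re-running this on every SoH update models the ongoing-compliance check."""
    failures = validate_health(soh)
    if not failures:
        if method == "ipsec":
            # Compliant client is issued a health certificate for IPsec peers
            return {"access": "full", "health_certificate_issued": True}
        return {"access": "full"}
    # Noncompliant: confine the client to the restricted (remediation) network
    if method == "802.1x":
        restriction = {"vlan_id": 99}  # constructed restricted-network VLAN ID
    elif method == "vpn":
        restriction = {"ip_filters": ["permit 10.0.99.0/24", "deny any"]}  # constructed
    else:  # ipsec: no health certificate, so compliant peers reject its traffic
        restriction = {"health_certificate_issued": False}
    return {"access": "restricted", "remediate": failures, **restriction}
```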