Introduction to NAP (Network Access Protection)

NAP, or Network Access Protection, is a method of securing your internal network by defining connectivity criteria that network clients must meet. With NAP configured you can control how a computer connects to your network and which resources are available to it once the connection is established. This technology takes advantage of VLANs (Virtual Local Area Networks), IP subnets, filters and static routes. The combination of these elements gives you a stronger way to protect your network from external or internal attacks. One common use of NAP is to limit the spread of malware, worms or viruses within the network.
To apply Network Access Protection rules and restrictions you must configure NAP enforcement. There are multiple enforcement types available with NAP as follows:
802.1X using Access Points – this enforcement type is used by network devices such as switches or wireless APs to provide 802.1X authentication. Computers that have been authenticated using this method are able to access the network. This way you can control how computers are authenticated within the network and what happens when this process fails. You can use two methods of controlling network access using 802.1X authentication mode:
  • ACL (Access Control Lists) – compliant computers will pass the ACL filters, while non-compliant computers will not be allowed to connect to the network. I’ve talked previously about VLANs in this article.
  • VLANs (Virtual Local Area Networks) – these are groups of switch ports interconnected to provide “virtual” LANs within the same switch. VLANs cannot communicate with each other unless you configure inter-VLAN routing, which basically means adding a router to your network and configuring it as the central point of communication between the different VLANs. Using this method you can send compliant computers to one VLAN, where they communicate with healthy devices, while sending non-compliant computers to remediation VLANs. This separation is made using the unique VLAN ID configured on the switch ports. Read more about VLANs, trunks and inter-VLAN routing in the Networking section of IT training day.
These two technologies are often used in networking, so you can apply the same principles when configuring 802.1X NAP authentication. If your Access Point supports authentication using both ACLs and VLANs, it is recommended that you use ACLs because they provide a wider range of options and filters.
DHCP Server – while assigning network parameters to hosts, your DHCP server can apply NAP rules to allow or block computers from accessing certain portions of the network. Non-compliant computers will not receive a default gateway and so will not be able to connect to healthy computers. You can configure a remediation server that non-compliant hosts will use to download their latest updates and patches. Health inspections are made periodically, at each DHCP lease renewal, so a computer can move from a non-compliant state to a compliant one and vice versa. You will need to install and configure the DHCP Server role before configuring this NAP enforcement type.
VPN Server – using this method you control the authentication of remote computers. Simply put, compliant computers receive access to the network, while computers that do not pass the health validation are sent to a remediation network. You can also block access entirely for remote machines that do not pass the NAP filters. On your Windows Server you will need to install Routing and Remote Access Services and configure it as a VPN server. Note that only this VPN server type supports NAP authentication.
IPsec Connection Security – before a host can connect to a specified resource, it must obtain a health certificate. This means that the computer must pass the health check imposed by the IPsec connection security rule. The filter can be configured based on IP address or on TCP/UDP ports. This way you can limit access for hosts that do not pass the health validation, or allow only healthy computers to communicate with each other. A Certification Authority (CA) is required to issue the health certificates that enforce the IPsec connection security rule. Note that all computers must support IPsec to be able to use this feature.
What exactly is NAP health validation, and what happens during this process? We’ve talked about the health validation that a host must pass before it receives network access. The health validation is made up of two elements:
  • SHA (System Health Agent) – responsible for generating the Statement of Health (SoH) report for a particular host. A SoH contains the state of all the security elements configured and enabled on that host (firewall, anti-spyware, updates, etc.).
  • SHV (System Health Validator) – validates that the SoH complies with the network’s requirements. Each SHV generates a SoH Response (SoHR), which in turn determines what access the host will receive within the network.
When a client tries to connect to a network that uses NAP, the SHAs on the host create their SoHs. Note that several SHAs can be installed and configured on a single NAP client. All the SoHs combined form a System Statement of Health (SSoH), which is sent to the NAP health policy server through the NAP enforcement point configured on the NAP server. The SHVs installed on the NAP health policy server check whether the client meets the network’s requirements. Each SHV generates a Statement of Health Response (SoHR), which is sent back to the NAP client. Each SoHR is processed by the corresponding SHA on the NAP client, which tries to make the necessary changes if the client does not meet the server’s requirements. If all these steps complete successfully, the host receives network connectivity.
This was a short introduction to Network Access Protection. In the following articles we will explore NAP’s features further and install and configure all the elements that are part of this security measure. Don’t forget to share your thoughts about this topic and stay tuned for the following articles.
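To make the flow above concrete, here is an added simulation (not code from this article or from Microsoft's NAP implementation) of the SHA → SoH → SHV → SoHR cycle, followed by the enforcement decision that the 802.1X and DHCP enforcement types described earlier would act on. All health requirements, VLAN IDs, addresses and agent names are constructed assumptions; the point is the shape of the logic: every required agent must report and pass, a missing or unknown agent fails closed, a non-compliant client gets the remediation VLAN or a DHCP lease with no default gateway and only a host route to the remediation server, and a client that remediates is re-evaluated and promoted.

```python
"""Simplified model of NAP health validation and enforcement.
Added illustration only; every policy value, VLAN ID and address below is a
constructed assumption, not a NAP default."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class SoH:
    """Statement of Health produced by one System Health Agent (SHA)."""
    agent: str
    state: dict


@dataclass(frozen=True)
class SoHR:
    """Statement of Health Response produced by one System Health Validator (SHV)."""
    agent: str
    compliant: bool
    reason: str


# Constructed network requirements: one SHV check per agent. Each check returns
# (passed, requirement text used in the SoHR when it fails).
POLICY: dict[str, Callable[[dict], tuple[bool, str]]] = {
    "firewall": lambda s: (s.get("enabled") is True,
                           "host firewall must be enabled"),
    "antispyware": lambda s: (s.get("enabled") is True
                              and s.get("signature_age_days", 999) <= 7,
                              "anti-spyware must be on with signatures at most 7 days old"),
    "updates": lambda s: (s.get("missing_critical", 1) == 0,
                          "no missing critical updates allowed"),
}

HEALTHY_VLAN = 10                  # constructed VLAN IDs
REMEDIATION_VLAN = 99
GATEWAY = "192.0.2.1"              # constructed TEST-NET-1 addresses
REMEDIATION_SERVER = "192.0.2.50"


def validate_ssoh(ssoh: list[SoH]) -> list[SoHR]:
    """Health policy server: run every SHV over the System SoH (all SoHs combined).
    Unknown agents and required agents that did not report are treated as
    non-compliant, so the policy fails closed."""
    responses: list[SoHR] = []
    reported = {soh.agent for soh in ssoh}
    for soh in ssoh:
        check = POLICY.get(soh.agent)
        if check is None:
            responses.append(SoHR(soh.agent, False, "no validator configured for this agent"))
            continue
        ok, requirement = check(soh.state)
        responses.append(SoHR(soh.agent, ok, "ok" if ok else requirement))
    for agent in POLICY:
        if agent not in reported:
            responses.append(SoHR(agent, False, "required agent did not report"))
    return responses


def is_compliant(responses: list[SoHR]) -> bool:
    return all(r.compliant for r in responses)


def enforce(responses: list[SoHR], mode: str) -> dict:
    """Enforcement point: map the verdict onto what the client is handed."""
    healthy = is_compliant(responses)
    if mode == "802.1x":
        return {"vlan": HEALTHY_VLAN if healthy else REMEDIATION_VLAN}
    if mode == "dhcp":
        if healthy:
            return {"gateway": GATEWAY, "routes": []}
        # No default gateway; only a host route to the remediation server.
        return {"gateway": None, "routes": [f"{REMEDIATION_SERVER}/32"]}
    raise ValueError(f"unknown enforcement mode: {mode}")


def remediate(ssoh: list[SoH], responses: list[SoHR]) -> list[SoH]:
    """Client side: each SHA acts on its own SoHR. In this model only the firewall
    SHA can auto-remediate; other failures need the remediation server."""
    failed = {r.agent for r in responses if not r.compliant}
    fixed: list[SoH] = []
    for soh in ssoh:
        if soh.agent == "firewall" and soh.agent in failed:
            fixed.append(SoH("firewall", {**soh.state, "enabled": True}))
        else:
            fixed.append(soh)
    return fixed


def demo() -> tuple[bool, bool]:
    """Constructed client whose firewall is off; returns (before, after) verdicts."""
    client = [
        SoH("firewall", {"enabled": False}),
        SoH("antispyware", {"enabled": True, "signature_age_days": 2}),
        SoH("updates", {"missing_critical": 0}),
    ]
    first = validate_ssoh(client)
    print("first pass (DHCP):", enforce(first, "dhcp"))
    client = remediate(client, first)
    second = validate_ssoh(client)
    print("after remediation (802.1X):", enforce(second, "802.1x"))
    return is_compliant(first), is_compliant(second)


if __name__ == "__main__":
    demo()
```

The fail-closed handling in `validate_ssoh` is the detail worth keeping from this model: a client that simply omits an SHA, or reports under an agent name the server has no validator for, must land in remediation rather than pass by default, otherwise the health check can be bypassed by reporting less.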
