6435A_09

Module 9: Designing Network Access Protection
Scenarios for Implementing NAP
Verifying the health of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Home computers used for remote access
Lesson: NAP Architecture
• Network Components and Services for NAP
• NAP Architecture Overview
• Network Layer Protection with NAP
• Host Layer Protection with NAP
• NAP and Certificate Services
Network Components and Concepts for NAP
Component: Description
• NAP client: Presents health status to an enforcement point
• Enforcement point: Controls access to the network
• NAP health policy server: NPS server that checks compliance with policies
• Remediation servers: Servers that can be accessed by non-compliant computers to become compliant
• Health registration authority (HRA): Issues health certificates for IPSec enforcement
NAP Architecture Overview
[Diagram] Client side: System Health Agent (SHA), from MS and 3rd parties; NAP Agent; Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN). Server side: Health Policy Server (NPS), with System Health Validator and NAP Server; System Health Servers; Remediation Servers; Network Access Devices and Servers. Flows shown: Network Access Requests, Health Statements, Health Certificate.
Network Layer Protection with NAP
[Diagram] Client connects through an 802.1x switch; the NPS Server evaluates the client. A restricted network is created, giving the client access to the Remediation Server; once compliant, unrestricted access is granted.
NAP and Certificate Services
Certificate Services is:
• Used for IPSec enforcement to generate health certificates
• Contacted by an HRA
• Health certificates should have a short expiry of 24-48 hours
Lesson 3: NAP Enforcement
• NAP Enforcement Methods
• IPsec Enforcement
• VPN Enforcement
• DHCP Enforcement
NAP Enforcement Methods
Enforcement methods available for NAP are:
• Internet Protocol security (IPsec) communications: Enforces health policies when a client computer attempts to communicate with another computer using IPsec
• Extensible Authentication Protocol (EAP) for IEEE 802.1X connections: Enforces health policies when a client computer attempts to access a network using EAP through an 802.1X wireless connection or an authenticating switch connection
• Remote access for VPN connections: Enforces health policies when a client computer attempts to gain access to the network through a VPN connection
• Dynamic Host Configuration Protocol (DHCP): Enforces health policies when a client computer attempts to obtain an IP address from a DHCP server
• TS Gateway: Enforces health policies when a client computer attempts to communicate through a TS Gateway
IPsec Enforcement
[Diagram] Three network zones: Secure Network, Boundary Network, Restricted Network.
VPN Enforcement
[Diagram] Client exchanges PEAP Messages with the VPN Server; the VPN Server exchanges RADIUS Messages with the NPS Server; Remediation Servers are reachable by the client.
DHCP Enforcement
[Diagram] Client, DHCP Server, NPS Server, Remediation Servers. Sequence shown: client not within the Health Policy requirements; client obtains updates from the Remediation Servers; client access granted and given a new IP address.
System Health Agents and Validators
System Health Agent (SHA):
• Is present on clients
• Publishes health status
• Includes Windows SHA
• Can be obtained from third-parties
System Health Validator (SHV):
• Is the server-side complement to an SHA
• Compares client health to required status
Lesson: Designing NAP Enforcement and Remediation
• Considerations for Designing DHCP Enforcement
• Considerations for Designing VPN Enforcement
• Considerations for Designing 802.1X Enforcement
• Considerations for Designing IPsec Enforcement
• Discussion: Selecting an Enforcement Method
• Discussion: Selecting Remediation Servers
Considerations for Designing DHCP Enforcement
Non-compliant computers are:
• Given 0.0.0.0 as a default gateway
• Given 255.255.255.255 as a subnet mask
• Given static host routes to remediation servers
Some considerations for DHCP enforcement are:
• Must use Windows Server 2008 DHCP server
• IPv6 is not supported for NAP and Windows Server 2008 DHCP server
• Health status is sent as part of the lease request
• Can be circumvented by using a static IP address
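As an added example (not part of the course material), a Python check that a help desk or monitoring script could use to tell a NAP restricted lease from a normal one, and to flag the static-address bypass noted above. The ipconfig /all and route print excerpts, and the addresses in them, are constructed; the regexes assume the English output format.

```python
import re

# Constructed "ipconfig /all" excerpts (not captured from a real host).
RESTRICTED_LEASE = """\
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
"""
COMPLIANT_LEASE = """\
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
"""
STATIC_ADDRESS = """\
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.0.0.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
"""
# Constructed "route print" IPv4 excerpt for the restricted client: host routes
# (mask 255.255.255.255) to two hypothetical remediation servers, 10.0.0.20/21.
RESTRICTED_ROUTES = """\
       10.0.0.57  255.255.255.255         On-link         10.0.0.57    281
       10.0.0.20  255.255.255.255         On-link         10.0.0.57     11
       10.0.0.21  255.255.255.255         On-link         10.0.0.57     11
 255.255.255.255  255.255.255.255         On-link         10.0.0.57    281
"""
_FIELD = re.compile(r"^\s*(DHCP Enabled|IPv4 Address|Subnet Mask|Default Gateway)"
                    r"[ .]*:[ \t]*(\S*)", re.M)
_HOST_ROUTE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+255\.255\.255\.255\s", re.M)

def parse_adapter(text):
    """NAP-relevant fields of one adapter section; '(Preferred)' suffix stripped."""
    return {m.group(1): m.group(2).split("(")[0] for m in _FIELD.finditer(text)}

def classify_nap_state(ipconfig_text):
    """'restricted': NAP restricted lease (host-only mask, 0.0.0.0 gateway).
    'static': DHCP disabled, so DHCP enforcement never applied (the bypass the
    slides note). 'normal': an ordinary lease."""
    f = parse_adapter(ipconfig_text)
    if f.get("DHCP Enabled") == "No":
        return "static"
    if f.get("Subnet Mask") == "255.255.255.255" and f.get("Default Gateway") in ("0.0.0.0", ""):
        return "restricted"
    return "normal"

def remediation_hosts(route_text, own_ip):
    """Host routes handed to a restricted client, minus its own address and the
    limited-broadcast route: the remediation servers it can still reach."""
    return sorted(d for d in _HOST_ROUTE.findall(route_text) if d not in (own_ip, "255.255.255.255"))
```

A client reported as "static" on a DHCP-enforced segment is the case the slide warns about, and is only caught by a stronger method such as 802.1X or IPsec enforcement.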
Considerations for Designing VPN Enforcement
Non-compliant computers are:
• Limited by IP packet filters
Considerations for VPN enforcement are:
• Must use NAP-integrated RRAS
• Health status is sent as part of the authentication process
• Best suited for remote connections where a VPN is already used
Considerations for Designing 802.1X Enforcement
Non-compliant computers are:
• Limited by packet filters enforced by the switch
• Limited by a VLAN enforced by the switch
Considerations for 802.1X Enforcement:
• More secure than DHCP enforcement
• Switches must support 802.1X
• Health status is sent as part of the authentication process
Considerations for Designing IPsec Enforcement
Non-compliant computers are:
• Limited by IPsec policies
Considerations for IPsec Enforcement:
• Offers the highest level of security
• Can provide encryption of data
• Requires no additional hardware
• Can be used for both IPv4 and IPv6
• Requires a CA and HRA