Windows Server : Network Access Policy and Server and Domain Isolation (part 1) - Network Access Protection Overview

4/8/2013 6:44:25 PM
The IT industry saw this problem coming long ago: computers of unknown health connecting to the network expose it to whatever those computers carry, and vendors have been investigating ways to enforce company security policy at the point of connection rather than on paper. Network Access Control (NAC) was created to combat this very issue. NAC provides a framework for vendors to produce services and features that interrogate a computer before it is admitted to the secure, internal network and verify that the computer complies with stated health requirements and security settings.

Microsoft's version of controlled network access is NAP, which enforces health requirement policies before network access is granted. NAP offers services, components, and an application programming interface (API) that provide a built-in solution for assuring the health of servers and networks running Windows Server 2008, with computers running Windows Vista and Windows XP Service Pack 3 as clients.

1. Network Access Protection Overview

Network Access Protection (NAP) provides a platform for validating the health of computer systems before they are allowed onto protected networks. This gives a level of assurance that a computer has at least been "inspected" before it accesses the private network, and that the inspection is repeated every time a new connection is made. The validation a computer undergoes can now be enforced logically rather than left to trust.

Prior to NAP, a typical connection from an external computer would involve a client connecting across a public network such as the Internet, using a VPN connection. The client connection would first pass through a firewall or be forwarded by a proxy on the communication ports required by the chosen security protocol. An authentication service would then examine the credentials of the remote access client. If the credentials were successfully authenticated, the client would be connected to whatever portion of the protected network the connection had been set up to reach.

This scenario has a major flaw. If the remote access client is exactly who it purports to be, presents all the necessary credentials, and performs only the tasks on the private network that the connection was set up to do, would there still be a problem? Maybe. Suppose the remote access client also performs unintended service requests, discovery, or probing, or, worse, installs software on the private network, all without the knowledge of the user of the computer making the remote access connection. Authentication proves who is connecting; it says nothing about the state of the machine doing the connecting. This has become one of the primary reasons for implementing a NAP solution.

Real World

Paul Mancuso

After spending a considerable amount of time, effort, and money, you have deployed across an entire network the following security services:

  • A top-of-the-line perimeter firewall device

  • An antivirus module inside the firewall device whose services you have configured to check for updates once every hour

  • An automated update service for workstations and servers to call upon periodically for updates to the operating system and installed applications

  • An enterprise anti-malware service that installed anti-malware agents on all client workstations and servers within the environment, with centralized management for setting and configuring changes and updating installed software and agents on deployed computers

Feeling that the enterprise has a reasonable level of security, you go home and think that tomorrow should now be a relatively peaceful day.

In the evening, a salesman visiting a branch office connects his laptop to the protected network. The salesman’s laptop is considered safe merely because it is corporate property. A worm that was released into the wild that day had infected the corporate offices of another corporation, where the salesman had plugged the laptop in while delivering a presentation. The worm can now perform functions inside the network from a device considered to be a secure system. Tomorrow comes, and virus reports are coming out of the woodwork.

Several factors could have caused the salesman's laptop to become infected. First, it is presumed that the salesman does not alter the basic security settings of either the security software or the operating system. Also, the laptop is part of the domain; internal group policies were set to ensure the timely scheduling of updates to both the operating system and the security software on all computers, including those the salesman uses. Relying on that schedule, however, means updates are missed whenever the salesman is traveling and not connected to the network.

These periodic lapses in acquiring updates provide opportunities for infections when the salesman connects the laptop to unknown environments. The salesman’s laptop can acquire all kinds of Trojan horse programs, viruses, and worms. The salesman travels back to the office, plugs the infected laptop into the protected network, and unknowingly unleashes the malicious programming on the laptop into the protected network. The salesman has bypassed all the security precautions the enterprise administrator has painstakingly set up in the network.

With a NAP solution, the chance of a traveling employee or guest unleashing an infection into your secured network is lessened. The standard communication flow for a computer making its initial connection to the network is altered: the connection passes through a perimeter network where the components of the NAP platform engage. The connecting external computer is now referred to as a NAP client, and it participates in an entire NAP ecosystem. The perimeter network still includes the same security services and devices as before, but the NAP client's request for access now takes a detour while the various components of the NAP platform determine the health status of the connecting client. Figure 1 shows the difference between a traditional remote access connection and one involving a NAP platform.

Figure 1. Remote access connection comparison with and without NAP

Figure 1 shows that not only are NAP components now involved in the communication flow, but also that the NAP client might be restricted to an external network referred to as the remediation network, where additional servers using health resources update the client and bring it into compliance.

A complete NAP solution involves three distinct features:

  • Health state validation

  • Health policy compliance

  • Limited access

Health state validation is the process of validating a computer’s health and determining its compliance. If the NAP platform is configured for a remediation network, a noncompliant computer is restricted to only the remediation network’s subnet until it meets compliance. If the NAP platform has been implemented initially with logging only to quantify compliance issues, the health compliance of a computer is logged, and it is allowed to proceed with the normal connection routine.

To monitor and possibly enforce health policy requirements, administrators create health policies. The health policy component is the heart of a NAP solution. Health policies mandate the level of software updates, operating system build, antivirus revision, and firewall features implemented among many other possible health compliance factors.

When computer systems do not meet the level of health compliance necessary to connect to the private network, an administrator can mandate one of two outcomes, either to allow the connection and log the noncompliant issues or to shunt the connection to a remediation network to configure and update any noncompliant aspect of the computer. This is the limited-access feature of NAP.

Note: Network Access Quarantine

Limited access has some similarities to Network Access Quarantine Control, but only in one principal feature: limiting access for noncompliant computers when they make dial-up and VPN connections. Limited access implemented on a NAP platform provides far more capability and a standardized structure, and that structure facilitates the addition of third-party enhancements and services. NAP also extends beyond VPN and dial-up communication to protect the network when computer systems connect on the LAN. For more information, see the Cable Guy article on Network Access Quarantine at http://technet.microsoft.com/en-us/library/bb877976.aspx.

Overview of NAP Infrastructure

The NAP infrastructure for all enforcement types follows the same general architecture, shown in Figure 2. Only the devices and regions of interest to a NAP solution are pictured.

Figure 2. Overview of the NAP architecture

  • The Internet lies outside the perimeter network and is separated from it by the perimeter firewall. VPN clients access the internal network from this region.

  • The perimeter network is segregated by a perimeter firewall and an internal firewall. VPN servers reside here and provide the initial point of enforcement for a NAP VPN enforcement point. For security purposes, no other NAP service is needed in this location.

  • The restricted network is logically separated from the intranet. It holds computers that, although they have passed authentication at the NAP enforcement points that require authentication, have not yet acquired the authorization needed to access the secure intranet. Servers deployed here can include quite a range of NAP support services:

    • The usual DNS, Windows Internet Name Service (WINS), Active Directory domain controllers, and DHCP servers, along with other supporting network infrastructure devices, can be deployed.

    • Servers supporting software updates, such as Windows Server Update Services (WSUS), can be deployed.

    • For wired switches employing 802.1X enforcement, any switch port can be associated logically with the restricted network.

    • For wireless access points employing 802.1X enforcement, the entire access point might be logically associated with the restricted network because, at any time, it can be servicing both compliant and noncompliant computers.

  • The intranet is considered the secured network for most NAP enforcement methods and contains the corporate environment. NAP IPsec enforcement adds a further logical boundary between two zones, which IPsec enforcement needs in order to operate:

    • The boundary network is where Health Registration Authority servers and, possibly, NAP CAs, NPS servers, and IPsec remediation servers reside.

    • The secure network is where the remaining NAP enforcement components reside. These components are the NAP health policy servers, the health requirement servers, the RADIUS proxy servers, and the NPS servers' endpoints.

Where NAP Works

NAP can be implemented in any scenario in which a computer or network device has left a network and requires a new connection when brought back to the network. Following are specific scenarios of this type of event.

  • Desktop computers that have been dormant for periods of time

  • Laptops for roaming users

  • Personal desktops and laptops of corporate users when connecting to the network to retrieve e-mail and other data

  • Laptops of guests

  • Laptops and desktops from users of partner firms connected by an extranet

This list comprises the general categories in which a NAP solution would provide a level of assurance about the health of a connected computer. Because these categories are so diverse, the same level of enforcement against noncompliant computers might not be possible in every situation. Unmanaged computers, such as partner computers, home computers, and the laptops of guests, would be sent to the restricted network; they might not be required to undergo remediation, but neither would they be allowed into the private network. Managed computers provided by the corporation could be remediated automatically whenever they are moved into the restricted network. Options to remediate would vary, depending on the situation.
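The following Python script is an added illustration of the three NAP features described earlier (health state validation, health policy compliance, and limited access) together with the managed/unmanaged distinction just discussed. It is example code written for this page, not Microsoft's NAP implementation or API: the policy thresholds, OS build numbers, client names, and the statements of health the clients report are all constructed for the example.

```python
# Added example: a model of NAP's health validation -> health policy ->
# limited-access decision. Not Microsoft's NAP code or API; the policy
# thresholds, client names and statements of health below are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Enforcement modes described in the text: log noncompliance only, or
# shunt noncompliant clients to the restricted (remediation) network.
LOG_ONLY = "log-only"
ENFORCE = "enforce"

# Access outcomes of the limited-access feature.
FULL_ACCESS = "full"
RESTRICTED = "restricted"


@dataclass
class HealthPolicy:
    """Health requirements the administrator mandates (assumed values)."""
    firewall_required: bool = True
    max_av_signature_age_days: int = 3
    min_os_build: int = 6002          # assumed: Windows Vista SP2 / Server 2008 SP2
    max_missing_critical_updates: int = 0


@dataclass
class StatementOfHealth:
    """What a NAP client reports about itself when it requests access."""
    client: str
    managed: bool                     # corporate, domain-joined asset or not
    firewall_on: bool
    av_signature_date: date
    os_build: int
    missing_critical_updates: int


# Remediation a managed client receives on the restricted network, keyed by
# the requirement it failed. Unmanaged clients get no automatic remediation.
REMEDIATION = {
    "firewall": "enable the host firewall",
    "antivirus": "pull current signatures from the remediation antivirus server",
    "os_build": "install the required service pack from WSUS on the restricted network",
    "updates": "install missing critical updates from WSUS on the restricted network",
}


def validate_health(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> List[Tuple[str, str]]:
    """Health state validation: one (requirement, detail) entry per failed check."""
    failures = []
    if policy.firewall_required and not soh.firewall_on:
        failures.append(("firewall", "host firewall is disabled"))
    age = (today - soh.av_signature_date).days
    if age > policy.max_av_signature_age_days:
        failures.append(("antivirus", f"signatures are {age} days old (max {policy.max_av_signature_age_days})"))
    if soh.os_build < policy.min_os_build:
        failures.append(("os_build", f"OS build {soh.os_build} is below required {policy.min_os_build}"))
    if soh.missing_critical_updates > policy.max_missing_critical_updates:
        failures.append(("updates", f"{soh.missing_critical_updates} critical update(s) missing"))
    return failures


def decide_access(soh: StatementOfHealth, failures, mode: str):
    """Limited access: map the validation result and enforcement mode to an outcome.

    Returns (access, remediation_actions). In log-only mode noncompliance is
    recorded and the connection proceeds normally. In enforce mode the client
    is held on the restricted network; a managed corporate computer is also
    given the remediation steps that bring it into compliance.
    """
    if not failures or mode == LOG_ONLY:
        return FULL_ACCESS, []
    actions = [REMEDIATION[req] for req, _ in failures] if soh.managed else []
    return RESTRICTED, actions


def evaluate(soh: StatementOfHealth, policy: HealthPolicy, mode: str, today: date) -> dict:
    """Run the whole flow for one client and return a report."""
    failures = validate_health(soh, policy, today)
    access, actions = decide_access(soh, failures, mode)
    return {"client": soh.client, "compliant": not failures, "failures": failures,
            "access": access, "remediation": actions}


# Constructed sample clients (not real hosts): the traveling salesman's laptop
# from the sidebar, a visiting guest's laptop, and an up-to-date desktop.
TODAY = date(2013, 4, 8)
SAMPLE_CLIENTS = [
    StatementOfHealth("SALES-LAPTOP", managed=True, firewall_on=True,
                      av_signature_date=date(2013, 3, 25), os_build=6002,
                      missing_critical_updates=4),
    StatementOfHealth("GUEST-LAPTOP", managed=False, firewall_on=False,
                      av_signature_date=date(2013, 4, 7), os_build=7601,
                      missing_critical_updates=0),
    StatementOfHealth("HQ-DESKTOP", managed=True, firewall_on=True,
                      av_signature_date=date(2013, 4, 8), os_build=7601,
                      missing_critical_updates=0),
]


def run_all(mode: str, policy: Optional[HealthPolicy] = None, today: date = TODAY) -> List[dict]:
    """Evaluate every sample client under one enforcement mode."""
    policy = policy or HealthPolicy()
    return [evaluate(soh, policy, mode, today) for soh in SAMPLE_CLIENTS]


if __name__ == "__main__":
    for mode in (LOG_ONLY, ENFORCE):
        print(f"== enforcement mode: {mode} ==")
        for r in run_all(mode):
            print(f"{r['client']:12} compliant={r['compliant']!s:5} access={r['access']}")
            for _, detail in r["failures"]:
                print(f"    failed:    {detail}")
            for action in r["remediation"]:
                print(f"    remediate: {action}")
```

Running it under both modes shows the two outcomes the text describes: in log-only mode the salesman's laptop is admitted with its stale signatures and missing updates merely recorded, while in enforce mode it is held on the restricted network with a remediation plan, and the guest's laptop is held there with no plan at all because it is not a managed asset.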
