In Preview of NAP in Windows Server 2008, I took a look at Network Access Protection (NAP) as a technology and as a technique that allows computers to be evaluated on the basis of their
In that same tip, I mentioned that, for all of its benefits, NAP has some negatives to it, namely that its weak enforcement methods (like DHCP-based protection) can get in the way of the effectiveness of the NAP concept itself and that difficulties in detecting when new hosts come online can result in a lot of expense and headaches to administer. I left you with the tantalizing hook that IPsec solves a lot of these problems -- but the question is how?
IPsec and Network Access Protection
Consider DHCP enforcement, where access to a network protected by NAP is fundamentally regulated by a client (which wants an IP address) and a special type of server (which leases addresses to valid clients). The server, which is usually the target of the connection request, determines whether to allow a potential client to access the network.
IPsec, in conjunction with NAP, alters the flow of this relationship, transforming the client-server attempt into more of an end-to-end attempt. IPsec applies to any and all individual hosts in a network, not just to the host protecting access and entry into a network. That way, you're guarding all computers, not just trying to harden one that will be exposed to potentially unhealthy clients. In addition, the Health Registration Authority that is part of NAP makes the ultimate call about whether a host is healthy or not, not the server that is the target of the client's requests.
The beautiful part about IPsec with NAP is that hosts can simply drop incoming attempts from unhealthy hosts, even where VPN enforcement is inadequate because the host is local, or where you don't have an infrastructure that can immediately detect when a new machine comes online. That holds whether or not the troubled machine trying to come online gets around DHCP enforcement by assigning itself a valid static IP address.
If your machines, or at least the computers you most want to protect, only speak IPsec and only talk to healthy computers (by way of the system health certificate that the Health Registration Authority gives to vetted clients), then traffic from bad machines is never heard. Never.
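To make the "only speak IPsec, only to healthy computers" posture concrete, here is an added example (not from the original tip) of the Windows Server 2008 connection security rules that enforce it through netsh advfirewall, with the weak "request" setting shown beside the enforced one; the CA subject name and the HRA address are placeholders, not values from the article.

```bat
@echo off
rem Added example, not part of the original tip: Windows Server 2008 connection
rem security rules for NAP IPsec enforcement, entered through netsh advfirewall.
rem Placeholders (assumed, not from the article): CA subject and HRA address.
set HEALTH_CA=CN=CONTOSO-NAP-CA
set HRA_ADDR=192.0.2.10

rem Start from a clean slate so only the rules below are in effect.
netsh advfirewall consec delete rule name=all

rem WEAK setting, left disabled for contrast: "request" on both sides negotiates
rem IPsec when the peer can and silently falls back to cleartext when it cannot,
rem so an unhealthy host (or one that sidestepped DHCP enforcement with a
rem static address) is still heard.
netsh advfirewall consec add rule name="NAP-Weak-Request" ^
    endpoint1=any endpoint2=any action=requestinrequestout ^
    auth1=computercert auth1ca="%HEALTH_CA%" auth1healthcert=yes enable=no

rem Bootstrap exemption: a client that holds no health certificate yet must
rem still reach the HRA to be evaluated and receive one. The same pattern
rem applies to any remediation or infrastructure server such a client needs.
netsh advfirewall consec add rule name="NAP-Exempt-HRA" ^
    endpoint1=any endpoint2=%HRA_ADDR% action=noauthentication

rem ENFORCED setting: require IPsec in both directions, authenticated with a
rem certificate from the NAP CA that carries the System Health Authentication
rem usage (auth1healthcert=yes). Traffic from a peer that cannot present one
rem is dropped before any application sees it.
netsh advfirewall consec add rule name="NAP-Require-HealthCert" ^
    endpoint1=any endpoint2=any action=requireinrequireout ^
    auth1=computercert auth1ca="%HEALTH_CA%" auth1healthcert=yes

rem Confirm the rules that are now in effect.
netsh advfirewall consec show rule name=all
```

Run it from an elevated command prompt on each host you want isolated; the exemption list will normally need to grow to cover DNS, domain controllers and remediation servers that a not-yet-healthy client has to reach.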
Benefits in a nutshell
Here's an at-a-glance reference of how NAP, with IPsec at its side, is a fantastic health and security solution for your network:
- It's resistant to tampering
NAP, when used in conjunction with IPsec, easily addresses nearly all of the disadvantages or limitations of NAP itself, while it also introduces an inexpensive way to secure communications across your network. It is, in my opinion, the coolest new security feature in Windows Server 2008.
About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. He can be reached at firstname.lastname@example.org.
This was first published in February 2008