Microsoft Network Access Protection (NAP) is a policy-based platform that lets you vet a system’s configuration according to a set of standards designed to protect healthy systems and networks by detecting and optionally limiting access to network resources those systems deemed vulnerable. NAP uses a client/server architecture (as do the other products in the main review) and includes an API that lets developers and vendors customize the capabilities of NAP with additional health validation, compliance, and enforcement mechanisms. NAP is incorporated into Windows Vista and the upcoming Longhorn Server. It will also be supported in Windows XP by a NAP Client for Windows XP.
Microsoft is quick to point out that NAP isn't designed to protect networks from malicious users, and NAC does nothing to prevent malware from running on a policy-compliant system. Rather, the idea is to promote network health by monitoring the configuration of managed systems to ensure, among other things, the presence of policy-compliant versions of security applications, firewall implementations, and anti-spyware, for example. As provided by Microsoft, NAP monitors the settings of the Microsoft Security Center, including Windows Firewall, Automatic Updates, and Windows Defender. Using the NAP API, others can extend NAP to support policy compliance for third-party products. NAP is designed to enable reporting or enforcement of policy compliance for dial-up, VPN, wireless, and wired network connections.
NAP supports IPsec enforcement, IEEE 802.1X enforcement, VPN enforcement, and DHCP enforcement. IPsec is NAP’s strongest form of enforcement, letting you configure Ipsec-secured communication between network endpoints, and control by IP address and TCP or UDP port who a compliant system may communicate with. Endpoints connecting through an 802.1x-authenticating device are enforced according to 802.1x protocols, receiving a limited-access profile when non-compliant and unlimited network access when compliant. With VPN enforcement, NAP assigns a set of IP packet filters to a non-compliant computer’s VPN connection at the VPN server. DHCP enforcement, implemented in the DHCP Client and DHCP Server services on supported platforms, causes non-compliant systems to receive a restricted-access IPv4 network configuration. Because anyone with administrative rights can assign fixed IP addressing to Windows systems, DHCP is the weakest enforcement mode. Administrators are free to implement any and all enforcement modes in their networks. NAP actively monitors policy compliance for all compliant systems and enforces limited access when a system becomes non-compliant.
Network Policy Server (NPS) in Longhorn Server acts as a health-policy server for all of these NAP enforcement methods. It also acts as a RADIUS server and proxy, replacing the Internet Authentication Service (IAS) present in Windows Sever 2003. On an NPS server, you configure health policies, specifying requirements for compliant systems. For non-compliant systems, you can also configure a set of remediation actions that a NAP client must perform to become compliant.
