Thursday, December 04, 2008

IPsec NAP: Network Address Protection in Server 2008

Let’s do some napping. Although (unfortunately) not the kind of napping you do in your seat in front of the TV.

I guess this is one of the coolest new features that comes with Server 2008. Before, no matter how secure you made your network from the outside, if a computer brought in by a consultant, for example, had a virus and was connected to the network, the whole thing could get infected.
Now with Network Address Protection (NAP) it is possible to eliminate, or at least seriously reduce, this threat.

I think that by now we’ve all seen lots of examples of DHCP NAP enforcement. Instead I’d like to take a look at the most interesting kind of Network Address Protection: IPsec NAP.

A short summary of the theory of IPsec NAP:
1. By implementing IPsec NAP you divide your physical network into 3 logical networks: the secure, boundary and restricted networks.
2. A computer can be a member of only one network at any time, depending on the health certificate it has.
3. Non-compliant computers remain isolated until they are remediated.

Types of logical networks:
1. Secure: computers that have health certificates and also require them on incoming communication attempts
2. Boundary: computers that have health certificates but DO NOT require them on incoming communication attempts
3. Restricted: computers that do not have a health certificate


The involved NAP processes:
1. Policy validation: System Health Validators (SHVs) analyze the health status of a computer
2. NAP enforcement and network restriction: limit the network access of noncompliant computers
3. Remediation: noncompliant computers on the restricted network can access a remediation server to meet the current health requirements
4. Ongoing monitoring to ensure compliance: enforce health compliance on computers that already have a connection to the secure network
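To make the three zones and the four processes concrete, here is a small Python model I added to this post; it is an illustration, not Microsoft code, and the health checks in HEALTH_POLICY, the host names and the health statements are constructed for the example (the real WSHV checks differ). It walks a constructed consultant laptop through validation, restriction, remediation and the later re-validation that drops it back to the restricted network, and shows which servers it can reach in each state.

```python
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    SECURE = "secure"          # has a health certificate, requires one from peers
    BOUNDARY = "boundary"      # has a health certificate, accepts peers without one
    RESTRICTED = "restricted"  # no health certificate


@dataclass
class Host:
    name: str
    has_health_cert: bool = False
    requires_health_cert_inbound: bool = False

    @property
    def zone(self) -> Zone:
        # A computer is in exactly one logical network, decided by its certificate
        # and by whether its inbound IPsec rule demands one from the peer.
        if not self.has_health_cert:
            return Zone.RESTRICTED
        return Zone.SECURE if self.requires_health_cert_inbound else Zone.BOUNDARY


def can_connect(initiator: Host, responder: Host) -> bool:
    """The responder's inbound rule decides: if it requires a health certificate,
    the initiator must hold one; otherwise the connection is accepted."""
    return initiator.has_health_cert or not responder.requires_health_cert_inbound


# Constructed health policy for the toy SHV (assumption; not the WSHV's real list).
HEALTH_POLICY = {"firewall_enabled": True, "antivirus_enabled": True, "updates_current": True}


def validate_health(statement: dict) -> list:
    """Policy validation: return the failed checks (an empty list means compliant)."""
    return [k for k, want in HEALTH_POLICY.items() if statement.get(k) != want]


def request_health_certificate(client: Host, statement: dict) -> list:
    """Toy HRA: issue the health certificate only when the SHV reports compliance.
    Called again later, this is the ongoing monitoring step; a failing statement
    revokes the certificate and the client falls back to the restricted network."""
    failures = validate_health(statement)
    client.has_health_cert = not failures
    return failures


def reachability(initiator: Host, hosts: list) -> dict:
    """Which of the given hosts accept a connection from the initiator."""
    return {h.name: can_connect(initiator, h) for h in hosts}


def demo() -> list:
    """Walk a constructed laptop through the NAP processes; returns one record per step."""
    file_server = Host("fileserver", has_health_cert=True, requires_health_cert_inbound=True)
    remediation = Host("remediation", has_health_cert=True, requires_health_cert_inbound=False)
    laptop = Host("consultant-laptop", requires_health_cert_inbound=True)  # secure-zone policy applies once it gets a cert
    servers = [file_server, remediation]
    steps = []

    # 1+2. Validation fails (firewall off), so enforcement keeps the laptop restricted.
    failures = request_health_certificate(laptop, {"firewall_enabled": False, "antivirus_enabled": True, "updates_current": True})
    steps.append({"zone": laptop.zone.value, "failures": failures, "reach": reachability(laptop, servers)})

    # 3. Remediation: the laptop could reach the boundary remediation server and is now compliant.
    failures = request_health_certificate(laptop, {"firewall_enabled": True, "antivirus_enabled": True, "updates_current": True})
    steps.append({"zone": laptop.zone.value, "failures": failures, "reach": reachability(laptop, servers)})

    # 4. Ongoing monitoring: antivirus later disabled, certificate withheld at renewal.
    failures = request_health_certificate(laptop, {"firewall_enabled": True, "antivirus_enabled": False, "updates_current": True})
    steps.append({"zone": laptop.zone.value, "failures": failures, "reach": reachability(laptop, servers)})
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Note that the restricted laptop can still reach the remediation server because the boundary zone does not require a health certificate on inbound connections, while the secure file server refuses it; that asymmetry is the whole point of the boundary network.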

Unfortunately, IPsec NAP can only be implemented on NAP-capable computers: Windows Server 2008, Vista and XP SP3 clients. This is because the Windows Security Health Validator (WSHV) and Windows Security Health Agent (WSHA) are used to enforce IPsec NAP.
Of course, you can choose to allow non-NAP-capable computers access to the secure part of the network.

Also, and this is very important for test setups:

NAP WILL ONLY FUNCTION IF YOUR SERVERS AND CLIENTS ARE ACTIVATED!!

In my next post, I’ll install an IPsec NAP policy in my test environment and include a step-by-step guide here.

Network Address Protection (NAP) posts:
Configuring IPsec NAP (Network Address Protection) - Part 1: Certificates

Configuring IPsec NAP (Network Address Protection) - Part 2: Installation of the NPS (Network Policy Server)

Configuring IPsec NAP (Network Address Protection) - Part 3: Configuring the NPS as NAP HRA (Health Registration Authority)

Configuring IPsec NAP (Network Address Protection) - Part 4: Testing with a NAP client
