Although VPN connections have been a staple of enterprise environments for many years now, security concerns have increased exponentially in recent years. Some of those concerns are related to the various federal regulations affecting IT departments, but many more of the concerns have to do with the machines from which users connect to the network. Although policies differ from one company to another, it is not at all uncommon for users to use their own personal computers to connect to the corporate VPN.
One of the problems with allowing such connections is that since the company does not own the user’s personal machines, they have a limited ability to impose security standards on those machines. In the past this has been problematic, because although some companies try to impose security standards for any machine that the users use to connect to the corporate VPN, there usually hasn’t been a practical way of enforcing those standards.
This is where Network Access Protection comes into play. Network Access Protection, or NAP, is a Windows 2008 security feature that allows organizations to compare a machine’s configuration to the organization’s security policy. Although there are several variations of this technique, the most commonly used form of Network Access Protection is something called VPN Enforcement.
VPN enforcement works by comparing a client’s health to a network health policy requirement. If a client is found to be non compliant with the network health policy, then IP filters are used to prevent the client from gaining full network access until the problem has been fixed.
In some cases, a technique called remediation can be used to fix the client’s health problem automatically. For example, if a network health policy requires the Windows Firewall to be enabled, and a client connects to the VPN without its Windows Firewall enabled, NAP can turn the client’s firewall on instead of just blocking access to the network.
It is worth noting that Windows Server 2003 offered a similar feature called Network Access Quarantine Control. Network Access Quarantine Control is completely different from NAP. Both are used to ensure that VPN clients meet the organization’s security health policy, but Network Access Quarantine Control is much more difficult to configure. It involves a lot of custom scripting, whereas you can point and click your way through a NAP deployment.
A VPN based NAP deployment consists of several different components. Obviously, the deployment requires a VPN server, but it also requires a Windows Server 2008 box that is acting as a network policy server. There are also some client requirements that I will talk about in the next section.
Obviously, there have to be some initial requirements for the client machines that are connecting to the corporate VPN. These machines, known as NAP Clients, have to be running Windows Vista, Windows XP with SP3 or higher, or Windows Server 2008.
Although these are the only types of NAP clients that are currently supported, it probably won’t be that way forever. Microsoft has released an Application Programming Interface called the NAP API. This API will allow independent software vendors (ISVs) to make other operating systems NAP compliant.
I would not be surprised to see a Linux based NAP client released eventually, and Microsoft has already stated that the next version of Windows Mobile will contain a NAP client.
System Health Agents
The main reason why NAP only works with Windows Vista and Windows XP SP3 is because the NAP clients use a special mechanism known as system health agents (sometimes referred to as SHAs). System Health Agents are responsible for monitoring the Windows Security Center to see how the various security options are set at a given moment.
The system health agents are designed to communicate with a server side component known as a system health validator (sometimes abbreviated as SHV). For every system health agent, there is a corresponding SHV. There are SHAs that monitor the status of the Windows Firewall, the machine’s antivirus software, and the Microsoft Update Service.
Another client component is something called the NAP Agent. The NAP agent (sometimes called the quarantine agent) runs on each client machine. Its job is to facilitate communications between the SHAs and the enforcement clients, which I will talk about in Part 2.
Although I have begun talking about the various NAP components, there are more components that are used by NAP. I will talk about these components in Part 2 of this series.
Got a question? Post it on our Windows Server 2008 forums!