Network Access Protection (NAP) : design

Network Access Protection Design Guide wins big at Society of Technical Communication (STC) awards!

MS NAP Team — Thu, 05 Feb 2009 02:47:00 GMT

Greg Lindsay (writer) and Allyson Adley (editor) won the Online Best of Show award for the NAP Design Guide at the Puget Sound Chapter of the Society for Technical Communication (STC) awards ceremony on January 29th.

Congratulations Greg and Allyson for the fantastic technical documentation on NAP!

NAP Product Team

What is NAP traffic?

MS NAP Team — Tue, 06 Jan 2009 03:59:00 GMT

Here is a question posed by a member of the NAP community:

· What new traffic will there be on the network when I deploy NAP?

A NAP deployment can have the following additional sets of network traffic:

· Traffic between the NAP client and the NAP enforcement point. The nature of this traffic depends on the NAP enforcement method.

o For IPsec enforcement, the NAP client communicates to the HRA using HTTP or HTTPS to indicate its identity and health state and to receive the system health evaluation results and the health certificate.

o For 802.1X enforcement, the NAP health evaluation is done over PEAP-TLV, resulting in a small amount of additional EAPOL traffic to send the health state and health evaluation results between the NAP client and the switch or wireless access point.

o For VPN enforcement, the NAP health evaluation is done over PEAP-TLV, resulting in small amount of additional PPP traffic to send the health state and health evaluation results between the NAP client and the VPN server.

o For DHCP enforcement, the NAP health evaluation is done using the same DHCP messages that are already being used for DHCP address allocation, resulting in larger payloads for some DCHP messages, but not additional messages.

o For TS Gateway enforcement, the NAP health evaluation is done over the Remote Procedure Call (RPC) over HTTP protocol that is used for connections to a TS Gateway server, resulting in a small amount of additional traffic to send the health state from the TS Gateway client and the TS Gateway server.

· Traffic between the NAP enforcement point and the NAP health policy server. This is RADIUS traffic, consisting of one or multiple exchanges of RADIUS request and response messages. RADIUS traffic is UDP-based and adds minimal additional traffic on your network.

· Traffic between the NAP enforcement point and other servers. The most obvious example is the traffic between the Health Registration Authority (HRA) and an Active Directory domain controller and a certification authority (CA) to authenticate the NAP client and obtain a health certificate.

· Traffic between the NAP health policy server and health requirement servers. This traffic depends on the SHVs running on the NAP health policy server. The Windows Security Health Validator (WSHV) does not require communication with health requirement servers.

Joe Davies
Senior Program Manager

The no enforcement design for NAP

MS NAP Team — Tue, 23 Dec 2008 02:20:00 GMT

Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.

The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.

To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access for the NAP Enforcement settings.

Note For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.

For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.

Joe Davies

Microsoft Assessment and Planning Toolkit 3.2 Released

MS NAP Team — Wed, 05 Nov 2008 19:37:00 GMT

The Microsoft Assessment and Planning (MAP) Toolkit is an integrated platform with tools and guidance that make it easier for you to assess your current IT infrastructure and determine the right Microsoft technologies for your needs. The MAP Toolkit 3.2 has been released and is available here. It includes a new feature to perform readiness assessment for a deployment of NAP with Microsoft Forefront.

Consume and enjoy!

Joe Davies
Senior Program Manager

FYI: In a previous blog post (located here), I described the beta of the MAP Toolkit 3.2.

Microsoft Assessment and Planning Toolkit 3.2 Beta Released

MS NAP Team — Thu, 16 Oct 2008 19:13:00 GMT

The existing MAP Toolkit 3.1 is located here and includes desktop Windows Security Center assessment, which is instrumental in analyzing your network prior to a NAP deployment. Click here for the NAP blog post that describes this in detail.

The MAP Toolkit 3.2 beta includes a new feature to perform readiness assessment for a deployment of NAP with Microsoft Forefront.

Click here to get on the MAP 3.2 beta and try it out!

Joe Davies
Senior Program Manager

Network Access Protection Design Guide is live!

MS NAP Team — Thu, 09 Oct 2008 23:27:00 GMT

Hey NAP friends!

The Network Access Protection Design Guide, authored by our very own technical writer and NAP Forum hero Greg Lindsay, is now live!

http://go.microsoft.com/fwlink/?LinkId=130154

The NAP Design Guide explains the advantages, disadvantages, requirements, recommendations, and design considerations for deploying NAP for the IPsec, 802.1X, VPN, and DHCP enforcement methods.

The NAP Design Guide contains the following sections:

· Understanding the NAP Design Process

· Identifying Your NAP Deployment Goals

· Mapping Your Deployment Goals to a NAP Design

· Evaluating NAP Design Examples

· Planning a NAP Deployment Strategy

· Planning the Placement of a NAP Health Policy Server

· Planning the Placement of a NAP Enforcement Server

· Planning the Placement of a NAP CA Server

· Planning the Placement of a NAP Remediation Server

· Planning the Placement of a NAP Health Requirement Server

· NAP Capacity Planning

· Additional NAP Resources

· Appendix A: NAP Requirements

· Appendix B: Reviewing Key NAP Concepts

· Appendix C: Documenting Your NAP Design

· Appendix D: NAP-NAC Design

You can provide feedback on individual pages of the NAP Design Guide by clicking “Click to Rate and Give Feedback” just above the content pane.

Huge thanks to Greg for his authoring efforts over the last year and to many NAP product team reviewers for helping to ensure that the content is technically accurate and complete.

Enjoy!

Joe Davies
Senior Program Manager

General NAP policy design considerations

MS NAP Team — Wed, 17 Sep 2008 00:24:00 GMT

Greetings, citizens of NAPville!

Here is some information to take into account when designing your policies for NAP, adapted from a section in the upcoming Network Access Protection Design Guide and written by our own Greg Lindsay:

Consider the following rules when configuring connection request policies and network policies in the Network Policy Server (NPS) snap-in:

· A RADIUS client access request can only match one connection request policy and one network policy. When the access request successfully matches a policy, no other policies are used to evaluate the access request.

· Policies are evaluated based on processing order and source:

o RADIUS access requests from Windows-based RADIUS clients can contain the MS-Network-Access-Server-Type RADIUS attribute, which specifies the source of the request. For example, access requests from a Windows Server 2008-based VPN server specify the source of Remote Access Server (VPN-Dial up).

o Access requests are evaluated against policies with the same source.

o If the source is not specified in the access request, the NPS service will evaluate it against the policies with a source of Unspecified.

o If there are no policies with the same source as the access request, the NPS service will evaluate it against the policies with a source of Unspecified.

o If there are multiple policies with the same source as the access request, the NPS service will evaluate it against the policy with the same source that is highest in the processing order (that is, the policy with the lowest Processing Order number). If the access request does not match the conditions of the policy, the NPS service evaluates the policy next highest in the processing order with the same source. This continues until the access request matches a policy or all policies with the same source have been evaluated.

The following table lists the NAP enforcement methods and their corresponding source.

NAP enforcement method	Source
IPsec	Health Registration Authority
802.1X	Unspecified
VPN	Remote Access Server (VPN-Dial up)
DHCP	DHCP Server
Terminal Server (TS) Gateway	Terminal Server Gateway

You can select a source from Type of network access server on the Overview tab in the properties of the policy.

Thanks Greg!

Joe Davies
Senior Program Manager