1. Introduction
Network Access Protection (NAP) is a new set of operating system components in Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 that provides a platform for system health validated access to private networks. The NAP platform provides an integrated way of validating the health state of a network client that is attempting to connect to or communicate on a network and limiting the access of the network client until the health policy requirements have been met.
To validate access to a network based on system health, a network infrastructure needs to provide the following areas of functionality:
- Health state validation: Determines whether the computers are compliant with health policy requirements.
- Network access limitation: Limits access for noncompliant computers.
- Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant without user intervention.
- Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements.
Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 provide the following NAP enforcement methods:
- Internet Protocol security (IPsec) enforcement for IPsec-protected communications
- IEEE 802.1X enforcement for IEEE 802.1X-authenticated connections
- Virtual Private Network (VPN) enforcement for remote access VPN connections
- Dynamic Host Configuration Protocol (DHCP) enforcement for DHCP-based address configuration
- Terminal Server (TS) Gateway enforcement for TS Gateway connections
The NAP platform provides a client-side and server-side architecture through which policy validation, network access limitation, automatic remediation, and ongoing compliance can occur through additional components supplied by third-party software vendors or Microsoft.
The NAP platform requires servers running Windows Server 2008 and clients running Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3.
2. NAP Platform Architecture
Figure shows the components of a NAP-enabled network infrastructure.
Figure : Components of a NAP-enabled network infrastructure
The components of a NAP-enabled network infrastructure consist of the following:
- NAP clients: Computers that support the NAP platform for system health-validated network access or communication.
- NAP enforcement points: Computers or network access devices that use NAP or can be used with NAP to require the evaluation of a NAP client’s health state and provide restricted network access or communication. NAP enforcement points use a Network Policy Server (NPS) that is acting as a NAP health policy server to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. Examples of NAP enforcement points are the following:
- Health Registration Authority (HRA): A computer running Windows Server 2008 and Internet Information Services (IIS) that obtains health certificates from a certification authority (CA) for compliant computers.
- VPN server: A computer running Windows Server 2008 and Routing and Remote Access that allows remote access VPN connections to an intranet.
- DHCP server: A computer running Windows Server 2008 and the DHCP Server service that provides automatic Internet Protocol version 4 (IPv4) address configuration to intranet DHCP clients.
- Network access devices: Ethernet switches or wireless access points that support IEEE 802.1X authentication.
- NAP health policy servers: Computers running Windows Server 2008 and the NPS service that store health requirement policies and provide health state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy provided with Windows Server 2003. NPS can also act as an authentication, authorization, and accounting (AAA) server for network access. When acting as a AAA server or NAP health policy server, NPS is typically run on a separate server for centralized configuration of network access and health requirement policies, as Figure 1 shows. The NPS service is also run on Windows Server 2008-based NAP enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the NPS service is acting as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.
- Health requirement servers: Computers that provide current system health state for NAP health policy servers. For example, a health requirement server for an antivirus program tracks the latest version of the antivirus signature file.
- Active Directory® Domain Services: The Windows directory service that stores account credentials and properties and Group Policy settings. Although not required for health state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.
- Restricted network: A separate logical or physical network that contains the following:
- Remediation servers: Computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers.
- NAP clients with limited access: Computers that are placed on the restricted network when they do not comply with health requirement policies.
Figure: Interactions between NAP platform components
3. NAP Client Architecture
A NAP client is a computer running Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3 that includes new components and updated versions of existing components for the NAP platform. Figure 3 shows the architecture of the NAP platform on a NAP client.
Figure : NAP platform architecture on the NAP client
4. NAP Enforcement Client
A NAP EC requests some level of access to a network, passes the computer’s health status to a NAP enforcement point that is providing the network access, and indicates the limited or unlimited network access status of the NAP client to other components of the NAP client architecture.
The NAP ECs for the NAP platform supplied in Windows Vista, Windows Server 2008, and Windows XP Service Pack 3 are the following:
- An IPsec NAP EC for IPsec-protected communications
- An EAPHost NAP EC for 802.1X-authenticated connections
- A VPN NAP EC for remote access VPN connections
- A DHCP NAP EC for DHCP-based IPv4 address configuration
- A TS Gateway NAP EC for TS Gateway connections
5. System Health Agent
An SHA performs system health updates and publishes its status in the form of a statement of health (SoH) to the NAP Agent. The SoH contains information that the NAP health policy server can use to verify that the client computer is in the required state of health.
An SHA is matched to a System Health Validator (SHV) on the server-side of the NAP platform architecture. The corresponding SHV returns a statement of health response (SoHR) to the NAP client, which is passed by the NAP EC and the NAP Agent to the SHA, informing it of what to do if the SHA is not in a required state of health. For example, the SoHR sent by an antivirus SHV could instruct the corresponding antivirus SHA to request the latest version of the antivirus signature file from an antivirus signature server. The SoHR can also include the name or IP address of the antivirus signature server.
An SHA can use a locally installed system health component (not shown in Figure 3) to assist in system health management functions in conjunction with a remediation server. For example, a software update SHA can use the locally installed software update client software to perform version checking and installation and update functions with the software update server (the remediation server).
6. NAP Agent
The NAP Agent provides the following services:
- Collects the SoHs from each SHA and caches them. The SoH cache is updated whenever an SHA supplies a new or updated SoH.
- Stores the system statement of health (SSoH), which contains the cached SoHs, and supplies it to the NAP ECs upon request.
- Passes notifications to SHAs when the limited network access state changes.
- Passes SoHRs to the appropriate SHAs.
7. NAP Server-side Architecture
Figure 4 shows the NAP server-side architecture, which consists of NAP enforcement points and a NAP health policy server. The NAP platform server-side architecture includes new components and updated versions of existing components.
Figure : The server-side NAP platform architecture
Figure : Relationships between NAP platform components
Notice the matching of the following sets of components:
- NAP ECs and NAP ESs can be matched.
- SHAs and remediation servers can be matched.
- SHVs and health requirement servers can be matched.
8. Server-side NAP Platform Components
The following sections describe the server-side NAP platform components in greater detail.
8.1. NAP Enforcement Server
A NAP ES allows some level of network access or communication, can pass a NAP client’s health status to a NAP health policy server for evaluation, and, based on the response, can provide the enforcement of limited network access.
The NAP ESs included with Windows Server 2008 are the following:
- An IPsec NAP ES for IPsec-protected communications
For IPsec-protected communication, the HRA passes the NAP client’s health status information to the NAP health policy server.
- A DHCP NAP ES for DHCP-based IP address configuration
The DHCP NAP ES is new functionality in the DHCP Server service that uses industry standard DHCP messages to communicate with the DHCP NAP EC on a NAP client. DHCP enforcement for limited network access is done through DHCP options.
- A TS Gateway NAP ES for TS Gateway server-based connections
For remote access VPN and 802.1X-authenticated connections, new functionality in the NPS service uses PEAP-TLV messages between NAP clients and the NAP health policy server. VPN enforcement is done through IP packet filters that are applied to the VPN connection. 802.1X enforcement is done at the 802.1X network access device by applying IP packet filters to the connection or by assigning the connection a VLAN ID corresponding to the restricted network.
8.2. NAP Administration Server
The NAP Administration Server component provides the following services:
- Obtains the SSoH from the NAP ES through the NPS service.
- Distributes the SoHs in the SSoH to the appropriate SHVs.
- Collects the SoHRs from the SHVs and passes them to the NPS service for evaluation.
8.3. NPS Service
RADIUS is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access that is described in Requests for Comments (RFCs) 2865 and 2866. Originally developed for dial-up remote access, RADIUS is now supported by wireless access points, authenticating Ethernet switches, VPN servers, Digital Subscriber Line (DSL) access servers and other network access servers.
NPS is the implementation of a RADIUS server and proxy in Windows Server 2008. NPS replaces the Internet Authentication Service (IAS) in Windows Server 2003. For the NAP platform, the NPS service has been updated to include the NAP Administration Server component, support for the SHV API and installable SHVs, and options for configuring health policies.
Based on the SoHRs from the SHVs and the configured health policies, the NPS service creates a System Statement of Health Response (SSoHR), which indicates whether the NAP client is compliant or noncompliant and includes the set of SoHRs from the SHVs.
8.4. System Health Validator
An SHV receives an SoH from the NAP Administration Server and compares the system health status information in the SoH with the required system health state. For example, if the SoH is from an antivirus SHA and contains the version number of the last virus signature file, the corresponding antivirus SHV can check with the antivirus health requirement server for the latest version number to validate the NAP client’s SoH.
9. Communication Between Client and Server NAP Components
The NAP Agent component can communicate with the NAP Administration Server component through the following process:
- The NAP Agent passes the SSoH to the NAP EC.
- The NAP EC passes the SSoH to the NAP ES.
- The NAP ES passes the SSoH to the NPS service.
- The NPS service passes the SSoH to the NAP Administration Server.
The NAP Administration Server can communicate with the NAP Agent through the following process:
- The NAP Administration Server passes the SoHRs to the NPS service.
- The NPS service passes the SSoHR to the NAP ES.
- The NAP ES passes the SSoHR to the NAP EC.
- The NAP EC passes the SSoHR to the NAP Agent.
An SHA can communicate with its corresponding SHV through the following process:
- The SHA passes its SoH to the NAP Agent.
- The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC.
- The NAP EC passes the SoH to the NAP ES.
- The NAP ES passes the SoH to the NAP Administration Server.
- The NAP Administration Server passes the SoH to the SHV.
The SHV can communicate with its corresponding SHA through the following process:
- The SHV passes its SoHR to the NAP Administration Server.
- The NAP Administration Server passes the SoHR to the NPS service.
- The NPS service passes the SoHR, contained within the SSoHR, to the NAP ES.
- The NAP ES passes the SoHR to the NAP EC.
- The NAP EC passes the SoHR to the NAP Agent.
- The NAP Agent passes the SoHR to the SHA.
Figure 22 shows the communication process from NAP client components to NAP server-side components.
Figure : Communication process from NAP client components to NAP server-side components
Figure 24: Communication process from NAP server-side components to NAP client components
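The following added example (not from the original article, and not the NAP API) models the round trip just described in Python: the NAP Administration Server fans the SoHs in an SSoH out to the SHVs matched by SHA ID, the NPS service assembles the SSoHR under an "all SHVs must pass" health policy, and the NAP Agent routes each SoHR back to its SHA. The SHA IDs, health attributes and remediation server name are constructed; treating an SoH with no matching SHV as noncompliant is this example's choice.

```python
from dataclasses import dataclass, field


@dataclass
class SoH:
    """Statement of health published by one SHA."""
    sha_id: int      # identifies the SHA, and therefore the SHV that must evaluate it
    data: dict       # health attributes the SHA reports (constructed for this example)


@dataclass
class SoHR:
    """Statement of health response returned by the matching SHV."""
    sha_id: int
    compliant: bool
    remediation: dict = field(default_factory=dict)   # what the SHA should do if noncompliant


# Stand-in for the health requirement servers the SHVs consult (constructed values).
REQUIREMENTS = {1: {"latest_signature": 2208}, 2: {"firewall_required": True}}


def antivirus_shv(soh):
    """SHV for the antivirus SHA: compares the reported signature version with the
    latest one; the SoHR for a stale client names the signature server to contact."""
    current = soh.data.get("signature_version", 0) >= REQUIREMENTS[1]["latest_signature"]
    if soh.data.get("enabled") and current:
        return SoHR(soh.sha_id, True)
    return SoHR(soh.sha_id, False,
                {"action": "update_signatures", "server": "av-remediation.example.test"})


def firewall_shv(soh):
    """SHV for the host firewall SHA."""
    enabled = bool(soh.data.get("enabled"))
    return SoHR(soh.sha_id, enabled, {} if enabled else {"action": "enable_firewall"})


SHVS = {1: antivirus_shv, 2: firewall_shv}   # SHV registry keyed by SHA ID


def nap_administration_server(ssoh):
    """Distribute each SoH in the SSoH to its SHV and collect the SoHRs.  An SoH with
    no registered SHV is reported as noncompliant here (this example's choice)."""
    sohrs = []
    for soh in ssoh:
        shv = SHVS.get(soh.sha_id)
        sohrs.append(shv(soh) if shv else SoHR(soh.sha_id, False, {"action": "no_shv"}))
    return sohrs


def nps_service(ssoh):
    """Build the SSoHR: overall verdict (all SHVs must pass) plus the full set of SoHRs."""
    sohrs = nap_administration_server(ssoh)
    return {"compliant": all(r.compliant for r in sohrs), "sohrs": sohrs}


def nap_agent_dispatch(ssohr):
    """Client side: hand each noncompliant SoHR to the SHA that owns it (by ID)."""
    return {r.sha_id: r.remediation for r in ssohr["sohrs"] if not r.compliant}


# Constructed SSoH from a client with stale antivirus signatures and an enabled firewall.
SAMPLE_SSOH = [SoH(1, {"enabled": True, "signature_version": 2200}), SoH(2, {"enabled": True})]
```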
10. How NAP Works
The following sections describe how the components of the NAP platform provide for system health status reporting, network policy compliance verification, network access limitation, and automatic remediation for IPsec-protected communication, IEEE 802.1X-authenticated connections, remote access VPN connections, and DHCP IP address configuration.
10.1. IPsec-protected Communication
IPsec enforcement limits communication for IPsec-protected NAP clients by dropping incoming communication attempts that are sent from computers that cannot negotiate IPsec protection using health certificates. Unlike 802.1X and VPN enforcement, IPsec enforcement is performed by each individual computer, rather than at the point of entry into the network. Because you can take advantage of IPsec policy settings, the enforcement of health certificates can be done for all the computers in a domain, specific computers on a subnet, a specific computer, a specific set of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports, or for a set of TCP or UDP ports on a specific computer.
IPsec enforcement defines the following logical networks:
- Secure network: The set of computers that have health certificates and require that incoming communication attempts use health certificates for IPsec authentication. On a managed network, most server and client computers that are members of the Active Directory domain would be in the secure network.
- Boundary network: The set of computers that have health certificates but do not require that incoming communication attempts use health certificates for IPsec authentication. Computers in the boundary network must be accessible to computers on the entire network.
- Restricted network: The set of computers that do not have health certificates. This includes noncompliant NAP client computers, guests on the network, and computers that are not NAP-capable, such as computers running versions of Windows that do not support NAP or Apple Macintosh or UNIX-based computers.
Figure summarizes the logical networks and the types of initiated communications that are allowed.
Figure 25: Logical networks with IPsec enforcement
To obtain a health certificate and become a member of the secure network, a NAP client using IPsec enforcement starts up on the network and uses the following process:
1. When the computer starts, the host-based firewall is enabled but does not allow any exceptions so that no other computer can initiate communications with it. At this point, the computer is in the restricted network because it does not have a health certificate. The computer can communicate with other computers in the restricted and boundary networks and can access the Internet. However, it cannot initiate communications with computers in the secure network.
2. The NAP client obtains network access and an IP address configuration.
3. The IPsec NAP EC sends its credentials and its SSoH to the HRA using HTTP or a protected HTTP over SSL session.
4. The HRA passes the SSoH to the NAP health policy server in a RADIUS Access-Request message.
5. The NPS service on the NAP health policy server receives the RADIUS Access-Request message, extracts the SSoH, and passes it to the NAP Administration Server component.
6. The NAP Administration Server receives the SSoH and forwards the SoHs to the appropriate SHVs.
7. The SHVs analyze the contents of their SoHs and return SoHRs to the NAP Administration Server.
8. The NAP Administration Server passes the SoHRs to the NPS service.
9. The NPS service compares the SoHRs to the configured set of network and health policies and creates the SSoHR.
10. The NPS service constructs and sends a RADIUS Access-Accept message with the SSoHR as a RADIUS VSA to the HRA.
11. The HRA sends the SSoHR back to the IPsec NAP EC.
12. The IPsec NAP EC passes the SSoHR to the NAP Agent.
13. The NAP Agent passes the SoHRs in the SSoHR to the appropriate SHAs.
14. If the NAP client is compliant, the HRA also issues a health certificate.
The NAP client removes any existing health certificates if needed and adds the newly-issued health certificate to its computer certificate store. The IPsec NAP EC configures IPsec settings to authenticate using the health certificate for IPsec-protected communications and configures the host-based firewall to allow incoming communications from any peer that uses a health certificate for IPsec authentication. The NAP client is now a member of the secure network.
The IPsec NAP EC performs steps 3-14 whenever new SoH information arrives at the NAP Agent or when the health certificate is about to expire.
10.2. 802.1X-Authenticated Connections
IEEE 802.1X enforcement instructs an 802.1X-capable access point to use a limited access profile, either a set of IP packet filters or a VLAN ID, to limit the traffic of the noncompliant computer so that it can reach only resources on the restricted network. For IP packet filtering, the 802.1X-capable access point applies the IP packet filters to the IP traffic that is exchanged with the 802.1X client and silently discards all packets that do not correspond to a configured packet filter. For VLAN IDs, the 802.1X-capable access point applies the VLAN ID to all of the packets exchanged with the 802.1X client and the traffic does not leave the VLAN corresponding to the restricted network.
10.3. Remote Access VPN Connections
VPN enforcement uses a set of remote access IP packet filters to limit the traffic of the VPN client so that it can only reach the resources on the restricted network. The VPN server applies the IP packet filters to the IP traffic that is received from the VPN client and silently discards all packets that do not correspond to a configured packet filter.
10.4. DHCP Address Configuration
DHCP address configuration limits network access for the DHCP client through its IPv4 routing table. DHCP enforcement sets the DHCP Router option value to 0.0.0.0, so the noncompliant computer does not have a configured default gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4 address to 255.255.255.255, so that there is no route to the attached subnet. To allow the noncompliant computer to access the remediation servers on the restricted network, the DHCP server assigns the Classless Static Routes DHCP option, which contains a set of host routes to the computers on the restricted network, such as the DNS and remediation servers. The end result of DHCP limited network access is a configuration and routing table that allows connectivity only to specific destination addresses corresponding to the restricted network. Therefore, when an application attempts to send to a unicast IPv4 address other than those supplied via the Classless Static Routes option, the TCP/IP protocol returns a routing error.
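To make the limited-access lease concrete, here is an added example (not from the original article) that encodes and decodes the Classless Static Routes option payload in the RFC 3442 format (it handles any prefix length, not only the /32 host routes NAP uses), derives the routing table a client builds from its lease, and shows which destinations have a route. The lease values, addresses and route list are constructed for illustration.

```python
import ipaddress

# Constructed sample leases; a compliant client gets a normal mask and default gateway,
# a restricted client gets a /32 mask and a 0.0.0.0 router, exactly as NAP DHCP enforcement does.
COMPLIANT_LEASE = {"yiaddr": "10.0.0.57", "subnet_mask": "255.255.255.0", "router": "10.0.0.1"}
RESTRICTED_LEASE = {"yiaddr": "10.0.0.57", "subnet_mask": "255.255.255.255", "router": "0.0.0.0"}
# Host routes handed out in the Classless Static Routes option (option 121, RFC 3442):
# (destination prefix, next hop).  Only the DNS server and the remediation server are listed.
RESTRICTED_ROUTES = [("10.0.0.10/32", "10.0.0.1"), ("10.0.0.20/32", "10.0.0.1")]


def encode_option_121(routes):
    """Encode (destination, router) pairs in the option 121 payload format:
    1 byte prefix length, only the significant destination octets, 4 byte router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest, strict=False)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.ip_address(router).packed
    return bytes(out)


def decode_option_121(payload):
    """Parse an option 121 payload back into (network, next hop) pairs."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        significant = (plen + 7) // 8
        dest = payload[i + 1:i + 1 + significant].ljust(4, b"\x00")   # pad omitted octets
        router = payload[i + 1 + significant:i + 5 + significant]
        routes.append((ipaddress.ip_network((int.from_bytes(dest, "big"), plen), strict=False),
                       ipaddress.ip_address(router)))
        i += 5 + significant
    return routes


def build_routing_table(lease, option_121=b""):
    """Routing table the client derives from its lease: on-link subnet route, a default
    route only when the Router option is not 0.0.0.0, and the classless static routes."""
    table = [(ipaddress.ip_network((lease["yiaddr"], lease["subnet_mask"]), strict=False), "on-link")]
    if lease["router"] != "0.0.0.0":
        table.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(lease["router"])))
    table.extend(decode_option_121(option_121))
    return table


def next_hop(table, dst):
    """Longest-prefix match; None stands for the routing error the TCP/IP stack returns."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in table if dst in net]
    if not matches:
        return None
    return str(max(matches, key=lambda m: m[0].prefixlen)[1])
```

With the restricted lease, only 10.0.0.10 and 10.0.0.20 resolve to a next hop; every other unicast destination, including hosts on the client's own subnet, has no route.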