What NAP Does

If you want a short definition of NAP, it’s this: NAP is a platform that can enforce compliance by computing devices with predetermined health requirements before these devices are allowed to access or communicate on a network. By itself, NAP is not designed to protect your network and is not intended to replace firewalls, AV products, patch management systems, and other protection elements. Instead, it’s designed to work together with these different elements to ensure devices on your network comply with policy that you have defined. And by devices I mean client computers (Windows Vista and soon Windows XP as well), servers running Windows Server 2008, PDAs running Windows Mobile (soon), and eventually also computers running other operating systems such as Linux and the Apple Macintosh operating system (using NAP components developed by third-party vendors).

Let’s unpack this a bit further. NAP supplies an infrastructure (components and APIs) that provides support for the following four processes:

• Health policy validation NAP can determine whether a given computer is compliant or not with a set of health policy requirements that you, the administrator, can define for your network. For example, one of your health requirements might be that all computers on your network must have a host-based firewall installed on them and enabled. Another requirement might be that all computers on your network must have the latest software updates installed on them.

• Network access limitation NAP can limit access to network resources for computers that are noncompliant with your health policy requirements. This limiting of access can range from preventing the noncompliant computer from connecting to any other computers on your network to quarantining it on a subnet and restricting its access to a limited set of machines. Or you can choose to not limit access at all for noncompliant computers and merely log their presence on the network for reporting purposes; it’s you’re choice-NAP puts you, the administrator, in control of how you limit network access based on compliance.

• Automatic remediation NAP can automatically remediate noncompliant computers that are attempting to access the network. For example, say you have a laptop that doesn’t have the latest security updates installed on it. You try to connect to corpnet, and NAP identifies your machine as noncompliant with corpnet health requirements, and it quarantines your machine on a restricted subnet where it can interact only with Windows Server Update Services (WSUS) servers. NAP then points your machine to the WSUS servers and tells it to go and get updates from them. Your machine downloads the updates, NAP then verifies that your machine is now healthy, and you’re let in the door and can access corpnet. Automatic remediation like this allows NAP to not just prevent unhealthy machines from connecting to your network, but also help those machines become healthy so that they can have access to needed network resources without bringing worms and other malware into your network. Of course, NAP puts you, the administrator, in the driver’s seat, so you can turn off auto-remediation if you want to and instead have NAP simply point the noncompliant machine to an internal Web site that gives the user instructions on what to do to make the machine compliant (or simply states why the noncompliant machine is not being allowed access to the network). Again, it’s your choice how you want NAP to operate with regard to how remediation is performed.

• Ongoing compliance Finally, NAP doesn’t just check for compliance when your computer joins the network. It continues to verify compliance on an ongoing basis to ensure that your machine remains healthy for the entire duration of the time it’s connected to your network.

As an example, let’s say your NAP health policy is configured to enforce compliance with the requirement that Windows Firewall be turned on for all Windows Vista and Windows XP clients connected to the network. You’re on the road and you VPN into corpnet, and NAP-after verifying that Windows Firewall is enabled on your machine- lets you in. Once you’re in, however, you decide for some reason to turn Windows Firewall off. (You’re an administrator on your machine, so you can do that-making users local administrators is not best practice, but some companies do that.) So you turn off Windows Firewall, which means the status of your machine has now changed and it’s out of compliance. What does NAP do? If you’ve configured it properly, it simply turns Windows Firewall back on! How does this work? The client computer has a NAP agent running on it and this agent detects this change in health status and tries to immediately remediate the situation. It can be a bit more complicated than that (for example, agent detects noncompliance, health certificate gets deleted, client goes into quarantine, NAP server remediates, agent confirms compliance, client becomes healthy again and regains access to the network) but that’s the basic idea-we’ll talk more about the NAP architecture in a moment.

Source of Information : Introducing Windows Server 2008