Network Computing is part of the Informa Tech Division of Informa PLC


Rolling Review: Microsoft NAP: Page 2 of 3

GET READY ...
As we unboxed NAP in our Boston Real-World Labs and studied Microsoft's implementation of the technology, it became clear that there are three design decisions that must be made before jumping in.

First, what type of enforcement do you want to employ in your NAP system? Microsoft NAP attempts to secure the network at five distinct points of entry: DHCP, IPsec, Remote Access/VPN, Terminal Services Gateway, and 802.1X. Methods can be used individually or in tandem, and each has advantages and disadvantages. For example, using DHCP as an exclusive enforcement point is easy and works well ... as long as your end users lack the sophistication to set static IP addresses for their systems as a means of circumventing the NAP health check. In the DHCP enforcement method, clients that pass the health check are given DHCP data that's valid for access to the production network. Clients that fail a health check are provided with an IP address and subnet mask, but no default gateway. However, these clients are provided with host routes to remediation servers, where updates can be downloaded and installed automatically or manually.
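As an added illustration (not code from the review or from Microsoft), the Python below parses the option area of a DHCPOFFER and tells a restricted NAP lease (subnet mask, no router option, /32 host routes to remediation servers) from a full-access one. The sample byte strings and addresses are constructed; option 249 is Microsoft's pre-standard code carrying the same classless-route format as RFC 3442's option 121.

```python
import ipaddress
from typing import Dict, List, Tuple

DHCP_OFFER = 2
OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_PAD, OPT_END = 1, 3, 53, 0, 255
OPT_CLASSLESS_ROUTES = (121, 249)  # RFC 3442 code and Microsoft's pre-standard code

# Constructed sample option areas (the bytes that follow the DHCP magic cookie).
# Restricted lease: subnet mask, no router option, two /32 routes via 10.0.1.1.
RESTRICTED_OFFER = bytes.fromhex(
    "350102" "0104ffffff00" "7912"
    "200a0005140a000101" "200a0005150a000101" "ff")
# Full-access lease: subnet mask plus a default gateway (option 3).
FULL_ACCESS_OFFER = bytes.fromhex("350102" "0104ffffff00" "03040a000101" "ff")


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Walk the code/length/value option list up to the End option."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_classless_routes(data: bytes) -> List[Tuple[str, str]]:
    """Decode RFC 3442 routes: prefix length, significant dest octets, router."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8                      # destination octets actually sent
        dest = data[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        router = data[i + 1 + n:i + 5 + n]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes


def classify_offer(raw_options: bytes) -> dict:
    """Report whether the lease is full-access or NAP-restricted and list remediation hosts."""
    opts = parse_options(raw_options)
    if opts.get(OPT_MSG_TYPE, b"")[:1] != bytes([DHCP_OFFER]):
        raise ValueError("not a DHCPOFFER")
    routes = [r for c in OPT_CLASSLESS_ROUTES if c in opts for r in parse_classless_routes(opts[c])]
    has_gateway = len(opts.get(OPT_ROUTER, b"")) >= 4
    return {"state": "full" if has_gateway else "restricted",
            "router": str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4])) if has_gateway else None,
            "remediation_hosts": [d.split("/")[0] for d, _ in routes if d.endswith("/32")]}
```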

The IPsec enforcement method works by employing health certificates, which are issued by a Network Policy Server to clients upon login, after a successful health check. If a system that lacks a valid health certificate tries to connect to a network that requires one for access, the connection will be dropped.

VPN enforcement is most easily achieved through the use of Microsoft's Routing and Remote Access server, but third-party VPNs can be made to work with NAP. In much the same way that DHCP enforcement works, a failed health check results in packet filters that allow clients to connect to remediation servers only being applied to the VPN connection.

In Detail
Featured Element: 
Microsoft Server 2008 Network Access Protection

About This Rolling Review: 
In this new breed of Rolling Review, we're analyzing the most intriguing new features of Windows Server 2008. Where competition exists, we'll run bake-offs in our Boston Real-World Labs. When a capability is unique, we'll put it through its paces and tell you what we find.

Previously tested: 
Terminal Services, PowerShell, Server Core

Next Up: 
Hyper-V

Other Vendors Invited: 

Rolling Reviews present a comprehensive look at a hot technology category. See our kickoff and other reviews at
informationweek.com/rollingreviews/

The functionality of the Terminal Services Gateway enforcement method is still somewhat limited because auto-remediation is not supported through Terminal Services. Despite that drawback, it's possible to at least conduct health checks on clients trying to access your Microsoft Terminal Servers. The primary option for administrators who want to enforce system health through Terminal Services is to place the connection into quarantine for manual remediation.

Finally, Network Access Protection supports the use of dynamic virtual LAN steering via the 802.1X standard. This enforcement method is the most popular and versatile because it's effective both on the wire and wirelessly. NAP and 802.1X work like this: When a system attempts to log on, the NAP client packages its Statement of Health and logon credentials into an EAP authentication request. The 802.1X-capable switch accepts the client SoH/authentication request using a method called EAP over LAN, and forwards it to the NPS via the RADIUS protocol. If the NPS is not also your RADIUS server, then the NPS can act as a RADIUS client and direct the SoH/authentication request to the RADIUS server you specify. The authentication portion of a request is forwarded to the domain controller, but the SoH part of the request is vetted by the NPS to determine system health. If a client fails the health check but passes authentication, 802.1X dynamically switches VLAN membership to a DMZ, where the device can be auto-remediated and recertified to log back on to the production network.

The second design choice you'll need to make when implementing NAP is a policy decision: What factors will you use to determine system health?

Out of the box, you can check the status of Windows Firewall and antivirus/anti-spyware software, as well as Windows Updates and the update policy. The updates themselves can be installed automatically from a dedicated server, from the Web, or from an intranet source that you make available.

The final major architectural decision relates to how strictly you'll enforce policies. Microsoft recommends a phased implementation where NAP is initially deployed in a reporting-only mode. Once you're comfortable that enforcing health standards won't grind business to a halt, you can move gradually to an auto-remediated enforcement policy. Of course, shops with high security standards can implement immediate enforcement.
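Tying the 802.1X flow, the built-in health factors and the reporting-versus-enforcement choice together, here is an added Python model (not Microsoft's code, and a simplification of what NPS does) of the decision the policy server hands back to the switch: authentication failure is rejected outright, and the health verdict selects the VLAN via the standard RFC 3580 tunnel attributes. The health item names, VLAN IDs and mode strings are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# RADIUS attributes a switch uses for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Health items the review lists for the out-of-the-box validator; names are assumed.
REQUIRED_TRUE = ("firewall_on", "antivirus_on", "antivirus_current",
                 "antispyware_on", "auto_update_on", "updates_current")


@dataclass
class Decision:
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: Dict[int, object] = field(default_factory=dict)
    failed_checks: List[str] = field(default_factory=list)


def evaluate_soh(soh: Dict[str, bool]) -> List[str]:
    """Return the required health items that are missing from or false in the SoH."""
    return [item for item in REQUIRED_TRUE if not soh.get(item, False)]


def nps_decide(authenticated: bool, soh: Dict[str, bool], mode: str,
               prod_vlan: str = "100", remediation_vlan: str = "900") -> Decision:
    """Model the NPS outcome: the DC's auth result gates access, the SoH picks the VLAN.

    mode is "report" (phase one: log noncompliance, grant production access) or
    "enforce" (noncompliant clients are steered to the remediation VLAN).
    """
    if not authenticated:
        return Decision("Access-Reject")
    failed = evaluate_soh(soh)
    vlan = remediation_vlan if (failed and mode == "enforce") else prod_vlan
    return Decision("Access-Accept",
                    {TUNNEL_TYPE: VLAN, TUNNEL_MEDIUM_TYPE: IEEE_802,
                     TUNNEL_PRIVATE_GROUP_ID: vlan},
                    failed)


# Constructed sample Statements of Health.
HEALTHY = {k: True for k in REQUIRED_TRUE}
STALE_AV = dict(HEALTHY, antivirus_current=False)
```

In reporting-only mode `nps_decide(True, STALE_AV, "report")` still lands the client on the production VLAN but records the failed check, which is the data you review before flipping the mode to enforcement.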

chart: Two Microsoft NAP Deployment Scenarios