

by Greg Shields
Network Access Protection (NAP) is yet another one of those no-added-cost technologies that I can’t believe isn’t installed everywhere. NAP, admittedly, suffers under the weight of an outwardly-complex installation. It has a number of moving parts, depending on what kinds of connections you want it to protect. However, Microsoft’s NAP is a fantastically-useful technology that saves you money by eliminating a major source of risk: improperly secured computers.
First, a little discussion on why NAP exists: The primary job of Microsoft’s NAP is enforcement. Although this technology can and does make configuration changes to desktops, laptops, and servers, its primary reason for existence is as a mechanism to positively ensure that your security policies are followed. If they’re not, your computers simply don’t get access to your LAN until they do.
Consider the following situation that probably happens every day on your network: A user who has been off the network for an extended period has missed a few very critical patches. But not only are they missing updates, they may have also disabled their firewall due to some need at a client site. They may have turned off antivirus or anti-malware protection because “they don’t like it.” This laptop, which has been in the wild-and-woolly world outside your protected network, is about to walk in the front door and reconnect.
In the unenforced world, this event occurs all the time and without recourse for the user or remediation for the laptop. Because that laptop isn’t protected, and because it’s been on “bad” networks, there is a greater potential that it is infected. At the very least, it is not meeting your corporate standards for security settings.
That’s why NAP exists. With just an antivirus infrastructure or a WSUS-based patching infrastructure alone, getting that laptop back to your security policy’s definition of health could take hours or even days. NAP sits between that unhealthy computer and one or more network services that help it get on your LAN. If the computer doesn’t pass your security requirements, it is relocated to a special network where it can be remediated. This remediation process uses various automation techniques to bring the computer back to health without waiting on the user.
Right out of the box, NAP can enforce settings through any of five enforcement mechanisms. DHCP enforcement validates configurations before handing out DHCP addresses to laptops. VPN and Remote Desktop Gateway enforcement limits inbound connections as they attempt to connect from the outside. IPSec creates a “domain isolation” boundary around your domain, using a certificate infrastructure, only allowing access to devices that have proper certificates of health. Lastly, 802.1x can be used in both port-based and wireless networks to verify health prior to even enabling connections. If your network supports laptops that roam around with wireless connections, you really should add this capability if you want to remain protected over time.
NAP’s cost savings come in the form of disaster prevention. By implementing a NAP infrastructure today, you create a zone of enforcement around your network. This zone of enforcement enables you to validate whether certain settings are configured. Right out of the box, firewall, antivirus, anti-malware, and update settings can be enforced, although only with some admittedly-coarse options: firewalls, antivirus, and anti-malware can all be verified to ensure that they’re turned on. Antivirus and anti-malware can both be verified to ensure that the system is up to date. Updates are verified to ensure that all updates of a particular type have been installed.
If you need more granularity, get it through third-party add-ons. For example, if your environment uses Symantec (www.symantec.com) for antivirus, this company provides a NAP System Health Validator (SHV), which provides options for more granular verifications. If you use Shavlik (www.shavlik.com) as your solution for deploying updates, it has its own NAP SHV as well. The same holds true for Check Point’s ZoneAlarm Pro (www.checkpoint.com) host firewall.
Check your vendor’s list of features to determine whether they’ve jumped on the NAP bandwagon, because once you’ve got a NAP infrastructure in place, adding SHVs for further verification becomes a very easy process.
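To make the decision flow described above concrete, here is an added Python model of a NAP health check. It is an illustration written for this page, not Microsoft's code and not from the original article. A client's statement of health is run through a built-in validator that applies only the coarse on/off and up-to-date checks the text lists, and optionally through a hypothetical third-party SHV that adds finer rules (engine version, tighter signature age), and the result decides whether the client gets the full LAN or the remediation network. The thresholds, the vendor rules, the remediation actions and the sample laptop are all constructed assumptions.

```python
# Toy model of a NAP health evaluation (constructed illustration, not Microsoft's code).
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

# One failure is (category, human-readable reason); the category selects the remediation.
Failure = Tuple[str, str]


@dataclass
class StatementOfHealth:
    """What a NAP client reports about itself; the fields mirror the checks in the text."""
    firewall_on: bool
    antivirus_on: bool
    antivirus_signature_date: date
    antimalware_on: bool
    antimalware_signature_date: date
    missing_updates: Dict[str, int]  # severity -> count of updates not yet installed
    antivirus_engine_version: Tuple[int, int] = (0, 0)  # used only by the vendor SHV below


# A System Health Validator takes the statement of health and "today" and returns failures.
Validator = Callable[[StatementOfHealth, date], List[Failure]]

# Constructed policy knobs for the built-in checks (assumed values, not Microsoft defaults).
BUILTIN_MAX_SIGNATURE_AGE = timedelta(days=7)
REQUIRED_UPDATE_SEVERITIES = ("Critical", "Important")


def windows_shv(soh: StatementOfHealth, today: date) -> List[Failure]:
    """The coarse built-in checks: is it on, and is it up to date."""
    failures: List[Failure] = []
    if not soh.firewall_on:
        failures.append(("firewall", "host firewall is turned off"))
    if not soh.antivirus_on:
        failures.append(("antivirus", "antivirus is turned off"))
    elif today - soh.antivirus_signature_date > BUILTIN_MAX_SIGNATURE_AGE:
        failures.append(("antivirus", "antivirus signatures are out of date"))
    if not soh.antimalware_on:
        failures.append(("antimalware", "anti-malware is turned off"))
    elif today - soh.antimalware_signature_date > BUILTIN_MAX_SIGNATURE_AGE:
        failures.append(("antimalware", "anti-malware signatures are out of date"))
    for severity in REQUIRED_UPDATE_SEVERITIES:
        missing = soh.missing_updates.get(severity, 0)
        if missing:
            failures.append(("updates", f"{missing} {severity} update(s) not installed"))
    return failures


def make_vendor_shv(min_engine: Tuple[int, int], max_signature_age: timedelta) -> Validator:
    """Hypothetical third-party SHV: same plug-in shape as the built-in one, finer rules."""
    def vendor_shv(soh: StatementOfHealth, today: date) -> List[Failure]:
        failures: List[Failure] = []
        if soh.antivirus_on and soh.antivirus_engine_version < min_engine:
            failures.append(("antivirus", f"antivirus engine older than {min_engine[0]}.{min_engine[1]}"))
        if soh.antivirus_on and today - soh.antivirus_signature_date > max_signature_age:
            failures.append(("antivirus", f"antivirus signatures older than {max_signature_age.days} day(s)"))
        return failures
    return vendor_shv


# Automated fixes the remediation network would kick off for each failure category (constructed).
REMEDIATION = {
    "firewall": "enable the host firewall via Group Policy",
    "antivirus": "start antivirus and force a signature/engine update",
    "antimalware": "start anti-malware and force a signature update",
    "updates": "pull outstanding updates from the WSUS remediation server",
}


def evaluate(soh: StatementOfHealth, validators: List[Validator], today: date) -> dict:
    """Run every SHV; any failure at all moves the client to the restricted network."""
    failures = [f for validator in validators for f in validator(soh, today)]
    return {
        "compliant": not failures,
        "network": "full" if not failures else "restricted",
        "reasons": [reason for _, reason in failures],
        "remediation": sorted({REMEDIATION[category] for category, _ in failures}),
    }


if __name__ == "__main__":
    today = date(2010, 6, 1)  # constructed date
    # The returning laptop from the scenario above: firewall off, antivirus off, patches missed.
    returning_laptop = StatementOfHealth(
        firewall_on=False, antivirus_on=False,
        antivirus_signature_date=today - timedelta(days=30),
        antimalware_on=True, antimalware_signature_date=today - timedelta(days=2),
        missing_updates={"Critical": 3, "Important": 1}, antivirus_engine_version=(11, 0),
    )
    print(evaluate(returning_laptop, [windows_shv], today))
    print(evaluate(returning_laptop, [windows_shv, make_vendor_shv((12, 0), timedelta(days=1))], today))
```

The part worth noticing is the shape of `Validator`: the built-in checks and the vendor's finer checks are the same kind of function, so extending verification is a matter of appending one more validator to the list, which is why adding SHVs to an existing NAP infrastructure is cheap.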
About the Author
Greg Shields is an independent author, speaker, and IT consultant, as well as a Partner and Principal Technologist with Concentrated Technology. With 15 years in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture specializing in Microsoft OS, remote application, systems management, and virtualization technologies. He is a Contributing Editor and columnist for TechNet Magazine and Redmond Magazine, and serves as the Series Editor for Realtime Publishers, the world’s leading provider of high-quality content for the IT market. Greg is a highly sought-after and top-ranked speaker for both live and recorded events, and is seen regularly at conferences like TechMentor Events, Microsoft Tech Ed, VMworld, and more. He is a multiple recipient of the Microsoft “Most Valuable Professional” award.
