Windows Server 2008 - NAP (Network Access Protection)

Don't make the mistake of confusing Network Access Protection (NAP) with *Network Center.  Microsoft's NAP is a client-server technology designed to protect your network from 'unhealthy' machines.  The way that NAP works is for Windows Server 2008 to compare the Vista client's SoH (statement of health) with its policies.  You can also configure NAP to only allow compliant computers on to the main network; one day, such clients could include XP with SP3.

*(The Network Center is a Control Panel container for troubleshooting IP settings and negotiating Wireless connections.)

What NAP Can Do for You

Let us consider how computer viruses spread.  I take it that, as you read this article, you already minimise virus attacks by protecting the Internet connection with firewalls.  In addition, you scan email attachments; what else can you do?  Ah yes, examine those laptops and other mobile devices that itinerant associates bring onto your network.  Thanks to Network Access Protection, you can isolate viruses which would otherwise attack via those laptops.  An even better alternative is to specify a policy which cleans the affected machines and, when they are healthy, permits them access to parts of your production network.

NAP Philosophy

NAP is a client-server technology which identifies machines that don't have the latest virus signatures, service packs or security patches.  Such machines are most likely to be laptops that have been offsite for a while, or home computers trying to connect via a VPN.  Apparently hackers, in common with all cowards, target the older, weaker members of the computer society.

Validating Machines:  The mission of NAP is to preserve the integrity of your network by allowing only healthy machines to have IP addresses that can connect to the main subnet.  You may find that validating machines is an ongoing task as your NAP policy will evolve over time with the release of new service packs, and sadly, new viruses.

Restricting Network Access:  Visiting laptops which don't meet your policy standards, whether or not they are riddled with viruses, can be restricted to the repair subnet.  As I hinted earlier, for safety, you may also need to exclude desktops that have missed a security patch until they have been remediated.

Fixing Unhealthy Machines:

NAP provides a range of strategies once it detects such 'unhealthy' machines.  For example, you could configure the NAP servers to restrict all machines until they pass muster.  A better tactic is to direct them to a remediation server, which could apply SMS packages containing antivirus signatures, and thus cure their computer illnesses.  Another alternative is to give machines which don't meet all the criteria limited access; for example, visiting consultants' laptops get Internet access only.

Remember that NAP is for validating a computer's software; unfortunately, it cannot protect against malicious hackers with a valid IP address.  For that you need different tactics.

Components of NAP

NAP is a classic client server technology.  All the necessary NAP components will be built into Vista clients and Windows 2008 Servers.  In addition, XP with SP3 will also be able to benefit from NAP.  What is unusual is that Microsoft are encouraging third party anti-virus vendors to participate in the technology in general, and the SHA (System Health Agent) in particular.

Remember that NAP is designed to protect your network from 'unhealthy' machines.  Tactics involve identifying what constitutes a healthy machine, configuring one or more policies and deciding what to do about computers that fail to match your criteria.

When a Vista machine boots up, a conversation takes place with the Health Registration Authority server.  The client SHA sends a SoH (Statement of Health) to the Windows 2008 server.  This packet contains details of software updates and anti-virus signatures.  The server then compares the SoH with one or more of its policies.  If the Vista client lacks any of the required components, you can predetermine what action to take: for example, whether to ban it from the production subnet, or to try to remediate it by adding patches.

NAP Server Components
(Windows Server 2008 or Windows Server 2003)

Whenever you see lots of acronyms - as here with the NAP family - slow down, because the going gets tough.  It all begins to make sense once you install the Network Policy and Access Services role (NPAS) on your Server 2008.  Incidentally, NPAS replaces IAS (Internet Authentication Service) in Windows 2003.

Microsoft's NAP Administration Server.  This main NAP Server checks the network policies (formerly RAS Policies), analyzes the Vista laptops or XP desktops and then decides whether or not to allow access to the network.  While it is a Windows Server 2008 machine, it does not have to be a domain controller, but as I mentioned earlier, do install the NPAS role.

System Health Validator (SHV).  This component determines whether the SoH (Statement of Health) issued by the client's SHA (System Health Agent) matches the required health policy criteria on the server.

Quarantine Agent (QA). This reports the client's health status.

Health Policy.  This is a list of conditions; you can have a different policy for each of these technologies: IPsec, DHCP, 802.1X or VPN.

Accounts Database.  This is a portion of Active Directory that stores NAP properties for a computer or user.

Health Certificate Server, IIS on Windows Server 2008.

Remediation server (Optional).  This server is designed to help treat unhealthy clients, consequently it has the patches, virus signature updates, which may cure an unhealthy machine.  However, further policies decide which machines get the patches, for example, it would be too intrusive to add software patches to visitors' machines.  In practice, this remediation server could also be the anti-virus / update server.
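To make the boot-time SoH-versus-policy comparison and the remediation decision concrete, here is an added Python model of the SHV check and the server's verdict.  It is not Microsoft's code: the real SoH is a binary structure exchanged by the SHA and SHV, and the field names, thresholds and sample clients below are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed, simplified SoH: the fields a SHA might report (hypothetical numbering).
@dataclass
class StatementOfHealth:
    client: str
    patch_level: int            # highest installed security update
    av_signature_version: int   # anti-virus signature version
    firewall_on: bool
    is_domain_member: bool      # visitors' laptops are not domain members

# Constructed health policy: the minimum the SHV requires.
@dataclass
class HealthPolicy:
    min_patch_level: int
    min_av_signature_version: int
    require_firewall: bool = True

def validate(soh, policy):
    """SHV step: compare the SoH with the policy and list every failed check."""
    failures = []
    if soh.patch_level < policy.min_patch_level:
        failures.append("security patches")
    if soh.av_signature_version < policy.min_av_signature_version:
        failures.append("anti-virus signatures")
    if policy.require_firewall and not soh.firewall_on:
        failures.append("firewall")
    return failures

def decide(soh, policy):
    """NAP server verdict: full access, remediation subnet, or Internet-only."""
    failures = validate(soh, policy)
    if not failures:
        return ("full", [])
    if soh.is_domain_member:
        return ("remediate", failures)    # own machines: send to remediation server
    return ("internet-only", failures)    # visitors: restricted, no patches pushed

POLICY = HealthPolicy(min_patch_level=42, min_av_signature_version=1500)

# Constructed sample clients: a healthy desktop, a stale laptop, a visitor's laptop.
SAMPLES = [
    StatementOfHealth("desktop01", 42, 1510, True, True),
    StatementOfHealth("laptop07", 39, 1400, True, True),
    StatementOfHealth("consultant-lt", 42, 1200, False, False),
]

def run():
    """Evaluate every sample SoH and return client -> (access level, failures)."""
    return {s.client: decide(s, POLICY) for s in SAMPLES}

if __name__ == "__main__":
    for client, (access, failures) in run().items():
        print(client, access, failures)
```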

Here are the NAP policy systems

You may have seen policies similar to these Network Policies in W2K3 RAS policies and profiles.

IPSec

This creates the most secure configuration.  IPSec and NAP work in tandem to ensure that all machines are healthy, and furthermore they only communicate using the encrypted IPSec protocol.

DHCP

Probably the most common implementation of NAP: every time the client asks to renew its IP address, DHCP enforces health compliance.

802.1X (EAPHost)

Restricts access at the wireless access points until the clients are confirmed as healthy.

VPN

The VPN server enforces the policies whenever a client computer attempts a connection over the VPN.

NPS (Network Policy Server) / Radius

Similar to VPN.

You can also apply NAP and its policies to Terminal Server connections.

Summary of NAP (Network Access Protection)

The idea of Network Access Protection (NAP) is to identify and then isolate 'unhealthy' computers.  To be frank, the most likely source of 'unhealthy' computers is a visiting laptop.  NAP is a client-server technology which gives you a range of options for dealing with machines that lack up-to-date virus signatures, patches or service packs.

Windows Server 2008 provides NP (Network Protection) policies and enforces their implementation.  As a result there is no excuse for virus-ridden laptops to infect your network.  However, NAP is not all 'bad guy'; it can be configured to apply patches and so bring machines up to the standards required to communicate with your servers.

With NAP you configure policies for IPsec, 802.1X, VPN or DHCP enforcement, depending on your needs.  Microsoft provides an infrastructure and an API, which vendors and software developers can use to build their own health validation components.
