Selecting the Right Network Access Protection Architecture
Infrastructure Planning and Design Series

What Is IPD?
Guidance that aims to clarify and streamline the planning and design process for Microsoft® infrastructure technologies

IPD…in 50 pages:
- Defines decision flow
- Describes decisions to be made
- Relates decisions and options for the business
- Frames additional questions for business understanding
- Replaces Windows Server System™ Reference Architecture (WSSRA)
Download the IPD Guides at www.microsoft.com/ipd
SELECTING THE RIGHT NAP ARCHITECTURE
Getting Started
Purpose and Agenda

Purpose
To assist in the decision-making process regarding which enforcement methods to use in conjunction with Network Access Protection (NAP) to meet business and technical requirements

Agenda
Determine which components to use in a NAP architecture

What Is NAP?
Network Access Protection is a policy-based solution that:
- Validates whether computers meet health policies
- Can limit access for noncompliant computers
- Automatically remediates noncompliant computers
- Continuously updates compliant computers to maintain health state
- Offers administrators a wide range of choice and deployment flexibility to better secure their Windows networks
NAP Architecture
Why Implement NAP?
- Controlled access for guests, vendors, partners
- Improved resilience to malware as network health increases
- More robust update infrastructure
- Managed compliance
Key Messages for NAP
- The NAP client can be Windows Server® 2008, Windows Vista®, Windows® XP SP3, or third-party (Linux + Macintosh)
- NAP is built into Windows; you enable it via GP/script
- NAP requires a minimum of one Windows Server 2008 machine to get started

NAP Enforcement Options

Enforcement option / Capabilities

IPsec – implemented at host layer
  Restricts client device communication to a limited number of servers until compliance is demonstrated

802.1X – implemented at network layer
  Client device's access is restricted by network infrastructure devices. Client access is restricted until device has demonstrated compliance

VPN – Microsoft VPN
  VPN server restricts client device's access by using IP filters until client device has demonstrated compliance

DHCP – implemented at network layer
  DHCP client is restricted by providing a 32-bit netmask and removing the default gateway
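To make the DHCP restriction concrete, here is an added Python model (not part of the IPD deck) of the client routing table that results from a restricted lease: a 255.255.255.255 netmask and no router option, compared with a normal lease. The addresses are constructed, and the assumption that the remediation servers are reached through classless static routes (DHCP option 121/249) is mine, not something this deck states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Lease:
    """Constructed model of the lease fields NAP DHCP enforcement manipulates."""
    address: str
    netmask: str                 # 255.255.255.255 (32-bit) when the client is restricted
    router: Optional[str]        # DHCP option 3; omitted when restricted
    # Assumed: prefixes of remediation servers delivered as classless static routes
    static_routes: list = field(default_factory=list)

def routing_table(lease: Lease):
    """Derive the client's effective routes from the lease, most specific first."""
    routes = [(ipaddress.ip_network(f"{lease.address}/{lease.netmask}", strict=False), "on-link")]
    routes += [(ipaddress.ip_network(p), "static-route") for p in lease.static_routes]
    if lease.router:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), f"default via {lease.router}"))
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

def route_for(lease: Lease, dst: str) -> Optional[str]:
    """Longest-prefix match over the derived table; None means no route to dst."""
    addr = ipaddress.ip_address(dst)
    for net, how in routing_table(lease):
        if addr in net:
            return how
    return None

def reachable_hosts(lease: Lease, candidates) -> list:
    """Subset of candidates the client has any route to under this lease."""
    return [h for h in candidates if route_for(lease, h) is not None]

# Constructed sample: a compliant lease and the restricted lease handed out instead.
COMPLIANT = Lease("10.1.2.50", "255.255.255.0", "10.1.2.1")
RESTRICTED = Lease("10.1.2.50", "255.255.255.255", None,
                   static_routes=["10.1.9.10/32", "10.1.9.11/32"])  # remediation servers
TARGETS = ["10.1.2.77", "10.1.9.10", "192.0.2.10"]  # LAN peer, remediation server, off-site

if __name__ == "__main__":
    for name, lease in (("compliant", COMPLIANT), ("restricted", RESTRICTED)):
        print(name, {t: route_for(lease, t) for t in TARGETS})
```

The restricted client keeps a route only to the remediation servers; the same-subnet peer and everything beyond the (absent) gateway become unroutable. Nothing on the network enforces this, the restriction exists only in the lease the client chose to honour, which is why the table later in this deck rates DHCP enforcement Low.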
Decision Flow
1. Determine the client connectivity
2. Determine enforcement layer
3. If enforcement is at network layer, select enforcement options

Type of network connectivity dictates appropriate enforcement methods. Client devices connect two ways:
- Locally—via wired or wireless
- Remotely—such as VPN
Determine Client Connectivity
Determine VPN Platform
Will the VPN platform be Microsoft or third-party?

Microsoft VPN selected:
- If IT selects RRAS to provide remote access, VPN server must run Windows Server 2008
- Low level of complexity and cost to implement

Third-party VPN selected:
- If IT selects a third-party VPN, IPsec can be used to restrict client device access
- High level of complexity and medium cost to implement
Enforcement Layer Decision
Enforce NAP restrictions at each host or enforce on network?

Enforce restrictions at hosts selected:
- Using IPsec provides robust security
- High level of complexity and medium cost to implement

Enforce restrictions on network selected:
- Depending on specific network-based enforcement method, security level less robust than IPsec
- Medium level of complexity and high cost to implement
NAP Restrictions – Host vs. Network Enforcement
Use the table below to select between:
- IPsec – host-based
- 802.1X – network-based
- DHCP – network-based

Method    Security Level    Complexity    Cost
IPsec     High              High          Medium
802.1X    High              Medium        High
DHCP      Low               Low           Low
Additional Considerations for NAP
- Determine system compliance requirements
- Combining NAP technologies
- Dependencies
Summary and Conclusion
- NAP flexibility provides choice
- NAP is deployment ready
Provide feedback to [email protected]
Find More Information
Download the full document and other IPD guides:
www.microsoft.com/ipd
Contact the IPD team: [email protected]
Visit the Microsoft Solution Accelerators Web site: www.microsoft.com/technet/SolutionAccelerators