Selecting the Right Network Access Protection ArchitectureInfrastructure Planning and Design Series

What Is IPD?Guidance that aims to clarify and streamline the planning and design process for Microsoft® infrastructure technologies

IPD…in 50 pages: Defines decision flow Describes decisions to be made Relates decisions and options for the business Frames additional questions for business understanding Replaces Windows Server System™ Reference Architecture (WSSRA)

Page 2 |

Download the IPD Guides atwww.microsoft.com/ipd

SELECTING THE RIGHT NAP ARCHITECTURE

Getting Started

Page 3 |

Purpose and AgendaPurpose

To assist in the decision-making process regarding which enforcement methods to use in conjunction with Network Access Protection (NAP) to meet business and technical requirements

AgendaDetermine which components to use in a NAP architecture

Page 4 |

What Is NAP?Network Access Protection is a policy-based solution that:

Validates whether computers meet health policiesCan limit access for noncompliant computersAutomatically remediates noncompliant computers Continuously updates compliant computers to maintain health stateOffers administrators a wide range of choice and deployment flexibility to better secure their Windows networks

Page 5 |

NAP Architecture

Why Implement NAP?

Controlled access for guests, vendors, partnersImproved resilience to malware as network health increasesMore robust update infrastructureManaged compliance

Page 7 |

Key Messages for NAP

Page 8 |

The NAP client can be Windows Server® 2008, Windows Vista®, Windows® XP SP3, or third-party (Linux + Macintosh)NAP is built into Windows that you enable via GP/scriptNAP requires a minimum of one Windows Server 2008 machine to get started

NAP Enforcement OptionsEnforcement options CapabilitiesIPsec – implemented at host layer

Restricts client device communication to a limited number of servers until compliance is demonstrated

802.1X – implemented at network layer

Client device’s access is restricted by network infrastructure devices. Client access is restricted until device has demonstrated compliance

VPN – Microsoft VPN VPN server restricts client device’s access by using IP filters until client device has demonstrated compliance

DHCP – implemented at network layer

DHCP client is restricted by providing a 32-bit netmask and removing the default gateway

Page 10 |

Decision Flow

Determine the client connectivityDetermine enforcement layerIf enforcement is at network layer, select enforcement options

Type of network connectivity dictates appropriate enforcement methods. Client devices connect two ways:

Locally—via wired or wirelessRemotely—such as VPN

Page 11 |

Determine Client Connectivity

Determine VPN Platform

Page 12 |

Will the VPN platform be Microsoft or third-party? Microsoft VPN selected:

If IT selects RRAS to provide remote access, VPN server must run Windows Server 2008Low level of complexity and cost to implement

Third-party VPN selected:If IT selects a third-party VPN, IPsec can be used to restrict client device accessHigh level of complexity and medium cost to implement

Enforcement Layer Decision

Page 13 |

Enforce NAP restrictions at each host or enforce on network?

Enforce restrictions at hosts selected:Using IPsec provides robust securityHigh level of complexity and medium cost to implement

Enforce restrictions on network selected:Depending on specific network-based enforcement method, security level less robust than IPsecMedium level of complexity and high cost to implement

NAP Restrictions – Host vs. Network Enforcement

Use the table below to select between:IPsec – host-based802.1X – network-basedDHCP – network-based

Page 14 |

Method Security Level Complexity Cost

IPsec High High Medium

8021.1X High Medium High

DHCP Low Low Low

Additional Considerations for NAP

Determine system compliance requirementsCombining NAP technologiesDependencies

Page 15 |

Summary and Conclusion

NAP flexibility provides choiceNAP is deployment ready

Provide feedback to satfdbk@microsoft.com

Page 16 |

Find More Information

Download the full document and other IPD guides:

www.microsoft.com/ipd

Contact the IPD team:satfdbk@microsoft.com

Visit the Microsoft Solution Accelerators Web site:www.microsoft.com/technet/SolutionAccelerators

Page 17 |