Network Access Protection (NAP) in Windows Server 2008 is a technology and a technique that allows computers to be evaluated on the basis of their health. It prevents problematic machines from communicating with healthy hosts on your network, which stops a lot of malware in its tracks.
For all of its benefits, NAP has some negatives to it, namely that its weak enforcement methods (like DHCP-based protection) can get in the way of the effectiveness of the NAP concept itself and that difficulties in detecting when new hosts come online can result in a lot of expense and headaches to administer. IPsec solves a lot of these problems -- but the question is how?
IPsec and Network Access Protection
Consider DHCP enforcement, where access to a network protected by NAP is fundamentally regulated by a client (who wants an IP address) and the special type of server (that leases the addresses to valid clients). The server, which is usually the target of the connection request, determines whether to allow a potential client to access the network.
IPsec, in conjunction with NAP, alters the flow of this relationship, transforming the client-server attempt into more of an end-to-end attempt. IPsec applies to any and all individual hosts in a network, not just to the host protecting access and entry into a network. That way, you're guarding all computers, not just trying to harden one that will be exposed to potentially unhealthy clients. In addition, the Health Registration Authority that is part of NAP makes the ultimate call about whether a host is healthy or not, not the server that is the target of the client's requests.
The beautiful part about IPsec with NAP is the ability for hosts to simply drop incoming attempts from unhealthy hosts if VPN enforcement is inadequate because the host is local or if you don't have an infrastructure that can immediately detect when a new machine comes online. That happens whether or not the troubled machine trying to come online gets around DHCP enforcement by issuing himself a valid static IP address.
If your machines, or at least the computers you most want to protect, only speak IPsec and only talk to healthy computers (by way of the system health certificate that the Health Registration Authority gives to vetted clients), then traffic from bad machines is never heard. Never.
Benefits in a nutshell
Here's an at-a-glance reference of how NAP, with IPsec at its side, is a fantastic health and security solution for your network:
- It's resistant to tampering: Nefarious clients can't reconfigure themselves, can't issue themselves a self-signed health certificate that is valid and can't make remote computers talk to them even if they have local administrator access. IPsec is end-to-end. A problematic client can yell and scream all it wants, but no one will listen to it.
It's encrypted: At the very heart of IPsec is encryption, so communications are secure. That's not necessarily your primary aim when looking at IPsec in the context of NAP, but it's a valuable byproduct.
It's inexpensive, in capital terms, to implement: You already have all of the tools if you have valid licenses for your operating system. No need to upgrade your network infrastructure.
You can be choosy: IPsec isn't an all-or-nothing affair. You can allow healthy computers to talk to unhealthy machines without allowing unhealthy computers to communicate with healthy computers. With IP filters, you can be as broad or as granular as your circumstances warrant.
NAP, when used in conjunction with IPsec, easily addresses nearly all of the disadvantages or limitations of NAP itself, while it also introduces an inexpensive way to secure communications across your network. It is, in my opinion, the coolest new security feature in Windows Server 2008.