Selecting the Right Network Access Protection Architecture
Infrastructure Planning and Design Series

Transcript of Selecting the Right Network Access Protection Architecture, Infrastructure Planning and Design Series

What Is Infrastructure Planning and Design?

Guidance that aims to clarify and streamline the planning and design process for Microsoft® infrastructure technologies

IPD…in 50 pages:
- Defines decision flow
- Describes decisions to be made
- Relates decisions and options for the business
- Frames additional questions for business understanding
- Replaces Windows Server System™ Reference Architecture (WSSRA)


SELECTING THE RIGHT NAP ARCHITECTURE

Getting Started


Purpose and Agenda

Purpose: To assist in the decision-making process regarding which enforcement methods to use in conjunction with Network Access Protection (NAP) to meet business and technical requirements

Agenda: Determine which components to use in a NAP architecture

What Is NAP?

Network Access Protection is a policy-based solution that:
- Validates whether computers meet health policies
- Can limit access for noncompliant computers
- Automatically remediates noncompliant computers
- Continuously updates compliant computers to maintain health state
- Offers administrators a wide range of choice and deployment flexibility to better secure their Windows networks

NAP Architecture

Why Implement NAP?

- Controlled access for guests, vendors, partners
- Improved resilience to malware as network health increases
- More robust update infrastructure
- Managed compliance

Key Messages for NAP

- The NAP client can be Windows Server® 2008, Windows Vista®, Windows® XP SP3, or third-party (Linux + Macintosh)
- NAP is built into Windows; you enable it via Group Policy or script
- NAP requires a minimum of one Windows Server 2008 machine to get started

NAP Enforcement Options

Enforcement option: Capabilities

IPsec (implemented at host layer): Restricts client device communication to a limited number of servers until compliance is demonstrated

802.1X (implemented at network layer): Client device's access is restricted by network infrastructure devices. Client access is restricted until the device has demonstrated compliance

VPN (Microsoft VPN): VPN server restricts client device's access by using IP filters until the client device has demonstrated compliance

DHCP (implemented at network layer): DHCP client is restricted by providing a 32-bit netmask and removing the default gateway
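The DHCP option is the one whose mechanism the deck spells out: the noncompliant client is handed a 32-bit netmask and no default gateway, so its own routing table has no path to anything except what the server explicitly routes. The following Python model is an added illustration, not code from the IPD guide or from Microsoft. It assumes, beyond what the slide says, that the server also pushes host routes to a small set of remediation servers (NAP delivers these as DHCP classless static routes); the addresses, the two remediation servers and the test destinations are constructed samples.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Lease:
    """IPv4 configuration a NAP-aware DHCP server hands to a client."""
    address: str
    netmask: str
    gateway: Optional[str]                                  # None when the default gateway is withheld
    static_routes: List[str] = field(default_factory=list)  # prefixes the server adds as explicit routes


# Constructed sample leases; the addresses are illustrative only.
COMPLIANT = Lease("10.0.1.25", "255.255.255.0", "10.0.1.1")
RESTRICTED = Lease(
    "10.0.1.25",
    "255.255.255.255",                              # 32-bit netmask: only the client itself is on-link
    None,                                           # default gateway removed
    static_routes=["10.0.0.5/32", "10.0.0.6/32"],   # assumed remediation servers (e.g. update server, DC)
)


def is_restricted(lease: Lease) -> bool:
    """The signature of a NAP DHCP-restricted client: /32 mask and no default gateway."""
    return lease.netmask == "255.255.255.255" and lease.gateway is None


def reachable(lease: Lease, destination: str) -> bool:
    """Return True if the client's routing table gives it a path to destination."""
    dst = IPv4Address(destination)
    # On-link: anything inside the leased prefix. With a /32 mask that is only the client itself.
    on_link = IPv4Network(f"{lease.address}/{lease.netmask}", strict=False)
    if dst in on_link:
        return True
    # Explicit routes the DHCP server pushed (remediation servers).
    if any(dst in IPv4Network(route) for route in lease.static_routes):
        return True
    # Everything else needs the default route, which a restricted client does not have.
    return lease.gateway is not None


def reachability_report(lease: Lease, destinations: List[str]) -> Dict[str, bool]:
    """Map each destination to whether this lease lets the client reach it."""
    return {d: reachable(lease, d) for d in destinations}


if __name__ == "__main__":
    targets = ["10.0.0.5", "10.0.1.30", "93.184.216.34"]   # remediation server, subnet peer, Internet host
    for name, lease in (("compliant", COMPLIANT), ("restricted", RESTRICTED)):
        state = "restricted" if is_restricted(lease) else "full access"
        print(f"{name}: {state} -> {reachability_report(lease, targets)}")
```

Run as a script, the restricted lease reaches only the two remediation servers; even a peer on the same physical subnet is unreachable because nothing is on-link under a /32 mask. The model also makes the table's "Low" security rating for DHCP concrete: the restriction exists only in the IP configuration the client agreed to accept, with nothing in the network path enforcing it, which is why the guide places IPsec and 802.1X above it.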


Decision Flow

1. Determine the client connectivity
2. Determine enforcement layer
3. If enforcement is at network layer, select enforcement options

Determine Client Connectivity

Type of network connectivity dictates appropriate enforcement methods. Client devices connect two ways:
- Locally—via wired or wireless
- Remotely—such as VPN

Determine VPN Platform

Will the VPN platform be Microsoft or third-party?

Microsoft VPN selected:
- If IT selects RRAS to provide remote access, the VPN server must run Windows Server 2008
- Low level of complexity and cost to implement

Third-party VPN selected:
- If IT selects a third-party VPN, IPsec can be used to restrict client device access
- High level of complexity and medium cost to implement

Enforcement Layer Decision

Enforce NAP restrictions at each host or enforce on network?

Enforce restrictions at hosts selected:
- Using IPsec provides robust security
- High level of complexity and medium cost to implement

Enforce restrictions on network selected:
- Depending on the specific network-based enforcement method, security level is less robust than IPsec
- Medium level of complexity and high cost to implement

NAP Restrictions – Host vs. Network Enforcement

Use the table below to select between:
- IPsec – host-based
- 802.1X – network-based
- DHCP – network-based

Method   Security Level   Complexity   Cost
IPsec    High             High         Medium
802.1X   High             Medium       High
DHCP     Low              Low          Low

Additional Considerations for NAP

- Determine system compliance requirements
- Combining NAP technologies
- Dependencies

Summary and Conclusion

NAP flexibility provides choice

NAP is deployment ready

Provide feedback to [email protected]


Find More Information

Download the full document and other IPD guides: http://www.microsoft.com/ipd

Contact the IPD team: [email protected]

The Microsoft Solution Accelerators Web site: http://www.microsoft.com/technet/SolutionAccelerators