Would you like to have a NAP?

In our days, we experience more and more deeply the following feeling: we need to be permanently connected to everything. It is surfing over the Internet, reading work emails at home, or even accessing an intranet during a trip. Let us assume that you are an IT administrator. On one hand you have to open more and more gates - for the users to be able to use these services - however on the other hand you have to face complex and sophisticated threats.

This dilemna already led us to a point where the firewall on the internal gateway is not enough. Just think about the following laptop scenario. The user has a remote VPN access thanks to which he is able to connect to the corporation intranet. Then the laptop gets infected. Since most of IT network administrators currently define network policy by topology, the laptop has a full network access and therefore is able infect other computers in the domain. And this is mainly because it is connected to the VPN, which is bypassing the firewall, as shown on this picture.


We do have a REAL PROBLEM: how to enforce the network security regardless of the location of the computer?

And here comes Microsoft's answer: NAP and UAG. (altough I will only blog about NAP in this post).

You probably already guessed it, NAP actually stands for Network Access Protection. This technology - also called the "network health layer" - aims at providing a controlled network access regarding of the "Health State" of the computers. Depending of its health status (a parameter defined by the administrator, regarding to rules like "the client firewall is on", "the client antivirus has the latests available definitions", "all important and critical windows security updates have been made"), it will have a full or limited network access.

In case of restricted access, we can define "remediations servers". A client with limited access will still be able to communicate with these servers (for instance in order to install updates via Windows Server Update Services, Windows Update, or the antivirus definitions websites). The goal is to fix the health state of that computer for it to be healthy, and then be able to access the full network.


There are 5 methods to enforce the network access: DHCP, VPN, 802.1x, IPSec or TS.

In a future post, we will study more precisely this mechanism, and especially analize some possible hacks of a Network Access Protection infrastructure.

If you are interested in knowing more about Network Access Protection, just check the previous link on technet.