Ensuring Security and Client Health with Network Access Protection
Great. Using whatever combination of technologies just covered, and maybe some others not covered, you can now enable any machine to connect to your corporate network. Really, great? Terrible is what my first impression would be. I’m now allowing everyone’s personal computers to connect to my corporate network via VPN, DirectAccess, or RD Gateway—are you nuts?! What websites has that machine visited? What as yet undiscovered viruses are lurking on the machine just waiting to connect to my corporate network and shut me down? Maybe that machine was last patched three years ago and has never had malware protection.
This is a very valid and sane reaction, and the solution comes in the form of another new Windows Server 2008 capability, Network Access Protection (NAP). NAP allows a machine to be queried for a Statement of Health (SoH), and only if that SoH meets the requirements of the organization is the machine allowed to complete its connectivity. NAP can be used for health checking with DHCP, 802.1X, IPsec, RD Gateway, a VPN, and DirectAccess. The process works as shown in Figure 12-5 and is outlined at a high level in the following steps:
1. The client attempts communication, which in this example is RD Gateway but could be a VPN connection, a request for an IP address from DHCP, DirectAccess, or any other supported service. In addition to requesting a connection, the client sends its SoH.
2. The SoH for the client is sent ...
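The following is an added illustration of the decision flow the steps describe, not code from the book or from Microsoft's NAP implementation: a client's Statement of Health is compared against the organization's health requirements, and a Statement of Health Response records whether the connection may complete and why not. The health fields, thresholds and class names are assumptions chosen for the example and are not NAP's actual wire format.

```python
from dataclasses import dataclass, field

# Constructed model of the NAP flow: client sends an SoH, the health
# validator compares it with policy and returns an SoHR, and the
# enforcement point (RD Gateway, VPN, DHCP, ...) acts on that verdict.
# Field names and limits below are assumptions for illustration only.


@dataclass
class StatementOfHealth:
    firewall_enabled: bool
    antimalware_installed: bool
    antimalware_signature_age_days: int
    days_since_last_patch: int


@dataclass
class HealthPolicy:
    max_signature_age_days: int = 7
    max_days_since_patch: int = 30


@dataclass
class HealthResponse:
    compliant: bool
    failures: list = field(default_factory=list)


def evaluate_soh(soh: StatementOfHealth, policy: HealthPolicy) -> HealthResponse:
    """Compare the client's SoH with policy and build the SoHR."""
    failures = []
    if not soh.firewall_enabled:
        failures.append("host firewall disabled")
    if not soh.antimalware_installed:
        failures.append("no antimalware protection installed")
    elif soh.antimalware_signature_age_days > policy.max_signature_age_days:
        failures.append(
            f"antimalware signatures {soh.antimalware_signature_age_days} days old")
    if soh.days_since_last_patch > policy.max_days_since_patch:
        failures.append(f"last patched {soh.days_since_last_patch} days ago")
    return HealthResponse(compliant=not failures, failures=failures)


def admit_client(soh: StatementOfHealth, policy: HealthPolicy) -> bool:
    """Enforcement point decision: only a compliant SoH completes the connection."""
    return evaluate_soh(soh, policy).compliant


if __name__ == "__main__":
    # Constructed sample: the machine from the text, unpatched for three years
    # and never protected by antimalware, is refused; a healthy client is admitted.
    stale = StatementOfHealth(True, False, 0, 1095)
    print(evaluate_soh(stale, HealthPolicy()))
    print(admit_client(StatementOfHealth(True, True, 1, 5), HealthPolicy()))
```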