NAP (Network Access Protection) is a security feature introduced with Windows Server 2008. It lets an administrator limit network access for client computers based on health checks such as service pack level, antivirus definitions, installed patches and other security settings. Access can be limited by denying VPN access, by granting DHCP leases to compliant systems only, or by using techniques such as VLANs or IPsec.
NAP can be implemented or enforced in the following ways:
- NAP with IPsec
- NAP with 802.1X
- NAP with DHCP
- NAP with VPN
- NAP-NAC enforcement – interoperability between NAP and Cisco's Access Control Server (ACS), a component of Cisco's Network Admission Control (NAC)
NAP consists of a few logical components; which of them are used depends on the enforcement method chosen by the organisation's security team.
- NAP Agent – a Windows service that collects and manages health information on client systems.
- NAP Client – a Windows system with the NAP Agent service configured and running.
*Currently Windows Server 2008, Windows Vista and Windows XP with SP3 are the supported client operating systems.
- NAP Health Policy Server – a server running Windows Server 2008 with the Network Policy Server (NPS) role installed and configured for NAP.
- SHA – System Health Agents run on the client, generate a statement of health (SoH) and forward it to the NAP health policy server. Windows Vista, Windows Server 2008 and Windows XP with SP3 include a default SHA that monitors Windows Security Center settings.
- SHV – System Health Validators are the configurable set of standards against which the Network Policy Server (NPS) validates the statement of health forwarded by the client.
*In Windows Server 2008 an SHV can have only a single configuration; in Windows Server 2008 R2 an SHV supports multiple configurations.
- Remediation Server Group – a collection of servers, usually defined by IP address, that non-compliant computers are allowed to access. It typically contains WSUS and servers hosting the latest antivirus and antispyware definitions.
*Remediation server groups are used with NAP when DHCP enforcement or VPN enforcement is in use.
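To make the SHA → SHV → remediation flow above concrete, here is an added Python model of the evaluation (not Microsoft's code or the actual SoH wire format): a statement of health is checked against one SHV configuration, and a non-compliant client is limited to the remediation server group, as with DHCP or VPN enforcement. The policy values, the sample statements of health and the 192.0.2.x addresses are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HealthPolicy:
    """One SHV configuration: the standards an SoH is validated against."""
    name: str
    min_service_pack: int
    max_av_signature_age_days: int
    require_firewall: bool = True
    require_auto_update: bool = True


# Constructed remediation server group (WSUS + AV definition host); placeholder addresses.
REMEDIATION_GROUP = ("192.0.2.10", "192.0.2.11")


def validate_soh(soh: dict, policy: HealthPolicy, today: date) -> list:
    """SHV step: compare the SHA's statement of health against the policy.
    Returns the names of the failed checks; an empty list means compliant."""
    failures = []
    if soh["service_pack"] < policy.min_service_pack:
        failures.append("service_pack")
    if (today - soh["av_signature_date"]).days > policy.max_av_signature_age_days:
        failures.append("av_signatures")
    if policy.require_firewall and not soh["firewall_on"]:
        failures.append("firewall")
    if policy.require_auto_update and not soh["auto_update_on"]:
        failures.append("auto_update")
    return failures


def access_decision(soh: dict, policy: HealthPolicy, today: date) -> dict:
    """NPS step: compliant clients get full access; non-compliant clients are
    limited to the remediation server group until they fix the failed checks."""
    failures = validate_soh(soh, policy, today)
    if not failures:
        return {"access": "full", "allowed_hosts": None, "failures": []}
    return {"access": "restricted", "allowed_hosts": REMEDIATION_GROUP, "failures": failures}


# Constructed sample data: one compliant client and one out-of-date client.
POLICY = HealthPolicy("corp-lan", min_service_pack=3, max_av_signature_age_days=7)
TODAY = date(2009, 6, 15)
COMPLIANT_SOH = {"service_pack": 3, "av_signature_date": date(2009, 6, 14),
                 "firewall_on": True, "auto_update_on": True}
STALE_SOH = {"service_pack": 2, "av_signature_date": date(2009, 5, 1),
             "firewall_on": True, "auto_update_on": False}

if __name__ == "__main__":
    for name, soh in (("compliant", COMPLIANT_SOH), ("stale", STALE_SOH)):
        print(name, access_decision(soh, POLICY, TODAY))
```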