What is NAP?
NAP stands for Network Access Protection. I think the name is incomplete; the full name really ought to be Network Policy Access Protection. Its role is to use policies to protect clients' access to the network, so that the whole access process reaches a certain level of security. When I first started working with 08, back at the beginning of 07, my first reaction was "firewall": I assumed it was something like one. Later I found out it is not, and in fact is completely different. A firewall controls whether a connection is allowed or broken based on network communication attributes such as IP address and port number. Put simply, a firewall controls network behaviour, while NAP uses a security policy to control the state of every client on the network. Perhaps that is still not clear enough. I think the name should be read in parts: network, policy, access, protection.
Now let's look at the network. In NAP terms, networks fall roughly into three categories. The first is the external network, that is, a network not managed by NAP. It may be the Internet, or it may be a machine that merely wants to connect to a computer on our network over wireless; because it is still requesting an IP address or requesting access, it counts as external. The second is the intranet, the network that NAP manages. This is the internal network of computers we have granted access to; once a computer has been plugged in and admitted, it is on the intranet. The last one is more special: in firewall terminology it would be a DMZ, but there is a difference. It leans towards the intranet, but is not entirely part of it. You define it yourself: a client that NAP places on this network may be able to reach only some network resources, or perhaps none at all. We'll describe the networks in detail later, starting with the restricted network.
That covers the networks; now let's talk about policy. Policies in NAP are called security policies, and some people compare them to the policies in a firewall. A firewall policy is better called a rule policy: given a person, on a machine, accessing through an application, we decide whether to let it through. Such a rule policy might allow user A to pass and user B not, or allow program A while blocking program B. A security policy in NAP, however, is a requirement that the client be verified to have some security-related property. For example, NAP has policies that require the client to have security updates turned on, some that require a firewall to be enabled, some that require the system's patches to reach a certain level or a certain point in time, and some that require the antivirus signature database to be at a specific version or no older than a certain date, and so on. As you can see, a policy is really a ruler. In a firewall the ruler is defined by rules; in NAP it is defined by security-related state, or call them attributes. With this ruler we can measure, as part of the access process, whether a client or some other factor on the network meets the requirements we expect. That is the role of policy.
A ruler is useless if we never measure with it, so next comes the question of access. My understanding is that this should be called access monitoring, or access verification. The idea is to use the security policy just described to monitor every client on the network by comparing the policy against the client's current state. For example, if a policy requires the antivirus signature database to be at version 2.0 or later, and a computer turns out to have version 1.8, the NAP server marks that computer "noncompliant". In other words, access verification is the process of using the policy to compare the client's state information with the policies we have defined. It should be emphasised that this verification happens in real time: as soon as you change a security setting in a way that contradicts a NAP policy, you are immediately marked "noncompliant". Conversely, if you update a configuration, such as the signature database version, NAP immediately changes your mark from "noncompliant" to "compliant". This real-time protection is meant to stop a malicious connection from disguising itself to slip into the network and only then start doing damage. As far as I know, many applications such as VPN only validate at the start of a network connection, and once validated, nothing the client does afterwards is restricted.
Every computer now carries a "compliant" or "noncompliant" mark, and finally we can control it quite simply. The process really is simple: define a rule stating that if a client is "compliant", we allow it to connect to these networks and not to those; and if it is "noncompliant", we allow it to connect to these networks and not to those.
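To make the three steps above (policy as a ruler, real-time verification, enforcement by mark) concrete, here is an added toy model written in Python for this page; it is not Microsoft's NAP code and uses no real NAP API. It assumes the client's health report is a plain dictionary, that the patch-date threshold (June 2008) and the two network names "intranet" and "restricted" are constructed values, and it uses the version 2.0 / 1.8 signature example from the text.

```python
"""Toy model of NAP's policy -> verification -> enforcement flow (illustrative, not NAP itself)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

# A client's health report, modelled as a plain dict (assumption, not a NAP format).
ClientState = Dict[str, object]


@dataclass
class HealthRequirement:
    """One mark on the 'ruler': a named, security-related attribute check."""
    name: str
    check: Callable[[ClientState], bool]


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.8' -> (1, 8) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# The security policy: every requirement must hold for the client to be compliant.
# The patch-date threshold is a constructed sample value.
HEALTH_POLICY: List[HealthRequirement] = [
    HealthRequirement("firewall_enabled",
                      lambda s: s.get("firewall_enabled") is True),
    HealthRequirement("automatic_updates_on",
                      lambda s: s.get("automatic_updates_on") is True),
    HealthRequirement("av_signature_version>=2.0",
                      lambda s: version_tuple(str(s.get("av_signature_version", "0"))) >= (2, 0)),
    HealthRequirement("patch_date>=2008-06-01",
                      lambda s: s.get("patch_date", date.min) >= date(2008, 6, 1)),
]

# Enforcement rule: which network each mark is allowed onto (constructed names).
NETWORK_FOR_MARK = {"compliant": "intranet", "noncompliant": "restricted"}


def evaluate(state: ClientState, policy: List[HealthRequirement] = HEALTH_POLICY) -> Tuple[str, List[str]]:
    """Measure the client against the ruler; return its mark and the failed requirements."""
    failed = [req.name for req in policy if not req.check(state)]
    mark = "compliant" if not failed else "noncompliant"
    return mark, failed


def enforce(state: ClientState, policy: List[HealthRequirement] = HEALTH_POLICY) -> Dict[str, object]:
    """Turn the mark into an access decision: the network this client may join."""
    mark, failed = evaluate(state, policy)
    return {"mark": mark, "failed": failed, "network": NETWORK_FOR_MARK[mark]}


def track_client(initial: ClientState, changes: List[ClientState]) -> List[str]:
    """Re-evaluate after every state change, mirroring the text's point that NAP
    verifies continuously rather than only at connect time. Returns the network
    assigned at each step."""
    state = dict(initial)
    decisions = [str(enforce(state)["network"])]
    for change in changes:
        state.update(change)
        decisions.append(str(enforce(state)["network"]))
    return decisions


# Constructed sample: healthy except for a stale antivirus signature version (1.8 < 2.0).
SAMPLE_CLIENT: ClientState = {
    "firewall_enabled": True,
    "automatic_updates_on": True,
    "av_signature_version": "1.8",
    "patch_date": date(2008, 7, 1),
}

# Constructed sequence of changes on that client.
SAMPLE_CHANGES: List[ClientState] = [
    {"av_signature_version": "2.0"},  # client updates signatures -> compliant again
    {"firewall_enabled": False},      # client then disables its firewall -> noncompliant
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_CLIENT))
    print(track_client(SAMPLE_CLIENT, SAMPLE_CHANGES))
```

Running it shows the stale client landing on the restricted network, moving to the intranet once the signatures are updated, and being pushed back to the restricted network the moment the firewall is switched off; a client that reports nothing at all fails every requirement and is also restricted, which is the safe default for an unknown state.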