More Secure Network Access: The Network Access Protection (NAP) Mechanism

Source: Internet
Author: User

NAP is a Windows mechanism that ensures that only computers meeting the security requirements are allowed onto the network, which makes the network more secure. Unfortunately, when Microsoft first introduced the mechanism, NAP only checked a few configuration settings and was difficult to enforce. NAP has since been improved and is built into Windows Vista and Windows Server 2008, so a full-scale NAP deployment is now straightforward.

NAP Basics

To enforce network connection security requirements on all computers, NAP must be able to control access regardless of how a computer connects: over a VPN connection, through DHCP address allocation, or through wired and wireless switches and other access methods. Microsoft covers these by letting you configure multiple "enforcement points", which act as the network's gatekeepers. A VPN or DHCP server running on Windows Server 2008 can serve as an enforcement point, as can certificates issued by a certification authority and 802.1X-capable wireless and wired switches.

The enforcement point's task is this: when a client connects to the network, it asks the client whether it complies with the network access security policy. The enforcement point simply forwards the client's answer, called a "statement of health", to the Network Policy Server (NPS), which is Microsoft's implementation of a Remote Authentication Dial-In User Service (RADIUS) server.

Depending on the answer returned by NPS, the enforcement point grants the client access to the network, denies access, or connects the client only to the remediation servers, so that it can reach the resources needed to fix its security defects. The health policy server checks the client's reported configuration, compares it with the policy settings, and generates the response for the enforcement point.
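As an added illustration (not Microsoft's code and not a real NPS API), the following Python model walks through the exchange just described: the enforcement point forwards the client's statement of health, NPS compares it with the System Health Validator settings, and the answer is grant, deny, or restrict-to-remediation. The policy keys, server names and decision labels are constructed for the example; a setting the client fails to report is treated as non-compliant.

```python
# Added model of the NAP decision flow (constructed example, not NAP's own API).
from dataclasses import dataclass, field

FULL_ACCESS = "full_access"
RESTRICTED = "restricted"   # client is placed on the remediation network only
DENY = "deny"


@dataclass
class HealthPolicy:
    """SHV settings the client must report (hypothetical policy)."""
    required: dict                      # e.g. {"firewall_on": True}
    remediate_on_failure: bool = True   # restrict (True) or deny (False) failing clients
    remediation_servers: list = field(default_factory=list)


def nps_evaluate(policy: HealthPolicy, statement_of_health: dict) -> dict:
    """NPS side: compare the reported statement of health with the policy.
    An unreported setting counts as failed; the server must not assume it passed."""
    failed = [k for k, want in policy.required.items()
              if statement_of_health.get(k) != want]
    if not failed:
        return {"decision": FULL_ACCESS, "failed": [], "remediation": []}
    if policy.remediate_on_failure:
        return {"decision": RESTRICTED, "failed": failed,
                "remediation": list(policy.remediation_servers)}
    return {"decision": DENY, "failed": failed, "remediation": []}


def enforcement_point(policy: HealthPolicy, client_soh: dict) -> dict:
    """Enforcement point side (VPN, DHCP or 802.1X switch in the text):
    forward the statement of health to NPS (modelled as a local call)
    and apply its answer by deciding what the client may reach."""
    verdict = nps_evaluate(policy, client_soh)
    reachable = {
        FULL_ACCESS: ["corporate network"],
        RESTRICTED: verdict["remediation"],
        DENY: [],
    }[verdict["decision"]]
    return {**verdict, "reachable": reachable}


if __name__ == "__main__":
    # Constructed sample: client reports a stale anti-virus signature.
    policy = HealthPolicy(required={"firewall_on": True, "antivirus_current": True},
                          remediation_servers=["av-update.example.internal"])
    print(enforcement_point(policy, {"firewall_on": True, "antivirus_current": False}))
```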

Deploying NAP

NAP is attractive because all current Microsoft client operating systems already include the NAP client that performs the required health checks, so no extra configuration or installation is needed on the network clients. From the network side, NAP covers most network access points, but that does not mean you must address every access method at once. Instead, you can start by enforcing a health check on a single access point, such as a VPN server, and gradually extend NAP to other enforcement points.

You only need to add the "Network Policy and Access Services" role to a running Windows Server 2008. Then run the NAP wizard to configure the policy, which defines which types of clients should be checked and which remediation servers may be used if a client fails. Next, you must define the System Health Validators (SHVs). These are the settings the client must report, such as whether a patch or anti-virus software is required.

Once the NPS server and policy are in place, you need to configure the enforcement point. This has two parts: first, connect the enforcement point to the NPS server by configuring it as a RADIUS client. Then configure how the enforcement point responds to the client when the check succeeds or fails.

Extending NAP

Once you have set up NAP for one type of access, it is very easy to extend it to other connection types. From there, you should explore additional SHVs from Microsoft and third-party vendors to perform health checks on more aspects of the client. NAP may seem complicated, but if it is deployed step by step, putting it into operation is relatively simple.
