Windows Server 2008 security aided by NAP and IPsec


Jonathan Hassell, Contributor
02.12.2008


In Preview of NAP in Windows Server 2008, I took a look at Network Access Protection (NAP) as a technology and as a technique that allows computers to be evaluated on the basis of their health. NAP prevents problematic machines from communicating with healthy hosts on your network, which stops a lot of malware in its tracks.

In that same tip, I mentioned that, for all of its benefits, NAP has some negatives: its weak enforcement methods (like DHCP-based protection) can get in the way of the effectiveness of the NAP concept itself, and difficulties in detecting when new hosts come online can make it expensive and a headache to administer. I left you with the tantalizing hook that IPsec solves a lot of these problems -- but the question is how?

IPsec and Network Access Protection

Consider DHCP enforcement, where access to a network protected by NAP is fundamentally regulated by the exchange between a client (which wants an IP address) and a special type of server (which leases addresses to valid clients). The server, which is usually the target of the connection request, determines whether to allow a potential client to access the network.

IPsec, in conjunction with NAP, alters the flow of this relationship, transforming the client-server attempt into more of an end-to-end attempt. IPsec applies to any and all individual hosts in a network, not just to the host protecting access and entry into a network. That way, you're guarding all computers, not just trying to harden one that will be exposed to potentially unhealthy clients. In addition, the Health Registration Authority that is part of NAP makes the ultimate call about whether a host is healthy or not, not the server that is the target of the client's requests.

The beautiful part about IPsec with NAP is that hosts can simply drop incoming connection attempts from unhealthy hosts, which covers the cases where VPN enforcement is inadequate because the host is local, or where you don't have an infrastructure that can immediately detect when a new machine comes online. That happens whether or not the troubled machine trying to come online gets around DHCP enforcement by assigning itself a valid static IP address.

If your machines, or at least the computers you most want to protect, only speak IPsec and only talk to healthy computers (by way of the system health certificate that the Health Registration Authority gives to vetted clients), then traffic from bad machines is never heard. Never.

Benefits in a nutshell

Here's an at-a-glance reference of how NAP, with IPsec at its side, is a fantastic health and security solution for your network:

  • It's resistant to tampering: Nefarious clients can't reconfigure themselves, can't issue themselves a self-signed health certificate that is valid and can't make remote computers talk to them even if they have local administrator access. IPsec is end-to-end. A problematic client can yell and scream all it wants, but no one will listen to it.
  • It's encrypted: At the very heart of IPsec is encryption, so communications are secure. That's not necessarily your primary aim when looking at IPsec in the context of NAP, but it's a valuable byproduct.
  • It's inexpensive, in capital terms, to implement: You already have all of the tools if you have valid licenses for your operating system. No need to upgrade your network infrastructure.
  • You can be choosy: IPsec isn't an all-or-nothing affair. You can allow healthy computers to talk to unhealthy machines without allowing unhealthy computers to communicate with healthy computers. With IP filters, you can be as broad or as granular as your circumstances warrant.
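The "require inbound, request outbound" behavior described above can be expressed as a Windows Firewall connection security rule. This is an added example, not configuration from the original tip; the rule name and the CA subject in `auth1ca` are placeholders you must replace with your own values.

```batch
rem Added example, not from the original tip. Run from an elevated cmd.exe
rem prompt on each host that should only hear NAP-compliant peers.
rem ASSUMPTIONS: the rule name and the CA subject below are placeholders.

rem Contrast (too weak for enforcement): action=requestinrequestout only asks
rem for authentication, so a peer without a health certificate is still heard.

rem Enforcement: require authentication for inbound connections and request it
rem for outbound ones. Peers must present a computer certificate issued under
rem the named CA, and auth1healthcert=yes restricts that to health certificates.
netsh advfirewall consec add rule name="NAP-Require-Health-Inbound" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computercert ^
    auth1ca="C=US, O=Example Corp, CN=Example Root CA" ^
    auth1healthcert=yes

rem Confirm the rule exists and review its authentication settings.
netsh advfirewall consec show rule name="NAP-Require-Health-Inbound" verbose
```

Because outbound authentication is only requested, a protected host can still initiate connections to machines that hold no health certificate, while inbound attempts from those machines are dropped.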

NAP, when used in conjunction with IPsec, easily addresses nearly all of the disadvantages or limitations of NAP itself, while it also introduces an inexpensive way to secure communications across your network. It is, in my opinion, the coolest new security feature in Windows Server 2008.

About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. He can be reached at jhassell@gmail.com.



All Rights Reserved, Copyright 2004 - 2008, TechTarget | Read our Privacy Policy