I was reading Ari's blog this weekend and he discussed “NAP” Network Access Protection which is a new feature in Windows 2003 Release 2. I hadn't heard of this yet so I read a bit about it and it's a very cool concept!! Basically, NAP provides a means for adminsitrators and developers to validate the “health“ of a machine connecting to the network by validating it against a set of policies, providing a means to automatically update the machine to be compliant, as well as the ability to quarantine computers that don't meet the policy requirements by isolating these machines on a “quarantine network” which is highly secured.
Network Access Protection for Windows Server 2003 operating systems provides components and an application programming interface (API) set that help administrators enforce compliance with policies for network access. Developers and administrators can create solutions for validating computers that connect to their networks, can provide needed updates or access to needed resources (called health update resources), and can restrict the network access of computers that do not comply. The enforcement features of Network Access Protection can be integrated with software from other vendors or with custom programs. Administrators can customize the systems they develop and deploy, whether for monitoring the computers accessing the network for policy compliance, automatically updating computers with software updates to meet policy requirements, or isolating computers that do not meet policy requirements to a more secure portion of the network (called a quarantine network).
Network Access Protection has three important and distinct aspects:
· Network Policy Validation When a user attempts to connect to the network, the computer’s health state is validated against the network access policies as defined by the administrator. Administrators can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with network access policies, but the compliance state of each computer is logged. In an isolation environment, computers that comply with the network access policies are allowed access to the network, but computers that do not comply with network access policies or that are not compatible with Network Access Protection are isolated to a quarantine network. In both environments, administrators can define exceptions to the validation process. Network Access Protection will also include migration tools to make it easier for administrators to define exceptions that best suit their network needs.
· Network Policy Compliance Administrators can help ensure compliance with network access policies by choosing to automatically update noncompliant computers with the missing requirements through management software, such as Microsoft Systems Management Server (SMS). In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In an isolation environment, computers that do not comply with network access policies are isolated until the software and configuration updates are completed. Again, in both environments, the administrator can define policy exceptions.
· Network Isolation Administrators can protect network assets by isolating computers that do not comply with network access requirements. Computers that do not comply will have their network access restricted as defined by the administrator, whether that access is limited to a quarantine network, to a single resource, or to no internal resources at all. If an administrator does not configure health update resources, the network isolation will last for the duration of the connection. If an administrator configures health update resources, the network isolation will last only until the computer is brought into compliance. Administrators might use both monitoring and network policy compliance in their networks, as well as configure exceptions.
Network Access Protection is an extensible platform that provides an infrastructure and an API set for adding components that verify and amend a computer’s health and that enforce existing policy systems. By itself, Network Access Protection does not provide components to verify or amend a computer's health. Other components, known as system health agents (SHAs) and system health validators (SHVs), will provide network policy validation and network policy compliance. For example, a future release of SMS will include an SHA and SHV that will be compatible with Network Access Protection.
Check out the rest of the above document here