Chapter 7.  Step 3. Determine the Enforcement Layer

In previous steps, it was determined that clients connect to the network locally. The purpose of this step is to determine whether to enforce NAP restrictions at each host, using IPsec, or on the network itself, using 802.1X or DHCP. Each approach has unique strengths and weaknesses.

Option 1: Enforce Restrictions at the Hosts

With IPsec enforcement, hosts on the network ignore traffic from client devices that have not proven that they meet the organization’s health policies: a compliant client obtains a health certificate from a Health Registration Authority (HRA) and uses it to authenticate its IPsec connections, and a host whose policy requires that certificate simply does not respond to a peer that cannot present one. This is a powerful method of protecting compliant computers from other computers. It can also be combined with server and domain isolation so that a system which has demonstrated its compliance is still restricted to communicating only with authorized hosts. IPsec provides other benefits as well. Each packet is authenticated and integrity-checked under the negotiated security association, which defeats spoofing, tampering, man-in-the-middle, and replay attacks, and traffic can additionally be encrypted with ESP, which provides strong protection from eavesdropping.

Windows Server includes tools for managing and monitoring IPsec that eliminate much of the associated complexity. Nevertheless, IPsec enforcement is more complex than DHCP enforcement: it requires a Health Registration Authority, a certification authority to issue the health certificates, and IPsec policy deployed to every participating host, typically through Group Policy. The cost of acquiring IPsec technology is low, however, because support for it is built into every version of Windows that supports NAP.
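
As an added example (not code from the guide), the following PowerShell script creates the IPsec connection security rule that implements this enforcement on a host, using netsh advfirewall, and then checks that the rule and the host's own health certificate are in place. The CA subject name and the rule names are assumed placeholders; the EKU OID is the real System Health Authentication OID that NAP health certificates carry.

```powershell
# Added example, not from the guide: the IPsec policy that implements NAP
# IPsec enforcement on one host, expressed with netsh advfirewall, the tool
# used for Windows Server 2008 era NAP deployments. Run elevated on the host,
# or push the same rule through Group Policy to every host in the role.
# Assumptions (placeholders, not from the guide): the subject name of the CA
# that issues health certificates, and the rule names.

param(
    # Secure: require a health certificate inbound, request one outbound.
    # Boundary: request only, so noncompliant clients can still reach the
    # HRA and remediation servers that live in the boundary network.
    [ValidateSet('Secure', 'Boundary')]
    [string]$Role = 'Secure',

    [string]$HealthCa = 'CN=Contoso NAP Health CA'   # placeholder CA subject
)

$action = if ($Role -eq 'Secure') { 'requireinrequestout' } else { 'requestinrequestout' }

# auth1=computercert selects certificate authentication for the computer;
# auth1healthcert=yes additionally requires the System Health Authentication
# EKU, so an ordinary computer certificate from the same CA is not enough.
# With "require inbound", a peer that cannot present such a certificate gets
# no response at all: this is the "hosts ignore traffic" behaviour described
# in the text.
netsh advfirewall consec add rule name="NAP IPsec enforcement ($Role)" `
    endpoint1=any endpoint2=any action=$action `
    auth1=computercert auth1ca="$HealthCa" auth1healthcert=yes

# Checks.
# 1. The rule exists and is enabled with the intended action.
netsh advfirewall consec show rule name="NAP IPsec enforcement ($Role)"

# 2. The host itself holds a health certificate. On a Secure host this is
#    mandatory: without one it cannot reach any other Secure host either.
$healthEku = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $healthEku } |
    Select-Object Subject, NotAfter, Thumbprint

# 3. After a peer connects, its main-mode SA shows certificate
#    authentication (Windows 7 / Windows Server 2008 R2 and later).
netsh advfirewall monitor show mmsa
```

Apply the Secure variant through Group Policy to the secure network and the Boundary variant only to the HRA, remediation servers, and other boundary hosts. Do not apply both on one host: the require-inbound rule must not be weakened on secure hosts, and boundary hosts must stay reachable by clients that have no certificate yet.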

Option 2: Enforce Restrictions on the Network

Enforcing restrictions on the network means that either 802.1X or DHCP is used to prevent clients that do not meet the organization’s health policies from accessing the network. The pros and cons of each of these technologies are discussed in the next step. One advantage they share over IPsec is that a noncompliant device is confined to the remediation network rather than merely ignored by compliant hosts, so it cannot reach unmanaged hosts either. How strong that confinement is depends on the method: 802.1X enforces it at the switch or wireless access point, whereas DHCP enforcement relies on the client honoring a restricted address configuration, which a user with local administrator rights can bypass by assigning a static IP address.

Evaluating the Characteristics

Technical criteria are not the only factors to consider in an infrastructure design decision; the decision should also be mapped to the relevant operational characteristics. The following comparison, grouped by characteristic, describes each option and, where one is assigned, gives its rating.

Security

  Host using IPsec: IPsec can isolate individual hosts and entire segments of the network from potentially noncompliant hosts, and the IPsec policies continue to protect portable computers wherever they travel. Because traffic is authenticated, integrity-checked, and optionally encrypted, IPsec also provides defense in depth that the network-based methods do not.

  Network: Security depends on the specific network-based enforcement method. It can be good, but it is not as robust as IPsec: 802.1X is enforced by the switch or wireless access point, DHCP enforcement relies on the client honoring a restricted address configuration, and neither protects the traffic itself once a device has been admitted.

Complexity

  Host using IPsec (High): For many organizations, IPsec is the most complex approach. For organizations that already use IPsec for server and domain isolation or other purposes, the added complexity is much lower.

  Network (Medium): Complexity varies with the specific network-enforcement method, but it tends to be lower than that of IPsec.

Cost

  Host using IPsec (Medium): Acquiring IPsec technology costs little, because it is built into the Windows operating systems, but overall project costs can be somewhat higher than for DHCP because of the greater complexity.

  Network (High): Cost varies with the size of the network and with whether existing resources can be used or upgraded rather than new equipment purchased. If new network equipment must be deployed to use 802.1X, the cost will be high; if existing servers can enforce the restrictions through DHCP, the cost will be low.

Validating with the Business

In addition to evaluating the decision in this step against IT-related criteria, planners should validate the effect of the decision on the business. The following questions have been known to affect NAP design decisions:

  • What level of risk is acceptable regarding noncompliant devices gaining access to the network? IPsec enforcement protects only the hosts that carry the IPsec policy, so it provides very strong protection for managed hosts but none for unmanaged ones. For example, if someone sets up an internal Web server that the IT team does not manage, that server has no protection from a mobile user who reconnects a noncompliant computer to the network. Is this a risk that the business can tolerate?

  • Are there other compelling reasons to consider enforcement at the hosts? IPsec enforcement enables other possibilities. Once IPsec is deployed across the enterprise, the same IPsec policies can protect critical business assets from unauthorized access. For example, policies could allow only members of the legal department to connect to the file server on which litigation documents are stored, while every other employee is prevented from even seeing the server on the network.
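
As an added example of the second point (not code from the guide), the following PowerShell script uses netsh advfirewall to restrict SMB on such a file server to members of a legal-department group, with an authenticated IPsec connection required before the firewall even evaluates the rule. The group SID is an assumed placeholder, and the script assumes a domain-joined server with Kerberos available for both computer and user authentication.

```powershell
# Added example, not from the guide: server isolation for the litigation
# file server described above, built with Windows Firewall with Advanced
# Security (netsh advfirewall). Run elevated on the file server, or deliver
# the same rules through Group Policy.
# Assumptions (placeholders, not from the guide): the SID of the
# CONTOSO\Legal group, and a domain-joined server where Kerberos is
# available for computer and user authentication.

$legalSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder SID for CONTOSO\Legal

# 1. Connection security: require IPsec on every inbound connection,
#    authenticating the computer (auth1) and then the user (auth2) with
#    Kerberos. Without user authentication the firewall has no identity to
#    check against the group below. A peer that does not authenticate gets
#    no reply at all, which is what "not even seeing the server" means here.
#    Domain controllers and other infrastructure are exempted elsewhere, as
#    in any standard domain isolation design.
netsh advfirewall consec add rule name="Server isolation - authenticate computer and user" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb auth2=userkerb

# 2. Firewall: disable the stock File and Printer Sharing rules, which would
#    otherwise admit any authenticated domain member, then allow SMB (TCP 445)
#    only over an authenticated IPsec connection whose remote user is a
#    member of Legal. "D:(A;;CC;;;<SID>)" is the SDDL form rmtusrgrp expects.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no
netsh advfirewall firewall add rule name="SMB - Legal department only" `
    dir=in action=allow protocol=TCP localport=445 `
    security=authenticate rmtusrgrp="D:(A;;CC;;;$legalSid)"

# 3. Check: the verbose listing shows Security=Authenticate and the
#    RemoteUser Authorization SDDL on the rule.
netsh advfirewall firewall show rule name="SMB - Legal department only" verbose
```

Clients need a matching connection security rule that offers user Kerberos as the second authentication, normally delivered by the same Group Policy. Note that the allow rule with a user-group restriction only narrows that rule; any other inbound allow rule left enabled for port 445 would still admit other authenticated domain members, which is why the built-in group is disabled first.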

Decision Summary

If IPsec enforcement at the hosts is chosen, the decision-making process is complete unless a hybrid solution is required as outlined in "Combining NAP Technologies" later in this guide. If network enforcement is chosen, continue to Step 4.

Additional Reading

  • "Network Access Protection Platform Architecture" at http://www.microsoft.com/technet/network/nap/naparch.mspx

  • Chapter 15, "Preparing for Network Access Protection," in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.

  • Chapter 16, "IPsec Enforcement," in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.

  • Chapter 17, "802.1X Enforcement," in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.

  • Chapter 19, "DHCP Enforcement," in Windows Server 2008 Networking and Network Access Protection (NAP). Microsoft Press, 2008. This information is also available as part of the Windows Server 2008 Resource Kit. Microsoft Press, 2008.
