Selecting the Right Network Access Protection Architecture

1. Selecting the Right Network Access Protection Architecture Infrastructure Planning and Design Series

2. What Is IPD? Guidance that aims to clarify and streamline the planning and design process for Microsoft® infrastructure technologies IPD…in 50 pages: • Defines decision flow • Describes decisions to be made • Relates decisions and options for the business • Frames additional questions for business understanding • Replaces Windows Server System™ Reference Architecture (WSSRA) Download the IPD Guides at www.microsoft.com/ipd

3. Getting Started Selecting the Right nAP Architecture

4. Purpose and Agenda • Purpose • To assist in the decision-making process regarding which enforcement methods to use in conjunction with Network Access Protection (NAP) to meet business and technical requirements • Agenda • Determine which components to use in a NAP architecture

5. What Is NAP? • Network Access Protection is a policy-based solution that: • Validates whether computers meet health policies • Can limit access for noncompliant computers • Automatically remediates noncompliant computers • Continuously updates compliant computers to maintain health state • Offers administrators a wide range of choice and deployment flexibility to better secure their Windows networks

6. NAP Architecture

7. Why Implement NAP? • Controlled access for guests, vendors, partners • Improved resilience to malware as network health increases • More robust update infrastructure • Managed compliance

8. Key Messages for NAP • The NAP client can be Windows Server® 2008, Windows Vista®, Windows® XP SP3, or third-party (Linux + Macintosh) • NAP is built into Windows that you enable via GP/script • NAP requires a minimum of one Windows Server 2008 machine to get started

9. NAP Enforcement Options

10. Decision Flow • Determine the client connectivity • Determine enforcement layer • If enforcement is at network layer, select enforcement options

11. Determine Client Connectivity • Type of network connectivity dictates appropriate enforcement methods. Client devices connect two ways: • Locally—via wired or wireless • Remotely—such as VPN

12. Determine VPN Platform • Will the VPN platform be Microsoft or third-party? • Microsoft VPN selected: • If IT selects RRAS to provide remote access, VPN server must run Windows Server 2008 • Low level of complexity and cost to implement • Third-party VPN selected: • If IT selects a third-party VPN, IPsec can be used to restrict client device access • High level of complexity and medium cost to implement

13. Enforcement Layer Decision • Enforce NAP restrictions at each host or enforce on network? • Enforce restrictions at hosts selected: • Using IPsec provides robust security • High level of complexity and medium cost to implement • Enforce restrictions on network selected: • Depending on specific network-based enforcement method, security level less robust than IPsec • Medium level of complexity and highcost to implement

14. NAP Restrictions – Host vs. Network Enforcement • Use the table below to select between: • IPsec – host-based • 802.1X – network-based • DHCP – network-based

15. Additional Considerations for NAP • Determine system compliance requirements • Combining NAP technologies • Dependencies

16. Summary and Conclusion • NAP flexibility provides choice • NAP is deployment ready Provide feedback to satfdbk@microsoft.com

17. Find More Information • Download the full document and other IPD guides: • www.microsoft.com/ipd • Contact the IPD team: • satfdbk@microsoft.com • Visit the Microsoft Solution Accelerators Web site: • www.microsoft.com/technet/SolutionAccelerators