Monday, 31 October 2011

Network Access Control (NAC)

With Windows Server 2008, Windows Vista SP1, Windows 8 and Windows XP SP3 we have a simple and effective way to make sure that we have checked and validated systems before they are allowed to access critical files.

NAP (Network Access Protection) allows us to have isolated network segments and quarantine zones using IPsec and the Windows Firewall to restrict untrusted hosts. Microsoft state that there are three (3) zones, but in reality there are four (4) logical segments that can be constructed. These are:

  1. Restricted Zone: All hosts that have not been issued a health certificate lie in this zone. This will include every host that is yet to be validated. Any host that cannot become a part of the Secure zone (such as legacy devices that do not support IPsec) will also reside in this zone. Guest hosts (such as those from consultants and other third parties) will be located in this zone and will be restricted from network communications with the secured systems (hence limiting the effects of malware). Any hosts in the Restricted zone are unable to initiate communications with secured hosts and are limited to communications with the hosts in the Boundary zone.
  2. Boundary: This zone contains a set of systems that have a health certificate but do not require the systems that communicate with them to have one. You would locate proxy servers that are open to hosts in the network zone, enforcement servers and remediation servers in this zone.
  3. Secure: This zone requires that all servers have valid health certificates. These health certificates are used to provide IPsec authentication. You can allow any Windows host or server to communicate with any other in this zone, or you can use Group Policy and Security Groups to limit access to ports, folders or anything else you may wish to configure on a per-host and per-user basis.
  4. Isolated: This is not an official zone, but an attacker can be logically isolated and blacklisted from communications with even the Boundary network.


The reality of this is that we can create more than these zones with layers of secure zones based on the access requirements as defined in security groups.

Users and hosts can be located anywhere. This means we can have global roaming users connecting to the secure system in full knowledge of how they have been validated and restricted from external access when connected into the secure network.


First, the “Secure Network” is by default allowed to connect to other networks.


Although default access is allowed from the Secure Trusted Zone to anywhere, we would want to restrict this to allowed hosts and servers (logically allowing us to create a secure zone as we are used to doing in the hardware firewall world).

To stop exfiltration of data, always force users (and servers) to exit the secure zone through enforcement points (including proxy servers). This means only allowing selected servers (again, such as a proxy server) to send data from zone 3 (Secure) to zone 1 (Restricted).
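The zone rules above, including the default Secure-zone egress and the hardened variant where only enforcement points may carry traffic out to the Restricted zone, as an added Python model. This is example code written for this post, not Microsoft's NAP implementation or the author's configuration; the host names, the `Host` fields and the `enforcement_point` flag are constructed for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    RESTRICTED = 1  # no valid health certificate: unvalidated, legacy and guest hosts
    BOUNDARY = 2    # holds a certificate but accepts peers without one (HRA, proxy, remediation)
    SECURE = 3      # both ends must present a valid health certificate for IPsec
    ISOLATED = 4    # unofficial zone: blacklisted, reachable by nobody


@dataclass(frozen=True)
class Host:
    name: str
    has_valid_cert: bool                    # issued by the HRA, neither expired nor revoked
    accepts_unauthenticated: bool = False   # Boundary role: open to hosts without a certificate
    blacklisted: bool = False               # placed in the Isolated zone
    enforcement_point: bool = False         # constructed flag: proxy/enforcement server that may carry
                                            # traffic out of the Secure zone


def zone_of(host: Host) -> Zone:
    """Assign a host to a logical zone from its certificate state and role."""
    if host.blacklisted:
        return Zone.ISOLATED
    if not host.has_valid_cert:
        return Zone.RESTRICTED
    if host.accepts_unauthenticated:
        return Zone.BOUNDARY
    return Zone.SECURE


def may_initiate(src: Host, dst: Host, harden_secure_egress: bool = False) -> bool:
    """Return True if src may open a connection to dst under the zone rules.

    harden_secure_egress=False reproduces the default: the Secure zone may connect anywhere.
    harden_secure_egress=True applies the recommendation in the post: Secure hosts reach the
    Restricted zone only through enforcement points such as a proxy, which blocks direct
    data exfiltration by an arbitrary Secure host.
    """
    s, d = zone_of(src), zone_of(dst)
    if Zone.ISOLATED in (s, d):
        return False  # isolated hosts are cut off from everything, including Boundary
    if s is Zone.RESTRICTED:
        # Without a certificate the host cannot authenticate with IPsec, so it can only reach
        # Boundary servers (or other unvalidated hosts, which the health policy does not govern).
        return d in (Zone.RESTRICTED, Zone.BOUNDARY)
    if s is Zone.BOUNDARY:
        return True  # Boundary hosts hold a certificate and can therefore authenticate to Secure
    # src is in the Secure zone
    if d is Zone.RESTRICTED and harden_secure_egress:
        return src.enforcement_point
    return True


if __name__ == "__main__":
    # Constructed sample estate
    guest = Host("guest-laptop", has_valid_cert=False)
    hra = Host("hra01", has_valid_cert=True, accepts_unauthenticated=True)
    files = Host("files01", has_valid_cert=True)
    proxy = Host("proxy01", has_valid_cert=True, enforcement_point=True)
    rogue = Host("rogue", has_valid_cert=False, blacklisted=True)
    estate = (guest, hra, files, proxy, rogue)
    for hardened in (False, True):
        print(f"--- harden_secure_egress={hardened} ---")
        for src in estate:
            for dst in estate:
                if src is not dst:
                    verdict = "allow" if may_initiate(src, dst, hardened) else "deny"
                    print(f"{src.name:>12} -> {dst.name:<12} {verdict}")
```

Running it prints the full reachability matrix twice; the only rows that change between the two passes are Secure-zone hosts reaching the guest, which the hardened policy denies for `files01` and still allows for `proxy01`.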

What is a “Health Certificate”?

A health certificate is a locally created and signed X.509 certificate. This means that you will need to run the Windows CA (Certification Authority) service to use NAP, as this certificate is used to assert the health compliance of a NAP client host and is also used to authenticate to the secure-zone computers using IPsec. Without a health certificate, your host cannot communicate directly with the systems in the secure zone.

In general, health certificates are configured with a short lifetime. This is configurable, but is typically on the order of hours or days.

The hosts (NAP clients) use the Health Certificate Enrolment Protocol (HCEP) to request a certificate, and to renew it, from a server designated as a Health Registration Authority (HRA).

The HRA is a Windows Server 2008 system with the IIS (Internet Information Server) service running. This system is used to validate the “health” of client systems. If these systems pass a health check (i.e. anti-virus signatures are up to date and the host has all the latest patches), the HRA will request a health certificate from the domain certification authority (CA). This is done on behalf of the compliant NAP client computers, as until they have been issued a health certificate they cannot communicate directly with any host in the secure zone and are restricted to communicating with hosts and servers located in the Boundary network.

As a result, the HRA is critical to the implementation of an effective NAP Internet Protocol security (IPsec) enforcement strategy.

What NAP does…

NAP goes through several stages. These are:

  1. Policy Validation: System health validator (SHV) servers first check the “health” of client systems that are requesting access to the secure domain. Basically, this stage checks that the client is compliant with the policy used and enforced within the organisation. An SHV is the NAP health policy server software counterpart to a system health agent (SHA); it verifies the statement of health (SoH) made by its corresponding SHA.
  2. NAP enforcement and network restriction: These systems limit network access. They act as go-betweens to the secure network for non-compliant servers and hosts and allow some limited but controlled access to the secure zone.
  3. Remediation: Non-compliant hosts can be placed into quarantine and forced to have patches, signature updates and more applied.
  4. Ongoing monitoring and auditing: A health certificate does not last forever and can also be revoked. If a system is seen to become non-compliant, it can be isolated from the secure network.
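The four stages, together with the short certificate lifetime and revocation discussed above, as an added Python walk-through. This is example code written for this post, not Microsoft's SHV/HRA implementation or the author's own configuration; the fields of the statement of health, the 24-hour signature-age threshold, the 8-hour certificate lifetime and the sample hosts are constructed values for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class StatementOfHealth:
    """What the client's system health agent (SHA) reports. Field set constructed for this example."""
    host: str
    activated: bool                 # NAP only admits activated Windows installations
    av_signature_age_hours: float   # age of the installed anti-virus signature set
    missing_patches: int            # approved patches not yet installed


@dataclass
class HealthPolicy:
    """Thresholds the SHV enforces. Values are illustrative, not Microsoft defaults."""
    max_av_signature_age_hours: float = 24.0
    certificate_lifetime: timedelta = timedelta(hours=8)


@dataclass
class HealthCertificate:
    """Stand-in for the short-lived X.509 health certificate issued via the HRA."""
    host: str
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False

    def is_valid(self, now: datetime) -> bool:
        return not self.revoked and self.issued_at <= now < self.expires_at


def validate(soh: StatementOfHealth, policy: HealthPolicy) -> list:
    """Stage 1, policy validation: return the remediation actions required; empty means compliant."""
    actions = []
    if not soh.activated:
        actions.append("activate Windows")
    if soh.av_signature_age_hours > policy.max_av_signature_age_hours:
        actions.append("update anti-virus signatures")
    if soh.missing_patches > 0:
        actions.append(f"install {soh.missing_patches} missing patch(es)")
    return actions


def enrol(soh: StatementOfHealth, policy: HealthPolicy, now: datetime):
    """Stages 1 to 3 at the HRA: a compliant client gets a short-lived certificate; a
    non-compliant one gets nothing but the remediation list, and so stays in the Restricted zone."""
    actions = validate(soh, policy)
    if actions:
        return None, actions
    return HealthCertificate(soh.host, now, now + policy.certificate_lifetime), []


def zone_for(cert: Optional[HealthCertificate], now: datetime) -> str:
    """Stage 4, ongoing monitoring: an expired or revoked certificate drops the host back to Restricted."""
    return "Secure" if cert is not None and cert.is_valid(now) else "Restricted"


def run_scenario() -> dict:
    """Constructed walk-through for one compliant and one stale client."""
    policy = HealthPolicy()
    t0 = datetime(2011, 10, 31, 9, 0, tzinfo=timezone.utc)
    good = StatementOfHealth("ws01", activated=True, av_signature_age_hours=2, missing_patches=0)
    stale = StatementOfHealth("ws02", activated=True, av_signature_age_hours=72, missing_patches=3)
    cert, _ = enrol(good, policy, t0)
    _, remediation = enrol(stale, policy, t0)
    results = {
        "ws01_zone_at_issue": zone_for(cert, t0),
        "ws01_zone_after_1h": zone_for(cert, t0 + timedelta(hours=1)),
        "ws01_zone_after_9h": zone_for(cert, t0 + timedelta(hours=9)),  # beyond the 8 h lifetime
        "ws02_remediation": remediation,
    }
    cert.revoked = True  # operator revokes after the host is seen to become non-compliant
    results["ws01_zone_after_revocation"] = zone_for(cert, t0 + timedelta(hours=1))
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes is that enforcement is not a one-off gate: `ws01` is in the Secure zone only while its certificate is both unexpired and unrevoked, and the short lifetime means a host that stops renewing through HCEP falls back to Restricted on its own.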


NOTE: This is important!

NAP only works with ACTIVATED hosts and servers. If you have not activated a system, it will not be allowed to play. This is a little something from Microsoft to try and make sure that people have valid software licensing.


Matthew said...

Consider the following scenario:
1. The Secure Trusted zone consists of a single AD domain, configured as you stated in this article.
2. A proxy server is situated in the Secure Trusted zone, which forwards requests to other servers in the Secure Trusted zone.
3. A non-domain client host, or a client host in another AD forest (no trusts between forests), requires access to the proxy server. The client host is not in the Secure Trusted zone, but is on the organization's network (with appropriate network boundaries, etc., between zones).

How would you configure firewall policy to allow the client host to forward requests to servers in the Secure Trusted zone via the proxy server only? Can this scenario be secured?

If you are going to cover this in another post, that is fine; otherwise, an answer is appreciated.

Thank you,

Matthew said...

Sorry, I meant to post my previous comment in response to your Firewall Policy Creation post, not this one.