
Addendum to the ProCurve Access Control Security Design Guide
Microsoft NAP
■NAP health policy server (NPS)
The NPS (Network Policy Server) role runs on Windows Server 2008 and acts as the RADIUS server; it replaces the Internet Authentication Service (IAS) of earlier Windows Server releases. It holds the network policies and health policies and evaluates the health state reported by each NAP agent against them, so it is the component that makes the access decision.
■Health requirement servers
A health requirement server tells the NPS what the current requirements are, for example the latest antivirus signature version or the set of required software updates and patches, so that the NPS can judge whether an endpoint's reported health state is up to date. It does not distribute the updates themselves; that is the job of the remediation servers.
■Restricted network
The restricted network is logically or physically separate from the corporate LAN. It contains the remediation servers and any endpoints that do not comply with network policy, so that a noncompliant (and possibly infected) endpoint can reach only the resources it needs to become compliant.
■Remediation servers
Remediation servers hold the latest software updates, antivirus signatures, and other resources that a NAP client needs to become compliant. They must be reachable from the restricted network.
■Active Directory domain service
Active Directory Domain Services is not required for health state validation itself, but the VPN, DHCP, and 802.1X enforcement methods described in this guide require it.
Table: Microsoft NAP terms and their AAA or NAC equivalents

| Microsoft NAP Term | AAA or NAC Term | Meaning |
|---|---|---|
| NAP agent | NAC EI agent | An application on the endpoint that interacts with the network access control system |
| NAP enforcement point | Policy enforcement point (PEP) | A network component that enforces policies, such as a switch or access point |
| NAP health policy server | Policy decision point (PDP) | A server that accepts access requests from endpoints and decides whether they can connect |
| Health requirement server | n/a | Provides current health requirement information to the NPS |
| Active Directory | Policy repository | A database, flat file, or directory that stores account credentials and security policies |
| Restricted network | Quarantine network | A network that is separate from the corporate LAN, to which untested or failed endpoints are confined until they conform to security policies |
| Health certificate | n/a | A certificate issued to an endpoint that has passed health validation; it permits the endpoint to authenticate to the network |
| Health state | Integrity posture | The state of an endpoint in terms of its compliance with network policies |
| System Statement of Health (SSoH) | n/a | A message sent by the NAP agent that documents the endpoint's health state for each setting; it aggregates the statements of health produced by the individual system health agents |
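The restriction state and the enforcement clients described above can be read back from the endpoint itself. The following PowerShell is an added example, not code from the ProCurve guide or from Microsoft: it parses the output of the real command `netsh nap client show state` into an object that a helpdesk or compliance script can act on. The field names it matches ("Status", "Restriction state", "Id", "Name", "Initialized") are assumed to follow the usual netsh "Key = Value" layout, and the sample text embedded below is constructed so that the function can be exercised offline.

```powershell
# Added example (not from the ProCurve guide or Microsoft): read the NAP
# client's own report of its health/restriction state and which enforcement
# clients are active. "netsh nap client show state" is a real command; the
# field names matched below are ASSUMED to follow its "Key = Value" layout.

function Get-NapClientState {
    param(
        # Raw netsh output to parse; when omitted the live command is run.
        [string]$Text
    )
    if (-not $Text) {
        $Text = (& netsh nap client show state 2>&1) -join "`n"
    }

    $result = [ordered]@{
        Status             = $null
        RestrictionState   = $null
        IsRestricted       = $false
        EnforcementClients = @()
    }
    $current = $null   # the enforcement-client record being filled in

    foreach ($line in $Text -split "`r?`n") {
        # Only "Key = Value" lines matter; headers and rulers are skipped.
        if ($line -notmatch '^\s*(?<key>[^=]+?)\s*=\s*(?<val>.*?)\s*$') { continue }
        $key = $Matches.key
        $val = $Matches.val
        switch -Regex ($key) {
            '^Id$' {
                # Each "Id" line starts a new enforcement-client record.
                $current = [pscustomobject]@{ Id = $val; Name = $null; Initialized = $false }
                $result.EnforcementClients += $current
            }
            '^Name$'              { if ($current) { $current.Name = $val } }
            '^Initialized$'       { if ($current) { $current.Initialized = ($val -eq 'Yes') } }
            '^Status$'            { if (-not $current) { $result.Status = $val } }
            '^Restriction state$' { $result.RestrictionState = $val }
        }
    }

    # Anything other than "Not restricted" means the endpoint has been
    # confined to the restricted (quarantine) network.
    $result.IsRestricted = [bool]$result.RestrictionState -and
                           ($result.RestrictionState -ne 'Not restricted')
    return [pscustomobject]$result
}

# Constructed sample output (values, IDs and URL are made up for the example).
$SampleState = @'
Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Restricted
Troubleshooting URL    = http://remediation.example.com/help
Restriction start time = 12/05/2009 09:14:02

Enforcement client state:
----------------------------------------------------
Id                     = 79621
Name                   = EAP Quarantine Enforcement Client
Initialized            = Yes

Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No
'@

$state = Get-NapClientState -Text $SampleState
$state | Format-List Status, RestrictionState, IsRestricted
if ($state.IsRestricted) {
    $active = ($state.EnforcementClients | Where-Object Initialized).Name -join ', '
    "Endpoint is on the restricted network; active enforcement clients: $active"
}
```

Run `Get-NapClientState` with no arguments on a Windows client to parse the live output; the `-Text` parameter exists so the parser can be tested against saved output from a machine that is already quarantined.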