
Steve Seguis

"Microsoft Windows Server 2008 Administration"

Hosts are allowed to communicate only with other hosts in the same zone or the adjacent zone.
Hosts in the boundary zone can talk to any system, while hosts in the quarantine zone
cannot talk to any system in the protected zone, and vice versa.

Figure 8-1 is sort of a 100,000-foot aerial view of how NAP works. NAP is built around
four major principles: policy validation (health checks), network restriction, remediation
(getting healthy), and ongoing compliance. Ongoing compliance means that in order to
remain in the protected zone, a system must continue to stay healthy. If a change in the
state of the system brings it out of compliance with your NAP policy, it is kicked back
into the quarantine zone and forbidden to talk to any protected zone hosts until the issue
has been remediated.

Figure 8-1. NAP logical network zones using IPSec (Quarantine Zone, Boundary Zone, Protected Zone)

For example, let's say one of your policies states that the Windows Firewall must
be on at all times. A user plugs his laptop into the network with the Windows Firewall
enabled. It has now passed the health check and is given access to the protected zone
members. If during the course of its operation the user decides to shut off the Windows
Firewall, the next time the policy is evaluated it is no longer marked healthy and is
disconnected from all protected hosts until either the user turns Firewall back on or your
remediation server turns it on for the user.
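
The zone rules and the Windows Firewall scenario above, as a simplified model added here for illustration (it is not code from the book or from Microsoft's NAP implementation). The `Host` class, the function names and the assumption that an unvalidated host starts in the quarantine zone are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum


class Zone(IntEnum):
    # Ordered so that adjacent zones differ by exactly 1.
    QUARANTINE = 0
    BOUNDARY = 1
    PROTECTED = 2


def can_communicate(a: Zone, b: Zone) -> bool:
    """Same or adjacent zone only, so quarantine <-> protected is blocked."""
    return abs(int(a) - int(b)) <= 1


@dataclass
class Host:
    name: str
    firewall_on: bool
    zone: Zone = Zone.QUARANTINE  # assumption: unvalidated hosts start here


def evaluate(host: Host) -> Zone:
    """One policy evaluation: the only health check modelled is the firewall."""
    host.zone = Zone.PROTECTED if host.firewall_on else Zone.QUARANTINE
    return host.zone


def remediate(host: Host) -> Zone:
    """Remediation turns the firewall back on, then health is re-evaluated."""
    host.firewall_on = True
    return evaluate(host)


def laptop_scenario() -> list:
    """Replay the laptop example; each entry is (event, zone, reaches protected)."""
    laptop = Host("laptop", firewall_on=True)
    trace = []

    def record(event: str) -> None:
        reach = can_communicate(laptop.zone, Zone.PROTECTED)
        trace.append((event, laptop.zone.name, reach))

    record("plugged in")
    evaluate(laptop); record("health check")
    laptop.firewall_on = False; record("firewall turned off")
    evaluate(laptop); record("next evaluation")
    remediate(laptop); record("remediated")
    return trace
```

In the trace, the laptop still reaches protected hosts at "firewall turned off" and loses access only at "next evaluation", so the evaluation interval bounds how long a non-compliant host stays in the protected zone.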