What is NAP?
NAP is a policy enforcement technology in the Windows Vista and Windows Server Code Name "Longhorn" operating systems. NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. Developers and administrators can create solutions for validating computers that connect to their networks, can provide needed updates or access to needed resources (called remediation resources), and can restrict the network access of computers that do not comply. The enforcement features of NAP can be integrated with software from other vendors or with custom programs. Administrators can customize the systems they develop and deploy, whether for monitoring the computers accessing the network for policy compliance, automatically updating computers with software updates to meet policy requirements, or isolating computers that do not meet policy requirements to a restricted network.
NAP is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. For example, if a computer has all the software and configuration settings that the network access policy requires, the computer is considered healthy, and it will be granted the appropriate access to the network. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior. Health validation establishes that a client is configured as policy requires, not that its user or its traffic is trustworthy.
Network Access Protection has three important and distinct aspects:
Network Policy Validation
When a user attempts to connect to the network, the computer’s health state is validated against the network access policies as defined by the administrator. Administrators can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with network access policies, but the compliance state of each computer is logged. In an isolation environment, computers that comply with the network access policies are allowed access to the network, but computers that do not comply with network access policies or that are not compatible with NAP are isolated to a restricted network. In both environments, administrators can define exceptions to the validation process. NAP will also include migration tools to make it easier for administrators to define exceptions that best suit their network needs.
Network Policy Compliance
Administrators can help ensure compliance with network access policies by choosing to automatically update noncompliant computers with the missing requirements through management software, such as Microsoft Systems Management Server (SMS). In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In an isolation environment, computers that do not comply with network access policies are isolated until the software and configuration updates are completed. Again, in both environments, the administrator can define policy exceptions.
Network Isolation
Administrators can protect network assets by isolating computers that do not comply with network access requirements. Computers that do not comply will have their network access restricted as defined by the administrator, whether that access is limited to a restricted network, to a single resource, or to no internal resources at all. If an administrator does not configure health update resources, the network isolation will last for the duration of the connection. If an administrator configures health update resources, the network isolation will last only until the computer is brought into compliance.
NAP is an extensible platform that provides an infrastructure and an API set for adding components that verify and amend a computer’s health and that enforce existing network policy. By itself, NAP does not provide components to verify or correct a computer's health. Other components, known as system health agents (SHAs) and system health validators (SHVs), provide network policy validation and compliance. For example, a future release of SMS will include an SHA and SHV that will be compatible with NAP.
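The three aspects described above (policy validation, compliance through remediation, and isolation) together with the SHA/SHV split in the preceding paragraph, as one added worked model. This is illustrative Python written for this page; it is not NAP's own API and not code from Microsoft. Real SHAs and SHVs are Windows components that exchange statements of health through the NAP platform; the validator names, the policy values (for example the 7-day signature age), the remediation fixers and the sample statements below are all hypothetical and constructed for the example.

```python
"""Illustrative model of the NAP policy cycle (added example, not NAP's API):
SHAs report statements of health, SHVs validate them, an enforcement decision
(full or restricted access) is made per environment mode, and configured
remediation resources bring a client back into compliance on the restricted network.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class StatementOfHealth:
    """What one hypothetical SHA reports: its id and a dict of claims."""
    sha_id: str
    claims: Dict[str, object]


@dataclass
class HealthResult:
    """Failures keyed by SHA id; an empty dict means the computer is compliant."""
    failures: Dict[str, str]

    @property
    def compliant(self) -> bool:
        return not self.failures


# Hypothetical SHVs: each inspects the claims of its matching SHA.
# The policy values here (7-day signature age etc.) are assumptions for the example.
def firewall_shv(claims: Dict[str, object]) -> Tuple[bool, str]:
    return (claims.get("firewall_on") is True, "firewall must be enabled")


def antivirus_shv(claims: Dict[str, object]) -> Tuple[bool, str]:
    age = int(claims.get("signature_age_days", 999))
    return (age <= 7, "antivirus signatures must be at most 7 days old")


def updates_shv(claims: Dict[str, object]) -> Tuple[bool, str]:
    missing = claims.get("missing_critical_updates", [])
    return (not missing, "all critical updates must be installed")


SHVS: Dict[str, Callable[[Dict[str, object]], Tuple[bool, str]]] = {
    "firewall": firewall_shv,
    "antivirus": antivirus_shv,
    "updates": updates_shv,
}

# Hypothetical remediation resources: what a remediation server does for a failed SHV.
REMEDIATION: Dict[str, Callable[[Dict[str, object]], Dict[str, object]]] = {
    "firewall": lambda c: {**c, "firewall_on": True},
    "antivirus": lambda c: {**c, "signature_age_days": 0},
    "updates": lambda c: {**c, "missing_critical_updates": []},
}

FULL, RESTRICTED = "full", "restricted"


def validate(sohs: Iterable[StatementOfHealth]) -> HealthResult:
    """Run every configured SHV. A missing statement fails its SHV (fail-closed)."""
    by_id = {s.sha_id: s.claims for s in sohs}
    failures: Dict[str, str] = {}
    for sha_id, shv in SHVS.items():
        if sha_id not in by_id:
            failures[sha_id] = "no statement of health received"
            continue
        ok, reason = shv(by_id[sha_id])
        if not ok:
            failures[sha_id] = reason
    return HealthResult(failures)


def decide_access(result: HealthResult, *, mode: str,
                  nap_capable: bool = True, exempt: bool = False) -> str:
    """Monitoring-only: every authorized computer gets full access and compliance is only
    logged. Isolation: noncompliant or non-NAP-capable computers go to the restricted
    network unless the administrator has defined an exception for this computer."""
    if mode == "monitoring" or exempt:
        return FULL
    if mode != "isolation":
        raise ValueError(f"unknown mode {mode!r}")
    return RESTRICTED if (not nap_capable or not result.compliant) else FULL


def remediate(sohs: List[StatementOfHealth], result: HealthResult) -> List[StatementOfHealth]:
    """Apply the remediation resource for each failed SHV. An SHA that never reported
    cannot be fixed this way and keeps failing."""
    return [StatementOfHealth(s.sha_id, REMEDIATION[s.sha_id](s.claims)
                              if s.sha_id in result.failures else dict(s.claims))
            for s in sohs]


def connect(sohs: List[StatementOfHealth], *, mode: str, remediation_configured: bool,
            nap_capable: bool = True, exempt: bool = False, max_rounds: int = 3):
    """One connection attempt. Returns (final_access, remediation_rounds, log), where log
    holds the (access, failed SHA ids) recorded at each evaluation."""
    log, rounds = [], 0
    while True:
        result = validate(sohs)
        access = decide_access(result, mode=mode, nap_capable=nap_capable, exempt=exempt)
        log.append((access, tuple(sorted(result.failures))))
        # Without remediation resources, isolation lasts for the whole connection.
        if access == FULL or not remediation_configured or not nap_capable or rounds >= max_rounds:
            return access, rounds, log
        sohs = remediate(sohs, result)  # only reachable from the restricted network
        rounds += 1


# Constructed sample statements (not real SHA output): firewall off, signatures stale.
SAMPLE_SOHS = [
    StatementOfHealth("firewall", {"firewall_on": False}),
    StatementOfHealth("antivirus", {"signature_age_days": 12}),
    StatementOfHealth("updates", {"missing_critical_updates": []}),
]
```

The validator fails closed: an SHA that sends no statement is treated as noncompliant rather than ignored, which is the behaviour a practitioner wants when a client has had an agent disabled. Running `connect(SAMPLE_SOHS, mode="isolation", remediation_configured=True)` shows the client land on the restricted network, get both failing checks fixed, and then receive full access after one round; the same client in monitoring mode gets full access immediately with its failures only logged.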
Note: The NAP platform is not the same as Network Access Quarantine Control, which is a feature included with Windows Server 2003 to provide limited health policy enforcement only for remote access (dial-up and virtual private network [VPN]) connections.
Who Should Use NAP?
NAP helps large and medium organizations reduce the risk of infection or attack from viruses, worms, and malicious software (malware) by enforcing health policies. NAP is particularly useful for organizations that allow employees to connect desktop or mobile computers to the corporate network from home, through a public network (such as the Internet), or both. NAP is also useful for organizations that allow employees to connect computers to unknown or hostile network environments, such as the Internet, and then connect to the corporate network. NAP can help protect the network in these situations by inspecting client computers and ensuring health compliance before allowing them to connect to the corporate network. NAP is typically implemented by the networking, security, and desktop IT administration staff.
Benefits of NAP
NAP's health policy enforcement provides an additional layer of protection against malicious software and mitigates risks to business processes. As an end-to-end solution, NAP integrates with existing network infrastructure, minimizing costly infrastructure upgrades and effectively leveraging infrastructure investments that may have already been made. In addition, NAP is a network infrastructure solution that is supported by industry and has an open and extensible architecture.