Week #7 Network Access Protection

andren
Presentation Transcript


  1. Week #7 Network Access Protection
  • Overview of Network Access Protection
  • How NAP Works
  • Configuring NAP
  • Monitoring and Troubleshooting NAP

  2. What Is Network Access Protection?
  Network Access Protection can:
  • Enforce health-requirement policies on client computers
  • Ensure client computers are compliant with policies
  • Offer remediation support for computers that do not meet health requirements
  Network Access Protection cannot:
  • Prevent authorized users with compliant computers from performing malicious activity
  • Restrict network access for computers that are running Windows versions previous to Windows XP SP2

  3. NAP Scenarios
  NAP benefits the network infrastructure by verifying the health state of:
  • Roaming laptops
  • Desktop computers
  • Visiting laptops
  • Unmanaged home computers

  4. NAP Enforcement Methods

  5. NAP Platform Architecture
  (Diagram: VPN Server, Active Directory, IEEE 802.1X Devices, Health Registration Authority, Internet, NAP Health Policy Server, DHCP Server, Intranet, Perimeter Network, Restricted Network, Remediation Servers, NAP Client with limited access)

  6. NAP Architecture Interactions
  (Diagram; components: NAP Client, NAP Health Policy Server, Remediation Server, Health Requirement Server, HRA, DHCP Server, VPN Server, IEEE 802.1X Network Access Devices; message flows: RADIUS Messages, System Health Requirement Queries, System Health Updates, HTTP or HTTP over SSL Messages, DHCP Messages, PEAP Messages over PPP, PEAP Messages over EAPOL)

  7. NAP Client Infrastructure
  (Diagram: Remediation Server 1 and Remediation Server 2; within the NAP Client, SHA_1, SHA_2, SHA_3 ... connected through the SHA API to the NAP Agent, and the NAP Agent connected through the NAP EC API to NAP EC_A, NAP EC_B, NAP EC_C ...)

  8. NAP Server-Side Infrastructure
  (Diagram: Health Requirement Server 1 and Health Requirement Server 2; within the NAP Health Policy Server, SHV_1, SHV_2, SHV_3 ... connected through the SHV API to the NAP Administration Server and the NPS Service; RADIUS between the NPS Service and a Windows-based NAP Enforcement Point containing NAP ES_A, NAP ES_B, NAP ES_C ...)

  9. Communication Between NAP Platform Components
  (Diagram combining slides 7 and 8: Remediation Server 1 and 2, Health Requirement Server 1 and 2; NAP Health Policy Server with SHV_1 and SHV_2 behind the SHV API, the NAP Administration Server and the NPS Service; NAP Client with SHA1 and SHA2 behind the SHA API, the NAP Agent, the NAP EC API, NAP EC_A and NAP EC_B; RADIUS between the NPS Service and the Windows-based NAP Enforcement Point with NAP ES_A and NAP ES_B)

  10. NAP Enforcement Processes
  To validate network access based on system health, a network infrastructure must provide the following functionality:
  • Health policy validation: Determines whether computers are compliant with health policy requirements
  • Network access limitation: Limits access for noncompliant computers
  • Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant
  • Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements
  (Diagram: same component layout as slide 9)

  11. How IPsec Enforcement Works
  Key Points of IPsec NAP Enforcement:
  • Comprised of a health certificate server and an IPsec NAP EC
  • Health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant
  • Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
  • IPsec Enforcement confines the communication on a network to those nodes that are considered compliant
  • You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis
  (Diagram: same NAP platform architecture as slide 5)

  12. How 802.1X Enforcement Works
  Key Points of 802.1X Wired or Wireless NAP Enforcement:
  • Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
  • Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
  • Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
  • 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant
  802.1X enforcement consists of NPS in Windows Server 2008 and an EAPHost EC in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
  (Diagram: same NAP platform architecture as slide 5)

  13. How VPN Enforcement Works
  Key Points of VPN NAP Enforcement:
  • Computer must be compliant to obtain unlimited network access through a remote access VPN connection
  • Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server
  • VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
  VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC as part of the remote access client in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
  (Diagram: same NAP platform architecture as slide 5)

  14. How DHCP Enforcement Works
  Key Points of DHCP NAP Enforcement:
  • Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
  • Noncompliant computers have network access limited by an IPv4 address configuration that allows access only to the restricted network
  • DHCP enforcement actively monitors the health status of the NAP client and renews the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant
  DHCP enforcement consists of a DHCP ES that is part of the DHCP Server service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in Windows Vista, Windows XP with SP2 (with NAP Client for Windows XP), and Windows Server 2008
  (Diagram: same NAP platform architecture as slide 5)

  15. What Are System Health Validators?
  System Health Validators are server software counterparts to system health agents
  • Each SHA on the client has a corresponding SHV in NPS
  • SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client
  • SHVs contain the required configuration settings on client computers
  • The Windows Security SHV corresponds to the Microsoft SHA on client computers

  16. What Is a Health Policy?
  To make use of the Windows Security Health Validator, you must configure a Health Policy and assign the SHV to it
  • Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
  • You can define client health policies in NPS by adding one or more SHVs to the health policy
  • NAP enforcement is accomplished by NPS on a per-network policy basis
  • After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy

  17. What Are Remediation Server Groups?
  With NAP enforcement in place, you should specify remediation server groups so the clients have access to resources that bring noncompliant NAP-capable clients into compliance
  • A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
  • A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates

  18. NAP Client Configuration
  • Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
  • The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
  • You also must configure the NAP enforcement clients on the NAP-capable computers

  19. What Is NAP Tracing?
  • NAP tracing identifies NAP events and records them to a log file based on one of the following tracing levels:
    • Basic
    • Advanced
    • Debug
  • You can use tracing logs to:
    • Evaluate the health and security of your network
    • Troubleshoot and maintain NAP
  • NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs

  20. Configuring NAP Tracing
  • You can configure NAP tracing by using one of the following tools:
    • The NAP Client Management console
    • The Netsh command-line tool
  • To enable logging functionality, you must be a member of the Local Administrators group
  • Trace logs are located in the following directory: %systemroot%\tracing\nap
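The checks from slide 18 and the netsh tracing steps from slide 20, combined into one script. This is an added example, not part of the presentation: the service names napagent and wscsvc and the netsh tracing level names (basic, advanced, verbose, where the console's "Debug" level corresponds to netsh "verbose") are assumptions from Windows conventions rather than values taken from the slides.

```powershell
# Added example (not from the presentation). Assumes a Windows client with the NAP
# client components installed; service names and netsh level names are assumptions.
param(
    [ValidateSet('basic', 'advanced', 'verbose')]
    [string]$Level = 'basic'
)

# Slide 20: enabling tracing requires membership in the local Administrators group.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (local Administrators) prompt.'
}

# Slide 18: the Network Access Protection Agent service must be running, and
# deployments that use the Windows Security Health Validator also need Security Center.
foreach ($svc in 'napagent', 'wscsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        Write-Warning "Service $svc is not installed on this computer."
    } elseif ($s.Status -ne 'Running') {
        Write-Warning "Service $svc is $($s.Status); NAP health checks will not run until it starts."
    } else {
        Write-Output "Service $svc is running."
    }
}

# Slide 18: the enforcement clients must be configured; show which ones are enabled.
netsh nap client show state

# Slide 20: tracing is off by default, so turn it on at the requested level.
netsh nap client set tracing state=enable level=$Level

# Slide 20: trace logs are written under %systemroot%\tracing\nap; list the newest ones.
$traceDir = Join-Path $env:SystemRoot 'tracing\nap'
if (Test-Path $traceDir) {
    Get-ChildItem -Path $traceDir -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 Name, Length, LastWriteTime
} else {
    Write-Warning "No trace directory found at $traceDir."
}
```

Run it once before reproducing a NAP problem and re-run the final listing afterwards to confirm new trace files appeared; disable tracing again with `netsh nap client set tracing state=disable` when finished, since trace files record client health details.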

More Related