Implementing Network Access Protection

Module Overview
  - Overview of Network Access Protection
  - How NAP Works
  - Configuring NAP
  - Monitoring and Troubleshooting NAP

Overview of Network Access Protection
  - What Is Network Access Protection?
  - NAP Scenarios
  - NAP Enforcement Methods
  - NAP Platform Architecture

What Is Network Access Protection?

Network Access Protection can:
  - Enforce health-requirement policies on client computers
  - Ensure client computers are compliant with policies
  - Offer remediation support for computers that do not meet health requirements

Network Access Protection cannot:
  - Enforce health requirement policies on client computers
  - Ensure client computers are compliant with policies

NAP Enforcement Methods: Key Points

IPsec enforcement (for IPsec-protected communications)
  - Computer must be compliant to communicate with other compliant computers
  - The strongest NAP enforcement type; can be applied per IP address or per protocol port number

802.1X enforcement (for IEEE 802.1X-authenticated wired or wireless connections)
  - Computer must be compliant to obtain unlimited access through an 802.1X connection (authenticating switch or access point)

VPN enforcement (for remote access connections)
  - Computer must be compliant to obtain unlimited access through a RAS connection

DirectAccess
  - Computer must be compliant to obtain unlimited network access
  - For noncompliant computers, access is restricted to a defined group of infrastructure servers

DHCP enforcement (for DHCP-based address configuration)
  - Computer must be compliant to receive an unlimited-access IPv4 address configuration from DHCP
  - This is the weakest form of NAP enforcement

NAP Platform Architecture (diagram)
  Components shown: Intranet; Internet; Perimeter Network; Restricted Network; NAP Health Policy Server; Health Registration Authority; DHCP Server; VPN Server; IEEE 802.1X Devices; Active Directory; Remediation Servers; NAP Client with limited access

How NAP Works
  - NAP Enforcement Processes
  - IPsec Enforcement
  - 802.1X Enforcement
  - VPN Enforcement
  - DHCP Enforcement

NAP Enforcement Processes (diagram)
  Components shown: NAP Client; HRA; VPN Server; DHCP Server; IEEE 802.1X Network Access Devices; NAP Health Policy Server; Health Requirement Server; Remediation Server
  Message flows shown: RADIUS messages (enforcement points to the NAP Health Policy Server); System Health Updates (Remediation Server to NAP Client); HTTP or HTTP over SSL messages (NAP Client to HRA); Requirement Queries (NAP Health Policy Server to Health Requirement Server); DHCP messages (NAP Client to DHCP Server); PEAP messages over PPP (NAP Client to VPN Server); PEAP messages over EAPOL (NAP Client to IEEE 802.1X devices)

IPsec Enforcement

Key Points of IPsec NAP Enforcement:
  - Consists of a health certificate server and an IPsec NAP enforcement client (EC)
  - The health certificate server issues X.509 certificates to quarantined clients once they are verified as compliant
  - The certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
  - IPsec enforcement confines communication on a network to those nodes that are considered compliant
  - You can define requirements for secure communication with compliant clients on a per-IP address or a per-TCP/UDP port number basis

802.1X Enforcement

Key Points of 802.1X Wired or Wireless NAP Enforcement:
  - Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
  - Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
  - Restricted-access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
  - 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted-access profile to the connection if the client becomes noncompliant

VPN Enforcement

Key Points of VPN NAP Enforcement:
  - Computer must be compliant to obtain unlimited network access through a remote access VPN connection
  - Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
  - VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant

DHCP Enforcement

Key Points of DHCP NAP Enforcement:
  - Computer must be compliant to obtain an unlimited-access IPv4 address configuration from a DHCP server
  - Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
  - DHCP enforcement actively monitors the health status of the NAP client, renewing the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant
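The slide describes what a noncompliant client receives under DHCP enforcement; the following added example (not from the course, and not Microsoft's own script) shows the server-side setup that produces it: NAP enforcement is switched on for a scope, and the options handed to noncompliant clients are defined under the DHCP server's NAP user class. It assumes Windows Server 2012 or later with the DhcpServer PowerShell module, an NPS health policy server already configured (and the DHCP server registered there as a RADIUS client if NPS is remote), and that the built-in user class is named "Default Network Access Protection Class". The scope, addresses and DNS suffix are constructed placeholders.

```powershell
# Added example: enable NAP enforcement on a DHCP scope and define the restricted
# configuration that noncompliant clients receive. Scope, addresses and suffix are constructed.
Import-Module DhcpServer

$ScopeId        = '10.10.20.0'     # constructed example scope
$RemediationDns = '10.10.20.5'     # constructed: DNS server reachable from the restricted network
$NapUserClass   = 'Default Network Access Protection Class'   # assumed name of the built-in NAP user class

# 1. Turn NAP enforcement on for the scope. From now on the DHCP server asks NPS for a
#    health evaluation before it hands out an unlimited-access configuration.
Set-DhcpServerv4Scope -ScopeId $ScopeId -NapEnable $true

# 2. Make sure the user class that DHCP applies to noncompliant clients exists.
$class = Get-DhcpServerv4Class -Type User | Where-Object Name -eq $NapUserClass
if (-not $class) {
    throw "User class '$NapUserClass' was not found on this DHCP server."
}

# 3. Options that only noncompliant clients get: a DNS server on the restricted network
#    (so remediation servers still resolve) and a distinct DNS suffix that makes the
#    restricted state visible on the client.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapUserClass -OptionId 6  -Value $RemediationDns
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapUserClass -OptionId 15 -Value 'restricted.example.internal'

# 4. Review the result: NapEnable on the scope, and the class-specific options.
Get-DhcpServerv4Scope -ScopeId $ScopeId | Select-Object ScopeId, Name, NapEnable, NapProfile
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapUserClass
```

The address restriction itself (no default gateway, plus routes only to the remediation servers NPS lists) is applied by the DHCP server based on the NPS answer; the user-class options above only shape what else the restricted client sees. Because DHCP enforcement is the weakest method, an administrator on the client can still assign a static address, which is why the slide ranks it below IPsec and 802.1X.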

Configuring NAP
  - What Are System Health Validators?
  - What Is a Health Policy?
  - What Are Remediation Server Groups?
  - NAP Client Configuration

What Are System Health Validators?
  - System Health Validators (SHVs) are the server-side counterparts of system health agents (SHAs)
  - Each SHA on the client has a corresponding SHV in NPS
  - SHVs allow NPS to verify the statement of health made by the corresponding SHA on the client
  - SHVs contain the required configuration settings for client computers
  - The Windows Security SHV corresponds to the Microsoft SHA on client computers

What Is a Health Policy?
  - To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it
  - Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
  - You define client health policies in NPS by adding one or more SHVs to the health policy
  - NAP enforcement is accomplished by NPS on a per-network-policy basis
  - After you create a health policy by adding one or more SHVs to it, you can add the health policy to a network policy and enable NAP enforcement in that policy
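The slide says that NAP enforcement happens per network policy and that a health policy is the condition that ties SHV results to a network policy. The following added example is a small model of that evaluation, written for this page; it is not NPS code and does not configure NPS. It assumes two health-policy conditions named after the NPS options "Client passes all SHV checks" and "Client fails one or more SHV checks", network policies tried in order with a NAP enforcement setting of full access, probation or limited access, and an unavailable SHV treated as a failure (NPS makes that configurable). The policy names, SHV names and results are constructed.

```powershell
# Added example: model of how NPS turns SHV results + health policy + network policy
# into an enforcement decision. Not NPS code; names and results are constructed.

function Test-HealthPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$ShvResults,   # SHV name -> $true (pass) / $false (fail)
        [Parameter(Mandatory)][ValidateSet('PassesAll', 'FailsOneOrMore')][string]$Condition,
        [string[]]$Shvs                                 # SHVs the health policy includes; default: all reported
    )
    if (-not $Shvs) { $Shvs = @($ShvResults.Keys) }
    # Assumption: an SHV with no result counts as a failure.
    $selected = @($Shvs | ForEach-Object {
        if ($ShvResults.ContainsKey($_)) { [bool]$ShvResults[$_] } else { $false }
    })
    switch ($Condition) {
        'PassesAll'      { return -not ($selected -contains $false) }
        'FailsOneOrMore' { return ($selected -contains $false) }
    }
}

function Resolve-NapAccess {
    param(
        [Parameter(Mandatory)][hashtable]$ShvResults,
        [Parameter(Mandatory)][object[]]$NetworkPolicies   # ordered; each has Name, Condition, Enforcement
    )
    # Audit event IDs from the module's troubleshooting table.
    $eventIds = @{ FullAccess = 6278; Probation = 6277; LimitedAccess = 6276 }
    foreach ($policy in $NetworkPolicies) {
        if (Test-HealthPolicy -ShvResults $ShvResults -Condition $policy.Condition) {
            return [pscustomobject]@{
                MatchedPolicy = $policy.Name
                Enforcement   = $policy.Enforcement
                AuditEventId  = $eventIds[$policy.Enforcement]
            }
        }
    }
    # No network policy matched: NPS denies the request (event 6273).
    return [pscustomobject]@{ MatchedPolicy = $null; Enforcement = 'Denied'; AuditEventId = 6273 }
}

# Constructed policy set: compliant clients get full access, everyone else is restricted.
$policies = @(
    [pscustomobject]@{ Name = 'NAP Compliant';    Condition = 'PassesAll';      Enforcement = 'FullAccess' },
    [pscustomobject]@{ Name = 'NAP Noncompliant'; Condition = 'FailsOneOrMore'; Enforcement = 'LimitedAccess' }
)
Resolve-NapAccess -ShvResults @{ 'Windows Security Health Validator' = $true  } -NetworkPolicies $policies
Resolve-NapAccess -ShvResults @{ 'Windows Security Health Validator' = $false } -NetworkPolicies $policies
```

Policy order matters in NPS exactly as in this model: if the "NAP Noncompliant" policy were listed first with a condition that a compliant client also satisfies, compliant clients would be restricted. Switching the second policy's Enforcement to Probation is how a deferred-enforcement rollout is modelled, and it maps to event 6277 rather than 6276.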

What Are Remediation Server Groups?
  - With NAP enforcement in place, you should specify remediation server groups so that noncompliant NAP-capable clients have access to the resources that bring them into compliance
  - A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
  - A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates

NAP Client Configuration
  - Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center
  - The Network Access Protection Agent service is required when you deploy NAP to NAP-capable client computers
  - You also must configure the NAP enforcement clients on the NAP-capable computers
  - Most NAP client settings can be configured with Group Policy (GPO)

Monitoring and Troubleshooting NAP
  - What Is NAP Tracing?
  - Troubleshooting NAP with Netsh
  - Troubleshooting NAP with Event Logs

What Is NAP Tracing?
  - NAP tracing identifies NAP events and records them to a log file at one of the following tracing levels: Basic, Advanced, Debug
  - You can use tracing logs to evaluate the health and security of your network, and for troubleshooting and maintenance
  - NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs

Troubleshooting NAP with Netsh
  You can use the following netsh NAP commands to help you troubleshoot NAP issues:

    netsh nap client show state
    netsh nap client show config
    netsh nap client show group
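The NAP Client Configuration slide lists what a NAP-capable client needs (the NAP Agent service, Security Center for the Windows Security Health Validator, enabled enforcement clients), and the netsh commands above are how you read that state back. The following added example (written for this page, not part of the course) combines the two into one client-side check. It assumes the service short names napagent and wscsvc, and that `netsh nap client show state` prints one enforcement client per block with lines of the form `Id = ...`, `Name = ...`, `Admin = ...`, plus a `Restriction state = ...` line; the parsing is an assumption about that text layout.

```powershell
# Added example: report NAP prerequisites and enforcement-client state on a client.
# Service names and the netsh output layout parsed below are assumptions.

function Get-NapClientStatus {
    [CmdletBinding()]
    param()

    # Services the module lists as prerequisites: the NAP Agent, and Security Center
    # when the Windows Security Health Validator is used.
    $services = foreach ($name in 'napagent', 'wscsvc') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = $name
            State     = if ($svc) { $svc.State }     else { 'NotInstalled' }
            StartMode = if ($svc) { $svc.StartMode } else { $null }
        }
    }

    # Enforcement-client and restriction state from netsh (layout assumed: Id / Name / Admin per block).
    $stateText   = & netsh nap client show state 2>&1
    $clients     = New-Object System.Collections.Generic.List[object]
    $restriction = $null
    $current     = $null
    foreach ($raw in $stateText) {
        $line = [string]$raw
        if ($line -match '^\s*Restriction state\s*=\s*(.+?)\s*$') {
            $restriction = $Matches[1]
        }
        elseif ($line -match '^\s*Id\s*=\s*(\d+)') {
            $current = [ordered]@{ Id = [int]$Matches[1]; Name = $null; Admin = $null }
        }
        elseif ($current -and $line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            $current.Name = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Admin\s*=\s*(\w+)') {
            $current.Admin = $Matches[1]
            $clients.Add([pscustomobject]$current)
            $current = $null
        }
    }

    [pscustomobject]@{
        Services           = $services
        RestrictionState   = $restriction
        EnforcementClients = $clients
        EnabledClients     = @($clients | Where-Object Admin -eq 'Enabled' | ForEach-Object Name)
    }
}

$status = Get-NapClientStatus
$status.Services           | Format-Table -AutoSize
$status.EnforcementClients | Format-Table -AutoSize
"Restriction state: $($status.RestrictionState)"
if ($status.EnabledClients.Count -eq 0) {
    Write-Warning 'No enforcement client is enabled; NPS cannot restrict this computer.'
}
if ($status.Services | Where-Object { $_.Service -eq 'napagent' -and $_.State -ne 'Running' }) {
    Write-Warning 'The Network Access Protection Agent service is not running; the client cannot send a statement of health.'
}
```

The Admin column reflects what the slide calls configuring the enforcement clients, which in a domain is normally pushed by Group Policy; a client whose enforcement clients all show Disabled will never be restricted no matter what NPS decides, so this is the first thing to check when a machine that should be quarantined is not.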

Troubleshooting NAP with Event Logs

  Event ID   Meaning
  6272       Successful authentication has occurred
  6273       Successful authentication has not occurred
  6274       A configuration problem exists
  6276       NAP client quarantined
  6277       NAP client is on probation
  6278       NAP client granted full access
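Reading these event IDs one at a time in Event Viewer does not scale once NPS serves a whole site, so the following added example (written for this page, not part of the course) queries the NPS server's Security log for the IDs in the table, counts them, and lists which clients were quarantined. It assumes the events live in the Security log of the NPS server, that the account running it has read access to that log, and that the quarantine events carry `Account Name:` and `Calling Station Identifier:` fields in their message text; those field names are assumptions about the NPS audit message format.

```powershell
# Added example: summarise NAP/NPS audit events on the NPS server.
# Meanings come from the module's table; the message field names parsed are assumptions.

$NapEventMeaning = @{
    6272 = 'Successful authentication has occurred'
    6273 = 'Successful authentication has not occurred'
    6274 = 'A configuration problem exists'
    6276 = 'NAP client quarantined'
    6277 = 'NAP client is on probation'
    6278 = 'NAP client granted full access'
}

function Get-NapEventSummary {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = @($NapEventMeaning.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $summary = $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Meaning = $NapEventMeaning[[int]$_.Name]
            Count   = $_.Count
        }
    } | Sort-Object EventId

    # Quarantine details pulled from the event text (field names assumed).
    $quarantined = $events | Where-Object Id -eq 6276 | ForEach-Object {
        $account = if ($_.Message -match 'Account Name:\s*(\S+)')                { $Matches[1] } else { 'unknown' }
        $station = if ($_.Message -match 'Calling Station Identifier:\s*(\S+)')  { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $account; CallingStation = $station }
    }

    [pscustomobject]@{
        Window      = "$Hours h on $ComputerName"
        Summary     = $summary
        Quarantined = $quarantined
    }
}

$report = Get-NapEventSummary -Hours 24
$report.Summary     | Format-Table -AutoSize
$report.Quarantined | Format-Table -AutoSize
# A burst of 6274 points at NPS or RADIUS-client misconfiguration rather than unhealthy clients;
# 6277 without any 6276 usually means the network policy is still set to probation (deferred enforcement).
if ($report.Summary | Where-Object { $_.EventId -eq 6274 -and $_.Count -gt 0 }) {
    Write-Warning 'Configuration problems (6274) were logged; check RADIUS client and network policy settings before blaming client health.'
}
```

Run it on the NPS server (or point ComputerName at it) and compare the 6276 list with what `netsh nap client show state` reports on the affected clients: a machine that NPS quarantined but whose restriction state is "Not restricted" indicates that the enforcement point, not NPS, is where the problem lies.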

Summary
  - Overview of Network Access Protection
  - How NAP Works
  - Configuring NAP
  - Monitoring and Troubleshooting NAP