Windows Server 2008 Network Access Protection (NAP) Technical Overview
Introducing Network Access Protection Network Access Protection Architecture Reviewing NAP Enforcement Options What Will We Cover?
Level 300 Familiarity with DHCP Knowledge of IPsec Familiarity with RRAS and VPN Helpful Experience
Introducing Network Access Protection Using NAP with DHCP Using NAP with VPN Using NAP with IPsec Agenda
Network Access Protection Solution Policy Validation Network Restriction Remediation Ongoing Compliance Polices, Procedures, and Awareness Data Application Host Internal Network Perimeter
Network Access Protection – Notes Policy Validation Network Restriction Remediation Ongoing Compliance Polices, Procedures, and Awareness Data Application Host Internal Network Perimeter
NAP Architecture Overview Network Policy Server Quarantine Server (QS) Client Quarantine Agent (QA) Health policyUpdates Health Statements Network Access Requests System Health Servers Remediation Servers Health Certificate Network Access Devices and Servers System Health Agent (SHA) MS and 3rd Parties System Health Validator Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN)
NAP Architecture Overview – Notes Network Policy Server Quarantine Server (QS) Client Quarantine Agent (QA) Health policyUpdates Health Statements Network Access Requests System Health Servers Remediation Servers Health Certificate Network Access Devices and Servers System Health Agent (SHA) MS and 3rd Parties System Health Validator Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN)
Network Layer Protection with NAP Requesting access. Here’s my new health status. MS NPS Client 802.1x Switch Remediation Servers May I have access? Here’s my current health status. Should this client be restricted based on its health? Ongoing policy updates to Network Policy Server You are given restricted access until fix-up. Can I have updates? Here you go. According to policy, the client is not up to date. Quarantine client, request it to update. Restricted Network Client is granted access to full intranet. System Health Servers According to policy, the client is up to date. Grant access.
Host Layer Protection with NAP Accessing the network X Remediation Server NPS HRA May I have a health certificate? Here’s my SoH. Client ok? No. Needs fix-up. You don’t get a health certificate. Go fix up. I need updates. Here you go. Here’s your health certificate. Yes. Issue health certificate. Client No Policy Authentication Optional Authentication Required
NAP – Enforcement Options Restricted VLANFull access802.1X Healthy peers reject connection requests from unhealthy systems Can communicate with any trusted peer Complements layer 2 protection Works with existing servers and infrastructure Offers flexible isolation IPsec Restricted VLANFull accessVPN Restricted set of routesFull IP address given, full access DHCP Unhealthy ClientHealthy ClientEnforcement Infrastructure and API Setv Customer Choice IPsec-based Enforcement
Introducing Network Access Protection Using NAP with DHCP Using NAP with VPN Using NAP with IPsec Agenda
NAP with DHCP NPS Server Client DHCP ServerVPN ServerIEEE 802.1X Devices Remediation Servers Requesting access. Here’s my new health status. The client requests and receives updates I need to lease an IP address You are not within the Health Policy requirements Access granted. Here is your new IP address
Demonstration Environment
Demo Configuring NAP for DHCP Configure Health Policies Configure Network Policies Enable Client NAP Settings demonstration
Introducing Network Access Protection Using NAP with DHCP Using NAP with VPN Using NAP with IPsec Agenda
NAP with VPN and RRAS NPS Server Client VPN Server Remediation Servers RADIUS Messages PEAP Messages
Demo Configuring NAP for VPN Configure RRAS Settings Configure Connection Request Policy Configure Network Policies demonstration
Introducing Network Access Protection Using NAP with DHCP Using NAP with VPN Using NAP with IPsec Agenda
IPsec-based Communication Secure network Boundary network Restricted network IPsec Authenticated Unauthenticated
IPsec-based Communication – Notes Secure network Boundary network Restricted network IPsec Authenticated Unauthenticated
Demo Configuring NAP for IPsec Configure Exemption Group Configure Certificate Settings Configure Health Registration Authority demonstration
NAP provides policy-driven access control Customer choice—flexible, selectable enforcement Broad industry support Session Summary
Visit TechNet at: Visit the following site for additional information: For More Information
Course IDTitle 5934 Introducing Microsoft Windows Server Introducing Server Management in Microsoft Windows Server 2008 For training information and availability Training Resources
Self-study learning tool, free to anyone Determines skills gaps Provides learning plans Post your score, see how you rank Visit: Readiness with Skills Assessment
Become a Microsoft Certified Professional What are MCP certifications? Validation in performing critical IT functions Why certify? WW recognition of skills gained through experience More effective deployments with reduced costs What certifications are there for IT Pros? MCP, MCSE, MCSA, MCDST, MCDBA
TechNet Plus TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning. Evaluate full versions of all Microsoft commercial software for evaluation— without time limits. This includes all client, server and Office applications. Try out all the latest betas before public release Keep your skills current with select Microsoft E-Learning courses free each quarter Evaluate full versions of all Microsoft commercial software for evaluation— without time limits. This includes all client, server and Office applications. Try out all the latest betas before public release Keep your skills current with select Microsoft E-Learning courses free each quarter Evaluate & Learn Plan & Deploy Support & Maintain Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager Stay informed with your free subscription to TechNet Magazine. Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager Stay informed with your free subscription to TechNet Magazine. 2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents) Access over 100 managed newsgroups and get next business day response-- guaranteed Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities 2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents) Access over 100 managed newsgroups and get next business day response-- guaranteed Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities Get all these resources and more with a TechNet Plus subscription. For more information visit: technet.microsoft.com/subscriptions