Module 9: Designing Network Access Protection

Scenarios for Implementing NAP
Verifying the health of:
- Roaming laptops
- Desktop computers
- Visiting laptops
- Home computers used for remote access

Lesson: NAP Architecture
- Network Components and Services for NAP
- NAP Architecture Overview
- Network Layer Protection with NAP
- Host Layer Protection with NAP
- NAP and Certificate Services

Network Components and Concepts for NAP
- NAP client: presents its health status (a statement of health) to an enforcement point
- Enforcement point: controls access to the network (DHCP server, VPN server, 802.1X switch or access point, or HRA, depending on the enforcement method)
- NAP health policy server: the NPS server that checks the client's reported health against the configured policies
- Remediation servers: servers that non-compliant computers are still allowed to reach so that they can become compliant
- Health registration authority (HRA): issues health certificates for IPsec enforcement

NAP Architecture Overview (diagram)
- Client side: System Health Agents (SHAs, from Microsoft and third parties) report to the NAP Agent, which passes the health statements to the Enforcement Clients (ECs) for DHCP, IPsec, 802.1X and VPN
- Network side: network access devices and servers (the enforcement points) receive the client's network access requests and relay its health statements to the NAP server
- Server side: the health policy server (NPS) runs the System Health Validators (SHVs), which may consult System Health Servers; for IPsec enforcement a health certificate is returned to a compliant client
- Remediation servers are reachable from the restricted network so a non-compliant client can be brought into compliance

Network Layer Protection with NAP (diagram, two stages, each showing the client, an 802.1X switch, the NPS server and a remediation server)
1. The client connects through the 802.1X switch; NPS evaluates its health and the switch places a non-compliant client on a restricted network that reaches only the remediation server
2. After remediation the client re-authenticates and NPS grants it unrestricted access

NAP and Certificate Services
Certificate Services is:
- Used for IPsec enforcement to issue health certificates
- Contacted by an HRA, which requests the certificate on behalf of a client that NPS has found compliant
Health certificates should have a short validity period (hours): a client that later falls out of compliance cannot obtain a new certificate, so its access to the secure network lapses when the current certificate expires, without any dependence on revocation checking.

Lesson 3: NAP Enforcement
- NAP Enforcement Methods
- IPsec Enforcement
- VPN Enforcement
- DHCP Enforcement

NAP Enforcement Methods
Enforcement methods available for NAP are:
- Internet Protocol security (IPsec) communications: enforces health policies when a client computer attempts to communicate with another computer using IPsec
- Extensible Authentication Protocol (EAP) for IEEE 802.1X connections: enforces health policies when a client computer attempts to access a network using EAP through an 802.1X wireless connection or an authenticating switch connection
- Remote access for VPN connections: enforces health policies when a client computer attempts to gain access to the network through a VPN connection
- Dynamic Host Configuration Protocol (DHCP): enforces health policies when a client computer attempts to obtain an IP address from a DHCP server
- TS Gateway: enforces health policies when a client computer attempts to communicate through a TS Gateway

IPsec Enforcement (diagram: the same three logical networks shown at three stages of a client's connection)
- Secure network: compliant computers that hold a health certificate and require one from peers that connect to them
- Boundary network: the HRA and remediation servers, which accept connections with or without a health certificate
- Restricted network: non-compliant computers without a health certificate; they can reach only the boundary network

VPN Enforcement (diagram)
- Client to VPN server: PEAP messages carrying the user authentication and the client's health statement
- VPN server to NPS server: RADIUS messages
- Non-compliant client: reaches only the remediation servers until it is compliant

DHCP Enforcement (diagram, two stages, each showing the client, the DHCP server, the NPS server and the remediation servers)
1. The client requests a lease and is not within the health policy requirements: it receives a restricted IP configuration that reaches only the remediation servers
2. The client obtains updates from the remediation servers
3. Access granted: the client renews its lease and is given a new, unrestricted IP address configuration
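DHCP enforcement only ever sees hosts that ask the DHCP server for a lease; a host configured with a static address never enters the exchange above and is never evaluated. The check below, an added example that is not part of the course material, reconciles what is actually present on a subnet (a Windows `arp -a` capture taken on the subnet's gateway) with the DHCP server's lease list and flags hosts that hold no lease, or whose MAC address differs from the lease holder's. The ARP output, the lease export, the scope and the list of known static addresses are all constructed for the example.

```python
"""Detecting hosts that bypass NAP DHCP enforcement with a static IP address.

Added example, not from the course material. DHCP enforcement only evaluates
hosts that request a lease, so this reconciles the hosts seen on the wire
(an "arp -a" capture from the subnet gateway) against the DHCP server's
active leases. Every address, MAC and lease here is constructed.
"""
import ipaddress
import re

# One entry line of Windows "arp -a" output: address, MAC as xx-xx-xx-xx-xx-xx, type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE)

# Constructed "arp -a" capture taken on the subnet gateway 10.0.50.1.
ARP_OUTPUT = """\
Interface: 10.0.50.1 --- 0xc
  Internet Address      Physical Address      Type
  10.0.50.10            00-15-5d-aa-00-10     dynamic
  10.0.50.20            00-15-5d-aa-00-20     dynamic
  10.0.50.77            00-15-5d-aa-00-77     dynamic
  10.0.50.255           ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed export of the NAP-enabled scope's active leases: IP -> MAC.
DHCP_LEASES = {
    "10.0.50.10": "00:15:5d:aa:00:10",
    "10.0.50.20": "00:15:5d:aa:00:99",  # lease holder differs from the host on the wire
}

SCOPE = "10.0.50.0/24"
KNOWN_STATIC = {"10.0.50.1", "10.0.50.2"}  # gateway and DHCP server (assumed static)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so ARP and lease MACs compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC for the dynamic (learned) entries of arp -a output."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            hosts[m.group(1)] = normalize_mac(m.group(2))
    return hosts


def find_dhcp_bypass(observed: dict, leases: dict, scope: str, known_static: set) -> list:
    """Return (ip, finding) pairs, sorted by address, for hosts inside the scope
    that hold no lease ("no-lease": never evaluated by NAP) or whose MAC does
    not match the lease holder ("lease-mac-mismatch": address reuse or spoofing)."""
    net = ipaddress.IPv4Network(scope)
    findings = []
    for ip, mac in observed.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            continue
        if ip in known_static:
            continue
        lease_mac = leases.get(ip)
        if lease_mac is None:
            findings.append((ip, "no-lease"))
        elif normalize_mac(lease_mac) != mac:
            findings.append((ip, "lease-mac-mismatch"))
    return sorted(findings, key=lambda f: ipaddress.IPv4Address(f[0]))


def run() -> list:
    """Run the reconciliation over the constructed capture and lease export."""
    return find_dhcp_bypass(parse_arp_table(ARP_OUTPUT), DHCP_LEASES, SCOPE, KNOWN_STATIC)


if __name__ == "__main__":
    for ip, finding in run():
        print(f"{ip:15} {finding}")
```

On a real network the ARP capture would come from the gateway or a switch's MAC table and the lease list from the DHCP server; the point of the check is that a "no-lease" host inside a NAP-enforced scope has never had its health evaluated at all.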

System Health Agents and Validators
System Health Agent (SHA):
- Is present on clients
- Publishes health status (a statement of health) to the NAP Agent
- Includes the Windows SHA
- Can be obtained from third parties
System Health Validator (SHV):
- Is the server-side complement to an SHA
- Compares the reported client health to the required status

Lesson: Designing NAP Enforcement and Remediation
- Considerations for Designing DHCP Enforcement
- Considerations for Designing VPN Enforcement
- Considerations for Designing 802.1X Enforcement
- Considerations for Designing IPsec Enforcement
- Discussion: Selecting an Enforcement Method
- Discussion: Selecting Remediation Servers

Considerations for Designing DHCP Enforcement
Non-compliant computers are:
- Given 0.0.0.0 as a default gateway (that is, no usable default gateway)
- Given 255.255.255.255 as a subnet mask (a host mask, so no subnet is on-link)
- Given static host routes to the remediation servers
Some considerations for DHCP enforcement are:
- Must use a Windows Server 2008 DHCP server
- IPv6 is not supported: NAP DHCP enforcement applies only to IPv4 leases from the Windows Server 2008 DHCP server
- Health status is sent as part of the lease request
- Can be circumvented by using a static IP address, which makes it the weakest enforcement method: anyone who can set the IP configuration locally (a local administrator) bypasses it entirely, so treat it as a compliance nudge rather than a security boundary
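The restricted lease is nothing more than an IP configuration with no default route and a handful of host routes, which is why it keeps remediation servers reachable and everything else not, and also why a static address defeats it. The following added example, written for this page and not taken from the course or from Microsoft's code, decodes the DHCP classless static route option (option 121, RFC 3442 encoding) that carries the remediation routes, builds the routing table a client derives from a lease, and evaluates which destinations are reachable under the restricted and the unrestricted lease. All addresses are constructed, and the router field in the sample routes (the client's own address, making the routes on-link) is an assumption, not a documented value.

```python
"""Restricted IPv4 configuration that NAP DHCP enforcement gives a non-compliant client.

Added example, not from the course material. Decodes DHCP option 121
(classless static routes, RFC 3442), derives the client's routing table from
a lease and evaluates reachability. Addresses are constructed; the router
value in the sample routes is assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    router: ipaddress.IPv4Address


@dataclass
class Lease:
    address: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address
    gateway: Optional[ipaddress.IPv4Address]
    routes: list = field(default_factory=list)


def parse_classless_static_routes(data: bytes) -> list:
    """Decode an option 121 payload. Each entry is <prefix length>,
    <only the significant destination octets>, <4-byte router>:
    a /32 destination carries 4 octets, a /24 carries 3, and so on."""
    routes = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nsig = (plen + 7) // 8
        sig = data[i + 1:i + 1 + nsig]
        router = data[i + 1 + nsig:i + 5 + nsig]
        if len(sig) != nsig or len(router) != 4:
            raise ValueError("truncated option 121 payload")
        dest = bytes(sig) + bytes(4 - nsig)  # pad the destination back to 4 octets
        routes.append(Route(ipaddress.IPv4Network((dest, plen), strict=False),
                            ipaddress.IPv4Address(bytes(router))))
        i += 5 + nsig
    return routes


def routing_table(lease: Lease) -> list:
    """Routes the client derives from a lease: the on-link prefix, the option 121
    routes, and a default route only if a gateway was handed out."""
    onlink = ipaddress.IPv4Network(f"{lease.address}/{lease.mask}", strict=False)
    table = [Route(onlink, lease.address)] + list(lease.routes)
    if lease.gateway is not None:
        table.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), lease.gateway))
    return sorted(table, key=lambda r: r.prefix.prefixlen, reverse=True)


def reachable(lease: Lease, destination: str) -> bool:
    """True if any route in the table covers the destination."""
    dst = ipaddress.IPv4Address(destination)
    return any(dst in r.prefix for r in routing_table(lease))


# Constructed option 121 payload: a host route to remediation server 10.0.50.10
# and a /24 route to a remediation subnet 10.0.60.0. Router 10.0.50.100 is the
# client's own address (assumed), which makes both routes on-link.
REMEDIATION_ROUTES = bytes([
    32, 10, 0, 50, 10, 10, 0, 50, 100,   # 10.0.50.10/32 via 10.0.50.100
    24, 10, 0, 60,     10, 0, 50, 100,   # 10.0.60.0/24 via 10.0.50.100
])


def restricted_lease() -> Lease:
    """What a non-compliant client gets: host mask, no gateway, remediation routes."""
    return Lease(ipaddress.IPv4Address("10.0.50.100"),
                 ipaddress.IPv4Address("255.255.255.255"), None,
                 parse_classless_static_routes(REMEDIATION_ROUTES))


def compliant_lease() -> Lease:
    """What the same client gets after remediation: normal mask and a gateway."""
    return Lease(ipaddress.IPv4Address("10.0.50.100"),
                 ipaddress.IPv4Address("255.255.255.0"),
                 ipaddress.IPv4Address("10.0.50.1"), [])


if __name__ == "__main__":
    for name, lease in (("restricted", restricted_lease()), ("compliant", compliant_lease())):
        for dst in ("10.0.50.10", "10.0.60.7", "10.0.50.11", "192.0.2.1"):
            print(f"{name:10} {dst:12} reachable={reachable(lease, dst)}")
```

Under the restricted lease only 10.0.50.10 and 10.0.60.0/24 are reachable; a neighbour such as 10.0.50.11 is not, because a /32 mask leaves nothing on-link and there is no default route. Replacing the lease with a manually configured 255.255.255.0 and gateway is all it takes to undo this, which is the circumvention the slide refers to.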

Considerations for Designing VPN Enforcement
Non-compliant computers are:
- Limited by IP packet filters that NPS returns to the VPN server and that RRAS applies to the connection
Considerations for VPN enforcement are:
- Must use NAP-integrated RRAS (Routing and Remote Access)
- Health status is sent as part of the authentication process (PEAP)
- Best suited for remote connections where a VPN is already used

Considerations for Designing 802.1X Enforcement
Non-compliant computers are:
- Limited by packet filters (ACLs) enforced by the switch
- Limited by a restricted VLAN enforced by the switch
Considerations for 802.1X enforcement:
- More secure than DHCP enforcement, because the restriction is applied by the switch rather than depending on the client's own IP configuration
- Switches (and wireless access points) must support 802.1X
- Health status is sent as part of the authentication process (PEAP)

Considerations for Designing IPsec Enforcement
Non-compliant computers are:
- Limited by IPsec policies: computers in the secure network require a health certificate before accepting inbound connections
Considerations for IPsec enforcement:
- Offers the highest level of security, because enforcement is performed by every compliant host rather than by the network infrastructure
- Can provide encryption of data
- Requires no additional hardware
- Can be used for both IPv4 and IPv6
- Requires a CA and an HRA
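To tie the pieces of IPsec enforcement together (the SHA statement, the SHV policy on NPS, the HRA issuing a short-lived health certificate, and the accept decision a secure-network host makes), here is an added simulation written for this page; it is not code from the course or from Microsoft's NAP implementation, and it creates no real certificates or IPsec policy. The statement of health, the policy and the certificate are simplified models, the clock, host names and CA name are constructed, and the System Health Authentication EKU OID used as the certificate marker (1.3.6.1.4.1.311.47.1.1) is an assumption here.

```python
"""Simulation of NAP IPsec enforcement: SHA statement -> SHV policy on NPS ->
HRA-issued short-lived health certificate -> secure-network peer decision.

Added example, not from the course material. Models only; no real
certificates. The EKU OID below is assumed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

SYSTEM_HEALTH_EKU = "1.3.6.1.4.1.311.47.1.1"  # assumed System Health Authentication OID
TRUSTED_HEALTH_CA = "Corp NAP CA"               # constructed issuer name


@dataclass
class StatementOfHealth:          # what the client's SHAs report (SoH)
    firewall_enabled: bool
    antivirus_signature_age_days: int


@dataclass
class HealthPolicy:               # what the SHV on NPS requires
    require_firewall: bool = True
    max_signature_age_days: int = 7


@dataclass
class HealthResponse:             # the SoHR NPS returns
    compliant: bool
    remediation: list = field(default_factory=list)


@dataclass
class HealthCertificate:
    subject: str
    issuer: str
    eku: tuple
    not_before: datetime
    not_after: datetime


def validate_soh(soh: StatementOfHealth, policy: HealthPolicy) -> HealthResponse:
    """SHV logic on the health policy server: compare reported to required
    and list what the client must fix (served by the remediation servers)."""
    remediation = []
    if policy.require_firewall and not soh.firewall_enabled:
        remediation.append("enable firewall")
    if soh.antivirus_signature_age_days > policy.max_signature_age_days:
        remediation.append("update antivirus signatures")
    return HealthResponse(compliant=not remediation, remediation=remediation)


def hra_issue(subject: str, soh: StatementOfHealth, policy: HealthPolicy,
              now: datetime, lifetime_hours: int = 4):
    """HRA flow: forward the SoH to NPS; only a compliant result gets a
    certificate from the CA, valid for hours rather than years."""
    result = validate_soh(soh, policy)
    if not result.compliant:
        return None, result
    cert = HealthCertificate(subject=subject, issuer=TRUSTED_HEALTH_CA,
                             eku=(SYSTEM_HEALTH_EKU,), not_before=now,
                             not_after=now + timedelta(hours=lifetime_hours))
    return cert, result


def secure_peer_accepts(cert: Optional[HealthCertificate], now: datetime) -> bool:
    """IPsec policy on a secure-network host: the inbound peer must present a
    current health certificate from the trusted CA carrying the health EKU.
    Expiry alone removes a lapsed client; no revocation lookup is needed."""
    if cert is None:
        return False
    return (cert.issuer == TRUSTED_HEALTH_CA
            and SYSTEM_HEALTH_EKU in cert.eku
            and cert.not_before <= now < cert.not_after)


def boundary_server_accepts(cert: Optional[HealthCertificate], now: datetime) -> bool:
    """HRA and remediation servers accept peers with or without a certificate,
    otherwise a restricted client could never remediate."""
    return True


def demo() -> dict:
    now = datetime(2008, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    policy = HealthPolicy()
    healthy = StatementOfHealth(firewall_enabled=True, antivirus_signature_age_days=2)
    sick = StatementOfHealth(firewall_enabled=False, antivirus_signature_age_days=20)
    cert, _ = hra_issue("laptop1", healthy, policy, now)
    no_cert, sohr = hra_issue("laptop2", sick, policy, now)
    return {
        "healthy_now": secure_peer_accepts(cert, now),
        "healthy_after_expiry": secure_peer_accepts(cert, now + timedelta(hours=5)),
        "sick_secure": secure_peer_accepts(no_cert, now),
        "sick_boundary": boundary_server_accepts(no_cert, now),
        "sick_remediation": sohr.remediation,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The two outcomes worth noticing are that the non-compliant client is refused by secure-network hosts but still reaches the boundary network, and that the compliant client's certificate stops working by itself a few hours later, which is exactly why a short validity period replaces revocation in this design.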