Module 6: Network Policies and Access Protection
Module Overview
- Describe how Network Access Protection (NAP) works
- Identify NAP enforcement options
- Identify scenarios for NAP usage
- Describe Routing and Remote Access (RRAS)
Lesson 1: Network Access Protection
- Identify uses for NAP
- Describe NAP
- Describe how NAP integrates with other components
- Describe NAP architecture
- Describe Network Layer Protection with NAP
- Describe Host Layer Protection with NAP
Why Use Network Access Protection?
(Diagram: a private network with a healthy computer and an unhealthy computer.)
Network Protection Services Overview
- Network Policy Server (NPS): Network Access Protection (NAP) Policy Server, IEEE Wireless, IEEE Wired, RADIUS Server, RADIUS Proxy
- Routing and Remote Access: Remote Access Service, Routing
- Health Registration Authority (HRA)
NAP Architecture Overview
- Client: System Health Agent (SHA) from MS and 3rd parties; Quarantine Agent (QA); Enforcement Client (EC) for DHCP, IPsec, 802.1X and VPN
- Network Access Devices and Servers: carry network access requests and health statements to the policy server
- MS Network Policy Server: Quarantine Server (QS); System Health Validators; health policy
- System Health Servers: supply policy updates to the NPS
- Remediation Servers: supply updates to quarantined clients
- Health Certificate: issued to a client once it is found compliant
Network Layer Protection with NAP
(Diagram: Client, 802.1X Switch, MS NPS, System Health Servers, Remediation Servers, Restricted Network. System Health Servers send ongoing policy updates to the Network Policy Server.)
1. Client to NPS: "May I have access? Here's my current health status."
2. NPS to System Health Servers: "Should this client be restricted based on its health?"
3. System Health Servers: "According to policy, the client is not up to date. Quarantine client, request it to update."
4. NPS to client: "You are given restricted access until fix-up."
5. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
6. Client to NPS: "Requesting access. Here's my new health status."
7. System Health Servers: "According to policy, the client is up to date. Grant access."
8. Client is granted access to the full intranet.
Host Layer Protection with NAP
(Diagram: Client, HRA, NPS, Remediation Server; network zones labelled No Policy, Authentication Optional, Authentication Required.)
1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client ok?" NPS: "No. Needs fix-up."
3. HRA to client: "You don't get a health certificate. Go fix up."
4. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
5. Client resubmits its SoH; NPS: "Yes. Issue health certificate."
6. HRA to client: "Here's your health certificate."
Lesson 2: Enforcement Options
- Identify the NAP enforcement options
- Show how NAP works with DHCP enforcement
- Show how NAP works with IPsec-based communication
- Show how NAP works with RRAS
NAP – Enforcement Options
Enforcement   Healthy Client                                  Unhealthy Client
DHCP          Full IP address given, full access              Restricted set of routes
VPN           Full access                                     Restricted VLAN
802.1X        Full access                                     Restricted VLAN
IPsec         Can communicate with any trusted peer           Healthy peers reject connection requests from unhealthy systems
IPsec enforcement complements layer 2 protection, works with existing servers and infrastructure, and offers flexible isolation.
NAP with DHCP
(Diagram: Client, DHCP Server, NPS Server, Remediation Servers; VPN Server and IEEE 802.1X Devices shown as other enforcement points.)
1. Client to DHCP Server: "I need to lease an IP address." The health status is passed to the NPS Server.
2. NPS: "You are not within the Health Policy requirements." The client is given a restricted lease.
3. The client requests and receives updates from the Remediation Servers.
4. Client: "Requesting access. Here's my new health status."
5. NPS: "Access Granted. Here is your new IP Address."
IPsec-based Communication
(Diagram: Secure network, Boundary network and Restricted network; IPsec-authenticated traffic versus unauthenticated traffic.)
NAP with RRAS
(Diagram: Client exchanges PEAP messages with the VPN Server; the VPN Server exchanges RADIUS messages with the NPS Server; Remediation Servers are reachable from the restricted client.)
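The request, restrict, fix-up and re-request loop shown in the Network Layer, DHCP and RRAS slides, modelled as an added example (not part of the original module). The health policy, the SoH fields and the per-method restriction strings are constructed here from the slides, not taken from a real SHV.

```python
from dataclasses import dataclass

# Constructed health policy: the requirements a System Health Validator (SHV)
# on the NPS checks a client's Statement of Health (SoH) against.
HEALTH_POLICY = {"firewall_enabled": True, "antivirus_current": True, "updates_current": True}

# What a non-compliant client gets, per enforcement method on the
# "NAP - Enforcement Options" slide; a compliant client always gets full access.
RESTRICTED_ACCESS = {
    "DHCP": "restricted set of routes",
    "VPN": "restricted VLAN",
    "802.1X": "restricted VLAN",
    "IPsec": "no health certificate; healthy peers reject its connections",
}

@dataclass
class StatementOfHealth:
    """SoH as reported by the client's System Health Agent (SHA)."""
    client: str
    firewall_enabled: bool
    antivirus_current: bool
    updates_current: bool

def validate(soh):
    """SHV step: return the names of the requirements the SoH fails."""
    return [name for name, want in HEALTH_POLICY.items() if getattr(soh, name) != want]

def evaluate(soh, enforcement):
    """NPS decision: full access when compliant, otherwise the method's restriction."""
    failed = validate(soh)
    if not failed:
        return {"decision": "compliant", "access": "full", "remediate": []}
    return {"decision": "noncompliant", "access": RESTRICTED_ACCESS[enforcement], "remediate": failed}

def remediate(soh, failed):
    """Remediation-server step: bring each failed item into line with the policy."""
    for name in failed:
        setattr(soh, name, HEALTH_POLICY[name])

def nap_session(soh, enforcement, max_rounds=3):
    """Walk the request -> restrict -> fix-up -> re-request loop; return the decisions made."""
    decisions = []
    for _ in range(max_rounds):
        result = evaluate(soh, enforcement)
        decisions.append(result["decision"])
        if result["access"] == "full":
            break
        remediate(soh, result["remediate"])
    return decisions

if __name__ == "__main__":
    laptop = StatementOfHealth("roaming-laptop", firewall_enabled=False, antivirus_current=True, updates_current=False)
    print(evaluate(laptop, "DHCP"))    # noncompliant, access: restricted set of routes
    print(nap_session(laptop, "DHCP"))  # ['noncompliant', 'compliant']
```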
Lesson 3: Network Access Protection Scenarios
- Describe a roaming laptops NAP scenario
- Describe a desktop computers NAP scenario
- Describe a visiting laptops NAP scenario
- Describe an unmanaged home computer NAP scenario
Scenario 1: Roaming Laptops NAP
Scenario 2: Health of Desktop Computers
(Diagram: Network Policy Server.)
Scenario 3: Health of Visiting Laptops
(Diagram: Network Policy Server.)
Scenario 4: Unmanaged Home Computers