
Implementing Network Access Protection



Presentation on theme: "Implementing Network Access Protection"— Presentation transcript:

1 Implementing Network Access Protection

2 Module Overview
- Overview of Network Access Protection
- How NAP Works
- Configuring NAP
- Monitoring and Troubleshooting NAP

3 Overview of Network Access Protection
- What Is Network Access Protection?
- NAP Scenarios
- NAP Enforcement Methods
- NAP Platform Architecture

4 What Is Network Access Protection?
Network Access Protection can:
- Enforce health-requirement policies on client computers
- Ensure client computers are compliant with policies
- Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:

5 NAP Enforcement Methods
Key Points
- IPsec enforcement for IPsec-protected communications: the computer must be compliant to communicate with other compliant computers. This is the strongest NAP enforcement type, and it can be applied per IP address or per protocol port number.
- 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections: the computer must be compliant to obtain unlimited access through an 802.1X connection (authenticating switch or access point).
- VPN enforcement for remote access connections: the computer must be compliant to obtain unlimited access through a RAS connection.
- DirectAccess: the computer must be compliant to obtain unlimited network access. For noncompliant computers, access is restricted to a defined group of infrastructure servers.
- DHCP enforcement for DHCP-based address configuration: the computer must be compliant to receive an unlimited-access IPv4 address configuration from DHCP. This is the weakest form of NAP enforcement.

6 NAP Platform Architecture
[Diagram: NAP platform architecture. Intranet components: Remediation Servers, NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, Active Directory, VPN Server. Also shown: Internet, Perimeter Network, and a Restricted Network containing a NAP Client with limited access.]

7 How NAP Works
- NAP Enforcement Processes
- IPsec Enforcement
- 802.1X Enforcement
- VPN Enforcement
- DHCP Enforcement

8 NAP Enforcement Processes
[Diagram: NAP enforcement processes. Components: NAP Client, HRA, VPN Server, DHCP Server, IEEE 802.1X Network Access Devices, NAP Health Policy Server, Health Requirement Server, Remediation Server. Message flows: RADIUS Messages, System Health Updates, HTTP or HTTP over SSL Messages, Requirement Queries, DHCP Messages, PEAP Messages over PPP, PEAP Messages over EAPOL.]

9 IPsec Enforcement
Key Points of IPsec NAP Enforcement:
- Comprised of a health certificate server and an IPsec NAP EC
- The health certificate server issues X.509 certificates to quarantined clients when they are verified as compliant
- The certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
- IPsec enforcement confines communication on a network to those nodes that are considered compliant
- You can define requirements for secure communications with compliant clients on a per-IP-address or a per-TCP/UDP-port-number basis
[Diagram: NAP platform architecture, as on slide 6.]

10 802.1X Enforcement
Key Points of 802.1X Wired or Wireless NAP Enforcement:
- The computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
- Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
- Restricted-access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
- 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted-access profile to the connection if the client becomes noncompliant
[Diagram: NAP platform architecture, as on slide 6.]

11 VPN Enforcement
Key Points of VPN NAP Enforcement:
- The computer must be compliant to obtain unlimited network access through a remote access VPN connection
- Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
- VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
[Diagram: NAP platform architecture, as on slide 6.]

12 DHCP Enforcement
Key Points of DHCP NAP Enforcement:
- The computer must be compliant to obtain an unlimited-access IPv4 address configuration from a DHCP server
- Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
- DHCP enforcement actively monitors the health status of the NAP client, renewing the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant
[Diagram: NAP platform architecture, as on slide 6.]

13 Configuring NAP
- What Are System Health Validators?
- What Is a Health Policy?
- What Are Remediation Server Groups?
- NAP Client Configuration

14 What Are System Health Validators?
- System Health Validators (SHVs) are the server-side counterparts of system health agents (SHAs)
- Each SHA on the client has a corresponding SHV in NPS
- SHVs allow NPS to verify the statement of health made by the corresponding SHA on the client
- SHVs contain the configuration settings required on client computers
- The Windows Security SHV corresponds to the Microsoft SHA on client computers

15 What Is a Health Policy?
- To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it
- Health policies consist of one or more SHVs and other settings that let you define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
- You define client health policies in NPS by adding one or more SHVs to the health policy
- NPS accomplishes NAP enforcement on a per-network-policy basis
- After you create a health policy by adding one or more SHVs to it, you add the health policy to the network policy and enable NAP enforcement in that policy

16 What Are Remediation Server Groups?
- With NAP enforcement in place, you should specify remediation server groups so that noncompliant NAP-capable clients have access to the resources that bring them into compliance
- A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
- A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates

17 NAP Client Configuration
- Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center
- The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
- You must also configure the NAP enforcement clients on the NAP-capable computers
- Most NAP client settings can be configured with a GPO

18 Monitoring and Troubleshooting NAP
- What Is NAP Tracing?
- Troubleshooting NAP with Netsh
- Troubleshooting NAP with Event Logs

19 What Is NAP Tracing?
NAP tracing identifies NAP events and records them to a log file at one of the following tracing levels:
- Basic
- Advanced
- Debug
You can use tracing logs to:
- Evaluate the health and security of your network
- Troubleshoot and maintain NAP
NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs until you enable it.

20 Troubleshooting NAP with Netsh
You can use the following netsh NAP commands to help you troubleshoot NAP issues:
- netsh nap client show state
- netsh nap client show config
- netsh nap client show group

21 Troubleshooting NAP with Event Logs
Event ID   Meaning
6272       Successful authentication has occurred
6273       Successful authentication has not occurred
6274       A configuration problem exists
6276       NAP client quarantined
6277       NAP client is on probation
6278       NAP client granted full access
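As an added example (not part of the course slides), the following PowerShell function pulls the event IDs from the table above out of the NPS server's Security log and summarises them, so quarantine and configuration problems stand out; the 24-hour look-back window, the event cap and the IDs treated as problems are assumptions.

```powershell
# Added example: summarise NPS/NAP events from the Security log.
# Assumes it runs on the NPS server with rights to read the Security log.

# Meaning of each event ID, as listed in the slide table
$NapEventMeaning = @{
    6272 = 'Successful authentication has occurred'
    6273 = 'Successful authentication has not occurred'
    6274 = 'A configuration problem exists'
    6276 = 'NAP client quarantined'
    6277 = 'NAP client is on probation'
    6278 = 'NAP client granted full access'
}

function Get-NapEventSummary {
    param(
        [int]$Hours = 24,        # look-back window (assumed default)
        [int]$MaxEvents = 5000   # cap on events read from the log
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273, 6274, 6276, 6277, 6278
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
                           -ErrorAction SilentlyContinue

    # One row per event ID: how often it fired and when it last fired
    $events | Group-Object Id | ForEach-Object {
        $id = [int]$_.Name
        [pscustomobject]@{
            EventId = $id
            Meaning = $NapEventMeaning[$id]
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending |
                       Select-Object -First 1).TimeCreated
        }
    } | Sort-Object EventId
}

$summary = Get-NapEventSummary -Hours 24
$summary | Format-Table -AutoSize

# Quarantined clients (6276) and configuration problems (6274) deserve a closer look
$problems = $summary | Where-Object { $_.EventId -in 6274, 6276 }
if ($problems) {
    $detail = ($problems | ForEach-Object { "$($_.EventId) x$($_.Count)" }) -join ', '
    Write-Warning "NAP problems in the last 24h: $detail"
}
```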

22 Summary
- Overview of Network Access Protection
- How NAP Works
- Configuring NAP
- Monitoring and Troubleshooting NAP

