Published by Richard Eckford. Modified over 10 years ago.
Slide 2: 5.1 Overview of Network Access Protection
- What is Network Access Protection
- NAP Scenarios
- NAP Enforcement Methods
- NAP Platform Architecture
- NAP Architecture Interactions
- NAP Client Infrastructure
- NAP Server-side Infrastructure
- Communication Between NAP Platform Components
Slide 3: What is Network Access Protection
NAP can:
- Enforce health-requirement policies on client computers
- Ensure client computers are compliant with policies
- Offer remediation support for computers that do not meet health requirements
NAP cannot:
- Enforce health requirement policies on client computers
- Ensure client computers are compliant with policies
Three important and distinct aspects:
- Health state validation
- Health policy compliance
- Limited access
Slide 4: NAP Scenarios
NAP benefits the network infrastructure by verifying the health state of:
- Roaming laptops
- Desktop computers
- Visiting laptops
- Unmanaged home computers
Slide 5: NAP Enforcement Methods
IPsec enforcement (for IPsec-protected communications):
- Computer must be compliant to communicate with other compliant computers
- The strongest NAP enforcement type; it can be applied per IP address or per protocol port number
802.1X enforcement (for IEEE 802.1X-authenticated wired or wireless connections):
- Computer must be compliant to obtain unlimited access through an 802.1X connection (authenticating switch or access point)
VPN enforcement (for remote access connections):
- Computer must be compliant to obtain unlimited access through a RAS connection
DHCP enforcement (for DHCP-based address configuration):
- Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
- This is the weakest form of NAP enforcement
Slide 6: NAP Platform Architecture (diagram). Components shown: Intranet, Remediation Servers, Internet, NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, Active Directory, VPN Server, Restricted Network, NAP Client with limited access, Perimeter Network.
Slide 7: NAP Architecture Interactions (diagram). Components shown: HRA, VPN Server, DHCP Server, IEEE 802.1X Network Access Devices, Health Requirement Server, Remediation Server, NAP Client, NAP Health Policy Server. Message flows shown: RADIUS Messages, System Health Updates, HTTP or HTTP over SSL Messages, System Health Requirement Queries, DHCP Messages, PEAP Messages over PPP, PEAP Messages over EAPOL.
Slide 8: NAP Client Infrastructure
The NAP client architecture consists of:
- A layer of NAP EC components
- A layer of system health agent (SHA) components
- NAP agent
- SHA application programming interface (API)
- NAP EC API
Slide 9: NAP client architecture (diagram). Shows Remediation Server 1 and Remediation Server 2, and the NAP Client containing the NAP Agent, the NAP EC API with NAP EC_A, NAP EC_B and NAP EC_C, and the SHA API with SHA_1, SHA_2, SHA_3, ...
Slide 10: NAP Server-side Infrastructure (diagram). Shows Health Requirement Server 1 and Health Requirement Server 2; the NAP Health Policy Server containing the NAP Administration Server, the SHV API with SHV_1, SHV_2, SHV_3, ..., and the NPS Service; and, connected by RADIUS, a Windows-based NAP Enforcement Point containing NAP ES_A, NAP ES_B, NAP ES_C, ...
Slide 11: Communication Between NAP Platform Components
The NAP Agent component can communicate with the NAP Administration Server component through the following process:
1. The NAP Agent passes the SSoH to the NAP EC
2. The NAP EC passes the SSoH to the NAP ES
3. The NAP ES passes the SSoH to the NPS service
4. The NPS service passes the SSoH to the NAP Administration Server
The NAP Administration Server can communicate with the NAP Agent through the following process:
1. The NAP Administration Server passes the system statement of health response (SSoHR) to the NPS service
2. The NPS service passes the SSoHR to the NAP ES
3. The NAP ES passes the SSoHR to the NAP EC
4. The NAP EC passes the SSoHR to the NAP Agent
Slide 12: Communication Between NAP Platform Components (continued)
An SHA can communicate with its corresponding SHV through the following process:
1. The SHA passes its SoH to the NAP Agent
2. The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC
3. The NAP EC passes the SoH to the NAP ES
4. The NAP ES passes the SoH to the NAP Administration Server
5. The NAP Administration Server passes the SoH to the SHV
The SHV can communicate with its corresponding SHA through the following process:
1. The SHV passes its SoHR to the NAP Administration Server
2. The NAP Administration Server passes the SoHR to the NPS service
3. The NPS service passes the SoHR, contained within the SSoHR, to the NAP ES
4. The NAP ES passes the SoHR to the NAP EC
5. The NAP EC passes the SoHR to the NAP Agent
6. The NAP Agent passes the SoHR to the SHA
Slide 13: NAP platform components (diagram). Shows the NAP Health Policy Server (NAP Administration Server, SHV API with SHV_1 and SHV_2, NPS Service) connected by RADIUS to a Windows-based NAP Enforcement Point (NAP ES_A, NAP ES_B); Health Requirement Server 1 and Health Requirement Server 2; the NAP Client (NAP Agent, NAP EC API with NAP EC_A and NAP EC_B, SHA API with SHA1 and SHA2); and Remediation Server 1 and Remediation Server 2.
Slide 14: 5.2 How NAP Works
- NAP Enforcement Process
- How IPsec Enforcement Works
- How 802.1X Enforcement Works
- How VPN Enforcement Works
- How DHCP Enforcement Works
Slide 15: NAP Enforcement Process
To validate network access based on system health, a network infrastructure must provide the following functionality:
- Health policy validation: Determines whether computers are compliant with health policy requirements
- Network access limitation: Limits access for noncompliant computers
- Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant
- Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements
Slide 16: How IPsec Enforcement Works
- Comprised of a health certificate server and an IPsec NAP EC
- The health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant
- Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
- IPsec enforcement confines the communications on a network to those nodes that are considered compliant
- You can define requirements for secure communications with compliant clients on a per-IP address or per-TCP/UDP port number basis
Slide 17: How 802.1X Enforcement Works
- Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
- Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
- Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
- 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant
Slide 18: How VPN Enforcement Works
- Computer must be compliant to obtain unlimited network access through a remote access VPN connection
- Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server
- VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
Slide 19: How DHCP Enforcement Works
- Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
- Noncompliant computers have network access limited by an IPv4 address configuration that allows access only to the restricted network
- DHCP enforcement actively monitors the health status of the NAP client and renews the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant
Slide 20: 5.3 Configuring NAP
- What are System Health Validators
- What is a Health Policy
- What are Remediation Server Groups
- NAP Client Configuration
Slide 21: What are System Health Validators?
- Each SHA on the client has a corresponding SHV in NPS
- SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client
- SHVs contain the required configuration settings on client computers
- The Windows Security SHV corresponds to the Microsoft SHA on client computers
Slide 22: What is a Health Policy?
- Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
- You can define client health policies in NPS by adding one or more SHVs to the health policy
- NAP enforcement is accomplished by NPS on a per-network policy basis
- After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy
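The SoH/SoHR round trip from slides 11 and 12 and the health-policy decision from slide 22, modelled as an added Python example (this is not code from the presentation or from Microsoft's NAP implementation). Component names follow the slides; the SHA id, the health claims the SHV checks, the health-policy modes and the address ranges handed out by the DHCP enforcement server are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of one NAP health-check round trip. Names, SHA ids and
# health claims are assumptions for illustration, not Microsoft's real API.
@dataclass
class SoH:                 # statement of health produced by one SHA
    sha_id: int
    claims: dict

@dataclass
class SoHR:                # response from the SHV that corresponds to that SHA
    sha_id: int
    compliant: bool
    failed: list = field(default_factory=list)   # what remediation must fix

# Assumed SHV modelled on the kind of checks a Windows Security SHV performs.
def windows_security_shv(soh: SoH) -> SoHR:
    required = {"firewall_on": True, "antivirus_up_to_date": True, "auto_update_on": True}
    failed = [k for k, v in required.items() if soh.claims.get(k) != v]
    return SoHR(soh.sha_id, not failed, failed)

SHVS = {1: windows_security_shv}   # SHV registry keyed by SHA id (assumed id)

def nap_agent_build_ssoh(sohs):
    # NAP Agent bundles every SHA's SoH into one SSoH that the NAP EC forwards
    return {"sohs": list(sohs)}

def nap_admin_server(ssoh, health_policy="all_must_pass"):
    # NAP Administration Server (behind NPS) hands each SoH to its SHV and
    # applies the health policy to the SoHRs to decide the access level.
    sohrs = [SHVS[s.sha_id](s) for s in ssoh["sohs"] if s.sha_id in SHVS]
    passed = [r.compliant for r in sohrs]
    ok = all(passed) if health_policy == "all_must_pass" else any(passed)
    return {"sohrs": sohrs, "access": "unlimited" if ok else "restricted"}

def dhcp_es_configure(ssohr):
    # DHCP enforcement: a restricted client gets an address configuration that
    # only reaches the restricted (remediation) network. Subnets are constructed.
    if ssohr["access"] == "unlimited":
        return {"ip": "10.0.1.25", "router": "10.0.1.1", "routes": ["0.0.0.0/0"]}
    return {"ip": "10.0.1.25", "router": None, "routes": ["10.0.99.0/24"]}

def nap_agent_handle_ssohr(ssohr):
    # NAP Agent routes each SoHR to its SHA; failed SoHRs list what to remediate.
    return {r.sha_id: r.failed for r in ssohr["sohrs"] if not r.compliant}

def health_check_cycle(claims):
    ssoh = nap_agent_build_ssoh([SoH(1, claims)])
    ssohr = nap_admin_server(ssoh)
    return ssohr["access"], dhcp_es_configure(ssohr), nap_agent_handle_ssohr(ssohr)
```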
Slide 23: What are Remediation Server Groups?
- A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
- A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates
Slide 24: NAP Client Configuration
- Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center
- The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
- You also must configure the NAP enforcement clients on the NAP-capable computers
Slide 25: 5.4 Monitoring and Troubleshooting NAP
- What is NAP Tracing
- Configuring NAP Tracing
Slide 26: What is NAP Tracing?
- NAP tracing identifies NAP events and records them to a log file based on one of the tracing levels:
  - Basic
  - Advanced
  - Debug
- You can use tracing logs to:
  - Evaluate the health and security of your network
  - Troubleshoot and perform maintenance
- NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs
Slide 27: Configuring NAP Tracing
- You can configure NAP tracing by using:
  - The NAP Client Management console
  - The Netsh command-line tool
- To enable logging functionality, you must be a member of the Local Administrators group
- Trace logs are located in the directory %systemroot%\tracing\nap
Slide 28: End of Chapter 5