Slide 1: Module 9: Designing Network Access Protection

Slide 2: Scenarios for Implementing NAP
Verifying the health of:
- Roaming laptops
- Desktop computers
- Visiting laptops
- Home computers used for remote access

Slide 3: Lesson: NAP Architecture
- Network Components and Services for NAP
- NAP Architecture Overview
- Network Layer Protection with NAP
- Host Layer Protection with NAP
- NAP and Certificate Services

Slide 4: Network Components and Concepts for NAP

Component                            Description
NAP client                           Presents health status to an enforcement point
Enforcement point                    Controls access to the network
NAP health policy server             NPS server that checks compliance with policies
Remediation servers                  Servers that can be accessed by non-compliant computers to become compliant
Health registration authority (HRA)  Issues health certificates for IPsec enforcement

Slide 5: NAP Architecture Overview (diagram)
Components shown: Client with System Health Agent (SHA) (MS and 3rd parties), NAP Agent and Enforcement Client (EC) (DHCP, IPsec, 802.1X, VPN); Network Access Devices and Servers; NAP Server with Health Policy Server (NPS) and System Health Validator; System Health Servers; Remediation Servers. Flows shown: Health Statements, Health Certificate, Network Access Requests.

Slide 6: Network Layer Protection with NAP (diagram)
Components shown: Client, 802.1x switch, NPS Server, Remediation Server. Two states shown: "Restricted network created" and "Unrestricted access granted".

Slide 7: NAP and Certificate Services
Certificate Services is:
- Used for IPsec enforcement to generate health certificates
- Contacted by an HRA
Health certificates should have a short expiry of 24-48 hours.

Slide 8: Lesson 3: NAP Enforcement
- NAP Enforcement Methods
- IPsec Enforcement
- VPN Enforcement
- DHCP Enforcement

Slide 9: NAP Enforcement Methods
Enforcement methods available for NAP are:
- Internet Protocol security (IPsec) communications: enforces health policies when a client computer attempts to communicate with another computer using IPsec
- Extensible Authentication Protocol (EAP) for IEEE 802.1X connections: enforces health policies when a client computer attempts to access a network using EAP through an 802.1X wireless connection or an authenticating switch connection
- Remote access for VPN connections: enforces health policies when a client computer attempts to gain access to the network through a VPN connection
- Dynamic Host Configuration Protocol (DHCP): enforces health policies when a client computer attempts to obtain an IP address from a DHCP server
- TS Gateway: enforces health policies when a client computer attempts to communicate through a TS Gateway

Slide 10: IPsec Enforcement (diagram)
Network zones shown: Secure Network, Boundary Network, Restricted Network.

Slide 11: VPN Enforcement (diagram)
Components shown: Client, VPN Server, NPS Server, Remediation Servers. Flows shown: PEAP Messages, RADIUS Messages.

Slide 12: DHCP Enforcement (diagram)
Components shown: Client, DHCP Server, NPS Server, Remediation Servers. Sequence shown: client not within the Health Policy requirements; client obtains updates; access granted and client given a new IP address.

Slide 13: System Health Agents and Validators
System Health Validator (SHV):
- Is the server-side complement to an SHA
- Compares client health to required status
System Health Agent (SHA):
- Is present on clients
- Publishes health status
- Includes Windows SHA
- Can be obtained from third parties

Slide 14: Lesson: Designing NAP Enforcement and Remediation
- Considerations for Designing DHCP Enforcement
- Considerations for Designing VPN Enforcement
- Considerations for Designing 802.1X Enforcement
- Considerations for Designing IPsec Enforcement
- Discussion: Selecting an Enforcement Method
- Discussion: Selecting Remediation Servers

Slide 15: Considerations for Designing DHCP Enforcement
Non-compliant computers are:
- Given 0.0.0.0 as a default gateway
- Given 255.255.255.255 as a subnet mask
- Given static host routes to remediation servers
Some considerations for DHCP enforcement are:
- Must use Windows Server 2008 DHCP server
- IPv6 is not supported for NAP and Windows Server 2008 DHCP server
- Health status is sent as part of the lease request
- Can be circumvented by using a static IP address
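An added audit check (not part of the course material) that reads one client's adapter settings and routing table and reports whether the lease matches the restricted profile described on this slide, and whether the client is statically addressed so that DHCP enforcement never applied to it; the ipconfig /all and route print excerpts are constructed samples.

```python
"""Audit one adapter for the NAP DHCP-enforcement restricted profile.
Added example, not course material. It reads the fields that ipconfig /all and
route print show and applies slide 15: a restricted lease has 0.0.0.0 as default
gateway, 255.255.255.255 as subnet mask and /32 host routes to remediation
servers; a statically addressed client never went through DHCP enforcement."""
import re

# Constructed sample output (not real captures); values follow slide 15.
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DHCP Server . . . . . . . . . . . : 192.168.10.1
"""
SAMPLE_ROUTES = """Network Destination        Netmask          Gateway       Interface  Metric
      192.168.10.57  255.255.255.255         On-link   192.168.10.57    276
          10.0.0.20  255.255.255.255   192.168.10.57   192.168.10.57     11
          10.0.0.21  255.255.255.255   192.168.10.57   192.168.10.57     11
"""

def parse_ipconfig(text):
    """Pick out the adapter fields the classification needs, dot padding stripped."""
    fields = {}
    for key in ("DHCP Enabled", "IPv4 Address", "Subnet Mask", "Default Gateway"):
        m = re.search(r"^\s*" + re.escape(key) + r"[ .]*: *(\S+)", text, re.M)
        if m:
            fields[key] = m.group(1).split("(")[0]  # drop "(Preferred)"
    return fields

def remediation_routes(route_text, own_ip):
    """Return destinations of /32 host routes other than the client's own address."""
    hosts = []
    for line in route_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "255.255.255.255" and parts[0] != own_ip:
            hosts.append(parts[0])
    return hosts

def classify(fields):
    """Map the adapter fields to one of three DHCP-enforcement states."""
    if fields.get("DHCP Enabled", "").lower() != "yes":
        return "static-address"  # slide 15 caveat: DHCP enforcement never applied
    if fields.get("Subnet Mask") == "255.255.255.255" and fields.get("Default Gateway") == "0.0.0.0":
        return "nap-restricted"
    return "unrestricted"

if __name__ == "__main__":
    f = parse_ipconfig(SAMPLE_IPCONFIG)
    print(classify(f), remediation_routes(SAMPLE_ROUTES, f["IPv4 Address"]))
```

A "static-address" result is the case the slide warns about: such a client has to be covered by another enforcement method (802.1X or IPsec) rather than DHCP.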

Slide 16: Considerations for Designing VPN Enforcement
Non-compliant computers are:
- Limited by IP packet filters
Considerations for VPN enforcement are:
- Must use NAP-integrated RRAS
- Health status is sent as part of the authentication process
- Best suited for remote connections where a VPN is already used

Slide 17: Considerations for Designing 802.1X Enforcement
Non-compliant computers are:
- Limited by packet filters enforced by the switch
- Limited by a VLAN enforced by the switch
Considerations for 802.1X enforcement:
- More secure than DHCP enforcement
- Switches must support 802.1X
- Health status is sent as part of the authentication process

Slide 18: Considerations for Designing IPsec Enforcement
Non-compliant computers are:
- Limited by IPsec policies
Considerations for IPsec enforcement:
- Offers the highest level of security
- Can provide encryption of data
- Requires no additional hardware
- Can be used for both IPv4 and IPv6
- Requires a CA and HRA

