Presentation is loading. Please wait.

Presentation is loading. Please wait.

Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.

Published byStuart Lynch Modified over 9 years ago

Similar presentations

Presentation on theme: "Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008."— Presentation transcript:

1 Welcome Windows Server 2008 安全功能 -NAP

2 Network Access Protection in Windows Server 2008

3 Overview Network Policies Access Protection Enforcement Options Network Access Protection Scenarios

4 Lesson 1: Network Policies Access Protection Why Use Network Access Protection? Network Protection Services Overview Network Access Protection Solution NAP Architecture Overview Network Layer Protection with NAP Host Layer Protection with NAP

5 Why Use Network Access Protection? Private Network Unhealthy computer Healthy computer

6 NAP vs. Network Access Quarantine Control Network Access Protection Network Access Quarantine Control Internal, VPN and Remote Access Client Only VPN and Remote Access Clients IPSec, 802.1X, DHCP and VPNDHCP and VPN NAP NPS and Client included in Windows Server 2008 ; NAP client included in Vista Installed from Windows Server 2003 Resource Kit

7 Network Protection Services Overview Network Policy Server (NPS) Network Access Protection (NAP) Policy Server IEEE 802.11 Wireless IEEE 802.3 Wired RADIUS Server RADIUS Proxy Routing and Remote Access  Remote Access Service  Routing Health Registration Authority (HRA)

8 Network Access Protection Solution Polices, Procedures & Awareness Data Application Host Internal Network Perimeter Policy Validation Network Restriction Remediation Ongoing Compliance

9 NAP Architecture Overview MS Network Policy Server Quarantine Server (QS) Client Quarantine Agent (QA) Updates Health Statements Network Access Requests System Health Servers Remediation Servers Health Certificate Network Access Devices and Servers System Health Agent (SHA) MS and 3rd Parties System Health Validator Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN) Health policy

10 According to policy, the client is not up to date. Quarantine client, request it to update. Should this client be restricted based on its health? Network Layer Protection with NAP Requesting access. Here’s my new health status. MS NPS Client 802.1x Switch Remediation Servers May I have access? Here’s my current health status. Ongoing policy updates to Network Policy Server You are given restricted access until fix-up. Can I have updates? Here you go. Restricted Network Client is granted access to full intranet. System Health Servers According to policy, the client is up to date. Grant access.

11 Host Layer Protection with NAP Accessing the network X Remediation Server NPS HRA May I have a health certificate? Here’s my SoH. Client ok? No. Needs fix-up. You don’t get a health certificate. Go fix up. I need updates. Here you go. Here’s your health certificate. Yes. Issue health certificate. Client No Policy Authentication Optional Authentication Required Accessing the network X Remediation Server NPS HRA Client No Policy Authentication Optional Authentication Required

12 Technical Background NAP Platform Architecture NAP Enforcement Methods NAP Infrastructure NAP Client Architecture NAP Server Architecture Component Communication

13 NAP Infrastructure Health Policy Validation Health Policy Compliance Automatic Remediation Limited Access

14 NAP Platform Architecture

15 Network Access Protection Components (1 of 5) NAP Clients IPSec, 802.1X, VPN, DHCP NAP Servers-determine the System Health of any NAP Client Windows Server 2008 + Network Policy Server Remediation action are required for computers that are not compliant Health Registration Authority VPN Server DHCP Server NAP Clients IPSec, 802.1X, VPN, DHCP NAP Servers-determine the System Health of any NAP Client Windows Server 2008 + Network Policy Server Remediation action are required for computers that are not compliant Health Registration Authority VPN Server DHCP Server

16 Network Access Protection Components (2 of 5) NAP Clients IPSec, 802.1X, VPN, DHCP NAP Servers-determine the SH of any NAP Client Windows Server 2008 + Network Policy Server Remediation action are required for computers that are not compliant Health Registration Authority VPN Server DHCP Server NAP Clients IPSec, 802.1X, VPN, DHCP NAP Servers-determine the SH of any NAP Client Windows Server 2008 + Network Policy Server Remediation action are required for computers that are not compliant Health Registration Authority VPN Server DHCP Server

17 Network Access Protection Components (3 of 5) NPS Servers Replacement for the Internet Authentication Service (IAS) Windows server 2008 + Validate System Health Policy Active Directory Directory Service Group Policy Setting for IPSec 802.1X credential are stored in directory service NPS Servers Replacement for the Internet Authentication Service (IAS) Windows server 2008 + Validate System Health Policy Active Directory Directory Service Group Policy Setting for IPSec 802.1X credential are stored in directory service

18 Network Access Protection Components (4 of 5) Restricted Network Separate network segment (logical/physical) Contains the Remediation Servers Remediation Server Bring NAP Client into compliance with health policy System Health Agent (SHA) Check for particular health parameter Send a Statement of Health (SoH) to System Health Validator (SHV) Restricted Network Separate network segment (logical/physical) Contains the Remediation Servers Remediation Server Bring NAP Client into compliance with health policy System Health Agent (SHA) Check for particular health parameter Send a Statement of Health (SoH) to System Health Validator (SHV)

19 Network Access Protection Components (5 of 5) System Health Validator Compare the System of Health (SoH) sent from a System Health Agent (SHA) Statement of Health (SoH) SoH is response sent by a System Health Agent to a System Health Validator System Health Validator Compare the System of Health (SoH) sent from a System Health Agent (SHA) Statement of Health (SoH) SoH is response sent by a System Health Agent to a System Health Validator

20 Misconception Quarantine network is anything but empty SMS Server form within Quarantine Mode For starters, must have a DNS Server Don’t be a primary DNS server Finally, the DHCP and IAS server (VPN Quarantine Mode only) must accessable. Otherwise, a client would never be able to get out of Quarantine Mode after its Statement of Health has been update. Quarantine network is anything but empty SMS Server form within Quarantine Mode For starters, must have a DNS Server Don’t be a primary DNS server Finally, the DHCP and IAS server (VPN Quarantine Mode only) must accessable. Otherwise, a client would never be able to get out of Quarantine Mode after its Statement of Health has been update.

21 Lesson 2: Enforcement Options NAP – Enforcement Options NAP with DHCP IPsec-based Communication NAP with RRAS

22 NAP – Enforcement Options Restricted VLANFull access802.1X Healthy peers reject connection requests from unhealthy systems Can communicate with any trusted peer Complements layer 2 protection Works with existing servers and infrastructure Offers flexible isolation IPsec Restricted VLANFull accessVPN Restricted set of routesFull IP address given, full access DHCP Unhealthy ClientHealthy ClientEnforcement

23 NAP with DHCP NPS Server DHCP Server Requesting access. Here’s my new health status. The client requests and receives updates I need to Lease an IP address You are not within the Health Policy requirements Access Granted. Here is your new IP Address VPN Server Client IEEE 802.1X Devices Remediation Servers

24 Demo1: Using Network Access Protection Exercise 1: Configuring Network Access Protection for DHCP

25 NAP with RRAS VPN Server Remediation Servers RADIUS Messages PEAP Messages Client NPS Server

26 Demo2: Using Network Access Protection Exercise 1: Configuring Network Access Protection for VPN

27 IPSec-based Communication Secure network Boundary network Restricted network IPsec Authenticated Unauthenticated

28 NAP Enforcement Client 802.1X VPN IPSec DHCP NPS RADIUS

29 How NAP Works IPSec Enforcement IEEE 802.1X Logical Networks Remote Access VPNs DHCP

30 IPSec Enforcement in Logical Networks

31 Communication Initiation Process with IPSec Enforcement

32 NAP Client Health Certificate Process

33 IPSec Enforcement in NAP

34 IPSec Reviewing IPSec functionality OSI 7 Layer - Layer 3 Authentication methods for IPSec Pre-share Key Kerberos Certificate IPSec functionality OSI 7 Layer - Layer 3 Authentication methods for IPSec Pre-share Key Kerberos Certificate

35 Certificate Reviewing What’s Digital Certificate What’s Certificate Authority Digital Certificate for what? Identity user, computer, service Digital Certificate for IPSec What’s Digital Certificate What’s Certificate Authority Digital Certificate for what? Identity user, computer, service Digital Certificate for IPSec

36 Demo3: Network Access Protection - IPSec Create a Certificate Template for NAP Exemptions Enable Certificate AutoEnrollment Config NAP to Issue Health Certificates Config Health Registration Authority to request Certificate from subordinate CA Add System Health Validation Certificate to NPS Config GPO to Ensure Client are Configured to Implement NAP Verify Network Access Protection

37 802.1x Authenticated Connections

38 Lesson 3: Network Access Protection Scenarios Scenario 1: Roaming Laptops Scenario 2: Health of Desktop Computers Scenario 3: Health of Visiting Laptops Scenario 4: Unmanaged Home Computers

39 Scenario 1: Roaming Laptops NAP

40 Scenario 2: Health of Desktop Computers Network Policy Server

41 Scenario 3: Health of Visiting Laptops Network Policy Server

42 Scenario 4: Unmanaged Home Computers

43 NAP Authentication Process Background Network Access Protection Settings Authorization Policies Authentication Process

44 Implementation/Usage Scenarios Ensuring the Health of Corporate Desktops Checking the Health and Status of Roaming Laptops Determining the Health of Visiting Laptops Verify the Compliance of Home Computers

45 Summary Network Access Protection: Secures Remote Computers before accessing the Network Has Client and Server Components Can Use One or More of Several methods for Enforcement IPSec 802.1X VPN DHCP Provides Support for Third Party Software Network Access Protection: Secures Remote Computers before accessing the Network Has Client and Server Components Can Use One or More of Several methods for Enforcement IPSec 802.1X VPN DHCP Provides Support for Third Party Software

46 What Next? Windows Server 2008 Beta: https://connect.microsoft.com https://connect.microsoft.com Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx http://www.microsoft.com/windowsserver/longhorn/default.mspx Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17 http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17 Network Access Protection Home Page : http://www.microsoft.com/nap : http://www.microsoft.com/nap Introduction to Network Access Protection : http://go.microsoft.com/fwlink/?LinkId=49884 http://go.microsoft.com/fwlink/?LinkId=49884 Network Access Protection Platform Architecture : http://go.microsoft.com/fwlink/?LinkId=49885 http://go.microsoft.com/fwlink/?LinkId=49885 Network Access Protection Frequently Asked Questions : http://go.microsoft.com/fwlink/?LinkId=49886 http://go.microsoft.com/fwlink/?LinkId=49886 IPSec : http://www.microsoft.com/ipsec http://www.microsoft.com/ipsec Server and Domain Isolation : http://www.microsoft.com/technet/network/sdiso/default.mspx http://www.microsoft.com/technet/network/sdiso/default.mspx

Download ppt "Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008."

Similar presentations

Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.

Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.
Tech·Ed North America /6/2017 9:33 AM

Tech·Ed North America /6/2017 9:33 AM
Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.

Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
May 30 th – 31 st, 2006 Sheraton Ottawa. Network Access Protection Gene Ferioli Program Manager Customer Advisory Team Microsoft Corporation.

May 30 th – 31 st, 2006 Sheraton Ottawa. Network Access Protection Gene Ferioli Program Manager Customer Advisory Team Microsoft Corporation.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Chapter 13 Securing Windows Server 2008

Chapter 13 Securing Windows Server 2008
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Agenda Introduction Network Access Protection platform architecture

Agenda Introduction Network Access Protection platform architecture
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.

Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.
Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.

Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Jayson Ferron CIO Interactive Security Training WSV206.

Jayson Ferron CIO Interactive Security Training WSV206.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Windows Clients and Windows Server 2008 NAP: Session objectives See why using the built functionality of Windows in both.

Windows Clients and Windows Server 2008 NAP: Session objectives See why using the built functionality of Windows in both.

Similar presentations

Ads by Google