Published by Stuart Lynch. Modified over 9 years ago.
Slide 1: Welcome: Windows Server 2008 Security Features - NAP

Slide 2: Network Access Protection in Windows Server 2008

Slide 3: Overview
- Network Policies Access Protection
- Enforcement Options
- Network Access Protection Scenarios
Slide 4: Lesson 1: Network Policies Access Protection
- Why Use Network Access Protection?
- Network Protection Services Overview
- Network Access Protection Solution
- NAP Architecture Overview
- Network Layer Protection with NAP
- Host Layer Protection with NAP

Slide 5: Why Use Network Access Protection? (diagram: a private network, an unhealthy computer and a healthy computer)
Slide 6: NAP vs. Network Access Quarantine Control
- Clients: Network Access Protection covers internal, VPN and remote access clients; Network Access Quarantine Control covers only VPN and remote access clients.
- Enforcement: Network Access Protection uses IPsec, 802.1X, DHCP and VPN; Network Access Quarantine Control uses DHCP and VPN.
- Availability: NAP NPS and client are included in Windows Server 2008, and the NAP client is included in Vista; Network Access Quarantine Control is installed from the Windows Server 2003 Resource Kit.
Slide 7: Network Protection Services Overview
- Network Policy Server (NPS): Network Access Protection (NAP) policy server, IEEE 802.11 wireless, IEEE 802.3 wired, RADIUS server, RADIUS proxy
- Routing and Remote Access: remote access service, routing
- Health Registration Authority (HRA)

Slide 8: Network Access Protection Solution (diagram)
- Defense-in-depth layers: policies, procedures and awareness; data; application; host; internal network; perimeter
- NAP functions: policy validation, network restriction, remediation, ongoing compliance

Slide 9: NAP Architecture Overview (diagram)
- Client: System Health Agent (SHA) from MS and 3rd parties, Quarantine Agent (QA), Enforcement Client (EC) for DHCP, IPsec, 802.1X and VPN
- MS Network Policy Server: Quarantine Server (QS), System Health Validator, health policy
- System Health Servers supply health policy and updates; Remediation Servers supply updates to the client
- Flows: health statements and network access requests pass through the network access devices and servers; a health certificate is issued to a compliant client
Slide 10: Network Layer Protection with NAP (message flow between the Client, an 802.1X switch, MS NPS, System Health Servers and Remediation Servers)
1. Client: "May I have access? Here's my current health status."
2. NPS: "Should this client be restricted based on its health?" (System Health Servers send ongoing policy updates to the Network Policy Server.)
3. System Health Servers: "According to policy, the client is not up to date. Quarantine client, request it to update."
4. NPS to Client: "You are given restricted access until fix-up." (The client is placed on the restricted network.)
5. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
6. Client: "Requesting access. Here's my new health status."
7. System Health Servers: "According to policy, the client is up to date. Grant access."
8. Client is granted access to the full intranet.

Slide 11: Host Layer Protection with NAP (message flow between the Client, HRA, NPS and a Remediation Server; network zones: no policy, authentication optional, authentication required)
1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client ok?" NPS: "No. Needs fix-up."
3. HRA to Client: "You don't get a health certificate. Go fix up."
4. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
5. Client resubmits its SoH; NPS: "Yes. Issue health certificate." HRA to Client: "Here's your health certificate."
Slide 12: Technical Background
- NAP Platform Architecture
- NAP Enforcement Methods
- NAP Infrastructure
- NAP Client Architecture
- NAP Server Architecture
- Component Communication

Slide 13: NAP Infrastructure
- Health policy validation
- Health policy compliance
- Automatic remediation
- Limited access

Slide 14: NAP Platform Architecture (diagram)
Slide 15: Network Access Protection Components (1 of 5)
- NAP Clients: IPsec, 802.1X, VPN, DHCP
- NAP Servers: determine the system health of any NAP client; Windows Server 2008 + Network Policy Server; remediation action is required for computers that are not compliant; Health Registration Authority, VPN server, DHCP server

Slide 16: Network Access Protection Components (2 of 5)
- NAP Clients: IPsec, 802.1X, VPN, DHCP
- NAP Servers: determine the system health (SH) of any NAP client; Windows Server 2008 + Network Policy Server; remediation action is required for computers that are not compliant; Health Registration Authority, VPN server, DHCP server

Slide 17: Network Access Protection Components (3 of 5)
- NPS servers: replacement for the Internet Authentication Service (IAS); Windows Server 2008 +; validate system health policy
- Active Directory directory service: Group Policy settings for IPsec; 802.1X credentials are stored in the directory service

Slide 18: Network Access Protection Components (4 of 5)
- Restricted network: a separate network segment (logical or physical) that contains the remediation servers
- Remediation server: brings the NAP client into compliance with the health policy
- System Health Agent (SHA): checks a particular health parameter and sends a Statement of Health (SoH) to a System Health Validator (SHV)

Slide 19: Network Access Protection Components (5 of 5)
- System Health Validator (SHV): compares the Statement of Health (SoH) sent from a System Health Agent (SHA) with the health policy
- Statement of Health (SoH): the response sent by a System Health Agent to a System Health Validator

Slide 20: Misconception
- The quarantine network is anything but empty.
- An SMS server must be reachable from within Quarantine Mode.
- For starters, it must have a DNS server, but that server should not be a primary DNS server.
- Finally, the DHCP and IAS servers (VPN Quarantine Mode only) must be accessible. Otherwise a client would never be able to get out of Quarantine Mode after its Statement of Health has been updated.
Slide 21: Lesson 2: Enforcement Options
- NAP - Enforcement Options
- NAP with DHCP
- IPsec-based Communication
- NAP with RRAS

Slide 22: NAP - Enforcement Options (table: enforcement method, healthy client, unhealthy client)
- DHCP: a healthy client is given a full IP address and full access; an unhealthy client gets a restricted set of routes.
- VPN: a healthy client gets full access; an unhealthy client is placed in a restricted VLAN.
- 802.1X: a healthy client gets full access; an unhealthy client is placed in a restricted VLAN.
- IPsec: a healthy client can communicate with any trusted peer; healthy peers reject connection requests from unhealthy systems. IPsec enforcement complements layer 2 protection, works with existing servers and infrastructure, and offers flexible isolation.
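As an added example (not from the slides), a small Python model of the evaluation the network-layer and host-layer flows and the enforcement-options table describe: constructed Statements of Health from two hypothetical agents are validated against a constructed health policy, and the result is mapped onto the per-method outcome listed above. The agent names, policy values and access strings are assumptions.

```python
from dataclasses import dataclass, field

# Health policy the NPS applies (constructed sample values, not a real NAP policy).
HEALTH_POLICY = {
    "firewall": {"enabled": True},
    "antivirus": {"enabled": True, "min_signature_version": 120},
}

# Per enforcement method: (access for an unhealthy client, access for a healthy client),
# taken from the "NAP - Enforcement Options" slide.
ENFORCEMENT = {
    "DHCP": ("restricted set of routes", "full IP address, full access"),
    "VPN": ("restricted VLAN", "full access"),
    "802.1X": ("restricted VLAN", "full access"),
    "IPsec": ("no health certificate", "health certificate, full access"),
}

@dataclass
class Decision:
    compliant: bool
    remediation: list = field(default_factory=list)  # what the client must fix
    network_access: str = ""

def validate_soh(soh: dict) -> list:
    """SHV step: compare a SoH (agent -> reported state) with the policy; return failed checks."""
    failures = []
    for agent, required in HEALTH_POLICY.items():
        reported = soh.get(agent)
        if reported is None:
            failures.append(f"{agent}: no statement of health")
            continue
        if required.get("enabled") and not reported.get("enabled"):
            failures.append(f"{agent}: must be enabled")
        min_ver = required.get("min_signature_version")
        if min_ver is not None and reported.get("signature_version", 0) < min_ver:
            failures.append(f"{agent}: signatures older than {min_ver}")
    return failures

def evaluate(soh: dict, method: str) -> Decision:
    """NPS step: map the SHV result onto the enforcement outcome for `method`."""
    failures = validate_soh(soh)
    restricted, full = ENFORCEMENT[method]
    if failures:
        return Decision(False, failures, restricted)  # quarantine, request fix-up
    return Decision(True, [], full)                   # grant full access

# Constructed clients: the first is quarantined, the second (after remediation) is admitted.
UNHEALTHY = {"firewall": {"enabled": False}, "antivirus": {"enabled": True, "signature_version": 100}}
HEALTHY = {"firewall": {"enabled": True}, "antivirus": {"enabled": True, "signature_version": 130}}
```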
Slide 23: NAP with DHCP (message flow between the Client, DHCP server, NPS server and Remediation Servers; a VPN server and IEEE 802.1X devices are also shown)
1. Client: "I need to lease an IP address." (The client's health status is passed to the NPS server.)
2. NPS: "You are not within the health policy requirements."
3. The client requests and receives updates from the remediation servers.
4. Client: "Requesting access. Here's my new health status."
5. NPS: "Access granted. Here is your new IP address."

Slide 24: Demo 1: Using Network Access Protection - Exercise 1: Configuring Network Access Protection for DHCP

Slide 25: NAP with RRAS (diagram: Client, VPN server, NPS server and Remediation Servers; PEAP messages between the client and the VPN server, RADIUS messages between the VPN server and the NPS server)

Slide 26: Demo 2: Using Network Access Protection - Exercise 1: Configuring Network Access Protection for VPN

Slide 27: IPSec-based Communication (diagram: secure network, boundary network and restricted network; IPsec-authenticated versus unauthenticated traffic)

Slide 28: NAP Enforcement (diagram: Client with 802.1X, VPN, IPsec and DHCP enforcement clients; NPS reached via RADIUS)
Slide 29: How NAP Works
- IPSec enforcement
- IEEE 802.1X logical networks
- Remote access VPNs
- DHCP

Slide 30: IPSec Enforcement in Logical Networks (diagram)

Slide 31: Communication Initiation Process with IPSec Enforcement (diagram)

Slide 32: NAP Client Health Certificate Process (diagram)

Slide 33: IPSec Enforcement in NAP (diagram)

Slide 34: IPSec Review
- IPsec functionality: layer 3 of the OSI 7-layer model
- Authentication methods for IPsec: pre-shared key, Kerberos, certificate

Slide 35: Certificate Review
- What is a digital certificate?
- What is a certificate authority?
- What is a digital certificate for? Identifying a user, computer or service
- Digital certificates for IPsec

Slide 36: Demo 3: Network Access Protection - IPSec
- Create a certificate template for NAP exemptions
- Enable certificate autoenrollment
- Configure NAP to issue health certificates
- Configure the Health Registration Authority to request certificates from a subordinate CA
- Add the System Health Validation certificate to NPS
- Configure a GPO to ensure clients are configured to implement NAP
- Verify Network Access Protection
Slide 37: 802.1X Authenticated Connections (diagram)

Slide 38: Lesson 3: Network Access Protection Scenarios
- Scenario 1: Roaming Laptops
- Scenario 2: Health of Desktop Computers
- Scenario 3: Health of Visiting Laptops
- Scenario 4: Unmanaged Home Computers

Slide 39: Scenario 1: Roaming Laptops (diagram: NAP)

Slide 40: Scenario 2: Health of Desktop Computers (diagram: Network Policy Server)

Slide 41: Scenario 3: Health of Visiting Laptops (diagram: Network Policy Server)

Slide 42: Scenario 4: Unmanaged Home Computers (diagram)

Slide 43: NAP Authentication Process
- Background
- Network Access Protection settings
- Authorization policies
- Authentication process

Slide 44: Implementation/Usage Scenarios
- Ensuring the health of corporate desktops
- Checking the health and status of roaming laptops
- Determining the health of visiting laptops
- Verifying the compliance of home computers

Slide 45: Summary
Network Access Protection:
- Secures remote computers before they access the network
- Has client and server components
- Can use one or more of several enforcement methods: IPsec, 802.1X, VPN, DHCP
- Provides support for third-party software
Slide 46: What Next?
- Windows Server 2008 Beta: https://connect.microsoft.com
- Home page: http://www.microsoft.com/windowsserver/longhorn/default.mspx
- Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx
- Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17
- Network Access Protection home page: http://www.microsoft.com/nap
- Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884
- Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885
- Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886
- IPSec: http://www.microsoft.com/ipsec
- Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx