6421a_8: Configuring Network Access Protection

Uploaded by 健康生活園Healthy Life Garden, June 2020 (PDF)

Module 8: Configuring Network Access Protection

Module Overview
• Overview of Network Access Protection
• How NAP Works
• Configuring NAP
• Monitoring and Troubleshooting NAP

Lesson 1: Overview of Network Access Protection
• What Is Network Access Protection?
• NAP Scenarios
• NAP Enforcement Methods
• NAP Platform Architecture
• NAP Architecture Interactions
• NAP Client Infrastructure
• NAP Server-Side Infrastructure
• Communication Between NAP Platform Components

What Is Network Access Protection?

Network Access Protection can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not meet health requirements

Network Access Protection cannot:
• Prevent authorized users with compliant computers from performing malicious activity
• Restrict network access for computers that are running Windows versions previous to Windows XP SP2

NAP Scenarios

NAP benefits the network infrastructure by verifying the health state of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers

NAP Enforcement Methods

Method: IPsec enforcement for IPsec-protected communications
Key Points:
• Computer must be compliant to communicate with other compliant computers
• The strongest NAP enforcement type, and can be applied per IP address or protocol port number

Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
Key Points:
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)

Method: VPN enforcement for remote access connections
Key Points:
• Computer must be compliant to obtain unlimited access through a RAS connection

Method: DHCP enforcement for DHCP-based address configuration
Key Points:
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement

NAP Platform Architecture

(Diagram; components shown: VPN Server, Active Directory, IEEE 802.1X Devices, Health Registration Authority, Internet, Perimeter Network, DHCP Server, Intranet, NAP Health Policy Server, Restricted Network, Remediation Servers, NAP Client with limited access)

NAP Architecture Interactions

(Diagram; components shown: NAP Client, HRA, VPN Server, IEEE 802.1X Network Access Devices, DHCP Server, NAP Health Policy Server, Health Requirement Server, Remediation Server. Message flows labelled on the diagram: NAP Client to HRA: HTTP or HTTP over SSL messages; NAP Client to VPN Server: PEAP messages over PPP; NAP Client to IEEE 802.1X Network Access Devices: PEAP messages over EAPOL; NAP Client to DHCP Server: DHCP messages; enforcement points to NAP Health Policy Server: RADIUS messages; NAP Health Policy Server to Health Requirement Server: System Health Requirement Queries; Remediation Server to NAP Client: System Health Updates)

NAP Client Infrastructure

(Diagram; the NAP Client contains SHA_1, SHA_2, SHA_3 ... above the SHA API, the NAP Agent, and the NAP EC API with NAP EC_A, NAP EC_B, NAP EC_C ... below it. Remediation Server 1 and Remediation Server 2 are shown outside the client, reachable by the SHAs)

NAP Server-Side Infrastructure

(Diagram; the NAP Health Policy Server contains SHV_1, SHV_2, SHV_3 ... above the SHV API, the NAP Administration Server and the NPS Service. Health Requirement Server 1 and Health Requirement Server 2 are shown beside it, reachable by the SHVs. The NPS Service exchanges RADIUS with a Windows-based NAP Enforcement Point that contains NAP ES_A, NAP ES_B, NAP ES_C ...)

Communication Between NAP Platform Components

(Diagram combining the client-side and server-side views: the NAP Client with SHA1, SHA2, SHA API, NAP Agent, NAP EC API, NAP EC_A and NAP EC_B; Remediation Server 1 and Remediation Server 2; the NAP Health Policy Server with SHV_1, SHV_2, SHV API, NAP Administration Server and NPS Service; Health Requirement Server 1 and Health Requirement Server 2; RADIUS between the NPS Service and the Windows-based NAP Enforcement Point with NAP ES_A and NAP ES_B)

Lesson 2: How NAP Works
• NAP Enforcement Processes
• How IPsec Enforcement Works
• How 802.1X Enforcement Works
• How VPN Enforcement Works
• How DHCP Enforcement Works

NAP Enforcement Processes

(Diagram, as on the Communication Between NAP Platform Components slide: NAP Client with SHA1, SHA2, SHA API, NAP Agent, NAP EC API, NAP EC_A, NAP EC_B; Remediation Server 1 and 2; NAP Health Policy Server with SHV_1, SHV_2, SHV API, NAP Administration Server, NPS Service; Health Requirement Server 1 and 2; RADIUS to the Windows-based NAP Enforcement Point with NAP ES_A and NAP ES_B)

To validate network access based on system health, a network infrastructure must provide the following functionality:
• Health policy validation: Determines whether computers are compliant with health policy requirements
• Network access limitation: Limits access for noncompliant computers
• Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant
• Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements

How IPsec Enforcement Works

(Diagram: VPN Server, Active Directory, IEEE 802.1X Devices, Health Registration Authority, Internet, Perimeter Network, DHCP Server, Intranet, NAP Health Policy Server, Restricted Network, Remediation Servers, NAP Client with limited access)

Key Points of IPsec NAP Enforcement:
• Comprised of a health certificate server and an IPsec NAP EC
• Health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant
• Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
• IPsec Enforcement confines the communication on a network to those nodes that are considered compliant
• You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis

How 802.1X Enforcement Works

(Diagram: VPN Server, Active Directory, IEEE 802.1X Devices, Health Registration Authority, Internet, Perimeter Network, DHCP Server, Intranet, NAP Health Policy Server, Restricted Network, Remediation Servers, NAP Client with limited access)

Key Points of 802.1X Wired or Wireless NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
• Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
• Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
• 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant

802.1X enforcement consists of NPS in Windows Server 2008 and an EAPHost EC in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008

How VPN Enforcement Works

(Diagram: VPN Server, Active Directory, IEEE 802.1X Devices, Health Registration Authority, Internet, Perimeter Network, DHCP Server, Intranet, NAP Health Policy Server, Restricted Network, Remediation Servers, NAP Client with limited access)

Key Points of VPN NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through a remote access VPN connection
• Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server
• VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant

VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC as part of the remote access client in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008

How DHCP Enforcement Works

(Diagram: VPN Server, Active Directory, IEEE 802.1X Devices, Health Registration Authority, Internet, Perimeter Network, DHCP Server, Intranet, NAP Health Policy Server, Restricted Network, Remediation Servers, NAP Client with limited access)

Key Points of DHCP NAP Enforcement:
• Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
• Noncompliant computers have network access limited by an IPv4 address configuration that allows access only to the restricted network
• DHCP enforcement actively monitors the health status of the NAP client and renews the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant

DHCP enforcement consists of a DHCP ES that is part of the DHCP Server service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008

Lesson 3: Configuring NAP
• What Are System Health Validators?
• What Is a Health Policy?
• What Are Remediation Server Groups?
• NAP Client Configuration
• Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies

What Are System Health Validators?

System Health Validators are server software counterparts to system health agents
• Each SHA on the client has a corresponding SHV in NPS
• SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client
• SHVs contain the required configuration settings on client computers
• The Windows Security SHV corresponds to the Microsoft SHA on client computers

What Is a Health Policy?

To make use of the Windows Security Health Validator, you must configure a Health Policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network policy basis
• After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy

What Are Remediation Server Groups?

With NAP enforcement in place, you should specify remediation server groups so the clients have access to resources that bring noncompliant NAP-capable clients into compliance
• A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
• A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates

NAP Client Configuration
• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
• You also must configure the NAP enforcement clients on the NAP-capable computers

Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies

In this demonstration, you will see how to:
• Create DHCP NAP policies
• Configure DHCP enforcement on the DHCP server
• Use the NAP Client Management snap-in to enable EC
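The client-side part of this procedure (NAP Agent service, Security Center, and the DHCP enforcement client) can be scripted instead of being clicked through in the NAP Client Management snap-in. The following is an added example and is not part of the course material. It assumes an elevated PowerShell prompt on the NAP-capable client, the service names napagent (Network Access Protection Agent) and wscsvc (Security Center), and the value 79617 as the ID of the DHCP Quarantine Enforcement Client in the netsh nap client context; none of these identifiers appear on the slides.

```powershell
# Added example (not from the course): script the NAP client prerequisites for DHCP enforcement.
# Assumptions: elevated prompt; service names napagent (Network Access Protection Agent) and
# wscsvc (Security Center); enforcement client ID 79617 = DHCP Quarantine Enforcement Client.

# 1. The NAP Agent service must run before any enforcement client can submit a statement of health.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Deployments that use the Windows Security Health Validator need Security Center running,
#    because the Windows Security Health Agent reads firewall, antivirus and update status from it.
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 3. Enable the DHCP enforcement client (the snap-in equivalent is enabling
#    "DHCP Quarantine Enforcement Client" under Enforcement Clients).
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# 4. Verify: the enforcement clients with their enabled/initialized state and the client's
#    current restriction state, as reported by the NAP Agent.
netsh nap client show state

# 5. Confirm both services are actually running before the machine is handed to users.
Get-Service -Name napagent, wscsvc | Format-Table Name, Status -AutoSize
```

On domain-joined Windows Vista and Windows XP computers Security Center is turned off by default; the Group Policy setting "Turn on Security Center (Domain PCs only)" under Administrative Templates\Windows Components\Security Center enables it centrally, which is the usual way to satisfy the first slide bullet across a fleet rather than per machine.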


Lesson 4: Monitoring and Troubleshooting NAP
• What Is NAP Tracing?
• Configuring NAP Tracing
• Demonstration: Configuring Tracing

What Is NAP Tracing?
• NAP tracing identifies NAP events and records them to a log file based on one of the following tracing levels:
  • Basic
  • Advanced
  • Debug
• You can use tracing logs to:
  • Evaluate the health and security of your network
  • Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs
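Client-side trace files explain why one computer was restricted; the complementary server-side view of "the health and security of your network" is the audit record NPS keeps of every NAP decision. The script below is an added example, not part of the course. It assumes it runs on the NAP health policy server with rights to read the Security log, and it uses the standard NPS audit event IDs (6273 access denied, 6276 quarantined, 6277 probation, 6278 full access), which are not listed on the slides and are written only when the "Network Policy Server" audit subcategory is enabled.

```powershell
# Added example (not from the course): summarise the NAP decisions NPS recorded in the Security log.
# Assumptions: run on the NAP health policy server (NPS) with rights to read the Security log;
# the event IDs are the standard NPS audit events (6273 access denied, 6276 quarantined,
# 6277 probation, 6278 full access) and are not taken from the slides.
$outcomes = @{
    6273 = 'Access denied'
    6276 = 'Quarantined (noncompliant, restricted network)'
    6277 = 'Probation (noncompliant, enforcement deferred)'
    6278 = 'Full access (compliant)'
}

# NPS writes these events only if the audit subcategory is enabled, e.g.:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(6273, 6276, 6277, 6278)
    StartTime = $since
} -ErrorAction SilentlyContinue

# Counts per outcome. A sudden rise in 6276 right after a health policy change usually means the
# policy or the remediation servers need attention before the clients do.
$events | Group-Object -Property Id | ForEach-Object {
    New-Object PSObject -Property @{
        Outcome = $outcomes[[int]$_.Name]
        Count   = $_.Count
    }
} | Sort-Object Count -Descending | Format-Table Outcome, Count -AutoSize

# The quarantine events themselves, newest first, for follow-up of individual hosts.
$events | Where-Object { $_.Id -eq 6276 } |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Message | Format-List
```

Running this on a schedule and keeping the daily counts gives a baseline; the DHCP enforcement caveat from Lesson 1 still applies, because a host that sets a static address never produces any of these events and is invisible here.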

Configuring NAP Tracing
• You can configure NAP tracing by using one of the following tools:
  • The NAP Client Management console
  • The Netsh command-line tool
• To enable logging functionality, you must be a member of the Local Administrators group
• Trace logs are located in the following directory: %systemroot%\tracing\nap

Demonstration: Configuring Tracing

In this demonstration, you will see how to:
• Configure tracing from the GUI
• Configure tracing from the command line
• View the log files
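The command-line half of this demonstration, written out as an added example that is not part of the course: enable tracing with netsh, reproduce the problem, read the newest trace file from the directory the slides name, and disable tracing again. It assumes an elevated PowerShell prompt (membership in the local Administrators group) on the NAP client and the netsh nap client set tracing syntax with state and level parameters; the 40-line tail is an arbitrary choice.

```powershell
# Added example (not from the course): NAP client tracing from the command line.
# Assumptions: elevated prompt (local Administrators); trace directory %systemroot%\tracing\nap
# as stated on the slide; netsh nap client set tracing accepts state and level parameters.

# 1. Enable tracing at the Basic level. Raise the level only while reproducing a specific
#    problem; the higher levels on the slide (Advanced, Debug) write considerably more data.
netsh nap client set tracing state = enable level = basic

# 2. Reproduce the situation being investigated. For DHCP enforcement a renew sends a new
#    DHCP request carrying a fresh statement of health, so the whole evaluation is traced.
ipconfig /renew

# 3. List the trace files, newest first.
$traceDir = Join-Path $env:SystemRoot 'tracing\nap'
$files = Get-ChildItem -Path $traceDir |
    Where-Object { -not $_.PSIsContainer } |
    Sort-Object LastWriteTime -Descending
$files | Format-Table Name, Length, LastWriteTime -AutoSize

# 4. Show the tail of the most recently written file.
$latest = $files | Select-Object -First 1
if ($latest) { Get-Content -Path $latest.FullName | Select-Object -Last 40 }

# 5. Disable tracing when finished; NAP tracing is off by default for a reason, the logs grow
#    with every health evaluation while it is on.
netsh nap client set tracing state = disable
```

Copy the trace files out before disabling tracing if they are needed for a support case; after step 5 no further events are written, but existing files in the directory are not removed.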

Lab: Configuring NAP for DHCP and VPN
• Exercise 1: Configuring NAP for DHCP Clients
• Exercise 2: Configuring NAP for VPN Clients

Logon information
Virtual machine: NYC-DC1, NYC-SVR1 and NYC-CL1
User name: Administrator
Password: Pa$$w0rd

Estimated time: 120 minutes

Lab Review
• The DHCP NAP enforcement method is the weakest enforcement method in Microsoft Windows Server 2008. What makes it less preferable than other ways?
• Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would be realized by using such a scenario?
• Could you have used DHCP NAP enforcement for the client? Why or why not?

Module Review and Takeaways
• Review Questions
• Best Practices
• Tools

