module 8: configuring network access protection. module overview overview of network access...
TRANSCRIPT
Module Overview
• Overview of Network Access Protection
• How NAP Works
• Configuring NAP
• Monitoring and Troubleshooting NAP
Lesson 1: Overview of Network Access Protection
• What Is Network Access Protection?
• NAP Scenarios
• NAP Enforcement Methods
• NAP Platform Architecture
• NAP Architecture Interactions
• NAP Client Infrastructure
• NAP Server-Side Infrastructure
• Communication Between NAP Platform Components
Network Access Protection can:
What Is Network Access Protection?
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:
• Prevent authorized users with compliant computersfrom performing malicious activity
• Restrict network access for computers that are runningWindows versions previous to Windows XP SP2
NAP Scenarios
NAP benefits the network infrastructure by verifying the health state of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers
Method Key Points
IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• The strongest NAP enforcement type, and can be applied per IP address or protocol port number
802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)
VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a RAS connection
DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement
NAP Enforcement Methods
NAP Platform Architecture
Intranet
Remediation Servers
InternetNAP Health
Policy Server DHCP Server
Health Registration Authority
IEEE 802.1X
Devices
Active Directory
VPN Server
Restricted Network
NAP Client with limited access
Perimeter Network
NAP Architecture Interactions
HRA
VPN Server
DHCP Server
IEEE 802.1X Network Access Devices
Health Requirement Server
Remediation Server
NAP Client NAP Health Policy Server
RADIUS Messages
SystemHealthUpdates
HTTP or HTTP over S
SL Messages
SystemHealth
RequirementQueries
DHCP Messages
PEAP Messages over PPPPEAP Messages over EAPOL
NAP Client Infrastructure
NAP Client
Remediation Server 2 Remediation Server
1
NAP Agent
NAP EC API
NAP EC_A NAP EC_B NAP EC_C
SHA API
SHA_1 SHA_2 SHA_3. . .
. . .
NAP Server-Side Infrastructure
Health Requirement Server 2
Health Requirement
Server 1
NAP Administration Server
SHV API
SHV_1 SHV_2 SHV_3
. . .
NPS Service
NAP Health Policy Server
NAP ES_A NAP ES_B NAP ES_C
. . .
Windows-based NAP Enforcement Point
RADIUS
Communication Between NAP Platform Components
NAP Health Policy
Server
Windows-based
NAP Enforcement
Point
NAP Administration Server
SHV API
SHV_1 SHV_2 SHV_2
NPS Service
RADIUS
Health Requirement
Server 1
Health Requirement
Server 2
NAP Agent
NAP EC API
NAP EC_A NAP EC_B
SHA API
SHA1 SHA2
NAP Client
Remediation Server 1
Remediation Server 2
NAP ES_B NAP ES_A
Lesson 2: How NAP Works
• NAP Enforcement Processes
• How IPsec Enforcement Works
• How 802.1X Enforcement Works
• How VPN Enforcement Works
• How DHCP Enforcement Works
NAP Health Policy
Server
Windows-based
NAP Enforcement
Point
NAP Administration Server
SHV API
SHV_1 SHV_2 SHV_2
NPS Service
RADIUS
Health Requirement
Server 1
Health Requirement
Server 2
NAP Agent
NAP EC API
NAP EC_A NAP EC_B
SHA API
SHA1 SHA2
NAP Client
Remediation Server 1
Remediation Server 2
NAP ES_B NAP ES_A
To validate network access based on system health, a network infrastructure must provide the following functionality:
• Health policy validation: Determines whether computers are compliant with health policy requirements
• Network access limitation: Limits access for noncompliant computers
• Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant
• Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements
NAP Enforcement Processes
Intranet
Remediation Servers
InternetNAP Health
Policy Server DHCP Server
Health Registration Authority
IEEE 802.1X
Devices
Active Directory
VPN Server
Restricted Network
NAP Client with limited access
Perimeter Network
How IPsec Enforcement Works
Key Points of IPsec NAP Enforcement:
• Comprised of a health certificate server and an IPsec NAP EC
• Health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant
• Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
• IPsec Enforcement confines the communication on a network to those nodes that are considered compliant
• You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis
Intranet
Remediation Servers
InternetNAP Health
Policy Server DHCP Server
Health Registration Authority
IEEE 802.1X
Devices
Active Directory
VPN Server
Restricted Network
NAP Client with limited access
Perimeter Network
How 802.1X Enforcement Works
Key Points of 802.1X Wired or Wireless NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
• Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP place on the connection
• Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
• 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant
802.1X enforcement consists of NPS in Windows Server 2008 and an EAPHost EC in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
802.1X enforcement consists of NPS in Windows Server 2008 and an EAPHost EC in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
Intranet
Remediation Servers
InternetNAP Health
Policy Server DHCP Server
Health Registration Authority
IEEE 802.1X
Devices
Active Directory
VPN Server
Restricted Network
NAP Client with limited access
Perimeter Network
Key Points of VPN NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through a remote access VPN connection
• Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server
• VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted networkto the VPN connection if the client becomes noncompliant
VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC as part of the remote access client in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC as part of the remote access client in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
How VPN Enforcement Works
Intranet
Remediation Servers
InternetNAP Health
Policy Server DHCP Server
Health Registration Authority
IEEE 802.1X
Devices
Active Directory
VPN Server
Restricted Network
NAP Client with limited access
Perimeter Network
Key Points of DHCP NAP Enforcement:
• Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
• Noncompliant computers have network access limited by an IPv4 address configuration that allows access only to the restricted network
• DHCP enforcement actively monitors the health status of the NAP client and renews the IPv4 address configuration for accessonly to the restricted network if the client becomes noncompliant
DHCP enforcement consist of a DHCP ES that is part of the DHCP Server service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in Windows Vista, Windows XP with SP2 (with NAP Client for Windows XP), and Windows Server 2008
DHCP enforcement consist of a DHCP ES that is part of the DHCP Server service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in Windows Vista, Windows XP with SP2 (with NAP Client for Windows XP), and Windows Server 2008
How DHCP Enforcement Works
Lesson 3: Configuring NAP
• What Are System Health Validators?
• What Is a Health Policy?
• What Are Remediation Server Groups?
• NAP Client Configuration
• Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies
What Are System Health Validators?
System Health Validators are server software counterparts to system health agents System Health Validators are server software counterparts to system health agents
• Each SHA on the client has a corresponding SHV in NPS
• SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client
• SHVs contain the required configuration settings on client computers
• The Windows Security SHV corresponds to the Microsoft SHA on client computers
What Is a Health Policy?
To make use of the Windows Security Health Validator, you must configure a Health Policy and assign the SHV to it To make use of the Windows Security Health Validator, you must configure a Health Policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network policy basis
• After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy
What Are Remediation Server Groups?
With NAP enforcement in place, you should specify remediation server groups so the clients have access to resources that bring noncompliant NAP-capable clients into compliance
With NAP enforcement in place, you should specify remediation server groups so the clients have access to resources that bring noncompliant NAP-capable clients into compliance
• A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
• A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates
NAP Client Configuration
• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
• You also must configure the NAP enforcement clients on the NAP-capable computers
Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies
In this demonstration, you will see how to:
• Create DHCP NAP policies
• Configure DHCP enforcement on the DHCP server
• Use the NAP Client Management snap-in to enable EC
Lesson 4: Monitoring and Troubleshooting NAP
• What Is NAP Tracing?
• Configuring NAP Tracing
• Demonstration: Configuring Tracing
What Is NAP Tracing?
• NAP tracing identifies NAP events and records them to a log file based on the one of the following tracing levels:
• Basic
• Advanced
• Debug
• You can use tracing logs to:
• Evaluate the health and security of your network
• For troubleshooting and maintenance
• NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs
Configuring NAP Tracing
• You can configure NAP tracing by using one of the following tools:
• The NAP Client Management console
• The Netsh command-line tool
• To enable logging functionality, you must be a member of the Local Administrators group
• Trace logs are located in the following directory: %systemroot%\tracing\nap
Demonstration: Configuring Tracing
In this demonstration, you will see how to:
• Configure tracing from the GUI
• Configure tracing from the command line
• View the log files
Lab: Configuring NAP for DHCP and VPN
• Exercise 1: Configuring NAP for DHCP Clients
• Exercise 2: Configuring NAP for VPN Clients
Logon information
Virtual machine NYC-DC1, NYC-SVR1 and NYC-CL1
User name Administrator
Password Pa$$w0rd
Estimated time: 120 minutes
Lab Review
• The DHCP NAP enforcement method is the weakest enforcement method in Microsoft Windows Server 2008. What makes it less preferable than other ways?
• Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would be realized by using such a scenario?
• Could you have used DHCP NAP enforcement for the client? Why or why not?