Upload
rixwan-ahmed-khan
View
54
Download
0
Embed Size (px)
DESCRIPTION
Configuring NAP
Citation preview
NETWORK ACCESS PROTECTION
Need for NAP NAP Component Enforcement Types
NEED FOR NAP:
A single vulnerable host poses threat to entire network Especially laptop, guests or home Need to detect + Remediate unhealthy clients
Little or No user actionRestricted network until resolveFull network IP Healthy
NAP COMPONENTS: System Health Agent (SHA)
NAP Client (security center)Report health statVista, XP-SP3
System Health Validator (SHV)NAP on W2K8Possibly Combined With Radius
Remediation ServersAntivirus updatesWSUS
RADIUS (Remote Access Dial-In User Server)AAA (Authentication, Authorization, Accounting)
CA (Certificate Authority)Must be W2K8
Vender SHA/SHV Pair
ENFORCMENT TYPES:
IPSecHealth Check Health CertCan be IP Address or Port-SpecificW2K8 CA required
802.1x Switch/ APConstant MonitoringACLVLAN
VPNW2K8Packet Filter
DHCPCompliant clients: Full access IP configurationNon-Compliant: Single Host Routes
CONFIGURING NAP:
Administrative templates Windows Components Security Center 'Turn On security center’
Windows 7 Client > run > ipconfig /all 'show no default gateway'Windows 7 Client > run > route print 'no default route'Windows 7 Client > run > ping 192.168.1.39Windows 7 Client > run > netsh nap client show state
Windows 7 Client > run > ipconfig /releaseWindows 7 Client > run > ipconfig /renewWindows 7 Client > run > route printr 'default gateway show if its healthy client'Windows 7 Client > web > google.com 'if its healthy client'