Module 9: Designing Network Access Protection


Page 1: Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops

Module 9: Designing Network Access Protection

Page 2

Scenarios for Implementing NAP

Verifying the health of:

• Roaming laptops

• Desktop computers

• Visiting laptops

• Home computers used for remote access

Page 3

Lesson: NAP Architecture

• Network Components and Services for NAP

• NAP Architecture Overview

• Network Layer Protection with NAP

• Host Layer Protection with NAP

• NAP and Certificate Services

Page 4

Network Components and Concepts for NAP

Component: Description

• NAP client: presents its health status to an enforcement point

• Enforcement point: controls access to the network

• NAP health policy server: NPS server that checks client health against the configured policies

• Remediation servers: servers that noncompliant computers can still reach in order to become compliant

• Health registration authority (HRA): issues health certificates for IPsec enforcement

Page 5

NAP Architecture Overview

Diagram: NAP architecture. On the client, System Health Agents (SHAs, from Microsoft and third parties) report to the NAP Agent, which passes health statements to an Enforcement Client (EC) for DHCP, IPsec, 802.1X or VPN. The EC sends the health statements together with the network access request to the network access devices and servers (the NAP server side), which forward them to the Health Policy Server (NPS). There a System Health Validator evaluates each statement, consulting System Health Servers where needed; the outcome comes back as a health certificate (IPsec) or an access decision, and noncompliant clients are pointed at the Remediation Servers.

Page 6

Network Layer Protection with NAP

Diagram: network layer protection, shown in two steps. A client connects to an 802.1X switch, which relays its health statement to the NPS server. While the client is noncompliant a restricted network is created in which it can reach only the remediation server; once the client is compliant, unrestricted access is granted.

Page 7

NAP and Certificate Services

Certificate Services is:

• Used for IPsec enforcement to issue health certificates

• Contacted by an HRA on behalf of clients that have been found compliant

• Health certificates should have a short lifetime (24 to 48 hours), so that a computer which falls out of compliance loses its certificate quickly rather than waiting for revocation checking

Page 8

Lesson 3: NAP Enforcement

• NAP Enforcement Methods

• IPsec Enforcement

• VPN Enforcement

• DHCP Enforcement

Page 9

NAP Enforcement Methods

Enforcement methods available for NAP are:

Internet Protocol security (IPsec) communications

• Enforces health policies when a client computer attempts to communicate with another computer using IPsec

Extensible Authentication Protocol (EAP) for IEEE 802.1X connections

• Enforces health policies when a client computer attempts to access a network using EAP through an 802.1X wireless connection or an authenticating switch connection

Remote access for VPN connections

• Enforces health policies when a client computer attempts to gain access to the network through a VPN connection

Dynamic Host Configuration Protocol (DHCP)

• Enforces health policies when a client computer attempts to obtain an IP address from a DHCP server

TS Gateway

• Enforces health policies when a client computer attempts to communicate through a TS Gateway

Page 10

IPsec Enforcement

Diagram: IPsec enforcement divides the network into three logical zones: the secure network (compliant computers holding health certificates, which require IPsec from their peers), the boundary network (the HRA and remediation servers, which every computer can reach) and the restricted network (computers without a health certificate).

Page 11

VPN Enforcement

Diagram: VPN enforcement. The client sends its health statement to the VPN server inside PEAP messages during authentication; the VPN server relays it to the NPS server in RADIUS messages. Noncompliant clients are left connected but filtered so that they can reach only the remediation servers.

Page 12

DHCP Enforcement

Diagram: DHCP enforcement, in four steps. 1. The client requests a lease from the DHCP server, which forwards the health statement to the NPS server. 2. The client is not within the health policy requirements, so it receives a restricted configuration that reaches only the remediation servers. 3. The client obtains updates from the remediation servers. 4. Access is granted and the client is given a new IP address.

Page 13

System Health Agents and Validators

System Health Validator (SHV):

• Is the server-side complement to an SHA

• Compares the client's reported health to the required status

System Health Agent (SHA):

• Is present on clients

• Publishes health status

• Includes the Windows SHA

• Can be obtained from third parties
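To make the SHA/SHV split concrete, here is an added example (not code from the course module or from Windows) of a toy validator that evaluates a statement of health against a policy the way the Windows SHV does for its built-in checks. The field names, the policy structure and the sample statements are assumptions for illustration; the 22-hour update-check window is the Windows SHV default.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class StatementOfHealth:
    """What the client-side SHAs report. Field names are an assumption;
    None means the corresponding SHA sent nothing."""
    firewall_enabled: Optional[bool]
    antivirus_enabled: Optional[bool]
    antivirus_up_to_date: Optional[bool]
    automatic_updates_enabled: Optional[bool]
    last_update_check: Optional[datetime]


@dataclass
class HealthPolicy:
    """Server-side requirements the SHV compares against."""
    require_firewall: bool = True
    require_antivirus: bool = True
    require_antivirus_up_to_date: bool = True
    require_automatic_updates: bool = True
    max_hours_since_update_check: Optional[int] = 22  # Windows SHV default


@dataclass
class HealthResult:
    compliant: bool
    failures: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


def validate(soh: StatementOfHealth, policy: HealthPolicy,
             now: Optional[datetime] = None) -> HealthResult:
    """Compare one SoH with the policy, collecting every failure rather than
    stopping at the first, so the client learns everything to fix at once."""
    now = now or datetime.now(timezone.utc)
    result = HealthResult(compliant=True)

    def fail(reason: str, action: str) -> None:
        result.compliant = False
        result.failures.append(reason)
        result.remediation.append(action)

    checks = [
        (policy.require_firewall, soh.firewall_enabled,
         "host firewall is off", "enable the host firewall"),
        (policy.require_antivirus, soh.antivirus_enabled,
         "antivirus is off", "enable antivirus"),
        (policy.require_antivirus_up_to_date, soh.antivirus_up_to_date,
         "antivirus signatures are stale", "update antivirus signatures"),
        (policy.require_automatic_updates, soh.automatic_updates_enabled,
         "automatic updates are off", "enable automatic updates"),
    ]
    for required, reported, reason, action in checks:
        if not required:
            continue
        if reported is None:
            # A silent SHA is treated as noncompliant (fail closed).
            fail(reason + " (no SHA report)", action)
        elif not reported:
            fail(reason, action)

    if policy.max_hours_since_update_check is not None:
        limit = timedelta(hours=policy.max_hours_since_update_check)
        if soh.last_update_check is None or now - soh.last_update_check > limit:
            fail("no security update check within %d hours"
                 % policy.max_hours_since_update_check,
                 "check for and install security updates")
    return result


def access_decision(result: HealthResult) -> str:
    """The enforcement point's view: full access, or restricted to remediation."""
    return "full" if result.compliant else "restricted"


# Constructed sample statements (not captured from a real client)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
HEALTHY = StatementOfHealth(True, True, True, True, NOW - timedelta(hours=3))
STALE = StatementOfHealth(True, True, False, True, NOW - timedelta(hours=30))
SILENT = StatementOfHealth(None, True, True, True, NOW - timedelta(hours=1))

if __name__ == "__main__":
    for name, soh in (("healthy", HEALTHY), ("stale", STALE), ("silent", SILENT)):
        r = validate(soh, HealthPolicy(), NOW)
        print(name, access_decision(r), r.remediation)
```

Two design points worth noticing: a component that sends no report is treated as a failure rather than ignored, because an attacker who can suppress an SHA must not gain full access by doing so; and the validator returns the complete list of remediation actions so the client can fix everything in one pass instead of being bounced through the restricted network repeatedly.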

Page 14

Lesson: Designing NAP Enforcement and Remediation

• Considerations for Designing DHCP Enforcement

• Considerations for Designing VPN Enforcement

• Considerations for Designing 802.1X Enforcement

• Considerations for Designing IPsec Enforcement

• Discussion: Selecting an Enforcement Method

• Discussion: Selecting Remediation Servers

Page 15

Considerations for Designing DHCP Enforcement

Non-compliant computers are:

• Given 0.0.0.0 as a default gateway, which leaves them with no usable route off the host

• Given 255.255.255.255 as a subnet mask, so no other host is on-link

• Given static host routes to the remediation servers only

Some considerations for DHCP enforcement are:

• Must use a Windows Server 2008 DHCP server

• IPv6 is not supported: NAP DHCP enforcement on Windows Server 2008 applies only to IPv4 leases

• Health status is sent as part of the lease request

• Can be circumvented by any user who configures a static IP address, because enforcement depends on the client asking for a lease; it is the weakest of the enforcement methods and should be treated as a compliance aid rather than a security boundary
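The restricted lease described above can be shown as the DHCP options a NAP-enabled server actually hands out. The following is an added example, not code from the course module or from the Windows DHCP server: it builds the option set for a compliant and a noncompliant client, encodes the remediation host routes as RFC 3442 classless static routes (option 121; Windows also reads the pre-RFC Microsoft code 249, which has the same format), and decodes the result back into the route table the client ends up with. The scope addresses, the remediation server list and the choice of the scope router as next hop for the host routes are assumptions made for this example.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_DNS_SERVERS = 6
OPT_CLASSLESS_ROUTES = 121   # RFC 3442; Windows also reads Microsoft code 249, same format
OPT_END = 255

Route = Tuple[str, str]      # (destination prefix, next-hop router)


def encode_classless_routes(routes: List[Route]) -> bytes:
    """RFC 3442 wire form: prefix length, significant destination octets only, router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        n = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data: bytes) -> List[Route]:
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8
        dest = data[i + 1:i + 1 + n].ljust(4, b"\x00")
        router = data[i + 1 + n:i + 5 + n]
        if plen > 32 or len(router) != 4:
            raise ValueError("malformed classless static route option")
        routes.append((str(ipaddress.IPv4Network((ipaddress.IPv4Address(dest), plen))),
                       str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes


def serialize_options(options: Dict[int, bytes]) -> bytes:
    """DHCP option TLVs (code, length, value) terminated by the End option."""
    out = bytearray()
    for code, value in options.items():
        if len(value) > 255:
            raise ValueError("option %d exceeds 255 bytes" % code)
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(data: bytes) -> Dict[int, bytes]:
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_lease_options(compliant: bool, scope_mask: str, scope_router: str,
                        dns_server: str, remediation_servers: List[str]) -> Dict[int, bytes]:
    """Options a NAP-enabled DHCP server hands out, chosen by the NPS health result."""
    opts = {OPT_DNS_SERVERS: ipaddress.IPv4Address(dns_server).packed}
    if compliant:
        opts[OPT_SUBNET_MASK] = ipaddress.IPv4Address(scope_mask).packed
        opts[OPT_ROUTER] = ipaddress.IPv4Address(scope_router).packed
    else:
        # Restricted lease: host-only mask, no default gateway, and /32 routes to
        # the remediation servers only. Using the scope router as the next hop for
        # those routes is an assumption made for this example.
        opts[OPT_SUBNET_MASK] = ipaddress.IPv4Address("255.255.255.255").packed
        opts[OPT_CLASSLESS_ROUTES] = encode_classless_routes(
            [(server + "/32", scope_router) for server in remediation_servers])
    return opts


def client_routes(wire: bytes) -> List[Route]:
    """Routes the client installs; per RFC 3442, option 121 when present replaces option 3."""
    opts = parse_options(wire)
    if OPT_CLASSLESS_ROUTES in opts:
        return decode_classless_routes(opts[OPT_CLASSLESS_ROUTES])
    if OPT_ROUTER in opts:
        return [("0.0.0.0/0", str(ipaddress.IPv4Address(opts[OPT_ROUTER][:4])))]
    return []


# Constructed sample scope, not taken from any real deployment. The remediation
# group holds the DNS server, a WSUS server and an AV signature server.
SCOPE = dict(scope_mask="255.255.255.0", scope_router="10.0.0.1", dns_server="10.0.0.10",
             remediation_servers=["10.0.0.10", "10.0.0.50", "10.0.0.51"])


def restricted_lease() -> bytes:
    return serialize_options(build_lease_options(False, **SCOPE))


def full_lease() -> bytes:
    return serialize_options(build_lease_options(True, **SCOPE))
```

Decoding the restricted lease shows why the remediation server group must be designed carefully: the client has routes to exactly the listed hosts and nothing else, so DNS, domain controllers, WSUS and antivirus update servers all have to be in that group or the client cannot remediate. It also shows the limitation named on the slide: nothing here is enforced on the wire, so a user who types in a static address simply never receives these options.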

Page 16

Considerations for Designing VPN Enforcement

Non-compliant computers are:

• Limited by IP packet filters applied on the VPN server

Considerations for VPN enforcement are:

• Must use NAP-integrated RRAS

• Health status is sent as part of the authentication process

• Best suited for remote connections where a VPN is already used

Page 17

Considerations for Designing 802.1X Enforcement

Non-compliant computers are:

• Limited by packet filters enforced by the switch

• Limited by a VLAN enforced by the switch

Considerations for 802.1X enforcement:

• More secure than DHCP enforcement, because the restriction is applied by the switch port rather than by settings the client can override

• Switches must support 802.1X

• Health status is sent as part of the authentication process
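The VLAN restriction is carried from NPS to the switch inside the RADIUS Access-Accept. The following added example (not code from the course module, NPS or any switch vendor) builds that message the way an 802.1X design relies on it: the RFC 3580 tunnel attributes that name the VLAN, the Message-Authenticator that EAP exchanges require, and the Response Authenticator the switch must check before trusting the assignment. The shared secret, the Request Authenticator and the two VLAN numbers are constructed values for this example.

```python
import hashlib
import hmac
import struct
from typing import Dict, List

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64            # RFC 2868 tunnel attributes
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed values: the shared secret and the Request Authenticator that
# the switch would have sent in its Access-Request.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
FULL_ACCESS_VLAN = 10    # assumed VLAN numbers for this example
RESTRICTED_VLAN = 99     # reaches only the remediation servers


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> List[bytes]:
    """RFC 3580 VLAN assignment: three tunnel attributes tied together by one tag byte."""
    t = bytes([tag])
    return [
        avp(ATTR_TUNNEL_TYPE, t + struct.pack(">I", TUNNEL_TYPE_VLAN)[1:]),
        avp(ATTR_TUNNEL_MEDIUM_TYPE, t + struct.pack(">I", TUNNEL_MEDIUM_IEEE_802)[1:]),
        avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()),
    ]


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attributes: List[bytes]) -> bytes:
    """Access-Accept with Message-Authenticator (RFC 3579 3.2) and Response
    Authenticator (RFC 2865 3). The MA is HMAC-MD5 over the packet with the
    Request Authenticator in the header and the MA value itself zeroed."""
    body = b"".join(attributes)
    zero_ma = avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(body) + len(zero_ma))
    ma = hmac.new(secret, header + request_auth + body + zero_ma, hashlib.md5).digest()
    attrs = body + avp(ATTR_MESSAGE_AUTHENTICATOR, ma)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def iter_attributes(attrs: bytes):
    i = 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed attribute")
        yield i, t, attrs[i + 2:i + l]
        i += l


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch must check before honouring the VLAN: both authenticators."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    try:
        for offset, t, value in iter_attributes(attrs):
            if t == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = attrs[:offset + 2] + bytes(16) + attrs[offset + 18:]
                ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
                return hmac.compare_digest(ma, value)
    except ValueError:
        return False
    return False  # no Message-Authenticator: reject for an EAP exchange


def assigned_vlan(packet: bytes) -> int:
    """Read the VLAN back, matching the three tunnel attributes by their tag."""
    ttype: Dict[int, int] = {}
    medium: Dict[int, int] = {}
    group: Dict[int, str] = {}
    for _, t, v in iter_attributes(packet[20:]):
        if t == ATTR_TUNNEL_TYPE:
            ttype[v[0]] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_MEDIUM_TYPE:
            medium[v[0]] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            group[v[0]] = v[1:].decode()
    for tag, vid in group.items():
        if ttype.get(tag) == TUNNEL_TYPE_VLAN and medium.get(tag) == TUNNEL_MEDIUM_IEEE_802:
            return int(vid)
    raise ValueError("no VLAN assignment in packet")


def accept_for_health(compliant: bool, identifier: int, request_auth: bytes,
                      secret: bytes) -> bytes:
    """NPS decision: compliant clients get the production VLAN, others the restricted one."""
    vlan = FULL_ACCESS_VLAN if compliant else RESTRICTED_VLAN
    return build_access_accept(identifier, request_auth, secret, vlan_attributes(vlan))
```

The security of this enforcement method rests on the switch verifying both authenticators with a strong shared secret before moving the port: an Access-Accept that fails either check must be discarded, otherwise anyone on the path between switch and NPS could assign a noncompliant machine to the production VLAN.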

Page 18

Considerations for Designing IPsec Enforcement

Non-compliant computers are:

• Limited by IPsec policies: without a health certificate they cannot open IPsec-protected connections to compliant computers

Considerations for IPsec enforcement:

• Offers the highest level of security, because the restriction is enforced host by host and does not depend on the network path

• Can provide encryption of data

• Requires no additional hardware

• Can be used for both IPv4 and IPv6

• Requires a CA and an HRA