Microsoft Integrated Security Solution Centered on NAP (Network Access Protection)
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Date: Sep. 19 (Wed.)
Speaker: 김현준, Director (부장), Microsoft Korea (한국마이크로소프트)
Table of Contents
• Network Access Protection overview
• How NAP works and its components
• Criteria, implementation and functions of each NAP enforcement option
• NAP integration targets and methods
• NAP partners
• References
IT Challenges and Solution Requirements

IT challenges
• When unmanaged computers can connect freely to the corporate network, there is a risk of infection by viruses, worms, malware and the like
• A variety of devices connect to the corporate network through public networks
• Existing protections such as firewalls and DMZs alone cannot prevent this
Summary: network access by unmanaged computers raises a wide range of security risks

Solution requirements
• A comprehensive quarantine system is needed to verify PC health (checking OS security settings, antivirus and other components)
• Reduce threats to the business and its services
• Interoperability with diverse infrastructure environments
Summary: a comprehensive quarantine system is needed for network health and secure communication

As the risk posed by PCs accessing the network has come to the fore, the need for a comprehensive quarantine system that verifies and enforces system requirements on computers is growing.
Network Access Protection Overview

NAP is a policy enforcement platform built into Windows Server 2008 and Windows Vista. By enforcing compliance with health requirements, it helps protect network assets more effectively.

Main NAP process
• Health policy validation: checks whether the computer complies with the health policy requirements
• Network access restriction: if the computer is "compliant", Full Access is allowed; access for non-compliant computers is restricted. How the restriction is applied differs by enforcement mechanism (DHCP, 802.1x, IPSec, VPN)
• Automatic remediation: provides the updates a non-compliant computer needs in order to become compliant; once remediated, the network restriction is lifted
• Ongoing compliance: compliant computers are updated automatically to keep pace with continual changes in the health policy requirements
Features of Network Access Protection

Key characteristics
• Focuses on rigorously verifying and enforcing policy-based system health requirements
• Provides "Unhealthy" clients with access to update servers so they can be updated

A practical solution: flexible, selectable built-in technology
• Built-in operating system features can be configured and used selectively according to customer needs
• The enforcement option used to restrict network access can be chosen (DHCP, IPSec, 802.1x, VPN; options can be combined)

Extensibility as a platform
• Extensible platform architecture: network vendors can add further value
• Easy extension by third parties through the NAP API

Broad industry standard support
• End-to-end services from multiple vendors can be built on a standards basis (TSG)
• An ecosystem of more than 60 partners
Network Access Protection Scenarios
• Health checks for the laptops of mobile users (Roaming Laptop)
• Health checks for the desktop computers of in-house information workers (Desktop PC)
• Health checks for visitors' laptops (Visiting Laptop)
• Health checks for unmanaged home computers (Unmanaged Home PC)
How Network Access Protection Works

Diagram components: Windows Client (NAP client); Network Access Device (NAD); Network Policy Server (NPS); System Health Server (e.g. Patch, AV); Remediation Servers (e.g. Patch, AV); Restricted Network; Corporate Network.

1. When requesting network access, the client sends its "Health" state along with the request
2. The NAD forwards the "Health" state to the NPS
3. The NPS checks compliance against the predefined "health" policy
4. A "Non-compliant" PC is quarantined in the restricted network, where it goes through the update process against the Remediation Servers
5. A "Compliant" PC is given "Full Access" to the corporate network
Network Access Protection Components

Client
• SHA: the health agent that checks the client's state
• NAP Agent: coordinates the SHAs and ECs
• EC: the enforcement method
Remediation Server
• Provides patches, AV signatures, etc.
Network Policy Server
• SHV: evaluates the SHA responses
• NAP Server: evaluates the client's "health"
System Health Server
• Provides the SHV

Component diagram (as labelled on the slide)
• Network Policy Server: NAP Server; System Health Validators (SHV): MS SHV, SHV 1, SHV 2
• NAP Client: NAP Agent; System Health Agents (SHA): MS SHA, SHA 1, SHA 2; Enforcement Clients (EC): IPSec, DHCP, 802.1x, VPN, 3rd Party
• Network Access Device & Server, between the client and the NPS
• System Health Servers and Remediation Servers
• Flows shown: health policy, updates, health data, network access requests
NAP Components in Detail

1. Network Policy Server
• Network Policy Server (RADIUS) in Windows Server 2008
• An extension of IAS in Windows Server 2003; policies for NAP can be defined on it

2. SHA & SHV
• System Health Agent: the client module that checks the "Health" state
• System Health Validator: the server module that validates "Health"
• In addition, SHAs and SHVs for antivirus are planned from System Center Configuration Manager 2007 (SMS v4) and from third parties

3. SoH & NAP Agent/Server
• SoH (Statement of Health): data produced by each SHA describing the client's state
• NAP Agent: calls each SHA to obtain its SoH, acts on the quarantine result, and calls the EC
• NAP Server: receives the SoH and calls the corresponding SHV to validate it

4. Enforcement Clients
• The module that enforces the network restriction when the quarantine result is "unhealthy"
• Four modules, one per restriction method (DHCP, IPSec, 802.1x, VPN), used selectively

5. Access Point (Network Access Device)
• Network Access Device: receives the SoH from each SHA and relays it to the NPS
• If the quarantine result is "Unhealthy", applies the network restriction through the QEC
• Behaviour differs according to the network restriction option in use

6. Update Management Server (Remediation Server)
• Servers that remain reachable even from the restricted network and supply clients with a means of updating:
  - An IT support website providing update guidance
  - System Center Configuration Manager 2007 distribution points
  - A file server providing the latest antivirus definition files, etc.

7. System Health Server
• System Health Server: required depending on the type of SHV
• Provides the NPS with the information needed for quarantine decisions: the latest patch information, virus definition files, other policies, etc.
NAP Enforcement Options and Status per Option

DHCP
• Enforcement point: DHCP server (Windows Server 2008)
• "Unhealthy": restricted set of routes. The client is assigned an IP address with no default gateway and a subnet mask of 255.255.255.255
• "Healthy": full IP configuration and Full Access
• Boundary network access: static routes with netmask 255.255.255.255 are distributed through the DHCP scope options

IPSec
• Enforcement point: Health Registration Authority (Windows Server 2008), which issues certificates for IPSec mutual authentication only to clients that pass the policy check
• "Unhealthy": healthy peers reject connection requests from unhealthy systems
• "Healthy": can communicate with trusted peers
• Boundary network access: servers in the boundary network are not configured to require IPSec mutual authentication

802.1x
• Enforcement point: 802.1x-capable switch, which assigns a VLAN to the switch access port dynamically according to the check result
• "Unhealthy": Restricted VLAN
• "Healthy": Full Access
• Boundary network access: routing between the restricted-network VLAN and the boundary-network VLAN

VPN
• Enforcement point: VPN server (Windows Server 2008 or 3rd party), which monitors traffic passing through it and filters traffic from clients that did not pass the check
• "Unhealthy": the client's traffic is restricted by filtering (the slide's cell is labelled "Restricted VLAN")
• "Healthy": Full Access
• Boundary network access: servers exempt from filtering are specified by IP address
NAP Implementation and Functions by Option – DHCP

DHCP implementation overview. Diagram components: NAP client (Vista, XP); DHCP server (Windows Server 2008); NPS server (Windows Server 2008); Remediation server (SMS v4 etc.); AD; secure network, boundary network, restricted network.

Enforcement process
① On the DHCP request, the client sends its Statement of Health (SoH)
② The DHCP server relays the SoH to the NPS server, which checks "Compliance" with policy
③ The "Compliance" or "Non-Compliance" result is returned to the DHCP server (SoHR)
④ If "Compliance", a full IP address is assigned; if "Non-Compliance", a restricted IP address is assigned
⑤ A "Non-Compliance" client reaches the Remediation server over the static route and updates
NAP Implementation and Functions by Option – IPSec

IPSec implementation overview. Diagram components: NAP client (Vista, XP); Health Registration Authority (subordinate standalone CA); NPS server (Windows Server 2008); Root CA; AD; Remediation server (SMS v4 etc.); secure network, boundary network, restricted network.

Enforcement process
① On network access, the client sends its Statement of Health (SoH) to the HRA
② The HRA relays the SoH to the NPS server, which checks "Compliance" with policy
③ The "Compliance" or "Non-Compliance" result is returned to the HRA
④ If "Compliance", a certificate is issued through the HRA
⑤ A "Non-Compliance" client accesses the Remediation server and updates
NAP Implementation and Functions by Option – 802.1x

802.1x implementation overview. Diagram components: NAP client (Vista, XP); 802.1x-capable switch; NPS server (Windows Server 2008); AD; Remediation server (SMS v4 etc.); secure network (VLAN1), boundary network (VLAN2), restricted network (VLAN3).

Enforcement process
① On network access, the client sends its Statement of Health (SoH) to the network device
② The network device relays the SoH to the NPS server, which checks "Compliance" with policy
③ VLAN information is returned according to the "Compliance" or "Non-Compliance" result
④ The VLAN of the network access port is set dynamically
⑤ A "Non-Compliance" client accesses the Remediation server and updates
NAP Implementation and Functions by Option – VPN

VPN implementation overview. Diagram components: NAP client (Vista, XP) on the Internet; VPN server (Windows Server 2008); NPS server (Windows Server 2008); AD; Remediation server (SMS v4 etc.); secure network, boundary network.

Enforcement process
① On VPN connection, the client sends its Statement of Health (SoH) to the VPN server
② The VPN server relays the SoH to the NPS server, which checks "Compliance" with policy
③ The "Compliance" or "Non-Compliance" result is returned
④ Packet filtering is applied according to the check result
⑤ Because of the packet filtering, a "Non-Compliance" client can reach only the update server
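The decision flow shared by the four option slides, as an added example that is not part of the original deck: the NAP Agent collects one SoH per SHA, the NPS dispatches each SoH to its SHV, and the resulting SoHR drives the enforcement client for DHCP, IPSec, 802.1x or VPN. Policy thresholds, SoH field names, VLAN numbers and IP addresses are constructed for this example.

```python
# Added example, not from the slide deck: a model of the NAP decision flow the slides
# describe (SoH from each SHA -> NPS dispatches to the SHV -> SoHR -> enforcement).
# Thresholds, SoH fields, VLAN ids and addresses are constructed; real SoHs are binary.
from typing import Callable, Dict, List, Tuple
POLICY = {"max_missing_patches": 0, "av_max_age_days": 3}  # NPS health policy (constructed)
REMEDIATION = ["10.0.9.10", "10.0.9.11"]  # remediation servers, reachable when restricted
VLANS = {"corporate": 1, "boundary": 2, "restricted": 3}  # VLAN1/2/3 as on the 802.1x slide


def ms_shv(soh: Dict) -> List[str]:
    """MS SHV: validates the Windows SHA's firewall and patch state."""
    fails = []
    if not soh.get("firewall_on", False):
        fails.append("firewall_off")
    if soh.get("missing_patches", 9999) > POLICY["max_missing_patches"]:
        fails.append("patches_missing")
    return fails


def av_shv(soh: Dict) -> List[str]:
    """Partner AV SHV: validates the signature age reported by the vendor's SHA."""
    return ["av_signatures_stale"] if soh.get("av_age_days", 9999) > POLICY["av_max_age_days"] else []


# The NAP Server hands each SoH to the SHV registered for the SHA that produced it.
SHVS: Dict[str, Callable[[Dict], List[str]]] = {"MS SHA": ms_shv, "AV SHA": av_shv}


def nps_evaluate(sohs: List[Dict]) -> Tuple[bool, Dict[str, List[str]]]:
    """Build the SoHR (one verdict per SHA). Compliant only if every SHA passes; an SHA
    with no installed SHV, or a request carrying no SoH at all, fails closed."""
    sohr = {s["sha"]: SHVS[s["sha"]](s) if s["sha"] in SHVS else ["no_shv"] for s in sohs}
    return bool(sohr) and not any(sohr.values()), sohr


def enforce(method: str, compliant: bool) -> Dict:
    """Enforcement outcome per option, following the option table above."""
    if method == "dhcp":    # restricted lease: /32 mask, no default gateway, host routes only
        return ({"mask": "255.255.255.0", "gateway": "10.0.1.1"} if compliant else
                {"mask": "255.255.255.255", "gateway": None,
                 "static_routes": [f"{ip}/32" for ip in REMEDIATION]})
    if method == "ipsec":   # the HRA issues a health certificate only to compliant clients
        return {"health_cert_issued": compliant}
    if method == "802.1x":  # the switch sets the access port's VLAN from the result
        return {"vlan": VLANS["corporate" if compliant else "restricted"]}
    if method == "vpn":     # the VPN server filters everything except remediation traffic
        return {"allowed_dst": ["any"] if compliant else list(REMEDIATION)}
    raise ValueError(f"unknown enforcement method: {method}")


def access_request(method: str, sohs: List[Dict]) -> Dict:
    """One access request end to end: SoH -> NPS/SHV -> SoHR -> enforcement decision."""
    compliant, sohr = nps_evaluate(sohs)
    return {"compliant": compliant, "sohr": sohr, "enforcement": enforce(method, compliant)}
```

Calling `access_request("dhcp", sohs)` for a client whose AV SHA reports 10-day-old signatures yields a non-compliant SoHR and a /32 lease with no gateway and host routes only to the remediation servers.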
NAP Integration Targets and Methods

Overview of SCCM 2007 and NAP integration. Diagram components: NAP client (Vista, XP); Network Policy Server; SCCM Site Server; SCCM Distribution Point; MS Download Center; Active Directory; secure network, boundary network, restricted network / Internet.

Flows shown on the slide
• Catalog synchronization between the SCCM Site Server and the MS Download Center
• Policy
• Update patches stored on the SCCM Distribution Point
• On network access, the client sends its health information
• Policy check and relay of the health information ("Compliant" or "Non Compliant")
• Updates performed according to the policy check result

• Client "health" is managed through SCCM 2007's security update management features and processes
• Covers typical and zero-day exploit scenarios, and eases planning and deployment of the NAP infrastructure
Network Access Protection Partners

NAC–NAP interoperability architecture (Cisco)
• Interoperability and customer choice
• Single agent included in Windows Vista
• Independent Software Vendor (ISV) integration ecosystem
• Agent deployment and update support
• Cross-platform support

Architecture diagram components
• Client: Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host QEC; speaks EAP-FAST
• Network access point: Cisco switches and routers; 802.1x or UDP (EAPoUDP) towards the client
• Policy server: MS NPS and Cisco ACS, linked over HCAP; RADIUS (EAP-FAST) from the access point; Health Registration Authority (HRA) reached via HCEP
References
• Windows Server Code Name "Longhorn" Beta 3: http://www.microsoft.com/windowsserver/longhorn/default.mspx
• Network Access Protection TechNet: http://www.microsoft.com/technet/network/nap/default.mspx
• Network Access Protection Forum: http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17
• Network Access Protection MSDN: http://msdn2.microsoft.com/en-us/library/aa369712.aspx

Q & A

HPS Services Portfolio v3.0 (slide footer, dated 27 September, Dangi 4340, i.e. 2007)