Page 1: Microsoft Integrated Security Solution Centered on NAP (NAP를 중심으로 한 Microsoft 통합 보안 솔루션)

© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Date: Sep. 19 (Wed.)

김현준 / Director (부장), Microsoft Korea (한국마이크로소프트)

Page 2: Table of Contents

• Network Access Protection overview
• How NAP works and its components
• Criteria, implementation and features of each NAP enforcement option
• NAP integration targets and methods
• NAP partners
• References

Page 3: IT Challenges and Solution Requirements

IT challenges

• If unmanaged computers can connect freely to the corporate network, there is a risk of infection by viruses, worms, malware and the like.
• A wide range of devices connect to the corporate network through public networks.
• Existing security measures such as firewalls and a DMZ alone cannot prevent this.

Network access by unmanaged computers raises a broad range of security risks.

Solution requirements

• A comprehensive quarantine regime is needed to verify the health of each PC (checking components such as OS security settings and antivirus).
• Reduce threats to the business and its services.
• Interoperability with diverse infrastructure environments.

A comprehensive quarantine regime is needed to ensure the health of the network and secure communication.

As the risk posed by PCs accessing the network has come to the fore, the need for a comprehensive quarantine regime that checks and enforces system requirements on computers is growing.

Page 4: Network Access Protection Overview

NAP key process

NAP is a policy enforcement platform built into Windows Server 2008 and Windows Vista; by enforcing compliance with health requirements it lets you protect network assets more effectively.

Health policy validation
• Checks whether a computer complies with the health policy requirements
• If "compliant", Full Access is allowed

Network access restriction
• Restricts access by non-compliant computers
• Differs by network access protection enforcement mechanism (DHCP, 802.1x, IPSec, VPN)

Automatic remediation
• Provides the updates a non-compliant computer needs to become compliant
• After remediation, the network restriction is lifted

Ongoing compliance
• Automatically updates compliant computers so they keep up with continual changes in the health policy requirements

Page 5: Features of Network Access Protection

Key features

A practical solution
• Focuses on thoroughly checking and enforcing policy-based system health requirements
• Provides "unhealthy" clients with access to the update servers they need in order to update

Flexible, selectable built-in technology
• The operating system's built-in features can be configured and used selectively according to customer needs
• The enforcement option used to restrict network access can be chosen (DHCP, IPSec, 802.1x, VPN; options can be combined)

Extensibility as a platform
• Extensible platform architecture: network vendors can deliver additional value on top of it
• Easily extended by 3rd parties through the NAP API

Broad industry standard support
• End-to-end services from a range of vendors can be built on a standards basis (TSG)
• Ecosystem of more than 60 partners

Page 6: Network Access Protection Scenarios

NAP deployment scenarios

• Roaming Laptop: health check of mobile users' laptop computers
• Desktop PC: health check of in-house information workers' desktop computers
• Visiting Laptop: health check of visitors' laptops
• Unmanaged Home PC: health check of unmanaged home computers

Page 7: How Network Access Protection Works

How it works!

Participants in the diagram: Windows Client (NAP client), Network Access Device (NAD), Network Policy Server (NPS), System Health Server (e.g. Patch, AV), Remediation Servers (e.g. Patch, AV), Restricted Network, Corporate Network.

1. When requesting network access, the client sends its "Health" state along with the request.
2. The NAD forwards the "Health" state to the NPS.
3. The NPS checks compliance against the predefined "health" policy.
4. A "Non-compliant" PC is quarantined into the restricted network, where it goes through the update process.
5. A "Compliant" PC is given "Full Access" to the network.

Page 8: Network Access Protection Components

NAP components

• Client
  • SHA – the System Health Agent checks the client's health state
  • NAP Agent – coordinates the SHAs and ECs
  • EC – the Enforcement Client for each enforcement method

• Remediation Server
  • Provides patches, AV signatures, etc.

• Network Policy Server
  • SHV – evaluates the SHA responses
  • NAP Server – evaluates the client's "health"

• System Health Server
  • Provides the SHV

Component diagram: the NAP Client hosts the NAP Agent, the System Health Agents (MS SHA, SHA 1, SHA 2) and the Enforcement Clients (IPSec, DHCP, 802.1x, VPN, 3rd Party). It sends Health Data and Network Access Requests through the Network Access Device & Server to the Network Policy Server, which hosts the NAP Server and the System Health Validators (MS SHV, SHV 1, SHV 2). The System Health Servers supply the Health policy to the NPS, and the Remediation Servers supply Updates to the client.

Page 9: NAP Component Details

1. Network Policy Server
• Network Policy Server (RADIUS) – Windows Server 2008
• An extension of IAS in Windows Server 2003 – policies for NAP can be defined

2. SHA & SHV
• System Health Agent: client module that checks the "Health" state
• System Health Validator: server module that validates "Health"
• In addition, SHAs and SHVs for AV are planned from System Center Configuration Manager 2007 (SMS v4) and from 3rd parties

3. SoH & NAP Agent/Server
• SoH (Statement of Health): data describing the client's state, written by each SHA
• NAP Agent: calls each SHA to obtain its SoH, acts on the quarantine result, and calls the EC
• NAP Server: receives the SoH and calls the corresponding SHV to validate it

Page 10: NAP Component Details, continued

4. Enforcement Clients
• Module that enforces the network restriction when the quarantine result is "unhealthy"
• Four modules by restriction method, DHCP, IPSec, 802.1X and VPN, used selectively

5. Access point (Network Access Device)
• Network Access Device: receives the SoH from each SHA and relays it to the NPS
• If the quarantine result is "Unhealthy", applies the network restriction together with the QEC
• Differs by network restriction enforcement option

6. Update management server (Remediation Server)
• Servers that remain accessible even while the network is restricted and give clients a means to update:
  • an IT support website providing update guides
  • a System Center Configuration Manager 2007 distribution point
  • a file server providing the latest antivirus definition files, etc.

7. System Health Server
• System Health Server: required depending on the type of SHV
• Server that provides the NPS with the information needed for quarantine: latest patch information, virus definition files, other policies, etc.

Page 11: NAP Enforcement Options and State per Option

Option | Enforcement point (access point) | "Unhealthy" state | Boundary network access | "Healthy" state
DHCP | DHCP server (Windows Server 2008) | Restricted set of routes: an IP address is assigned with no Default Gateway and a subnet mask of 255.255.255.255 | Static routing information with netmask 255.255.255.255 is distributed through the DHCP scope options | Full IP configuration and Full Access
IPSec | Health Registration Authority (Windows Server 2008) | Healthy peers reject connection requests from unhealthy systems: a certificate for IPSec mutual authentication is issued only to clients that pass the policy check | Servers on the boundary network are not configured to require IPSec mutual authentication | Can communicate with trusted peers
802.1x | 802.1x-capable switch | Restricted VLAN: a VLAN is assigned dynamically to the switch access port according to the check result | Routing between the restricted-network VLAN and the boundary-network VLAN | Full Access
VPN | VPN server (Windows Server 2008 or 3rd Party) | Traffic passing through the VPN server is monitored, and traffic from clients that fail the check is filtered and restricted | Servers that are exempt from filtering are configured by IP address | Full Access

Page 12: NAP Implementation and Features per Option – DHCP

DHCP implementation overview

Components: NAP client (Vista, XP), DHCP server (Windows Server 2008), NPS server (Windows Server 2008), Remediation server (SMS v4 etc.), AD; the secure network, the boundary network and the restricted network.

Enforcement process
① On the DHCP request, the client sends its statement of health (SoH).
② The DHCP server relays the SoH to the NPS server, and the NPS checks "Compliance" with the policy.
③ The result, "Compliance" or "Non-Compliance", is returned to the DHCP server (SoHR).
④ If "Compliance", a full IP address is assigned; if "Non-Compliance", a restricted IP address is assigned.
⑤ A "Non-Compliance" client reaches the Remediation server through the static route and updates.

Page 13: NAP Implementation and Features per Option – IPSec

IPSec implementation overview

Components: NAP client (Vista, XP), Health Registration Authority (subordinate standalone CA), NPS server (Windows Server 2008), Root CA, Remediation server (SMS v4 etc.), AD; the secure network, the boundary network and the restricted network.

Enforcement process
① On network access, the client sends its statement of health (SoH) to the HRA.
② The HRA relays the SoH to the NPS server, and the NPS checks "Compliance" with the policy.
③ The result, "Compliance" or "Non-Compliance", is returned to the HRA.
④ If "Compliance", a certificate is issued through the HRA.
⑤ A "Non-Compliance" client reaches the Remediation server and updates.

Page 14: NAP Implementation and Features per Option – 802.1x

802.1x implementation overview

Components: NAP client (Vista, XP), 802.1x-capable switch, NPS server (Windows Server 2008), Remediation server (SMS v4 etc.), AD; the secure network (VLAN1), the boundary network (VLAN2) and the restricted network (VLAN3).

Enforcement process
① On network access, the client sends its statement of health (SoH) to the network device.
② The network device relays the SoH to the NPS server, and the NPS checks "Compliance" with the policy.
③ VLAN information is returned according to the "Compliance" or "Non-Compliance" result.
④ The VLAN of the network access port is set dynamically.
⑤ A "Non-Compliance" client reaches the Remediation server and updates.

Page 15: NAP Implementation and Features per Option – VPN

VPN implementation overview

Components: NAP client (Vista, XP), VPN server (Windows Server 2008), NPS server (Windows Server 2008), Remediation server (SMS v4 etc.), AD; the Internet, the boundary network and the secure network.

Enforcement process
① On VPN connection, the client sends its statement of health (SoH) to the VPN server.
② The VPN server relays the SoH to the NPS server, and the NPS checks "Compliance" with the policy.
③ The result, "Compliance" or "Non-Compliance", is returned.
④ Packet Filtering is applied according to the check result.
⑤ Because of the Packet Filtering, a "Non-Compliance" client can reach only the update servers.
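The NPS evaluation and the per-option enforcement described on pages 9 to 15, as an added example that is not part of the original deck: each SHA's SoH is checked by its SHV, the NAP Server builds the SoHR, and the result is mapped to the DHCP lease, IPSec certificate, VLAN or VPN filter outcome. The SHV policies, the addresses and the VLAN numbers are constructed; the restricted DHCP lease (mask 255.255.255.255, no default gateway, host routes to the remediation servers) follows page 11.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Statement of Health (SoH): the data each System Health Agent (SHA) writes about the client.
@dataclass
class SoH:
    sha: str          # which SHA produced it, e.g. "av" or "patch"
    attributes: dict  # constructed health attributes reported by that SHA

# System Health Validators (SHVs): one server-side check per SHA. Policies are constructed.
def av_shv(soh: SoH) -> bool:
    """AV must be enabled and its signatures no older than 7 days."""
    return bool(soh.attributes.get("av_enabled")) and soh.attributes.get("signature_age_days", 99) <= 7

def patch_shv(soh: SoH) -> bool:
    """No missing critical patches."""
    return soh.attributes.get("missing_critical_patches", 1) == 0

SHVS: Dict[str, Callable[[SoH], bool]] = {"av": av_shv, "patch": patch_shv}

def nap_server_evaluate(sohs: List[SoH]) -> dict:
    """NAP Server role on the NPS: run the matching SHV over each SoH and build the SoHR.

    Fails closed: a SoH with no matching SHV, or a required SHV with no SoH, is non-compliant.
    """
    per_shv = {soh.sha: bool(SHVS.get(soh.sha, lambda _: False)(soh)) for soh in sohs}
    compliant = set(per_shv) == set(SHVS) and all(per_shv.values())
    return {"compliant": compliant, "per_shv": per_shv}

# Constructed addresses of the remediation servers reachable from the restricted network.
REMEDIATION_SERVERS = ["10.0.50.10", "10.0.50.11"]

def enforce(option: str, sohr: dict) -> dict:
    """Map the SoHR onto the enforcement action of each NAP option on the slides."""
    ok = sohr["compliant"]
    if option == "dhcp":
        if ok:
            return {"mask": "255.255.255.0", "gateway": "10.0.10.1", "routes": []}
        # Restricted lease: /32 mask, no default gateway, host routes only to remediation servers.
        return {"mask": "255.255.255.255", "gateway": None,
                "routes": [f"{r}/32" for r in REMEDIATION_SERVERS]}
    if option == "ipsec":
        # The HRA issues a health certificate only to a compliant client.
        return {"health_certificate": ok}
    if option == "802.1x":
        # VLAN1 is the secure network, VLAN3 the restricted network (page 14 numbering).
        return {"vlan": 1 if ok else 3}
    if option == "vpn":
        # The VPN server filters a non-compliant client down to the update servers only.
        return {"allowed_destinations": "any" if ok else list(REMEDIATION_SERVERS)}
    raise ValueError(f"unknown NAP enforcement option: {option}")

if __name__ == "__main__":
    # Constructed client: AV enabled but signatures 30 days old, fully patched.
    client = [SoH("av", {"av_enabled": True, "signature_age_days": 30}),
              SoH("patch", {"missing_critical_patches": 0})]
    sohr = nap_server_evaluate(client)
    for option in ("dhcp", "ipsec", "802.1x", "vpn"):
        print(option, enforce(option, sohr))
```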

Page 16: SCCM 2007 and NAP Integration Overview

NAP integration targets and methods

• Client "health" is managed through the security update management features and processes of SCCM 2007
• Typical and Zero-Day Exploit scenarios / easier planning and deployment of the NAP infrastructure

Components: NAP client (Vista, XP), network access point, Network Policy Server, SCCM Site Server, SCCM Distribution Point, MS Download Center, Active Directory; the secure network, the boundary network, and the restricted network / Internet.

Flows in the diagram:
• Catalog synchronization from the MS Download Center to the SCCM Site Server
• Policy distribution
• Update patches are stored on the SCCM Distribution Point
• On network access, the client sends its health information
• The network access point checks policy and relays the health information to the NPS
• The result, "Compliant" or "Non Compliant", is returned
• Updates are performed according to the policy check result

Page 17: NAC-NAP Integration Architecture

• Interoperability and customer choice
• Single agent included in Windows Vista
• Independent Software Vendor (ISV) integration ecosystem
• Agent deployment and update support
• Cross-platform support

Architecture in the diagram (Client, Policy Server and Partner layers): on the Client, Partner System Health Agents (SHAs) feed the NAP Agent (QA), which uses the EAP Host QEC. Protocols shown: EAP-FAST over 802.1x or UDP (EAPoUDP) between the client and the Cisco Switches and Routers, RADIUS, HCAP between Cisco ACS and the MS NPS, and HCEP to the Health Registration Authority (HRA).

Page 18: Network Access Protection Partners

Page 19: References

Windows Server Code Name "Longhorn" Beta 3
http://www.microsoft.com/windowsserver/longhorn/default.mspx

Network Access Protection TechNet
http://www.microsoft.com/technet/network/nap/default.mspx

Network Access Protection Forum
http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17

Network Access Protection MSDN
http://msdn2.microsoft.com/en-us/library/aa369712.aspx

Page 20: Q & A

Dangi 4340 (2007), September 27, HPS Services Portfolio v3.0