Module 6: Network Policies and Access Protection
Module Overview
- Describe how Network Access Protection (NAP) works
- Identify NAP enforcement options
- Identify scenarios for NAP usage
- Describe Routing and Remote Access (RRAS)
Lesson 1: Network Access Protection
- Identify uses for NAP
- Describe NAP
- Describe how NAP integrates with other components
- Describe NAP architecture
- Describe Network Layer Protection with NAP
- Describe Host Layer Protection with NAP
Why Use Network Access Protection?
(Diagram labels: Private Network; Healthy computer; Unhealthy computer)
Network Protection Services Overview
- Network Policy Server (NPS)
  - Network Access Protection (NAP) Policy Server
  - IEEE 802.11 Wireless
  - IEEE 802.3 Wired
  - RADIUS Server
  - RADIUS Proxy
- Routing and Remote Access
  - Remote Access Service
  - Routing
- Health Registration Authority (HRA)
Network Access Protection Solution
- Policy Validation
- Network Restriction
- Remediation
- Ongoing Compliance
(Diagram: defense-in-depth layers, from innermost outward: Data; Application; Host; Internal Network; Perimeter; Policies, Procedures & Awareness)
NAP Architecture Overview
Components:
- System Health Servers (send the health policy to the Network Policy Server)
- Remediation Servers (send updates to the client)
- MS Network Policy Server
  - System Health Validator
  - Quarantine Server (QS)
- Network Access Devices and Servers (DHCP, IPsec, 802.1X, VPN)
- Client
  - System Health Agent (SHA), from MS and 3rd parties
  - Quarantine Agent (QA)
  - Enforcement Client (EC)
Flows shown in the diagram: Health policy (System Health Servers to NPS); Updates (Remediation Servers to Client); Health Statements and Network Access Requests (Client to Network Access Devices to NPS); Health Certificate (returned to the client).
Network Layer Protection with NAP
(Diagram actors: Client; 802.1X Switch; MS NPS; Remediation Servers; Restricted Network; System Health Servers)
1. System Health Servers send ongoing policy updates to the Network Policy Server.
2. Client: "May I have access? Here's my current health status."
3. Switch to NPS: "Should this client be restricted based on its health?"
4. NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
5. Switch to Client: "You are given restricted access until fix-up."
6. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
7. Client: "Requesting access. Here's my new health status."
8. NPS: "According to policy, the client is up to date. Grant access."
9. Client is granted access to the full intranet.
Host Layer Protection with NAP
(Diagram zones: No Policy; Authentication Optional; Authentication Required. Actors: Client; HRA; NPS; Remediation Server)
1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client ok?"
3. NPS: "No. Needs fix-up." HRA to Client: "You don't get a health certificate. Go fix up."
4. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
5. Client re-submits its SoH. NPS: "Yes. Issue health certificate." HRA to Client: "Here's your health certificate."
6. Client accessing the network.
Lesson 2: Enforcement Options
- Identify the NAP enforcement options
- Show how NAP works with DHCP enforcement
- Show how NAP works with IPsec-based communication
- Show how NAP works with RRAS
NAP – Enforcement Options

Enforcement | Healthy Client                        | Unhealthy Client
------------|---------------------------------------|-----------------------------------------------------------
DHCP        | Full IP address given, full access    | Restricted set of routes
802.1X      | Full access                           | Restricted VLAN
VPN         | Full access                           | Restricted VLAN
IPsec       | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

IPsec enforcement:
- Complements layer 2 protection
- Works with existing servers and infrastructure
- Offers flexible isolation
NAP with DHCP
(Diagram actors: Client; DHCP Server; NPS Server; Remediation Servers; IEEE 802.1X Devices; VPN Server)
1. Client to DHCP Server: "I need to lease an IP address."
2. NPS Server: "You are not within the Health Policy requirements."
3. The client requests and receives updates from the Remediation Servers.
4. Client: "Requesting access. Here's my new health status."
5. DHCP Server: "Access granted. Here is your new IP address."
IPsec-based Communication
(Diagram: Secure network (IPsec authenticated); Boundary network; Restricted network (unauthenticated))
NAP with RRAS
(Diagram: Client exchanges PEAP messages with the VPN Server; the VPN Server exchanges RADIUS messages with the NPS Server; Remediation Servers)
Lesson 3: Network Access Protection Scenarios
- Describe a roaming laptops NAP scenario
- Describe a desktop computers NAP scenario
- Describe a visiting laptops NAP scenario
- Describe an unmanaged home computer NAP scenario

Scenario 1: Roaming Laptops
(Diagram label: NAP)

Scenario 2: Health of Desktop Computers
(Diagram label: Network Policy Server)

Scenario 3: Health of Visiting Laptops
(Diagram label: Network Policy Server)

Scenario 4: Unmanaged Home Computers
Lesson 4: Routing and Remote Access (RRAS)
- Plan RRAS Configuration
- Describe Scenarios and Features of Microsoft RRAS
- Configure SSTP remote access servers
- Configure SSTP remote access clients
- Using Packet Filtering
- How Packet Filters Are Applied
RRAS configuration considerations
(Diagram: VPN Client to VPN Server)
- IP Addressing
- Tunneling
- Remote Access Policy
- Filtering
Features of Microsoft RRAS
Scenarios:
- Remote access
- Site-to-site connectivity
- Internet access router
- LAN router
Optional Features:
- RRAS packet filter configuration
- Connection Manager Administration Kit
- Multicast scope configuration
- Unicast routing
- Authentication schemes
- Strong encryption
Configure SSTP Remote Access Server
Configure the RRAS Server:
- Install Active Directory Certificate Services and Web Server
- Create and install the Server Authentication certificate
- Install Routing and Remote Access
- Configure Routing and Remote Access
Configure SSTP Remote Access Client
Configure the SSTP-enabled client:
- Windows Vista with Service Pack 1 is required for SSTP VPN
- Obtain a trusted root CA certificate
- Move the certificate to the Trusted Root Certification Authorities location
- Configure an SSTP-based connection
Using Packet Filtering
Packet filtering prevents certain types of packets from being sent or received across a router.
(Diagram: Inbound Filter and Outbound Filter on the Router)
Use packet filtering to:
- Prevent access by unauthorized computers
- Prevent access to resources
- Improve network performance
How Packet Filters Are Applied
(Diagram: Packet arriving at the Router)

Inbound Exclusion Filter

Component           | Example
--------------------|------------------------------
Source network      | 192.168.0.48 (a second build of the slide shows Any)
Destination network | 192.168.0.32
Protocol            | UDP
Action              | Drop

How filters are applied:
- AND is used within a filter
- OR is used between filters

Recommended
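The two rules above (AND within a filter, OR between filters) are easy to get wrong when reasoning about an exclusion list by hand. The following is an added example, not part of the course material or of RRAS itself: a small evaluator that models a filter as the three components the slide lists (source network, destination network, protocol), treats Any as a wildcard, and applies an inbound exclusion list so that a packet is dropped only when every component of at least one filter matches. It goes slightly beyond the slide by also supporting the inclusion mode (forward only packets that match some filter); the packet values and the filter list are constructed for illustration, and the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration of "AND within a filter, OR between filters".
# Not RRAS code; names and sample values are constructed for this example.

ANY = "Any"  # wildcard accepted for any component


@dataclass(frozen=True)
class PacketFilter:
    source: str       # single address, CIDR network, or "Any"
    destination: str  # single address, CIDR network, or "Any"
    protocol: str     # "UDP", "TCP", "ICMP", ... or "Any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str


def _network_matches(component: str, address: str) -> bool:
    """One component of a filter against one address in the packet."""
    if component == ANY:
        return True
    # strict=False lets a bare host address act as a /32 network
    return ipaddress.ip_address(address) in ipaddress.ip_network(component, strict=False)


def filter_matches(f: PacketFilter, p: Packet) -> bool:
    """AND within a filter: every component must match the packet."""
    return (
        _network_matches(f.source, p.src)
        and _network_matches(f.destination, p.dst)
        and (f.protocol == ANY or f.protocol.upper() == p.protocol.upper())
    )


def apply_filters(filters, p: Packet, mode: str = "exclusion") -> str:
    """OR between filters: the list acts as soon as any one filter matches.

    exclusion: forward everything except packets matching some filter (slide's case)
    inclusion: drop everything except packets matching some filter
    """
    matched = any(filter_matches(f, p) for f in filters)
    if mode == "exclusion":
        return "Drop" if matched else "Forward"
    if mode == "inclusion":
        return "Forward" if matched else "Drop"
    raise ValueError(f"unknown filter mode: {mode}")


# Constructed inbound exclusion list mirroring the slide's example filter,
# plus a second filter with a wildcard source to show OR between filters.
INBOUND_EXCLUSION = [
    PacketFilter(source="192.168.0.48", destination="192.168.0.32", protocol="UDP"),
    PacketFilter(source=ANY, destination="192.168.0.32", protocol="ICMP"),
]


if __name__ == "__main__":
    samples = [
        Packet("192.168.0.48", "192.168.0.32", "UDP"),   # all three components match -> Drop
        Packet("192.168.0.48", "192.168.0.32", "TCP"),   # protocol differs, AND fails -> Forward
        Packet("10.0.0.5", "192.168.0.32", "ICMP"),      # second filter matches, OR -> Drop
        Packet("10.0.0.5", "192.168.0.32", "UDP"),       # matches neither filter -> Forward
    ]
    for pkt in samples:
        print(pkt, "->", apply_filters(INBOUND_EXCLUSION, pkt))
```

Running the module prints the decision for each constructed packet. The TCP packet from 192.168.0.48 is forwarded even though two of three components match, which is the AND rule; the ICMP packet from an unrelated host is dropped by the second filter alone, which is the OR rule. Switching mode to "inclusion" inverts the default, so the same list then forwards only the packets it names.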