Chapter 5 Configuring Network Access Protection

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture



5.1 Overview of Network Access Protection
- What is Network Access Protection
- NAP Scenarios
- NAP Enforcement Methods
- NAP Platform Architecture
- NAP Architecture Interactions
- NAP Client Infrastructure
- NAP Server-side Infrastructure
- Communication Between NAP Platform Components


What is Network Access Protection
NAP can:
- Enforce health-requirement policies on client computers
- Ensure client computers are compliant with policies
- Offer remediation support for computers that do not meet health requirements
NAP cannot:
- Protect the network from malicious users: NAP validates the health state a client reports, not the intent of the person using it, and a compliant computer can still be compromised
- Replace authentication and authorization: a health check decides whether a computer is configured as policy requires, not who is allowed to use the network
3 important and distinct aspects:
- Health state validation
- Health policy compliance
- Limited access


NAP Scenarios
NAP benefits the network infrastructure by verifying the health state of:
- Roaming laptops
- Desktop computers
- Visiting laptops
- Unmanaged home computers


NAP Enforcement Methods

Method: IPsec enforcement for IPsec-protected communications
- Computer must be compliant to communicate with other compliant computers
- The strongest NAP enforcement type; it can be applied per IP address or per protocol port number

Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
- Computer must be compliant to obtain unlimited access through an 802.1X connection (authenticating switch or access point)

Method: VPN enforcement for remote access connections
- Computer must be compliant to obtain unlimited access through a RAS connection

Method: DHCP enforcement for DHCP-based address configuration
- Computer must be compliant to receive an unlimited-access IPv4 address configuration from DHCP
- This is the weakest form of NAP enforcement: it only constrains what the DHCP server hands out, so a user with local administrator rights can bypass it by assigning a static IPv4 address


NAP Platform Architecture (diagram)
Components shown: Intranet; Remediation Servers; Internet; NAP Health Policy Server; DHCP Server; Health Registration Authority; IEEE 802.1X Devices; Active Directory; VPN Server; Restricted Network holding the NAP Client with limited access; Perimeter Network


NAP Architecture Interactions (diagram)
Components shown: HRA (Health Registration Authority); VPN Server; DHCP Server; IEEE 802.1X Network Access Devices; Health Requirement Server; Remediation Server; NAP Client; NAP Health Policy Server
Message types shown:
- RADIUS messages (enforcement points to the NAP Health Policy Server)
- System Health Updates (NAP Client to the Remediation Server)
- HTTP or HTTP over SSL messages (NAP Client to the HRA)
- System Health Requirement Queries (NAP Health Policy Server to the Health Requirement Server)
- DHCP messages (NAP Client to the DHCP Server)
- PEAP messages over PPP (NAP Client to the VPN Server)
- PEAP messages over EAPOL (NAP Client to the IEEE 802.1X devices)


NAP Client Infrastructure
The NAP client architecture consists of:
- A layer of NAP enforcement client (NAP EC) components
- A layer of system health agent (SHA) components
- NAP Agent
- SHA application programming interface (API)
- NAP EC API


NAP Client architecture (diagram)
Shown: the NAP Client containing the NAP Agent; the NAP EC API with NAP EC_A, NAP EC_B, NAP EC_C ...; the SHA API with SHA_1, SHA_2, SHA_3 ...; Remediation Server 1 and Remediation Server 2, which the SHAs contact for updates


NAP Server-side Infrastructure (diagram)
Shown: the NAP Health Policy Server containing the NPS Service and the NAP Administration Server; the SHV API with SHV_1, SHV_2, SHV_3 ...; Health Requirement Server 1 and Health Requirement Server 2, which the SHVs query; the Windows-based NAP Enforcement Point with NAP ES_A, NAP ES_B, NAP ES_C ..., connected to the NPS Service by RADIUS


Communication Between NAP Platform Components
The NAP Agent component can communicate with the NAP Administration Server component through the following process:
1. The NAP Agent passes the system statement of health (SSoH) to the NAP EC
2. The NAP EC passes the SSoH to the NAP ES
3. The NAP ES passes the SSoH to the NPS service
4. The NPS service passes the SSoH to the NAP Administration Server

The NAP Administration Server can communicate with the NAP Agent through the following process:
1. The NAP Administration Server passes the system statement of health response (SSoHR) to the NPS service
2. The NPS service passes the SSoHR to the NAP ES
3. The NAP ES passes the SSoHR to the NAP EC
4. The NAP EC passes the SSoHR to the NAP Agent


An SHA can communicate with its corresponding SHV through the following process:
1. The SHA passes its statement of health (SoH) to the NAP Agent
2. The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC
3. The NAP EC passes the SoH to the NAP ES
4. The NAP ES passes the SoH to the NAP Administration Server
5. The NAP Administration Server passes the SoH to the SHV

The SHV can communicate with its corresponding SHA through the following process:
1. The SHV passes its statement of health response (SoHR) to the NAP Administration Server
2. The NAP Administration Server passes the SoHR to the NPS service
3. The NPS service passes the SoHR, contained within the SSoHR, to the NAP ES
4. The NAP ES passes the SoHR to the NAP EC
5. The NAP EC passes the SoHR to the NAP Agent
6. The NAP Agent passes the SoHR to the SHA


NAP platform components, client and server side together (diagram)
Shown: the NAP Health Policy Server (NPS Service, NAP Administration Server, SHV API with SHV_1, SHV_2 ...) querying Health Requirement Server 1 and Health Requirement Server 2; the Windows-based NAP Enforcement Point (NAP ES_A, NAP ES_B) connected to the NPS Service by RADIUS; the NAP Client (NAP Agent, NAP EC API with NAP EC_A, NAP EC_B, SHA API with SHA1, SHA2); Remediation Server 1 and Remediation Server 2


5.2 How NAP Works
- NAP Enforcement Process
- How IPsec Enforcement Works
- How 802.1X Enforcement Works
- How VPN Enforcement Works
- How DHCP Enforcement Works


NAP Enforcement Process
To validate network access based on system health, a network infrastructure must provide the following functionality:

- Health policy validation: Determines whether computers are compliant with health policy requirements

- Network access limitation: Limits access for noncompliant computers

- Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant

- Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements


How IPsec Enforcement Works
Comprised of a health certificate server and an IPsec NAP EC

The health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant

Those certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet

IPsec enforcement confines the communications on a network to those nodes that are considered compliant

You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis
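The per-IP-address and per-port requirement above, expressed as Windows Firewall connection security rules on a server that should only talk to compliant clients. This is an added example, not taken from the deck or from Microsoft's documentation; the CA name, the remediation subnet and the protected port are assumptions chosen for illustration.

```powershell
# Added example (not from the deck): IPsec NAP enforcement as connection security rules.
# Assumptions: the NAP health certificate CA is "CN=Contoso NAP CA", the remediation
# servers live in 10.0.99.0/24, and SMB (TCP 445) is the service being protected.
$ErrorActionPreference = 'Stop'
$napCa = 'CN=Contoso NAP CA'

# Per-port requirement: inbound TCP 445 must be IPsec-authenticated with a computer
# certificate that is a health certificate issued by the NAP CA (auth1healthcert=yes).
# Outbound traffic requests IPsec and falls back to clear if the peer cannot do it.
netsh advfirewall consec add rule name="NAP: require health cert for SMB" `
    endpoint1=any endpoint2=any protocol=tcp port1=445 port2=any `
    action=requireinrequestout auth1=computercert auth1ca="$napCa" auth1healthcert=yes

# Per-IP-address exemption: the remediation subnet must stay reachable without IPsec,
# otherwise a noncompliant client can never obtain the updates it needs.
netsh advfirewall consec add rule name="NAP: exempt remediation subnet" `
    endpoint1=any endpoint2=10.0.99.0/24 action=noauthentication

# Check: the rule should show Auth1HealthCert=Yes and the expected CA
netsh advfirewall consec show rule name="NAP: require health cert for SMB"
```

Run this elevated on the server. The important field in the check output is the health-certificate flag: a rule that merely requires a computer certificate from the same CA accepts any domain computer certificate and does not enforce health at all.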


How 802.1X Enforcement Works
Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection

Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection

Restricted-access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network

802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted-access profile to the connection if the client becomes noncompliant


How VPN Enforcement Works
Computer must be compliant to obtain unlimited network access through a remote access VPN connection

Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server

VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant


How DHCP Enforcement Works
Computer must be compliant to obtain an unlimited-access IPv4 address configuration from a DHCP server

Noncompliant computers have network access limited by an IPv4 address configuration that allows access only to the restricted network

DHCP enforcement actively monitors the health status of the NAP client and renews the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant


5.3 Configuring NAP
- What are System Health Validators
- What is a Health Policy
- What are Remediation Server Groups
- NAP Client Configuration


What are System Health Validators?

• Each SHA on the client has a corresponding SHV in NPS

• SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client

• SHVs define the configuration settings that are required on client computers

• The Windows Security Health Validator corresponds to the Windows Security Health Agent on client computers


What is a Health Policy?

• Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network

• You can define client health policies in NPS by adding one or more SHVs to the health policy

• NAP enforcement is accomplished by NPS on a per-network policy basis

• After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy
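A simulation of what the two preceding sections describe: the SHA statements of health bundled into one SSoH, dispatched to the matching SHVs, and the SoHRs folded into an SSoHR with the health-policy verdict NPS attaches to the network policy. This is an added example, not code from the deck or from Windows; the SHA/SHV names, IDs and the client state are constructed, and the two policy modes mirror the NPS health-policy options "Client passes all SHV checks" and "Client fails one or more SHV checks".

```powershell
# Added example (not from the deck): SoH -> SSoH -> SHV -> SoHR -> SSoHR, simulated.
# All SHA/SHV identities and client state below are constructed for illustration.

# --- Client side: each SHA produces a statement of health (SoH), keyed by its ID ---
$clientSoHs = @{
    1 = @{ Sha = 'Windows Security SHA'; FirewallOn = $true; AvOn = $true; AvUpToDate = $false }
    2 = @{ Sha = 'Patch SHA';            PendingCriticalUpdates = 0 }
}

function New-SSoH($SoHs, $Client) {
    # The NAP Agent bundles every SoH into one system statement of health (SSoH);
    # the NAP EC passes it to the NAP ES, which relays it to NPS over RADIUS.
    return @{ Client = $Client; SoHs = $SoHs }
}

# --- Server side: each SHV (same ID as its SHA) turns an SoH into an SoHR ---
$shvs = @{
    1 = { param($soh)
          $fix = @()
          if (-not $soh.FirewallOn) { $fix += 'Enable the firewall' }
          if (-not $soh.AvOn)       { $fix += 'Enable antivirus' }
          if (-not $soh.AvUpToDate) { $fix += 'Update antivirus signatures' }
          @{ Compliant = ($fix.Count -eq 0); Remediation = $fix } }
    2 = { param($soh)
          @{ Compliant = ($soh.PendingCriticalUpdates -eq 0); Remediation = @() } }
}

function Invoke-HealthPolicy($SSoH, $Mode) {
    # The NAP Administration Server hands each SoH to the SHV with the same ID and
    # collects the SoHRs; NPS then evaluates the health policy and builds the SSoHR.
    $sohrs = @{}
    foreach ($id in $SSoH.SoHs.Keys) {
        if (-not $shvs.ContainsKey($id)) { throw "No SHV registered for SHA ID $id" }
        $sohrs[$id] = & $shvs[$id] $SSoH.SoHs[$id]
    }
    $passing = @($sohrs.Values | Where-Object { $_.Compliant }).Count
    $matches = switch ($Mode) {
        'PassAll'       { $passing -eq $sohrs.Count }   # used by the compliant network policy
        'FailOneOrMore' { $passing -lt $sohrs.Count }   # used by the noncompliant network policy
    }
    return @{ Client = $SSoH.Client; PolicyMatched = $matches; SoHRs = $sohrs }
}

# Usage: a client with stale AV signatures matches the noncompliant policy, and the
# SSoHR carries the per-SHA remediation hints that the NAP Agent will hand back to each SHA.
$ssoh  = New-SSoH -SoHs $clientSoHs -Client 'LAPTOP-01'
$ssohr = Invoke-HealthPolicy -SSoH $ssoh -Mode 'FailOneOrMore'
"Client {0}: noncompliant policy matched = {1}" -f $ssohr.Client, $ssohr.PolicyMatched
foreach ($id in $ssohr.SoHRs.Keys) {
    $r = $ssohr.SoHRs[$id]
    "  SHV $id compliant=$($r.Compliant) remediation=$($r.Remediation -join '; ')"
}
```

The point of the two modes is that NPS matches network policies in order: a compliant client should hit the full-access policy (pass all), and everything else should fall through to the restricted-access policy (fail one or more) with remediation server access, never to a policy with no health condition at all.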


What are Remediation Server Groups?
A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines

A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates


NAP Client Configuration
Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center on the client

The Network Access Protection Agent service (napagent) is required when you deploy NAP to NAP-capable client computers

You also must configure the NAP enforcement clients on the NAP-capable computers
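The three client-side requirements above as one script, with a check at the end. This is an added example, not from the deck; it assumes a deployment using DHCP and IPsec enforcement, so only those two enforcement clients are enabled, and it assumes the client is not receiving NAP settings from Group Policy.

```powershell
# Added example (not from the deck): prepare a NAP-capable client and verify it. Run elevated.
# Assumption: DHCP + IPsec enforcement is deployed, and NAP settings are not pushed by Group Policy
# (when they are, Group Policy settings win and local changes made here are ignored).
$ErrorActionPreference = 'Stop'

# 1. The Network Access Protection Agent service must run and start automatically
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Windows Security Health Validator deployments need Security Center on the client
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 3. Enable the enforcement clients this deployment uses. Built-in IDs:
#    79617 = DHCP Quarantine Enforcement Client
#    79619 = IPsec Relying Party
#    79623 = EAP Quarantine Enforcement Client (802.1X and VPN)
foreach ($id in 79617, 79619) {
    netsh nap client set enforcement ID = $id ADMIN = "ENABLE"
}

# 4. Check: agent running, expected enforcement clients enabled, and whether Group Policy
#    is overriding the local configuration
(Get-Service -Name napagent).Status
netsh nap client show state
netsh nap client show grouppolicy
```

If `show state` lists the enforcement clients as not initialized although they are enabled, the usual causes are the agent service not running or a Group Policy NAP configuration that does not enable them.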


5.4 Monitoring and Troubleshooting NAP
- What is NAP Tracing
- Configuring NAP Tracing


What is NAP Tracing?

NAP tracing identifies NAP events and records them to a log file based on one of the tracing levels:
- Basic
- Advanced
- Debug

You can use tracing logs to:
- Evaluate the health and security of your network
- Troubleshoot and maintain the NAP deployment

NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs


Configuring NAP Tracing
You can configure NAP tracing by using:
- The NAP Client Configuration console (napclcfg.msc)
- The Netsh command-line tool

To enable logging functionality, you must be a member of the local Administrators group

Trace logs are located in the directory %systemroot%\tracing\nap
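The Netsh route above as a complete capture-and-inspect cycle: enable tracing, reproduce one enforcement attempt, disable tracing again, and pull the interesting lines out of the files in %systemroot%\tracing\nap. This is an added example, not from the deck. It assumes DHCP enforcement (so a lease renewal triggers a new health evaluation) and that the most detailed level, which the console calls Debug, is selected in netsh with level = verbose.

```powershell
# Added example (not from the deck): capture and inspect a NAP client trace. Run elevated.
# Assumption: DHCP enforcement is in use, so "ipconfig /renew" forces a fresh health check.
$ErrorActionPreference = 'Stop'
$traceDir = Join-Path $env:SystemRoot 'tracing\nap'

# 1. Enable tracing at the most detailed level (netsh names it "verbose")
netsh nap client set tracing state = enable level = verbose

# 2. Reproduce: restart the agent and force a new enforcement attempt
Restart-Service -Name napagent
ipconfig /renew | Out-Null
Start-Sleep -Seconds 10

# 3. Disable tracing again so the log directory does not grow unbounded
netsh nap client set tracing state = disable

# 4. Inspect: the newest trace files, then any error or failure lines in them
Get-ChildItem -Path $traceDir -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime

Get-ChildItem -Path $traceDir -File |
    Select-String -Pattern 'error|fail' |
    Select-Object -First 20 Filename, LineNumber, Line

# 5. Cross-check with the client-side operational event log for the same time window
Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Leave tracing enabled only for the duration of the reproduction: at the verbose level the files grow quickly, and they record the health state the client reports, which is information you would not want to leave lying around on a shared machine.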


End of Chapter 5