Module 6: Network Policies and Access Protection

Source: download.microsoft.com/download/9/a/1/9a1bd19d-f612-4444-8c25 …


Page 1 (title slide): Module 6: Network Policies and Access Protection

Page 2: Module Overview

- Describe how Network Access Protection (NAP) works
- Identify NAP enforcement options
- Identify scenarios for NAP usage
- Describe Routing and Remote Access (RRAS)

Page 3: Lesson 1: Network Access Protection

- Identify uses for NAP
- Describe NAP
- Describe how NAP integrates with other components
- Describe NAP architecture
- Describe network layer protection with NAP
- Describe host layer protection with NAP

Page 4: Why Use Network Access Protection?

(Diagram: a healthy computer is admitted to the private network; an unhealthy computer is kept out of it.)

Page 5: Network Protection Services Overview

Network Policy Server (NPS):
- Network Access Protection (NAP) policy server
- IEEE 802.11 wireless
- IEEE 802.3 wired
- RADIUS server
- RADIUS proxy

Routing and Remote Access:
- Remote Access Service
- Routing

Health Registration Authority (HRA)

Page 6: Network Access Protection Solution

The NAP solution has four parts:
- Policy validation
- Network restriction
- Remediation
- Ongoing compliance

The slide places them against the defense-in-depth layers (Data, Application, Host, Internal Network, Perimeter, Policies, Procedures & Awareness), with NAP operating at the Host layer.

Page 7: NAP Architecture Overview

Client side:
- System Health Agent (SHA), from Microsoft and third parties: produces the health statements and receives updates from the remediation servers
- Quarantine Agent (QA) (later renamed the NAP Agent): collects the SHA statements and holds the health certificate once one is issued
- Enforcement Client (EC): DHCP, IPsec, 802.1X, VPN

Server side:
- Network Access Devices and Servers (DHCP, IPsec, 802.1X, VPN): the enforcement points that receive the client's network access requests
- Microsoft Network Policy Server: Quarantine Server (QS) and System Health Validator (SHV)
- System Health Servers: supply the health policy to NPS
- Remediation Servers: supply updates to the client

Flows shown on the diagram: health statements (SHA to SHV), network access requests (client to network access devices), health policy (System Health Servers to NPS), health certificate (NPS to the client's QA), updates (Remediation Servers to the client).

Page 8: Network Layer Protection with NAP

Diagram actors: Client, 802.1X switch, Microsoft NPS, System Health Servers, Remediation Servers, Restricted Network.

1. System Health Servers -> NPS: ongoing policy updates to Network Policy Server.
2. Client -> 802.1X switch: "Requesting access. Here's my current health status."
3. Switch -> NPS: "Should this client be restricted based on its health?"
4. NPS -> Switch: "According to policy, the client is not up to date. Quarantine client, request it to update."
5. Switch -> Client: "You are given restricted access until fix-up."
6. Client -> Remediation Servers: "Can I have updates?" Remediation Servers -> Client: "Here you go."
7. Client -> Switch: "Here's my new health status."
8. NPS -> Switch: "According to policy, the client is up to date. Grant access."
9. Switch -> Client: client is granted access to the full intranet.

Page 9: Host Layer Protection with NAP

Diagram actors: Client, Health Registration Authority (HRA), NPS, Remediation Server. The network is split into zones labelled No Policy, Authentication Optional and Authentication Required.

1. Client -> HRA: "May I have a health certificate? Here's my SoH."
2. HRA -> NPS: "Client ok?"
3. NPS -> HRA: "No. Needs fix-up." HRA -> Client: "You don't get a health certificate. Go fix up."
4. Client -> Remediation Server: "I need updates." Remediation Server -> Client: "Here you go."
5. Client -> HRA: new SoH. NPS -> HRA: "Yes. Issue health certificate." HRA -> Client: "Here's your health certificate."
6. Client: accessing the network (the certificate authenticates its IPsec connections to the Authentication Required zone).

Page 10: Lesson 2: Enforcement Options

- Identify the NAP enforcement options
- Show how NAP works with DHCP enforcement
- Show how NAP works with IPsec-based communication
- Show how NAP works with RRAS

Page 11: NAP – Enforcement Options

Enforcement   Unhealthy client                                          Healthy client
DHCP          Restricted set of routes                                  Full IP address given, full access
802.1X        Restricted VLAN                                           Full access
VPN           Restricted VLAN                                           Full access
IPsec         Healthy peers reject connection requests from unhealthy   Can communicate with any trusted peer
              systems

IPsec enforcement:
- Complements layer 2 protection
- Works with existing servers and infrastructure
- Offers flexible isolation
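The exchanges on the network-layer and host-layer slides and the enforcement table above all reduce to one loop: the SHA reports, the SHV on NPS evaluates against policy, the enforcement point restricts or admits, and the client remediates and resubmits. The following is an added example, not code from this deck or from NAP itself; the policy fields, the checks, the dates and the per-enforcement outcome strings are constructed for illustration (real SoH encodings and SHV rules are vendor-defined, and the VPN outcome is simplified).

```python
"""Toy model of the NAP health-evaluation exchange (SoH in, SoH response out).

Added example, not code from the Microsoft deck or from NAP itself. The
policy fields, the SHA/SHV checks and the per-enforcement outcomes are
constructed for illustration; real SHVs and SoH encodings are vendor-defined.
"""
from dataclasses import dataclass
from datetime import date

# Constructed health policy that the System Health Validator (SHV) on NPS enforces.
POLICY = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "max_signature_age_days": 7,
    "automatic_updates": True,
}
TODAY = date(2024, 5, 20)  # pinned so the signature-age check is deterministic

# What each enforcement point does with a compliant / non-compliant client
# (taken from the enforcement-options table; the VPN wording is simplified).
OUTCOMES = {
    "dhcp":   ("full IP address, full access", "restricted set of routes"),
    "802.1x": ("full access", "restricted VLAN"),
    "vpn":    ("full access", "restricted access"),
    "ipsec":  ("health certificate issued", "no health certificate, go fix up"),
}


@dataclass
class StatementOfHealth:
    """What the client's System Health Agent (SHA) reports."""
    firewall_enabled: bool
    antivirus_enabled: bool
    signature_date: date
    automatic_updates: bool


def validate(soh: StatementOfHealth) -> list:
    """SHV logic: return the list of failed checks (empty means compliant)."""
    failures = []
    if POLICY["firewall_enabled"] and not soh.firewall_enabled:
        failures.append("firewall disabled")
    if POLICY["antivirus_enabled"] and not soh.antivirus_enabled:
        failures.append("antivirus disabled")
    age = (TODAY - soh.signature_date).days
    if age > POLICY["max_signature_age_days"]:
        failures.append(f"signatures {age} days old")
    if POLICY["automatic_updates"] and not soh.automatic_updates:
        failures.append("automatic updates off")
    return failures


def nps_decide(soh: StatementOfHealth, enforcement: str) -> dict:
    """NPS builds the SoH response that the enforcement point acts on."""
    failures = validate(soh)
    compliant = not failures
    full, restricted = OUTCOMES[enforcement]
    return {"compliant": compliant, "failures": failures,
            "access": full if compliant else restricted}


def remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """Remediation servers (reachable from the restricted network) fix the client."""
    return StatementOfHealth(firewall_enabled=True, antivirus_enabled=True,
                             signature_date=TODAY, automatic_updates=True)


def ipsec_peer_accepts(peer_has_health_cert: bool, listener_zone: str) -> bool:
    """Host-layer enforcement: a secure-zone host only accepts peers that hold a
    health certificate; boundary-zone hosts (HRA, remediation servers) and the
    restricted zone accept unauthenticated peers too."""
    if listener_zone == "secure":
        return peer_has_health_cert
    return True


def walkthrough(enforcement: str = "802.1x"):
    """Round trip: restricted on the first SoH, remediate, full access on the second."""
    # Constructed initial state: firewall off and signatures 19 days old.
    soh = StatementOfHealth(False, True, date(2024, 5, 1), True)
    first = nps_decide(soh, enforcement)
    second = nps_decide(remediate(soh), enforcement)
    return first, second


if __name__ == "__main__":
    for enf in OUTCOMES:
        before, after = walkthrough(enf)
        print(f"{enf:7} {before['access']!r} -> {after['access']!r}")
```

The point worth noticing is that the enforcement point never inspects the SoH itself; it only acts on the compliant/non-compliant verdict NPS returns, which is why the same policy can back DHCP, 802.1X, VPN and IPsec enforcement at once. The `ipsec_peer_accepts` helper models the "healthy peers reject unhealthy systems" row of the table: restriction there is enforced by every healthy host, not by a switch or DHCP server.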

Page 12: NAP with DHCP

Diagram actors: Client, DHCP server, NPS server, Remediation Servers. The other enforcement points (IEEE 802.1X devices and the VPN server) are drawn alongside the DHCP server.

1. Client -> DHCP server: "I need to lease an IP address. Requesting access. Here's my health status."
2. DHCP server -> NPS server: the health status is forwarded for evaluation.
3. NPS server -> DHCP server -> Client: "You are not within the Health Policy requirements." The client receives a restricted lease.
4. The client requests and receives updates from the Remediation Servers.
5. Client -> DHCP server: "Here's my new health status."
6. DHCP server -> Client: "Access granted. Here is your new IP address."

Page 13: IPsec-based Communication

Three logical networks:
- Secure network: IPsec-authenticated traffic only; hosts here hold health certificates and reject peers that do not.
- Boundary network: accepts both IPsec-authenticated and unauthenticated traffic, so restricted clients can reach the HRA and remediation servers placed here.
- Restricted network: unauthenticated; non-compliant and NAP-incapable hosts.

Page 14: NAP with RRAS

- Client <-> VPN server: PEAP messages (the client's health status travels inside the PEAP authentication)
- VPN server <-> NPS server: RADIUS messages
- Remediation Servers: reachable by the client while it is restricted

Page 15: Lesson 3: Network Access Protection Scenarios

- Describe a roaming laptops NAP scenario
- Describe a desktop computers NAP scenario
- Describe a visiting laptops NAP scenario
- Describe an unmanaged home computer NAP scenario

Page 16: Scenario 1: Roaming Laptops

(Diagram only; labelled NAP.)

Page 17: Scenario 2: Health of Desktop Computers

(Diagram only; labelled Network Policy Server.)

Page 18: Scenario 3: Health of Visiting Laptops

(Diagram only; labelled Network Policy Server.)

Page 19: Scenario 4: Unmanaged Home Computers

(Diagram only.)

Page 20: Lesson 4: Routing and Remote Access (RRAS)

- Plan RRAS configuration
- Describe scenarios and features of Microsoft RRAS
- Configure SSTP remote access servers
- Configure SSTP remote access clients
- Using packet filtering
- How packet filters are applied

Page 21: RRAS configuration considerations

Diagram: VPN client connecting to VPN server.

- IP addressing
- Tunneling
- Remote access policy
- Filtering

Page 22: Features of Microsoft RRAS

Scenarios:
- Remote access
- Site-to-site connectivity
- Internet access router
- LAN router

Optional features:
- RRAS packet filter configuration
- Connection Manager Administration Kit
- Multicast scope configuration
- Unicast routing
- Authentication schemes
- Strong encryption

Page 23: Configure SSTP Remote Access Server

Configure the RRAS server:
1. Install Active Directory Certificate Services and Web Server
2. Create and install the Server Authentication certificate (its subject or subject alternative name must match the host name the clients connect to, or the SSTP TLS handshake fails)
3. Install Routing and Remote Access
4. Configure Routing and Remote Access

Page 24: Configure SSTP Remote Access Client

Configure the SSTP-enabled client:
1. Windows Vista with Service Pack 1 is required for SSTP VPN
2. Obtain a trusted root CA certificate
3. Move the certificate to the Trusted Root Certification Authorities store
4. Configure an SSTP-based connection

The client validates the server certificate, including a revocation check, before the tunnel comes up, so the issuing CA's CRL must be reachable from the client's network (usually the Internet), not only from inside the intranet.

Page 25: Using Packet Filtering

Packet filtering prevents certain types of packets from being sent or received across a router. (Diagram: an inbound filter on one side of the router and an outbound filter on the other.)

Use packet filtering to:
- Prevent access by unauthorized computers
- Prevent access to resources
- Improve network performance

Page 26: How Packet Filters Are Applied

Packet arriving at the router:

Component            Example
Source network       192.168.0.48
Destination network  192.168.0.32
Protocol             UDP

Inbound exclusion filter:

Component            Example
Source network       Any
Destination network  192.168.0.32
Protocol             UDP
Action               Drop

How filters are applied:
- AND is used within a filter: every component of the filter must match the packet (here source Any, destination 192.168.0.32 and protocol UDP all match, so the packet is dropped).
- OR is used between filters: the packet is treated as matching the filter list if any one filter in the list matches it.
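The AND-within / OR-between rule, written out as a filter evaluator, with both of RRAS's filter actions: exclusion (receive all packets except those that match, the slide's case) and inclusion (drop all packets except those that match). This is an added example, not code from the deck or from RRAS; the filter list, the sample packets and the /27 mask on 192.168.0.32 (the slide omits the subnet mask) are constructed assumptions.

```python
"""Packet-filter evaluation as RRAS applies it: AND within a filter, OR between filters.

Added example, not code from the deck or from RRAS. The filter list and the
sample packets are constructed; the /27 mask on 192.168.0.32 is an assumption
because the slide omits the subnet mask.
"""
import ipaddress

ANY = None  # a component left as ANY in a filter matches anything

# Constructed filter list. Filter 1 is the slide's example; filter 2 is added only
# to show that a second, unrelated filter is OR-ed in (either one matching is enough).
FILTERS = [
    {"src_net": ANY, "dst_net": "192.168.0.32/27", "proto": "udp", "dst_port": ANY},
    {"src_net": "10.0.0.0/8", "dst_net": ANY, "proto": "tcp", "dst_port": 23},
]


def _in_net(addr, net):
    """ANY matches every address; otherwise test network membership."""
    return net is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def filter_matches(flt, pkt):
    """AND within a filter: every specified component must match the packet."""
    return (
        _in_net(pkt["src"], flt["src_net"])
        and _in_net(pkt["dst"], flt["dst_net"])
        and (flt["proto"] is ANY or flt["proto"] == pkt["proto"])
        and (flt["dst_port"] is ANY or flt["dst_port"] == pkt.get("dst_port"))
    )


def apply_filters(filters, pkt, mode="exclusion"):
    """OR between filters: the list matches if any one filter matches the packet.

    mode="exclusion": forward everything except matching packets (the slide's
    'Inbound Exclusion Filter'). mode="inclusion": drop everything except
    matching packets, RRAS's other filter action.
    """
    matched = any(filter_matches(f, pkt) for f in filters)
    if mode == "exclusion":
        return "drop" if matched else "forward"
    if mode == "inclusion":
        return "forward" if matched else "drop"
    raise ValueError(f"unknown filter mode: {mode}")


# Constructed packets. SLIDE_PACKET is the one on the slide.
SLIDE_PACKET = {"src": "192.168.0.48", "dst": "192.168.0.32", "proto": "udp", "dst_port": 53}
TCP_TO_SAME_HOST = {"src": "192.168.0.48", "dst": "192.168.0.32", "proto": "tcp", "dst_port": 80}
TELNET_FROM_TEN = {"src": "10.1.2.3", "dst": "172.16.0.9", "proto": "tcp", "dst_port": 23}

if __name__ == "__main__":
    for name, pkt in [("slide", SLIDE_PACKET), ("tcp", TCP_TO_SAME_HOST), ("telnet", TELNET_FROM_TEN)]:
        print(f"{name:7} exclusion={apply_filters(FILTERS, pkt)} "
              f"inclusion={apply_filters(FILTERS, pkt, mode='inclusion')}")
```

Note the asymmetry the two modes create: under exclusion, a packet that matches no filter at all is forwarded, so a filter list that forgets a protocol silently lets it through; under inclusion the same omission blocks it. When reviewing an RRAS interface, check which action the list is set to before reading the individual filters.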