
1 Network Access Protection Platform Architecture
Mark Gibson, Senior Consultant, Microsoft Corporation

2 Agenda
2004 MVP Global Summit, April 4-7, 2004
Introduction
Network Access Protection platform architecture
Network Access Protection client architecture
Network Access Protection server architecture
How Network Access Protection works
© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

3 Introduction
What is Network Access Protection (NAP)?
Network infrastructure for Network Access Protection
Network Access Protection enforcement methods

4 What is Network Access Protection?
Platform that enforces compliance with health requirements for network access or communication
Operating system components: built into Microsoft® Windows Server® 2008 and Microsoft Windows Vista™; separate client for Microsoft Windows® XP with Service Pack 2
Application programming interfaces (APIs): allow for integration with third-party vendors

5 Network infrastructure for Network Access Protection
Health policy validation: determines whether the computers are compliant with health policy requirements
Network access limitation: limits access for noncompliant computers
Automatic remediation: provides the necessary updates to allow a noncompliant computer to become compliant
Ongoing compliance: automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements

6 Network Access Protection enforcement methods
Internet Protocol security (IPsec)-protected communications
IEEE 802.1X-authenticated network connections
Remote access virtual private network (VPN) connections
Dynamic Host Configuration Protocol (DHCP) configuration

7 Network Access Protection platform architecture
Components of the Network Access Protection platform
Interactions between Network Access Protection components

8 Components of the Network Access Protection platform
(Diagram) Components shown: VPN server, Active Directory, policy servers, IEEE 802.1X devices, Internet, health certificate server (HCS), Network Policy Server (NPS), DHCP server, perimeter network, intranet, remediation servers, restricted network, and a NAP client with limited access.

9 Network Access Protection component interaction
(Diagram) The NAP client exchanges Hypertext Transfer Protocol over Secure Sockets Layer (SSL) (HTTPS) messages with the HCS and DHCP messages with the DHCP server; the HCS and DHCP server exchange Remote Authentication Dial-in User Service (RADIUS) messages with the NPS; the remediation server supplies system health updates.

10 Network Access Protection component interaction (2)
(Diagram) The NAP client exchanges Protected Extensible Authentication Protocol (PEAP) messages over the Point-to-Point Protocol (PPP) with the VPN server and PEAP messages over EAP over LAN (EAPOL) with IEEE 802.1X devices; the VPN server and 802.1X devices exchange RADIUS messages with the NPS; the NPS sends system health requirement queries to the policy server.

11 Network Access Protection client architecture components
System Health Agent (SHA)
NAP Agent
NAP Enforcement Client (EC): IPsec NAP EC, EAPHost NAP EC, VPN NAP EC, DHCP NAP EC

12 Network Access Protection client architecture
(Diagram) NAP client: SHA_1, SHA_2, SHA_3, ... connect through the SHA API to the NAP Agent, which connects through the NAP EC API to NAP EC_A, NAP EC_B, NAP EC_C, ...; remediation server 1 and remediation server 2 sit on the SHA side, and NAP server A, NAP server B and NAP server C on the EC side.

13 Network Access Protection server architecture components
System Health Validator (SHV)
NAP Administration Server
NPS
NAP Enforcement Server (ES): IPsec NAP ES, VPN NAP ES, DHCP NAP ES

14 Network Access Protection Server architecture
(Diagram) NAP server: SHV_1, SHV_2, SHV_3 connect through the SHV API to the NAP Administration Server within the NPS; policy server 1, policy server 2, ... sit on the SHV side; NAP ES_A, NAP ES_B, NAP ES_C, ... communicate with the NPS over RADIUS and face the NAP client.

15 NAP Administration Server
(Diagram) Matched components, labelled "Provided by NAP platform" and "Provided by third parties": remediation server 1 with policy server 1, remediation server 2 with policy server 2; SHA1 with SHV1, SHA2 with SHV2, plus SHV3; SHA API, SHV API and NAP EC API; NAP Agent, NAP Administration Server and NPS; NAP EC_A with NAP ES_A, NAP EC_B with NAP ES_B; RADIUS between the NAP client and the NAP server.

16 Component communication: client to server
(Diagram) Each SHA (SHA1, SHA2) sends a Statement of Health (SoH) through the SHA API to the NAP Agent; the NAP Agent sends the list of SoHs through the NAP EC API and NAP EC_A to NAP ES_A on the NAP server; the NAP Administration Server in the NPS passes the SoHs through the SHV API to SHV1 and SHV2.

17 Component communication: server to client
(Diagram) Each SHV (SHV1, SHV2) returns a SoH Response (SoHR) through the SHV API to the NAP Administration Server in the NPS; the NPS sends the list of SoHRs through NAP ES_A to NAP EC_A on the NAP client; the NAP Agent passes the SoHRs through the SHA API to SHA1 and SHA2.

18 How Network Access Protection works
DHCP enforcement
Remote access VPN enforcement
IEEE 802.1X enforcement
IPsec enforcement

19 DHCP enforcement
For noncompliant computers, prevents unlimited access to a network through a limited DHCP address configuration
Network Access Protection-capable DHCP clients use their list of SoHs as proof of their health compliance

20 DHCP enforcement (2)
DHCP client sends its list of SoHs to its DHCP server using the DHCPDiscover message.
DHCP server passes the list of SoHs to the NPS in a RADIUS Access-Request message.
NAP Administration Server on the NPS passes the SoHs to their SHVs.
SHVs evaluate their SoHs and respond with SoHRs.

21 DHCP enforcement (3)
NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
NPS sends a RADIUS Access-Accept message containing the SSoHR and the list of SoHRs to the DHCP server.
Client and DHCP server complete the DHCP configuration.

22 Noncompliant DHCP NAP client
NAP Agent passes the SoHRs to their SHAs.
SHAs perform remediation and pass their updated SoHs to the NAP Agent.
Client sends a DHCPRequest message containing the updated list of SoHs to the DHCP server.
DHCP server validates the health state with the NPS and assigns the client an unlimited access address configuration.
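Added example (not from the presentation, and not Microsoft's NAP code): a small Python model of the SoH/SoHR exchange from the client-to-server and server-to-client communication slides, carried through the DHCP enforcement sequence above, including the remediation retry of a noncompliant client. The two SHVs, their health checks, the all-must-comply policy and the remediation values are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class SoH:                      # Statement of Health produced by one SHA
    sha_id: str
    state: dict

@dataclass
class SoHR:                     # SoH Response produced by the matching SHV
    sha_id: str
    compliant: bool
    remediation: dict = field(default_factory=dict)   # what the SHA must fix

# Hypothetical SHVs, keyed by SHA id. Each evaluates one SoH and returns a SoHR.
def firewall_shv(soh: SoH) -> SoHR:
    ok = soh.state.get("firewall_on") is True
    return SoHR(soh.sha_id, ok, {} if ok else {"firewall_on": True})

def antimalware_shv(soh: SoH) -> SoHR:
    ok = soh.state.get("signature_age_days", 999) <= 7
    return SoHR(soh.sha_id, ok, {} if ok else {"signature_age_days": 0})

SHVS = {"firewall": firewall_shv, "antimalware": antimalware_shv}

def nps_validate(sohs: list) -> tuple:
    """NAP Administration Server passes each SoH to its SHV; NPS evaluates the
    SoHRs against policy (hypothetical: every SoH must be compliant) and
    returns the system verdict (SSoHR, True = unlimited) plus the SoHR list."""
    sohrs = [SHVS[s.sha_id](s) for s in sohs if s.sha_id in SHVS]
    unknown = [s for s in sohs if s.sha_id not in SHVS]   # no SHV: fail closed
    unlimited = not unknown and all(r.compliant for r in sohrs)
    return unlimited, sohrs

def nap_agent_remediate(sohs: list, sohrs: list) -> list:
    """NAP Agent hands each SoHR to its SHA; noncompliant SHAs apply the
    remediation and return updated SoHs."""
    fixes = {r.sha_id: r.remediation for r in sohrs if not r.compliant}
    return [SoH(s.sha_id, {**s.state, **fixes.get(s.sha_id, {})}) for s in sohs]

def dhcp_enforcement(sohs: list) -> tuple:
    """Access level after the first DHCPDiscover, then after the DHCPRequest
    that carries the updated SoHs (identical when no remediation was needed)."""
    unlimited, sohrs = nps_validate(sohs)      # DHCP server -> RADIUS Access-Request
    first = "unlimited" if unlimited else "limited"
    if unlimited:
        return first, first
    updated = nap_agent_remediate(sohs, sohrs) # client received SSoHR + SoHRs
    unlimited, _ = nps_validate(updated)       # DHCPRequest with updated SoHs
    return first, "unlimited" if unlimited else "limited"
```

A SoH for which the NPS has no matching SHV is treated as noncompliant, so the client stays on the limited configuration until an administrator registers a validator for it.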

23 VPN enforcement
For noncompliant computers, prevents unlimited access to a network through a remote access VPN connection
Network Access Protection-capable VPN clients use their list of SoHs as proof of their health compliance

24 VPN enforcement (2)
VPN client initiates a remote access VPN connection.
Client and the NPS create a secure channel with PEAP.
Client sends its list of SoHs to the NPS with a PEAP-TLV message.
Client performs authentication for the VPN connection with a negotiated PEAP method.
NAP Administration Server on the NPS passes the SoHs to their SHVs.

25 VPN enforcement (3)
SHVs evaluate their SoHs and respond with SoHRs.
NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
NPS sends a RADIUS Access-Accept message to the VPN server indicating either limited or unlimited access.
Client and VPN server complete the VPN connection.

26 Noncompliant VPN NAP client
NAP Agent passes the SoHRs to their SHAs.
SHAs perform remediation and pass an updated SoH to the NAP Agent.
Client sends the updated list of SoHs to the NPS by using a PEAP-TLV message to obtain an unlimited access connection.

27 802.1X enforcement
For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection
Network Access Protection-capable 802.1X clients can use either their list of SoHs or a health certificate as proof of their health compliance

28 802.1X enforcement using a list of SoHs
Client or 802.1X access point starts 802.1X authentication using EAPOL.
Client and the NPS create a secure channel with PEAP.
Client sends the list of SoHs to the NPS with a PEAP-Type-Length-Value (TLV) message.
Client performs 802.1X authentication with a negotiated PEAP method.
NAP Administration Server on the NPS passes the SoHs to their SHVs.

29 802.1X enforcement using a list of SoHs (2)
SHVs evaluate their SoHs and respond with SoHRs.
NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
Client and 802.1X access point complete the 802.1X connection.

30 Noncompliant 802.1X client using a list of SoHs
NAP Agent passes the SoHRs to their SHAs.
SHAs perform remediation and pass an updated SoH to the NAP Agent.
Client restarts 802.1X authentication to obtain an unlimited access connection.

31 802.1X enforcement using a health certificate
Client or 802.1X access point starts 802.1X authentication using EAPOL.
Client and the NPS create a secure channel with PEAP.
Client performs 802.1X authentication with a negotiated PEAP method.
Client sends the health certificate to the NPS using a PEAP-TLV message.

32 802.1X enforcement using a health certificate (2)
NPS validates the health certificate and makes a limited/unlimited network access decision.
NPS sends a PEAP-TLV message containing the SSoHR to the client.
NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
Client and 802.1X access point complete the 802.1X connection.

33 Noncompliant 802.1X client using a health certificate
Client creates an HTTPS channel with the HCS.
Client sends its credentials and its current list of SoHs to the HCS.
HCS validates the credentials and list of SoHs with the NPS and obtains a health certificate for the client.
Client restarts 802.1X authentication to obtain an unlimited access connection.

34 IPsec enforcement
For noncompliant computers, prevents communication with compliant computers
Compliant computers obtain a health certificate as proof of their health compliance
Health certificate is used for peer authentication when negotiating IPsec-protected communications

35 IPsec enforcement logical networks
(Diagram) Three logical networks, secure network, boundary network and restricted network, with the client, health certificate server, policy servers, NPS servers and remediation servers placed among them.

36 Allowed communication with IPsec enforcement
(Diagram) Allowed communication between the secure network, boundary network and restricted network, distinguishing unauthenticated initiated communication from IPsec-authenticated initiated communication.

37 IPsec enforcement startup
Client starts up on the restricted network.
Client creates an HTTPS secure communication channel with the HCS.
Client sends its credentials and its list of SoHs to the HCS.
HCS forwards the client identity and health status information to the NPS for validation using a RADIUS Access-Request message.
NAP Administration Server on the NPS passes the SoHs to their SHVs.

38 IPsec enforcement startup (2)
SHVs evaluate the SoHs and respond with SoHRs.
NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
NPS sends a RADIUS Access-Accept message that contains the System SoHR (SSoHR) and the list of SoHRs to the HCS.
HCS sends the SSoHR and list of SoHRs to the client.
If compliant, HCS obtains a health certificate for the client.
Client is on the secure network.

39 Noncompliant IPsec NAP client
NAP Agent passes the SoHRs to their SHAs.
SHAs perform remediation and pass updated SoHs to the NAP Agent.
Client creates a new HTTPS channel with the HCS.
Client sends its credentials and its updated list of SoHs to the HCS.
HCS validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client.

40 Network Access Protection resources
Network Access Protection Web site
"Network Access Protection Platform Architecture" white paper: /network/nap/naparch.mspx
