
Network Access Protection Platform Architecture
Mark Gibson, Senior Consultant, Microsoft Corporation

2004 MVP Global Summit, April 4-7, 2004

Agenda
- Introduction
- Network Access Protection platform architecture
- Network Access Protection client architecture
- Network Access Protection server architecture
- How Network Access Protection works

© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Introduction
- What is Network Access Protection (NAP)?
- Network infrastructure for Network Access Protection
- Network Access Protection enforcement methods

What is Network Access Protection?
- Platform that enforces compliance with health requirements for network access or communication
- Operating system components
  - Built into Microsoft® Windows Server® 2008 and Microsoft Windows Vista™
  - Separate client for Microsoft Windows® XP with Service Pack 2
- Application programming interfaces (APIs)
  - Allow integration with third-party vendors

Network infrastructure for Network Access Protection
- Health policy validation: determines whether computers are compliant with health policy requirements
- Network access limitation: limits access for noncompliant computers
- Automatic remediation: provides the updates needed for a noncompliant computer to become compliant
- Ongoing compliance: automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements

Network Access Protection enforcement methods
- Internet Protocol security (IPsec)-protected communications
- IEEE 802.1X-authenticated network connections
- Remote access virtual private network (VPN) connections
- Dynamic Host Configuration Protocol (DHCP) configuration

Network Access Protection platform architecture
- Components of the Network Access Protection platform
- Interactions between Network Access Protection components

Components of the Network Access Protection platform (diagram)
Labels shown: VPN server, Active Directory, Policy servers, IEEE 802.1X devices, Internet, Health certificate server (HCS), Network Policy Server (NPS), DHCP server, Perimeter network, Intranet, Remediation servers, Restricted network, NAP client with limited access.

Network Access Protection component interaction (diagram)
Labels shown: NAP client, DHCP server, NPS, HCS, Remediation server. Message flows: DHCP messages between the NAP client and the DHCP server; Remote Authentication Dial-in User Service (RADIUS) messages to the NPS; Hypertext Transfer Protocol over Secure Sockets Layer (SSL) (HTTPS) messages between the NAP client and the HCS; system health updates from the remediation server.

Network Access Protection component interaction (2) (diagram)
Labels shown: NAP client, VPN server, IEEE 802.1X devices, NPS, Policy server. Message flows: Protected Extensible Authentication Protocol (PEAP) messages over the Point-to-Point Protocol (PPP) between the NAP client and the VPN server; PEAP messages over EAP over LAN (EAPOL) between the NAP client and the IEEE 802.1X devices; RADIUS messages to the NPS; system health requirement queries from the NPS to the policy server.

Network Access Protection client architecture components
- System Health Agent (SHA)
- NAP Agent
- NAP Enforcement Client (EC)
  - IPsec NAP EC
  - EAPHost NAP EC
  - VPN NAP EC
  - DHCP NAP EC

Network Access Protection client architecture (diagram)
Inside the NAP client: SHA_1, SHA_2, SHA_3, ... attach through the SHA API to the NAP Agent; the NAP Agent attaches through the NAP EC API to NAP EC_A, NAP EC_B, NAP EC_C, ... Outside the client: Remediation server 1 and Remediation server 2 (reached by the SHAs) and NAP server A, NAP server B, NAP server C (each reached by its matching NAP EC).

Network Access Protection server architecture components
- System Health Validator (SHV)
- NAP Administration Server
- NPS
- NAP Enforcement Server (ES)
  - IPsec NAP ES
  - VPN NAP ES
  - DHCP NAP ES

Network Access Protection server architecture (diagram)
Inside the NAP server: SHV_1, SHV_2, SHV_3, ... attach through the SHV API to the NAP Administration Server, which runs on the NPS; the NPS exchanges RADIUS messages with NAP ES_A, NAP ES_B, NAP ES_C, ..., which face the NAP client. Policy server 1, Policy server 2, ... are reached by the SHVs.

NAP Administration Server: matched components (diagram)
The slide marks which components are provided by the NAP platform and which by third parties, and pairs each client-side component with its server-side counterpart: SHA1 with SHV1, SHA2 with SHV2 (SHV3 is also shown), NAP EC_A with NAP ES_A, NAP EC_B with NAP ES_B. Other labels shown: Remediation Server 1, Remediation Server 2, Policy Server 1, Policy Server 2, SHV API, SHA API, NAP Administration Server, NPS, NAP Agent, NAP client, NAP EC API, RADIUS, NAP server.

Component communication: client to server (diagram)
Each SHA (SHA1, SHA2) produces a Statement of Health (SoH) and passes it through the SHA API to the NAP Agent. The NAP Agent passes the list of SoHs through the NAP EC API to NAP EC_A, which sends it to NAP ES_A on the NAP server. The NAP server forwards the list of SoHs to the NPS, where the NAP Administration Server passes each SoH through the SHV API to its matching SHV (SHV1, SHV2).

Component communication: server to client (diagram)
Each SHV (SHV1, SHV2) returns a SoH Response (SoHR) through the SHV API to the NAP Administration Server. The NPS sends the list of SoHRs to NAP ES_A on the NAP server, which returns it to NAP EC_A on the NAP client. The NAP Agent passes each SoHR through the SHA API to its matching SHA (SHA1, SHA2).

How Network Access Protection works
- DHCP enforcement
- Remote access VPN enforcement
- IEEE 802.1X enforcement
- IPsec enforcement

DHCP enforcement
- For noncompliant computers, prevents unlimited access to a network by handing out a limited DHCP address configuration
- Network Access Protection-capable DHCP clients use their list of SoHs as proof of their health compliance

DHCP enforcement (2)
1. DHCP client sends its list of SoHs to its DHCP server in the DHCPDiscover message.
2. DHCP server passes the list of SoHs to the NPS in a RADIUS Access-Request message.
3. NAP Administration Server on the NPS passes the SoHs to their SHVs.
4. SHVs evaluate their SoHs and respond with SoHRs.

DHCP enforcement (3)
5. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
6. NPS sends a RADIUS Access-Accept message containing the System SoHR (SSoHR) and the list of SoHRs to the DHCP server.
7. Client and DHCP server complete the DHCP configuration.

Noncompliant DHCP NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass their updated SoHs to the NAP Agent.
3. Client sends a DHCPRequest message containing the updated list of SoHs to the DHCP server.
4. DHCP server validates the new health state with the NPS and assigns the client an unlimited access address configuration.
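The matched SHA/SHV exchange (list of SoHs out, list of SoHRs back, folded into the SSoHR) and the DHCP enforcement rounds above, as an added Python illustration that is not from the presentation. The SoH fields, the two health checks (firewall on, antivirus signature version) and the handling of a SoH with no matching SHV are assumptions; the real NAP components use a binary SoH format, not these dictionaries.

```python
from dataclasses import dataclass


@dataclass
class SoH:                       # Statement of Health, produced by one SHA
    sha_id: int                  # identifies the matched SHA/SHV pair
    state: dict                  # constructed health fields (not the real wire format)


@dataclass
class SoHR:                      # SoH Response, produced by the matched SHV
    sha_id: int
    compliant: bool
    remediation: dict            # settings the SHA must apply to become compliant


# ---- NAP server side: SHVs reached through the NAP Administration Server ----
def firewall_shv(soh):
    """Hypothetical SHV: the host firewall must be enabled."""
    ok = bool(soh.state.get("firewall_on"))
    return SoHR(soh.sha_id, ok, {} if ok else {"firewall_on": True})


def antivirus_shv(soh, required_signature=42):
    """Hypothetical SHV: antivirus signatures must be at least a given version."""
    ok = soh.state.get("av_signature", 0) >= required_signature
    return SoHR(soh.sha_id, ok, {} if ok else {"av_signature": required_signature})


SHVS = {1: firewall_shv, 2: antivirus_shv}   # matched components: SHA_n <-> SHV_n


def nps_evaluate(sohs):
    """Fan the list of SoHs out to the matched SHVs, then fold the SoHRs into the
    System SoHR (SSoHR): the client is compliant only if every SHV says so.
    A SoH with no matching SHV is treated as noncompliant (assumption)."""
    sohrs = []
    for soh in sohs:
        shv = SHVS.get(soh.sha_id)
        sohrs.append(shv(soh) if shv else SoHR(soh.sha_id, False, {}))
    return all(r.compliant for r in sohrs), sohrs


# ---- NAP client side: the NAP Agent routes each SoHR back to its SHA ----
def remediate(sohs, sohrs):
    """Each SHA applies the remediation its SoHR carries and emits an updated SoH."""
    by_id = {s.sha_id: s for s in sohs}
    for r in sohrs:
        if not r.compliant and r.sha_id in by_id:
            by_id[r.sha_id].state.update(r.remediation)
    return list(by_id.values())


def dhcp_enforcement(sohs, max_rounds=3):
    """Round 1 models DHCPDiscover carrying the SoHs; a noncompliant client gets a
    limited configuration, remediates, and retries with DHCPRequest (later rounds).
    Returns (access, rounds_used)."""
    for round_no in range(1, max_rounds + 1):
        compliant, sohrs = nps_evaluate(sohs)       # DHCP server -> NPS via RADIUS
        if compliant:
            return "unlimited", round_no             # Access-Accept: unlimited address
        sohs = remediate(sohs, sohrs)                # limited address; SHAs fix state
    return "limited", max_rounds


if __name__ == "__main__":
    client = [SoH(1, {"firewall_on": False}), SoH(2, {"av_signature": 40})]
    print(dhcp_enforcement(client))                  # ('unlimited', 2)
```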

VPN enforcement
- For noncompliant computers, prevents unlimited access to a network through a remote access VPN connection
- Network Access Protection-capable VPN clients use their list of SoHs as proof of their health compliance

VPN enforcement (2)
1. VPN client initiates a remote access VPN connection.
2. Client and the NPS create a secure channel with PEAP.
3. Client sends its list of SoHs to the NPS in a PEAP-TLV message.
4. Client performs authentication for the VPN connection with a negotiated PEAP method.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

VPN enforcement (3)
6. SHVs evaluate their SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
9. NPS sends a RADIUS Access-Accept message to the VPN server indicating either limited or unlimited access.
10. Client and VPN server complete the VPN connection.

Noncompliant VPN NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass an updated SoH to the NAP Agent.
3. Client sends the updated list of SoHs to the NPS in a PEAP-TLV message to obtain an unlimited access connection.

802.1X enforcement
- For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection
- Network Access Protection-capable 802.1X clients can use either their list of SoHs or a health certificate as proof of their health compliance

802.1X enforcement using a list of SoHs
1. Client or 802.1X access point starts 802.1X authentication using EAPOL.
2. Client and the NPS create a secure channel with PEAP.
3. Client sends the list of SoHs to the NPS in a PEAP-Type-Length-Value (TLV) message.
4. Client performs 802.1X authentication with a negotiated PEAP method.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

802.1X enforcement using a list of SoHs (2)
6. SHVs evaluate their SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
9. NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
10. Client and 802.1X access point complete the 802.1X connection.

Noncompliant 802.1X client using a list of SoHs
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass an updated SoH to the NAP Agent.
3. Client restarts 802.1X authentication to obtain an unlimited access connection.

802.1X enforcement using a health certificate
1. Client or 802.1X access point starts 802.1X authentication using EAPOL.
2. Client and the NPS create a secure channel with PEAP.
3. Client performs 802.1X authentication with a negotiated PEAP method.
4. Client sends the health certificate to the NPS in a PEAP-TLV message.

802.1X enforcement using a health certificate (2)
5. NPS validates the health certificate and makes a limited/unlimited network access decision.
6. NPS sends a PEAP-TLV message containing the SSoHR to the client.
7. NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
8. Client and 802.1X access point complete the 802.1X connection.

Noncompliant 802.1X client using a health certificate
1. Client creates an HTTPS channel with the HCS.
2. Client sends its credentials and its current list of SoHs to the HCS.
3. HCS validates the credentials and the list of SoHs with the NPS and obtains a health certificate for the client.
4. Client restarts 802.1X authentication to obtain an unlimited access connection.

IPsec enforcement
- For noncompliant computers, prevents communication with compliant computers
- Compliant computers obtain a health certificate as proof of their health compliance
- The health certificate is used for peer authentication when negotiating IPsec-protected communications

IPsec enforcement logical networks (diagram)
Labels shown: Client, Health certificate server, Policy servers, NPS servers, Remediation servers; logical networks: Secure network, Boundary network, Restricted network.

Allowed communication with IPsec enforcement (diagram)
Labels shown: Secure network, Boundary network, Restricted network; the arrows distinguish unauthenticated initiated communication from IPsec-authenticated initiated communication.

IPsec enforcement startup
1. Client starts up on the restricted network.
2. Client creates an HTTPS secure communication channel with the HCS.
3. Client sends its credentials and its list of SoHs to the HCS.
4. HCS forwards the client identity and health status information to the NPS for validation in a RADIUS Access-Request message.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

IPsec enforcement startup (2)
6. SHVs evaluate the SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a RADIUS Access-Accept message that contains the System SoHR (SSoHR) and the list of SoHRs to the HCS.
9. HCS sends the SSoHR and the list of SoHRs to the client.
10. If the client is compliant, the HCS obtains a health certificate for it, and the client is on the secure network.

Noncompliant IPsec NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass updated SoHs to the NAP Agent.
3. Client creates a new HTTPS channel with the HCS.
4. Client sends its credentials and its updated list of SoHs to the HCS.
5. HCS validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client.

Network Access Protection resources
- Network Access Protection Web site: http://www.microsoft.com/nap
- "Network Access Protection Platform Architecture" white paper: http://www.microsoft.com/technet/itsolutions/network/nap/naparch.mspx