Welcome: Windows Server 2008 Security Features - NAP. Network Access Protection in Windows Server 2008.

Presentation transcript:

Welcome: Windows Server 2008 Security Features - NAP

Network Access Protection in Windows Server 2008

Overview
- Network Policies Access Protection
- Enforcement Options
- Network Access Protection Scenarios

Lesson 1: Network Policies Access Protection
- Why Use Network Access Protection?
- Network Protection Services Overview
- Network Access Protection Solution
- NAP Architecture Overview
- Network Layer Protection with NAP
- Host Layer Protection with NAP

Why Use Network Access Protection? (diagram: a private network with a healthy computer and an unhealthy computer)

NAP vs. Network Access Quarantine Control

| Feature | Network Access Protection | Network Access Quarantine Control |
| Clients covered | Internal, VPN and Remote Access clients | Only VPN and Remote Access clients |
| Enforcement methods | IPSec, 802.1X, DHCP and VPN | DHCP and VPN |
| Availability | NAP NPS and client included in Windows Server 2008; NAP client included in Vista | Installed from the Windows Server 2003 Resource Kit |

Network Protection Services Overview
- Network Policy Server (NPS): Network Access Protection (NAP) Policy Server; IEEE Wireless; IEEE Wired; RADIUS Server; RADIUS Proxy
- Routing and Remote Access: Remote Access Service; Routing
- Health Registration Authority (HRA)

Network Access Protection Solution
- Defense-in-depth layers: Policies, Procedures & Awareness; Data; Application; Host; Internal Network; Perimeter
- NAP stages: Policy Validation; Network Restriction; Remediation; Ongoing Compliance

NAP Architecture Overview (diagram components)
- MS Network Policy Server, acting as Quarantine Server (QS), holding the health policy
- System Health Validator (SHV), from MS and 3rd parties
- System Health Servers (supply updates to health policy)
- Remediation Servers (supply updates to clients)
- Client: Quarantine Agent (QA); System Health Agent (SHA); Enforcement Client (EC) for DHCP, IPSec, 802.1X and VPN
- Network Access Devices and Servers (receive network access requests, exchange health statements, may issue a health certificate)

Network Layer Protection with NAP (diagram: Client, 802.1x Switch, MS NPS, System Health Servers, Remediation Servers, Restricted Network)
1. Client: "May I have access? Here's my current health status."
2. System Health Servers send ongoing policy updates to the Network Policy Server, which asks: "Should this client be restricted based on its health?"
3. NPS: "According to policy, the client is not up to date. Quarantine client, request it to update." Client: "You are given restricted access until fix-up."
4. Client to Remediation Servers (restricted network): "Can I have updates?" Remediation Servers: "Here you go."
5. Client: "Requesting access. Here's my new health status."
6. NPS: "According to policy, the client is up to date. Grant access." Client is granted access to the full intranet.

Host Layer Protection with NAP (diagram: Client, HRA, NPS, Remediation Server; network zones marked "No Policy", "Authentication Optional", "Authentication Required")
1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client ok?" NPS: "No. Needs fix-up."
3. HRA to Client: "You don't get a health certificate. Go fix up."
4. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
5. Client re-submits its SoH; NPS: "Yes. Issue health certificate." HRA to Client: "Here's your health certificate."

Technical Background
- NAP Platform Architecture
- NAP Enforcement Methods
- NAP Infrastructure
- NAP Client Architecture
- NAP Server Architecture
- Component Communication

NAP Infrastructure
- Health Policy Validation
- Health Policy Compliance
- Automatic Remediation
- Limited Access

NAP Platform Architecture

Network Access Protection Components (1 of 5)
- NAP Clients: IPSec, 802.1X, VPN, DHCP
- NAP Servers determine the System Health of any NAP Client: Windows Server Network Policy Server; Health Registration Authority; VPN Server; DHCP Server
- Remediation actions are required for computers that are not compliant


Network Access Protection Components (3 of 5)
- NPS Servers: replacement for the Internet Authentication Service (IAS); a Windows server that validates System Health Policy
- Active Directory Directory Service: Group Policy settings for IPSec; 802.1X credentials are stored in the directory service

Network Access Protection Components (4 of 5)
- Restricted Network: a separate network segment (logical or physical) that contains the Remediation Servers
- Remediation Server: brings the NAP Client into compliance with health policy
- System Health Agent (SHA): checks a particular health parameter and sends a Statement of Health (SoH) to the System Health Validator (SHV)

Network Access Protection Components (5 of 5)
- System Health Validator (SHV): compares the Statement of Health (SoH) sent from a System Health Agent (SHA) against health policy
- Statement of Health (SoH): the response sent by a System Health Agent to a System Health Validator

Misconception: the quarantine network is anything but empty
- An SMS server reachable from within Quarantine Mode
- For starters, you must have a DNS server (it should not be a primary DNS server)
- Finally, the DHCP and IAS server (VPN Quarantine Mode only) must be accessible; otherwise a client would never be able to get out of Quarantine Mode after its Statement of Health has been updated

Lesson 2: Enforcement Options
- NAP Enforcement Options
- NAP with DHCP
- IPsec-based Communication
- NAP with RRAS

NAP Enforcement Options

| Enforcement | Unhealthy Client | Healthy Client |
| 802.1X | Restricted VLAN | Full access |
| IPsec | Healthy peers reject connection requests from unhealthy systems | Can communicate with any trusted peer |
| VPN | Restricted VLAN | Full access |
| DHCP | Restricted set of routes | Full IP address given, full access |

IPsec enforcement notes: complements layer 2 protection; works with existing servers and infrastructure; offers flexible isolation.
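The health-evaluation flow from the architecture slides (SHA reports a SoH, the SHV checks it against policy, NPS maps the verdict to the enforcement method's outcome, the client remediates and re-requests) modelled as a small simulation. This is an added example, not code from the presentation or from Microsoft's NAP implementation; the policy fields and outcome strings are constructed from the slide's table, and real SoH/SHV exchanges are binary RADIUS/PEAP attributes, not Python dicts.

```python
from dataclasses import dataclass

# Constructed health policy: the value each System Health Validator (SHV) requires.
HEALTH_POLICY = {"firewall_enabled": True, "antivirus_current": True, "updates_current": True}

# Outcome per enforcement method, (unhealthy client, healthy client), as the slide's table states.
ENFORCEMENT_OUTCOMES = {
    "802.1X": ("Restricted VLAN", "Full access"),
    "VPN": ("Restricted VLAN", "Full access"),
    "DHCP": ("Restricted set of routes", "Full IP address given, full access"),
    "IPsec": ("No health certificate; healthy peers reject the connection",
              "Health certificate issued; can communicate with any trusted peer"),
}

@dataclass
class StatementOfHealth:
    """What a System Health Agent (SHA) reports; field names are constructed."""
    client: str
    checks: dict

def validate_soh(soh, policy=HEALTH_POLICY):
    """SHV role: compare each reported check against policy and return
    (compliant, failing checks). A check the SHA did not report counts as
    failing, so an incomplete SoH never passes."""
    failures = [name for name, required in policy.items() if soh.checks.get(name) != required]
    return (not failures, failures)

def nps_decision(soh, method, policy=HEALTH_POLICY):
    """NPS role: map the SHV verdict onto the enforcement method's outcome."""
    compliant, failures = validate_soh(soh, policy)
    unhealthy, healthy = ENFORCEMENT_OUTCOMES[method]
    return {"compliant": compliant, "failures": failures, "access": healthy if compliant else unhealthy}

def remediate(soh, failures, policy=HEALTH_POLICY):
    """Remediation-server role: bring each failing check into compliance and
    return the new SoH the client presents when it re-requests access."""
    fixed = dict(soh.checks)
    for name in failures:
        fixed[name] = policy[name]
    return StatementOfHealth(soh.client, fixed)

def access_cycle(soh, method):
    """The slide's flow: request -> restricted access -> remediate -> re-request.
    Returns the NPS decisions in order (one entry if already compliant)."""
    first = nps_decision(soh, method)
    if first["compliant"]:
        return [first]
    return [first, nps_decision(remediate(soh, first["failures"]), method)]
```

Note that a SoH missing a check the policy requires is treated as non-compliant, which is the behaviour to insist on: a client that simply omits a health agent must not be waved through.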

NAP with DHCP (diagram: Client, DHCP Server, NPS Server, Remediation Servers; VPN Server and IEEE 802.1X Devices also shown)
1. Client: "I need to lease an IP address."
2. DHCP Server, after consulting NPS: "You are not within the Health Policy requirements."
3. The client requests and receives updates from the Remediation Servers.
4. Client: "Requesting access. Here's my new health status."
5. DHCP Server: "Access granted. Here is your new IP address."

Demo1: Using Network Access Protection Exercise 1: Configuring Network Access Protection for DHCP

NAP with RRAS (diagram: Client exchanges PEAP messages with the VPN Server; the VPN Server exchanges RADIUS messages with the NPS Server; Remediation Servers are reachable from the restricted client)

Demo2: Using Network Access Protection Exercise 1: Configuring Network Access Protection for VPN

IPSec-based Communication (diagram: Secure network, IPsec authenticated; Boundary network; Restricted network, unauthenticated)

NAP Enforcement Client (diagram: 802.1X, VPN, IPSec and DHCP enforcement clients, all reporting to NPS over RADIUS)

How NAP Works
- IPSec Enforcement
- IEEE 802.1X
- Logical Networks
- Remote Access VPNs
- DHCP

IPSec Enforcement in Logical Networks

Communication Initiation Process with IPSec Enforcement

NAP Client Health Certificate Process

IPSec Enforcement in NAP

IPSec Review
- IPSec functionality
- OSI 7 Layer model: Layer 3
- Authentication methods for IPSec: Pre-shared Key; Kerberos; Certificate

Certificate Review
- What is a Digital Certificate?
- What is a Certificate Authority?
- Digital Certificate for what? Identity of a user, computer or service
- Digital Certificate for IPSec

Demo3: Network Access Protection - IPSec
1. Create a Certificate Template for NAP Exemptions
2. Enable Certificate AutoEnrollment
3. Configure NAP to Issue Health Certificates
4. Configure the Health Registration Authority to request Certificates from the subordinate CA
5. Add the System Health Validation Certificate to NPS
6. Configure a GPO to Ensure Clients are Configured to Implement NAP
7. Verify Network Access Protection

802.1x Authenticated Connections

Lesson 3: Network Access Protection Scenarios
- Scenario 1: Roaming Laptops
- Scenario 2: Health of Desktop Computers
- Scenario 3: Health of Visiting Laptops
- Scenario 4: Unmanaged Home Computers

Scenario 1: Roaming Laptops NAP

Scenario 2: Health of Desktop Computers Network Policy Server

Scenario 3: Health of Visiting Laptops Network Policy Server

Scenario 4: Unmanaged Home Computers

NAP Authentication Process
- Background
- Network Access Protection Settings
- Authorization Policies
- Authentication Process

Implementation/Usage Scenarios
- Ensuring the Health of Corporate Desktops
- Checking the Health and Status of Roaming Laptops
- Determining the Health of Visiting Laptops
- Verifying the Compliance of Home Computers

Summary: Network Access Protection
- Secures remote computers before they access the network
- Has client and server components
- Can use one or more of several enforcement methods: IPSec; 802.1X; VPN; DHCP
- Provides support for third-party software

What Next?
- Windows Server 2008 Beta: Home Page: Webcasts: Forums:
- Network Access Protection Home Page:
- Introduction to Network Access Protection:
- Network Access Protection Platform Architecture:
- Network Access Protection Frequently Asked Questions:
- IPSec:
- Server and Domain Isolation: