1 Network Access Protection Platform Architecture
Joseph Davies, Technical Writer, Windows Networking and Device Technologies, Microsoft Corporation

2 Agenda
Introduction
Network Access Protection platform architecture
Network Access Protection client architecture
Network Access Protection server architecture
How Network Access Protection works

3 Introduction
What is Network Access Protection (NAP)?
Network infrastructure for Network Access Protection
Network Access Protection enforcement methods

4 What is Network Access Protection?
A platform that enforces compliance with health requirements for network access or communication
Operating system components: built into Microsoft® Windows Server® "Longhorn" and Microsoft Windows Vista™; a separate client is available for Microsoft Windows® XP with Service Pack 2
Application programming interfaces (APIs): allow integration with third-party vendors

5 Network infrastructure for Network Access Protection
Health policy validation: determines whether computers comply with health policy requirements
Network access limitation: limits access for noncompliant computers
Automatic remediation: provides the updates a noncompliant computer needs to become compliant
Ongoing compliance: automatically updates compliant computers so that they keep up with changes in health policy requirements

6 Network Access Protection enforcement methods
Internet Protocol security (IPsec)-protected communications
IEEE 802.1X-authenticated network connections
Remote access virtual private network (VPN) connections
Dynamic Host Configuration Protocol (DHCP) configuration

7 Network Access Protection platform architecture
Components of the Network Access Protection platform
Interactions between Network Access Protection components

8 Components of the Network Access Protection platform (diagram)
Components shown: NAP client with limited access, DHCP server, remediation servers, VPN server, Network Policy Server (NPS), Active Directory, health certificate server (HCS), IEEE 802.1X devices, policy servers
Networks shown: intranet, restricted network, perimeter network, Internet

9 Network Access Protection component interaction (diagram)
Links labeled: NAP client to DHCP server, DHCP messages; NAP client to HCS, Hypertext Transfer Protocol over Secure Sockets Layer (SSL) (HTTPS) messages; DHCP server and HCS to NPS, Remote Authentication Dial-in User Service (RADIUS) messages; remediation server to NAP client, system health updates

10 Network Access Protection component interaction (2) (diagram)
Links labeled: NAP client to VPN server, Protected Extensible Authentication Protocol (PEAP) messages over the Point-to-Point Protocol (PPP); NAP client to IEEE 802.1X devices, PEAP messages over EAP over LAN (EAPOL); VPN server and 802.1X devices to NPS, RADIUS messages; NPS to policy server, system health requirement queries

11 Network Access Protection client architecture components
System Health Agent (SHA)
NAP Agent
NAP Enforcement Client (EC): IPsec NAP EC, EAPHost NAP EC, VPN NAP EC, DHCP NAP EC

12 Network Access Protection client architecture (diagram)
NAP client: SHA_1, SHA_2 and SHA_3 attach through the SHA API to the NAP Agent; the NAP Agent attaches through the NAP EC API to NAP EC_A, NAP EC_B and NAP EC_C, each of which communicates with its own NAP server (NAP server A, B, C, ...); the SHAs communicate with remediation server 1 and remediation server 2

13 Network Access Protection server architecture components
System Health Validator (SHV)
NAP Administration Server
NPS
NAP Enforcement Server (ES): IPsec NAP ES, VPN NAP ES, DHCP NAP ES

14 Network Access Protection server architecture (diagram)
NAP server: NAP ES_A, NAP ES_B and NAP ES_C (...) receive the NAP client's health state and pass it to the NPS over RADIUS; NPS: NAP Administration Server attaches through the SHV API to SHV_1, SHV_2 and SHV_3; the SHVs consult policy server 1 and policy server 2

15 Matched components (diagram)
NAP client side: SHA1 and SHA2, SHA API, NAP Agent, NAP EC API, NAP EC_A and NAP EC_B, remediation server 1 and remediation server 2
NAP server side: NAP ES_A and NAP ES_B, NPS (reached over RADIUS), NAP Administration Server, SHV API, SHV1, SHV2 and SHV3, policy server 1 and policy server 2
Each SHA is matched with an SHV, each NAP EC with a NAP ES, and the NAP Agent with the NAP Administration Server; the legend distinguishes components provided by the NAP platform from components provided by third parties

16 Component communication: client to server (diagram)
Each SHA (SHA1, SHA2) produces a Statement of Health (SoH) and passes it through the SHA API to the NAP Agent; the NAP Agent sends the list of SoHs through the NAP EC API to NAP EC_A, which sends it to NAP ES_A on the NAP server; NAP ES_A passes it to the NPS, whose NAP Administration Server distributes the SoHs through the SHV API to SHV1 and SHV2

17 Component communication: server to client (diagram)
Each SHV (SHV1, SHV2) returns an SoH Response (SoHR) through the SHV API to the NAP Administration Server; the NPS sends the list of SoHRs through NAP ES_A to NAP EC_A on the NAP client; NAP EC_A passes it through the NAP EC API to the NAP Agent, which passes each SoHR through the SHA API to its SHA

18 How Network Access Protection works
IPsec enforcement
IEEE 802.1X enforcement
Remote access VPN enforcement
DHCP enforcement

19 IPsec enforcement
For noncompliant computers, prevents communication with compliant computers
Compliant computers obtain a health certificate as proof of their health compliance
The health certificate is used for peer authentication when negotiating IPsec-protected communications

20 IPsec enforcement logical networks (diagram)
Networks shown: secure network, boundary network, restricted network
Hosts shown: client, health certificate server, NPS servers, policy servers, remediation servers

21 Allowed communication with IPsec enforcement (diagram)
Networks shown: secure network, boundary network, restricted network
Arrows distinguish unauthenticated initiated communication from IPsec-authenticated initiated communication between the three networks
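The three logical networks on slides 20 and 21 are easiest to reason about as an IPsec policy per network plus possession of a health certificate. The Python model below is an added example, not code from the presentation or from Microsoft. Its per-network settings (require authentication for inbound connections on the secure network, request it on the boundary network, none on the restricted network; health certificates held only by secure and boundary hosts) are assumptions chosen to reproduce the allowed-communication picture, not settings the slides state.

```python
from dataclasses import dataclass

SECURE, BOUNDARY, RESTRICTED = "secure", "boundary", "restricted"


@dataclass(frozen=True)
class IPsecPolicy:
    """Assumed IPsec behaviour of one logical network (hypothetical model)."""
    inbound: str           # "require", "request" or "none"
    outbound: str          # "request" or "none"
    has_health_cert: bool  # compliant hosts and boundary servers hold one


# Assumed settings: compliant hosts insist on a health certificate from every
# peer, boundary servers (HCS, remediation servers) accept anyone so that a
# noncompliant host can still be remediated, restricted hosts have no
# certificate and no IPsec policy at all.
NETWORKS = {
    SECURE: IPsecPolicy("require", "request", True),
    BOUNDARY: IPsecPolicy("request", "request", True),
    RESTRICTED: IPsecPolicy("none", "none", False),
}


def negotiate(initiator: IPsecPolicy, responder: IPsecPolicy) -> str:
    """Outcome when `initiator` opens a connection to `responder`."""
    auth_attempted = initiator.outbound != "none" or responder.inbound != "none"
    if auth_attempted and initiator.has_health_cert and responder.has_health_cert:
        return "ipsec-authenticated"  # both sides authenticate with health certificates
    if responder.inbound == "require":
        return "blocked"  # initiator lacks the health certificate the responder demands
    return "unauthenticated"  # falls back to clear text


def communication_matrix() -> dict:
    """(source network, destination network) -> outcome for every pair."""
    return {(s, d): negotiate(NETWORKS[s], NETWORKS[d]) for s in NETWORKS for d in NETWORKS}


def reachable_from_restricted() -> list:
    """Networks a noncompliant host can still initiate to (its remediation path)."""
    return sorted(d for (s, d), outcome in communication_matrix().items()
                  if s == RESTRICTED and outcome != "blocked")


if __name__ == "__main__":
    for (src, dst), outcome in sorted(communication_matrix().items()):
        print(f"{src:>10} -> {dst:<10} {outcome}")
```

The property worth checking is the one slide 19 states: a restricted host can reach the boundary network (and other restricted hosts) in the clear but never the secure network, while secure and boundary hosts talk to each other only over IPsec-authenticated connections.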

22 IPsec enforcement startup
1. Client starts up on the restricted network.
2. Client creates an HTTPS secure communication channel with the HCS.
3. Client sends its credentials and its list of SoHs to the HCS.
4. HCS forwards the client identity and health status information to the NPS for validation in a RADIUS Access-Request message.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

23 IPsec enforcement startup (2)
6. SHVs evaluate the SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a RADIUS Access-Accept message that contains the System SoHR (SSoHR) and the list of SoHRs to the HCS.
9. HCS sends the SSoHR and the list of SoHRs to the client.
10. If the client is compliant, HCS obtains a health certificate for it. The client is now on the secure network.

24 Noncompliant IPsec NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass updated SoHs to the NAP Agent.
3. Client creates a new HTTPS channel with the HCS.
4. Client sends its credentials and its updated list of SoHs to the HCS.
5. HCS validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client.

25 802.1X enforcement
For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection
Network Access Protection-capable 802.1X clients can use either their list of SoHs or a health certificate as proof of their health compliance

26 802.1X enforcement using a list of SoHs
1. Client or 802.1X access point starts 802.1X authentication using EAPOL.
2. Client and the NPS create a secure channel with PEAP.
3. Client sends the list of SoHs to the NPS in a PEAP Type-Length-Value (TLV) message.
4. Client performs 802.1X authentication with a negotiated PEAP method.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

27 802.1X enforcement using a list of SoHs (2)
6. SHVs evaluate their SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
9. NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
10. Client and 802.1X access point complete the 802.1X connection.

28 Noncompliant 802.1X client using a list of SoHs
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and each passes an updated SoH to the NAP Agent.
3. Client restarts 802.1X authentication to obtain an unlimited access connection.

29 802.1X enforcement using a health certificate
1. Client or 802.1X access point starts 802.1X authentication using EAPOL.
2. Client and the NPS create a secure channel with PEAP.
3. Client performs 802.1X authentication with a negotiated PEAP method.
4. Client sends the health certificate to the NPS in a PEAP-TLV message.

30 802.1X enforcement using a health certificate (2)
5. NPS validates the health certificate and makes a limited/unlimited network access decision.
6. NPS sends a PEAP-TLV message containing the SSoHR to the client.
7. NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
8. Client and 802.1X access point complete the 802.1X connection.

31 Noncompliant 802.1X client using a health certificate
1. Client creates an HTTPS channel with the HCS.
2. Client sends its credentials and its current list of SoHs to the HCS.
3. HCS validates the credentials and the list of SoHs with the NPS and obtains a health certificate for the client.
4. Client restarts 802.1X authentication to obtain an unlimited access connection.

32 VPN enforcement
For noncompliant computers, prevents unlimited access to a network through a remote access VPN connection
Network Access Protection-capable VPN clients use their list of SoHs as proof of their health compliance

33 VPN enforcement (2)
1. VPN client initiates a remote access VPN connection.
2. Client and the NPS create a secure channel with PEAP.
3. Client sends its list of SoHs to the NPS in a PEAP-TLV message.
4. Client performs authentication for the VPN connection with a negotiated PEAP method.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

34 VPN enforcement (3)
6. SHVs evaluate their SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
9. NPS sends a RADIUS Access-Accept message to the VPN server indicating either limited or unlimited access.
10. Client and VPN server complete the VPN connection.

35 Noncompliant VPN NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and each passes an updated SoH to the NAP Agent.
3. Client sends the updated list of SoHs to the NPS in a PEAP-TLV message to obtain an unlimited access connection.

36 DHCP enforcement
For noncompliant computers, prevents unlimited access to a network through a limited DHCP address configuration
Network Access Protection-capable DHCP clients use their list of SoHs as proof of their health compliance

37 DHCP enforcement (2)
1. DHCP client sends its list of SoHs to its DHCP server in the DHCPDiscover message.
2. DHCP server passes the list of SoHs to the NPS in a RADIUS Access-Request message.
3. NAP Administration Server on the NPS passes the SoHs to their SHVs.
4. SHVs evaluate their SoHs and respond with SoHRs.

38 DHCP enforcement (3)
5. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
6. NPS sends a RADIUS Access-Accept message containing the SSoHR and the list of SoHRs to the DHCP server.
7. Client and DHCP server complete the DHCP configuration.

39 Noncompliant DHCP NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass their updated SoHs to the NAP Agent.
3. Client sends a DHCPRequest message containing the updated list of SoHs to the DHCP server.
4. DHCP server validates the health state with the NPS and assigns the client an unlimited access address configuration.
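Slides 16 and 17 describe one SoH/SoHR exchange, and the IPsec, 802.1X, VPN and DHCP walk-throughs on slides 22 through 39 all carry that same exchange over their own transport. The Python simulation below is an added example, not code from the presentation or from Microsoft's implementation. It models the SHAs, the NAP Agent, the NAP Administration Server, the SHVs and the NPS decision as plain classes, with two hypothetical SHA/SHV pairs (a firewall check and an antivirus signature-age check), constructed client state, and one assumed policy detail that the slides do not state: a required SHA that sends no SoH is treated as noncompliant. The transports (HTTPS, PEAP-TLV, DHCP, RADIUS) are left out; `run_nap_exchange` is the part that is the same whichever NAP EC/ES pair carries the messages, including the remediate-and-retry loop of slides 24, 28, 35 and 39.

```python
from dataclasses import dataclass, field

FIREWALL_SHA, ANTIVIRUS_SHA = 1, 2  # hypothetical SHA/SHV IDs used by the demo


@dataclass
class SoH:   # Statement of Health: one SHA's claims about the component it monitors
    sha_id: int
    claims: dict


@dataclass
class SoHR:  # SoH Response: the matching SHV's verdict plus what must change
    sha_id: int
    compliant: bool
    remediation: dict = field(default_factory=dict)


class SystemHealthAgent:
    """Hypothetical SHA; `state` stands in for the local component it reports on."""
    def __init__(self, sha_id: int, state: dict):
        self.sha_id, self.state = sha_id, dict(state)

    def statement_of_health(self) -> SoH:
        return SoH(self.sha_id, dict(self.state))

    def remediate(self, sohr: SoHR) -> None:
        # A real SHA fixes the component or pulls updates from a remediation
        # server; in this model the SoHR carries the target values directly.
        self.state.update(sohr.remediation)


class NapAgent:
    """Collects SoHs from every SHA and routes each SoHR back to its SHA."""
    def __init__(self, shas):
        self.shas = {sha.sha_id: sha for sha in shas}

    def collect_sohs(self) -> list:
        return [sha.statement_of_health() for sha in self.shas.values()]

    def process_sohrs(self, sohrs) -> None:
        for sohr in sohrs:
            if not sohr.compliant and sohr.sha_id in self.shas:
                self.shas[sohr.sha_id].remediate(sohr)


class SystemHealthValidator:
    """Hypothetical SHV; `policy` maps a claim name to (is_ok predicate, target value)."""
    def __init__(self, sha_id: int, policy: dict):
        self.sha_id, self.policy = sha_id, policy

    def validate(self, soh: SoH) -> SoHR:
        fixes = {claim: target for claim, (is_ok, target) in self.policy.items()
                 if not is_ok(soh.claims.get(claim))}
        return SoHR(self.sha_id, compliant=not fixes, remediation=fixes)


class NapAdministrationServer:
    """Passes each SoH to the SHV with the same ID and gathers the SoHRs."""
    def __init__(self, shvs):
        self.shvs = {shv.sha_id: shv for shv in shvs}

    def validate_all(self, sohs) -> list:
        return [self.shvs[s.sha_id].validate(s) for s in sohs if s.sha_id in self.shvs]


class NetworkPolicyServer:
    """Turns the SoHRs into the limited/unlimited decision carried in the SSoHR."""
    def __init__(self, admin_server: NapAdministrationServer, required_sha_ids):
        self.admin, self.required = admin_server, set(required_sha_ids)

    def evaluate(self, sohs):
        sohrs = self.admin.validate_all(sohs)
        # Assumed policy: a required SHA that sent no SoH counts as noncompliant,
        # so a client cannot obtain unlimited access by leaving a check out.
        missing = sorted(self.required - {s.sha_id for s in sohs})
        healthy = not missing and all(r.compliant for r in sohrs)
        return ("unlimited" if healthy else "limited"), sohrs, missing


def run_nap_exchange(client: NapAgent, nps: NetworkPolicyServer, max_rounds=3) -> list:
    """Access decision per round: SoHs up, SSoHR + SoHRs down, remediate, retry."""
    decisions = []
    for _ in range(max_rounds):
        ssohr, sohrs, _missing = nps.evaluate(client.collect_sohs())
        decisions.append(ssohr)
        if ssohr == "unlimited":
            break
        client.process_sohrs(sohrs)  # limited access: SHAs remediate, then retry
    return decisions


def build_demo_client(firewall_on=False, signature_age_days=10, with_antivirus=True):
    # Constructed client state: a firewall SHA plus (optionally) an antivirus SHA.
    shas = [SystemHealthAgent(FIREWALL_SHA, {"firewall_on": firewall_on})]
    if with_antivirus:
        shas.append(SystemHealthAgent(ANTIVIRUS_SHA, {"signature_age_days": signature_age_days}))
    return NapAgent(shas)


def build_demo_nps():
    # Constructed policy: firewall must be on, signatures no older than 7 days.
    shvs = [SystemHealthValidator(FIREWALL_SHA, {"firewall_on": (lambda v: v is True, True)}),
            SystemHealthValidator(ANTIVIRUS_SHA, {"signature_age_days":
                                                  (lambda v: v is not None and v <= 7, 0)})]
    return NetworkPolicyServer(NapAdministrationServer(shvs), [FIREWALL_SHA, ANTIVIRUS_SHA])
```

Running `run_nap_exchange(build_demo_client(), build_demo_nps())` gives `['limited', 'unlimited']`: the first round returns limited access with two noncompliant SoHRs, the SHAs apply the remediation they carry, and the second round passes. A client built with `with_antivirus=False` stays limited in every round because the antivirus SoH the policy requires never arrives, which is the reason for the missing-SoH rule.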

40 Network Access Protection resources
Network Access Protection Web site: http://www.microsoft.com/nap
"Network Access Protection Platform Architecture" white paper: http://www.microsoft.com/technet/itsolutions/network/nap/naparch.mspx

41 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thank you for joining us for today’s event. For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), visit the Support WebCast site at http://support.microsoft.com/WebCasts/
We sincerely appreciate your feedback. Please submit any comments or suggestions about the Support WebCasts on the “Contact Us” page of the Support Web site at http://support.microsoft.com/servicedesks/webcasts/feedback.asp

