
kuper

Presentation Transcript


  1. Welcome Windows Server 2008 Security Features - NAP

  2. Network Access Protection in Windows Server 2008

  3. Overview • Network Policies Access Protection • Enforcement Options • Network Access Protection Scenarios

  4. Lesson 1: Network Policies Access Protection • Why Use Network Access Protection? • Network Protection Services Overview • Network Access Protection Solution • NAP Architecture Overview • Network Layer Protection with NAP • Host Layer Protection with NAP

  5. Why Use Network Access Protection? (diagram: a healthy computer and an unhealthy computer connecting to the private network)

  6. NAP vs. Network Access Quarantine Control • Network Access Protection

  7. Network Protection Services Overview • Network Policy Server (NPS) • Network Access Protection (NAP) Policy Server • IEEE 802.11 Wireless • IEEE 802.3 Wired • RADIUS Server • RADIUS Proxy • Routing and Remote Access • Remote Access Service • Routing • Health Registration Authority (HRA)

  8. Network Access Protection Solution • Policy Validation • Network Restriction • Remediation • Ongoing Compliance (defense-in-depth layers: Policies, Procedures & Awareness; Data; Application; Host; Internal Network; Perimeter)

  9. NAP Architecture Overview (diagram) • Client side: System Health Agent (SHA) from MS and 3rd parties, Quarantine Agent (QA), Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN) • Server side: MS Network Policy Server with System Health Validator, Quarantine Server (QS), Network Access Devices and Servers, System Health Servers, Remediation Servers • Flows: health policy and updates to the Network Policy Server, Network Access Requests and Client Health Statements from the client, Health Certificate issued to a compliant client

  10. Network Layer Protection with NAP (diagram: Client, 802.1x Switch, MS NPS, System Health Servers, Remediation Servers in the Restricted Network; System Health Servers send ongoing policy updates to the Network Policy Server) • Client: "May I have access? Here's my current health status." • Switch to NPS: "Should this client be restricted based on its health?" • NPS: "According to policy, the client is not up to date. Quarantine client, request it to update." • Switch to Client: "You are given restricted access until fix-up." • Client to Remediation Servers: "Can I have updates?" • Remediation Servers: "Here you go." • Client: "Requesting access. Here's my new health status." • NPS: "According to policy, the client is up to date. Grant access." • Client is granted access to full intranet.

  11. Host Layer Protection with NAP (diagram: Client, HRA, NPS, Remediation Server; policy modes: No Policy, Authentication Optional, Authentication Required) • Client to HRA: "May I have a health certificate? Here's my SoH." • HRA to NPS: "Client ok?" • NPS: "Yes. Issue health certificate." or "No. Needs fix-up." • HRA to Client (non-compliant): "You don't get a health certificate. Go fix up." • Client to Remediation Server: "I need updates." • Remediation Server: "Here you go." • HRA to Client (compliant): "Here's your health certificate." • Client: accessing the network

  12. Technical Background • NAP Infrastructure • NAP Platform Architecture • NAP Enforcement Methods • NAP Client Architecture • NAP Server Architecture • Component Communication

  13. NAP Infrastructure • Automatic Remediation • Health Policy Validation • Health Policy Compliance • Limited Access

  14. NAP Platform Architecture

  15. Network Access Protection Components (1 of 5) • NAP Clients • IPSec, 802.1X, VPN, DHCP • NAP Servers - determine the System Health of any NAP Client • Windows Server 2008 + Network Policy Server • Remediation actions are required for computers that are not compliant • Health Registration Authority • VPN Server • DHCP Server

  16. Network Access Protection Components (2 of 5) • NAP Clients • IPSec, 802.1X, VPN, DHCP • NAP Servers - determine the System Health (SH) of any NAP Client • Windows Server 2008 + Network Policy Server • Remediation actions are required for computers that are not compliant • Health Registration Authority • VPN Server • DHCP Server

  17. Network Access Protection Components (3 of 5) • NPS Servers • Replacement for the Internet Authentication Service (IAS) • Windows Server 2008 + Validate System Health Policy • Active Directory Directory Service • Group Policy Settings for IPSec • 802.1X credentials are stored in the directory service

  18. Network Access Protection Components (4 of 5) • Restricted Network • Separate network segment (logical/physical) • Contains the Remediation Servers • Remediation Server • Brings the NAP Client into compliance with health policy • System Health Agent (SHA) • Checks for a particular health parameter • Sends a Statement of Health (SoH) to the System Health Validator (SHV)

  19. Network Access Protection Components (5 of 5) • System Health Validator • Compares the Statement of Health (SoH) sent from a System Health Agent (SHA) against health policy • Statement of Health (SoH) • The SoH is the response sent by a System Health Agent to a System Health Validator

  20. Misconception • The quarantine network is anything but empty • SMS Server from within Quarantine Mode • For starters, it must have a DNS Server • It should not be a primary DNS server • Finally, the DHCP and IAS server (VPN Quarantine Mode only) must be accessible • Otherwise, a client would never be able to get out of Quarantine Mode after its Statement of Health has been updated

  21. Lesson 2: Enforcement Options • NAP – Enforcement Options • NAP with DHCP • IPsec-based Communication • NAP with RRAS

  22. NAP – Enforcement Options

      Enforcement   Healthy Client                            Unhealthy Client
      DHCP          Full IP address given, full access        Restricted set of routes
      VPN           Full access                               Restricted VLAN
      802.1X        Full access                               Restricted VLAN
      IPsec         Can communicate with any trusted peer     Healthy peers reject connection requests from unhealthy systems

      • Complements layer 2 protection • Works with existing servers and infrastructure • Offers flexible isolation
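The access cycle drawn in slides 10 and 11 and the per-method outcomes in the table on slide 22, as an added Python model (not Microsoft's code and not a real NAP API): the SHA reports a SoH, the SHV compares it to a constructed health policy, NPS restricts or grants, remediation fixes the failing checks, and the client is re-evaluated. The health-check names and policy values are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed health policy: what the System Health Validator (SHV) requires.
HEALTH_POLICY = {"firewall_enabled": True, "antivirus_current": True, "patches_current": True}

# Enforcement outcomes per the table on slide 22: (healthy client, unhealthy client).
ENFORCEMENT = {
    "DHCP": ("full IP address, full access", "restricted set of routes"),
    "VPN": ("full access", "restricted VLAN"),
    "802.1X": ("full access", "restricted VLAN"),
    "IPsec": ("health certificate issued; can communicate with any trusted peer",
              "no health certificate; healthy peers reject connection requests"),
}

@dataclass
class NapClient:
    """Models the System Health Agent (SHA): holds the client's current health state."""
    health: dict = field(default_factory=dict)

    def statement_of_health(self):
        """SoH: a snapshot of the health parameters the SHA reports."""
        return dict(self.health)

    def remediate(self, failed):
        """Remediation server brings each failing parameter into compliance."""
        for check in failed:
            self.health[check] = HEALTH_POLICY[check]

def validate(soh):
    """SHV: compare the SoH to the health policy; return the failing checks.
    A parameter missing from the SoH counts as non-compliant."""
    return [k for k, required in HEALTH_POLICY.items() if soh.get(k) != required]

def nps_decision(enforcement, soh):
    """NPS: decide 'grant' or 'restrict' and look up the enforcement action."""
    failed = validate(soh)
    healthy, unhealthy = ENFORCEMENT[enforcement]
    if failed:
        return ("restrict", unhealthy, failed)
    return ("grant", healthy, [])

def access_cycle(client, enforcement):
    """Slide 10 flow: request -> restrict -> remediate -> re-request -> grant.
    Returns the list of (verdict, action) decisions made along the way."""
    transcript = []
    verdict, action, failed = nps_decision(enforcement, client.statement_of_health())
    transcript.append((verdict, action))
    if verdict == "restrict":
        client.remediate(failed)  # fix-up while on the restricted network
        verdict, action, _ = nps_decision(enforcement, client.statement_of_health())
        transcript.append((verdict, action))
    return transcript
```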

  23. NAP with DHCP (diagram: Client, IEEE 802.1X Devices, DHCP Server, NPS Server, VPN Server, Remediation Servers) • Client: "I need to lease an IP address." • Client: "Requesting access. Here's my new health status." • DHCP Server (via NPS): "You are not within the Health Policy requirements." • The client requests and receives updates from the Remediation Servers • DHCP Server: "Access Granted. Here is your new IP Address."

  24. Demo1: Using Network Access Protection • Exercise 1: Configuring Network Access Protection for DHCP

  25. NAP with RRAS RADIUS Messages PEAP Messages Client NPS Server VPN Server Remediation Servers

  26. Demo2: Using Network Access Protection • Exercise 1: Configuring Network Access Protection for VPN

  27. IPSec-based Communication (diagram: IPsec authenticated versus unauthenticated communication across the secure network, boundary network and restricted network)

  28. NAP Enforcement Client • IPSec • 802.1X • VPN • DHCP • NPS RADIUS

  29. How NAP Works • Logical Networks • IPSec Enforcement • IEEE 802.1X • Remote Access VPNs • DHCP

  30. IPSec Enforcement in Logical Networks

  31. Communication Initiation Process with IPSec Enforcement

  32. NAP Client Health Certificate Process

  33. IPSec Enforcement in NAP

  34. IPSec Reviewing • IPSec functionality • OSI 7 Layer - Layer 3 • Authentication methods for IPSec • Pre-shared Key • Kerberos • Certificate

  35. Certificate Reviewing • What is a Digital Certificate? • What is a Certificate Authority? • What is a Digital Certificate for? • Identifies a user, computer or service • Digital Certificates for IPSec

  36. Demo3: Network Access Protection - IPSec • Create a Certificate Template for NAP Exemptions • Enable Certificate Autoenrollment • Configure NAP to Issue Health Certificates • Configure the Health Registration Authority to request Certificates from a subordinate CA • Add the System Health Validation Certificate to NPS • Configure a GPO to Ensure Clients are Configured to Implement NAP • Verify Network Access Protection

  37. 802.1x Authenticated Connections

  38. Lesson 3: Network Access Protection Scenarios • Scenario 1: Roaming Laptops • Scenario 2: Health of Desktop Computers • Scenario 3: Health of Visiting Laptops • Scenario 4: Unmanaged Home Computers

  39. Scenario 1: Roaming Laptops NAP

  40. Scenario 2: Health of Desktop Computers Network Policy Server

  41. Scenario 3: Health of Visiting Laptops Network Policy Server

  42. Scenario 4: Unmanaged Home Computers

  43. NAP Authentication Process Background • Authentication Process • Network Access Protection Settings • Authorization Policies

  44. Implementation/Usage Scenarios • Checking the Health and Status of Roaming Laptops • Ensuring the Health of Corporate Desktops • Determining the Health of Visiting Laptops • Verifying the Compliance of Home Computers

  45. Summary • Network Access Protection: • Secures Remote Computers before they access the Network • Has Client and Server Components • Can Use One or More of Several Methods for Enforcement • IPSec • 802.1X • VPN • DHCP • Provides Support for Third-Party Software

  46. What Next?
      Windows Server 2008 Beta: https://connect.microsoft.com
      • Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx
      • Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx
      • Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17
      Network Access Protection
      • Home Page: http://www.microsoft.com/nap
      • Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884
      • Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885
      • Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886
      • IPSec: http://www.microsoft.com/ipsec
      • Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx