NAP Technical Overview

Joe Davies
Principal Writer
Windows Server Information Experience
Presented at:
Windows Networking User Group
November 2, 2011
© 2011 Microsoft Corporation



NAP overview
NAP enforcement methods
NAP components and architecture
What is NAP and why do you
need it?

Challenge
◦ How to maintain computer health
◦ How to define and enforce computer health
requirements
 Intranet computers
 Home computers
 Traveling portable computers

Risk
◦ Malicious software attacks out-of-date computers


Platform that monitors and enforces compliance
with health requirements for network access or
communication
Operating system components built into
◦ Microsoft® Windows Server® 2008/R2
◦ Microsoft Windows 7
◦ Microsoft Windows Vista™
◦ Windows® XP with Service Pack 3 (SP3)
Application programming interfaces (APIs)
◦ Allows for integration with third-party vendors



Health state validation
Health policy compliance
Limited access


Computer that is trying to connect to or
communicate on the network is evaluated
for system health requirements
Compliant computers
◦ Grant unlimited access

Noncompliant computers
◦ Monitoring-only environment
 Grant unlimited access but log compliance state of
computer
◦ Restricted access environment
 Limit access to restricted network

Automatically update noncompliant
computers (autoremediation)
◦ Monitoring-only environment
 Noncompliant computers will have unlimited access
before they are updated
◦ Restricted access environment
 Noncompliant computers will have limited access until
they are updated

Automatically update compliant computers to
guarantee ongoing compliance


Limiting network access to a restricted
network
Health update resources
◦ Located on the restricted network
◦ Used by NAP clients to obtain updates for
compliance
 Example: antivirus signature and operating system
update servers

Computers can be exempted from having their
access limited

NAP infrastructure servers run Windows Server
2008/R2
◦ Windows-based NAP enforcement points
◦ NAP health policy servers

NAP clients run
◦ Windows 7
◦ Windows Vista
◦ Windows XP with Service Pack 3
◦ Windows Server 2008/R2




Verify the health state of roaming laptops
Verify the health state of desktop computers
Verify the health state of visiting laptops
Verify the health state of unmanaged home computers



NAP is about stopping the next big virus or
vulnerability by ensuring clients are well
maintained and isolated if deemed unhealthy
NAP is not designed for:
◦ Blocking unauthorized users
◦ Rogue machine control
◦ Software distribution control
NAP is a flexible health control solution that is
reliant on other mechanisms to solve these issues
◦ It is the compliance check and enforcement
solution for these mechanisms
What types of ways of
connecting or communicating
can NAP help protect?




Internet Protocol security (IPsec)-protected
communications
IEEE 802.1X-authenticated network connections
Remote access virtual private network (VPN)
connections
Dynamic Host Configuration Protocol (DHCP)
configuration
Enforcement               Healthy client                            Unhealthy client
DHCP                      Full IP address given, full access        Restricted set of routes
Remote access VPN (RRAS)  Full access                               IP filters on VPN server
802.1X                    Full access                               Restricted VLAN or port ACLs
IPsec                     Can communicate with any trusted peer     Healthy peers reject connection requests from unhealthy systems

Require proof of health compliance for IPsec-protected end-to-end traffic
◦ Health certificate is used during IPsec authentication

In a restricted access environment, a computer
must be compliant to initiate communications
with other compliant computers
◦ IPsec policy that requires a health certificate for
authentication
◦ Noncompliant computers cannot initiate communication
with compliant computers

A Health Registration Authority (HRA) obtains
X.509-based health certificates for NAP clients

Require health evaluation when making an
802.1X-authenticated connection
◦ Wireless
◦ Wired

In a restricted access environment
◦ A computer must be compliant to obtain unlimited
network access
◦ Noncompliant computers have limited access
 A set of Internet Protocol (IP) packet filters specified by
an access control list (ACL)
 A virtual LAN (VLAN) identifier


Require health evaluation when making a
remote access VPN connection to a Windows
Server 2008/R2-based VPN server
In a restricted access environment
◦ A computer must be compliant to obtain unlimited
network access
◦ Noncompliant computers have limited access
 A set of IP packet filters


Require health evaluation when requesting an IP
version 4 (IPv4) address configuration from a
Windows Server 2008/R2-based DHCP server
In a restricted access environment
◦ A computer must be compliant to obtain an unlimited
access IPv4 address configuration
◦ Noncompliant DHCP clients have IPv4 address
configurations with limited access
 Limited IPv4 configuration and special routes in the IPv4
routing table




Can be eased into the current IP address
management scheme
Can be used in conjunction with any of the
other enforcement options
A NAP capable DHCP server (Windows Server
2008/R2) will still issue addresses to non-NAP
capable clients
Quick and easy to set up either in production
or as a proof of concept




Requires an instance of NPS to be running on
the DHCP server (either as a proxy or as the
NPS server itself)
Can be bypassed by static IP addressing of
clients
Has no authentication or encryption built into
the protocol
Frequency of health check is tied to the DHCP
lease time (health is re-evaluated at lease renewal)


All required technologies are built into
Windows (client and server platforms)
Supports secure authentication methods (EAP)


Uses IP packet filters for quarantine; the size of
the filter list can be an issue
Only works with the Routing and Remote
Access service built into Windows Server
2008/R2




Industry standard protocol supported by all
switch and AP vendors
Supplicant is built into Windows
Supports password based or certificates as the
credential
Can be deployed in conjunction with DHCP or
IPsec enforcements





Requires compatible hardware
Bootstrapping clients with credentials is
challenging
Dynamic VLAN switching during the boot
process can be problematic
Requires designing multiple VLANs based on
health state
Requires Windows supplicant to be used




Unhealthy clients are truly isolated (the NAP agent
deletes the health certificate when the client falls
out of compliance)
Offers strong authentication AND encryption
(encryption is optional, not required)
Works with any switch, router or AP
Technologies are built into Windows (client
and server platforms)




Requires PKI to be deployed
Only works in a managed environment
(machines must be domain joined)
Certificates are the only supported credential
Requires an additional role to be deployed on
the network
◦ Health Registration Authority (HRA)
What are the pieces of NAP
and how does it all work?
[Architecture diagram showing: Internet, perimeter network, intranet, VPN server, IEEE 802.1X devices, Health Registration Authority, NPS server, DHCP server, Active Directory, remediation servers, restricted network, NAP client with limited access]




System health agents and system health
validators
Enforcement components and methods
Network Policy Server (NPS)
Remediation servers


Provide health state tracking and validation
System health agents (SHAs)
 NAP client component
 Report the health state of a computer

System health validators (SHVs)
 NAP health policy server component
 Validate the health state of a computer

NAP APIs allow vendors to create custom SHAs
and SHVs

Windows Security Health Agent
◦ Runs on Windows 7, Windows Vista, and Windows XP
with SP3-based NAP clients
◦ Integrated with Windows Action/Security Center
◦ Reports on:
 Firewall software installed and enabled
 Antivirus software installed, enabled, and updated
 Antispyware software installed, enabled, and updated
 Automatic updates enabled
Windows Security Health Validator
◦ Runs on NAP health policy server (Windows Server
2008/R2)


Remote Authentication Dial-In User Service
(RADIUS) server and proxy for Windows Server
2008/R2
NAP health policy server
◦ Allows configuration of system health requirement
policies
◦ Determines health compliance and remediation
actions for noncompliance
 Autoremediation
 Limited access

Servers, services, or other resources that a
noncompliant computer on the restricted
network can access to correct system health
◦ Domain Name System (DNS) server
◦ Antivirus signature file server
◦ Software update server




IPsec enforcement
802.1X enforcement
VPN enforcement
DHCP enforcement


NAP client sends its health state to the HRA,
which sends it to the NAP health policy server
(an NPS)
NAP health policy server evaluates the health
state of the NAP client
◦ If compliant
 The HRA obtains a health certificate for the NAP client
◦ If not compliant
 The HRA does not obtain a health certificate and
instructs the NAP client to correct its health state
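The certificate check behind the IPsec flow above (and the IPsec enforcement overview earlier), as an added Python example that is not code from this deck or from Windows: an IPsec policy that "requires a health certificate for authentication" is, at the X.509 level, a requirement that the peer's certificate carry the System Health Authentication extended key usage (OID 1.3.6.1.4.1.311.47.1.1). The block parses the DER-encoded extKeyUsage extension value directly and decides whether a peer certificate would be accepted. The two sample extensions (a health certificate and an ordinary machine certificate) are constructed inline, not taken from real certificates, and the function names are this example's own.

```python
"""Decide whether an IPsec peer certificate carries the NAP health EKU.

Added example for the NAP deck, not Microsoft code. A NAP-aware IPsec policy
accepts a peer only if its certificate's extKeyUsage includes the System
Health Authentication purpose, OID 1.3.6.1.4.1.311.47.1.1. The HRA-obtained
health certificate has it; an ordinary machine certificate does not.
"""

HEALTH_EKU = "1.3.6.1.4.1.311.47.1.1"   # System Health Authentication
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form.
    First octet packs the first two arcs (40*a + b); the rest are base-128."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                       # last octet of this arc
            arcs.append(n)
            n = 0
    if n:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER element."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)  # continuation bit on all but last
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (short-form length only)."""
    body = b"".join(encode_oid(o) for o in oids)
    if len(body) >= 128:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([0x30, len(body)]) + body


def parse_eku(der):
    """Return the list of dotted KeyPurposeId OIDs in an extKeyUsage value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage value must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids


def accept_health_peer(eku_der):
    """The check a health-certificate-requiring IPsec policy makes on a peer."""
    return HEALTH_EKU in parse_eku(eku_der)


# Constructed sample extensions (not from real certificates).
HEALTH_CERT_EKU = encode_eku([CLIENT_AUTH, HEALTH_EKU])
MACHINE_CERT_EKU = encode_eku([SERVER_AUTH, CLIENT_AUTH])

if __name__ == "__main__":
    for name, eku in (("health cert", HEALTH_CERT_EKU), ("machine cert", MACHINE_CERT_EKU)):
        verdict = "accepted" if accept_health_peer(eku) else "rejected"
        print(name, parse_eku(eku), verdict)
```

The same decision is made inside the IPsec stack when it validates the peer's certificate chain during authentication; the EKU test is only one part of that, alongside the usual chain, validity-period and revocation checks. The other half of the isolation is on the client: the NAP agent deletes the health certificate when the client falls out of compliance, so a noncompliant host has nothing that passes this check.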


During 802.1X authentication, the NAP client
sends its health state to the NAP health policy
server
The NAP health policy server evaluates the health
state of the NAP client
◦ If compliant
 NAP health policy server instructs the 802.1X access point to
grant unlimited access
◦ If not compliant
 NAP health policy server instructs the NAP client to correct
its health state and can instruct the 802.1X access point to
grant limited access
 ACLs on the port for the IP addresses of remediation servers
 Limited access VLAN
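What the health policy server's instruction to the 802.1X access point looks like on the wire, as an added Python example (not code from this deck, from NPS or from any switch vendor): NPS is a RADIUS server, so "grant limited access" is an Access-Accept carrying the RFC 2868 tunnel attributes that name a VLAN (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number) or, for the port-ACL variant, a Filter-Id naming an ACL the switch already holds. The block encodes both forms and parses them back the way a switch would. The VLAN numbers 10 and 99 and the ACL name are constructed sample values, and the function names are this example's own.

```python
"""Encode and decode the RADIUS attributes that put an 802.1X client in a VLAN.

Added example for the NAP deck, not NPS or switch code. The NAP health policy
server (NPS) answers the access point with a RADIUS Access-Accept; the VLAN
is carried in the RFC 2868 tunnel attributes, an ACL name in Filter-Id. VLAN
ids and the ACL name below are constructed sample values.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
FILTER_ID = 11
TUNNEL_TYPE_VLAN = 13          # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868
TAG_UNUSED = 0                 # tag octet 0x00 means "unused" (RFC 2868)

FULL_ACCESS_VLAN, RESTRICTED_VLAN = 10, 99   # constructed sample values


def attr(atype, value):
    """One RADIUS attribute TLV: Type(1), Length(1, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 octets")
    return struct.pack("BB", atype, len(value) + 2) + value


def tagged_int(tag, n):
    """Tunnel-Type / Tunnel-Medium-Type value: Tag(1) + 3-octet integer."""
    return bytes([tag]) + n.to_bytes(3, "big")


def access_accept_attributes(compliant):
    """Attributes NPS sends after health evaluation: the full-access VLAN if
    compliant, the remediation VLAN (the deck's 'limited access VLAN') if not."""
    vlan = FULL_ACCESS_VLAN if compliant else RESTRICTED_VLAN
    return b"".join([
        attr(TUNNEL_TYPE, tagged_int(TAG_UNUSED, TUNNEL_TYPE_VLAN)),
        attr(TUNNEL_MEDIUM_TYPE, tagged_int(TAG_UNUSED, TUNNEL_MEDIUM_IEEE_802)),
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG_UNUSED]) + str(vlan).encode()),
    ])


def port_acl_attributes(acl_name):
    """The port-ACL alternative: name an ACL that the switch already holds."""
    return attr(FILTER_ID, acl_name.encode())


def parse_attributes(blob):
    """Decode a run of attribute TLVs into {type: value}, checking lengths."""
    out, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("BB", blob, pos)
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        value = blob[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[atype] = int.from_bytes(value[1:], "big")     # drop the tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet above 0x1F is part of the string, not a tag.
            out[atype] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        else:
            out[atype] = value
        pos += alen
    return out


def assigned_vlan(blob):
    """What a switch does with the reply: VLAN id, or None if it is not a VLAN assignment."""
    a = parse_attributes(blob)
    if (a.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or a.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802
            or TUNNEL_PRIVATE_GROUP_ID not in a):
        return None
    return int(a[TUNNEL_PRIVATE_GROUP_ID])


if __name__ == "__main__":
    for healthy in (True, False):
        reply = access_accept_attributes(healthy)
        print("compliant" if healthy else "noncompliant", reply.hex(),
              "-> VLAN", assigned_vlan(reply))
    print(parse_attributes(port_acl_attributes("NAP-REMEDIATION")))
```

Which form a deployment uses depends on the switches: VLAN steering needs the remediation VLAN to exist on every access switch (the "requires designing multiple VLANs based on health state" drawback above), while the ACL form needs the named ACL preconfigured on each switch. In both cases the decision lives in the NPS network policy, not on the client, which is why 802.1X enforcement cannot be bypassed by the client reconfiguring itself the way DHCP enforcement can.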


During authentication, the NAP client sends its
health state to the NAP health policy server
The NAP health policy server validates the health
state of the NAP client
◦ If compliant
 NAP health policy server instructs the VPN server to grant
unlimited access
◦ If not compliant
 NAP health policy server instructs the NAP client to correct
its health state and can instruct the VPN server to grant
limited access
 Packet filters on VPN connection for the IP addresses of
remediation servers


During configuration, the NAP client sends its
health state to the DHCP server, which then
sends it to the NAP health policy server
The NAP health policy server evaluates the health
state of the NAP client
◦ If compliant
 NAP health policy server instructs the DHCP server to assign
an unlimited access configuration
◦ If not compliant
 NAP health policy server instructs the NAP client to correct
its health state and can instruct the DHCP server to assign a
limited access configuration
 DHCP options that give an address with a 255.255.255.255
subnet mask (no on-link subnet), no default gateway, and
classless static routes only to the IP addresses of the
remediation servers
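The limited-access lease described above (and in the DHCP enforcement overview earlier), as an added Python example that is not code from this deck or from the Windows DHCP server: it builds the option set a NAP-enforcing DHCP server hands out for a compliant versus a noncompliant client, encodes the classless static routes in the RFC 3442 format (DHCP option 121; Windows clients also read the same encoding as Microsoft option 249), and then models the client's resulting routing table to show what a restricted client can and cannot reach. The addresses, scope router and remediation server list are constructed sample values, and the function names are this example's own.

```python
"""DHCP options for a NAP-restricted lease, and what they let the client reach.

Added example for the NAP deck, not Windows DHCP server code. A noncompliant
client gets an address with a 255.255.255.255 mask, no router option, and
classless static routes (RFC 3442, option 121; Windows also reads the same
encoding as Microsoft option 249) to the remediation servers only. All
addresses below are constructed sample values.
"""
import ipaddress

OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_CLASSLESS_ROUTES, OPT_MS_CLASSLESS_ROUTES = 121, 249


def encode_classless_routes(routes):
    """RFC 3442: per route, the prefix length, the significant octets of the
    destination (ceil(prefixlen / 8) of them), then the 4-octet next hop."""
    out = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest)
        n = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += ipaddress.IPv4Address(via).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; returns [(dest_cidr, next_hop), ...]."""
    routes, pos = [], 0
    while pos < len(data):
        plen = data[pos]
        n = (plen + 7) // 8
        if plen > 32 or pos + 1 + n + 4 > len(data):
            raise ValueError("malformed classless static route option")
        dest = data[pos + 1:pos + 1 + n] + b"\x00" * (4 - n)
        via = data[pos + 1 + n:pos + 5 + n]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(via))))
        pos += 5 + n
    return routes


def lease_options(compliant, scope_router, dns_servers, remediation_servers):
    """Options (code -> value bytes) the DHCP server hands out after the NPS verdict."""
    opts = {OPT_DNS: b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)}
    if compliant:                              # unlimited access configuration
        opts[OPT_SUBNET_MASK] = ipaddress.IPv4Address("255.255.255.0").packed
        opts[OPT_ROUTER] = ipaddress.IPv4Address(scope_router).packed
    else:                                      # limited access configuration
        opts[OPT_SUBNET_MASK] = b"\xff\xff\xff\xff"   # nothing is on-link
        # No option 3, so no default gateway. Host routes to the remediation
        # servers go via the scope's router so the client can still reach them.
        routes = [(f"{s}/32", scope_router) for s in remediation_servers]
        opts[OPT_CLASSLESS_ROUTES] = encode_classless_routes(routes)
        opts[OPT_MS_CLASSLESS_ROUTES] = opts[OPT_CLASSLESS_ROUTES]
    return opts


def reachable(client_ip, opts, target):
    """Model the client's routing table: on-link subnet, default route, static routes."""
    ip = ipaddress.IPv4Address(target)
    mask = ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])
    onlink = ipaddress.IPv4Network(f"{client_ip}/{mask}", strict=False)
    if ip in onlink or OPT_ROUTER in opts:
        return True
    return any(ip in ipaddress.IPv4Network(dest)
               for dest, _ in decode_classless_routes(opts.get(OPT_CLASSLESS_ROUTES, b"")))


# Constructed sample scope: router 10.0.1.1; DNS, update and AV servers in 10.0.5.0/24.
SCOPE_ROUTER = "10.0.1.1"
DNS_SERVERS = ["10.0.5.10"]
REMEDIATION_SERVERS = ["10.0.5.10", "10.0.5.20", "10.0.5.30"]

if __name__ == "__main__":
    for healthy in (True, False):
        opts = lease_options(healthy, SCOPE_ROUTER, DNS_SERVERS, REMEDIATION_SERVERS)
        print("compliant" if healthy else "noncompliant",
              {code: value.hex() for code, value in opts.items()})
        for target in ("10.0.5.20", "10.0.1.51", "192.0.2.7"):
            state = "reachable" if reachable("10.0.1.50", opts, target) else "unreachable"
            print("  ", target, state)
```

Note that the DNS server has to be in the remediation server list as well as in option 6, or the restricted client has a resolver address it cannot route to. Everything that makes this lease "limited" is advisory data inside the lease itself: a host with a static address and gateway never asks for it, and nothing in the lease stops a client from adding its own default route, which is the bypass the DHCP enforcement drawbacks slide warns about. DHCP enforcement is a compliance nudge for managed clients; where isolation matters, pair it with 802.1X or IPsec enforcement as the deck suggests.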



Portal page
Demonstrate Remote Access VPNs
Demonstrate NAP for Remote Access VPN



Portal page
Demonstrate DirectAccess
Demonstrate DirectAccess with NAP


NAP product information site
(http://www.microsoft.com/nap)
NAP TechNet site
(http://technet.microsoft.com/en-us/network/bb545879.aspx)
◦ Introduction to Network Access Protection
Network Access Protection Platform Architecture

Step-by-step guides
◦ Step-by-Step Guide: Demonstrate IPsec NAP
Enforcement in a Test Lab
◦ Step-by-Step Guide: Demonstrate 802.1X NAP
Enforcement in a Test Lab
◦ Step-by-Step Guide: Demonstrate DHCP NAP
Enforcement in a Test Lab




Windows Server Networking on TechNet
Windows Server Networking on MSDN
Windows Networking Writing Team blog
Windows Server Documentation Twitter feed