Configuring Network Access Protection

Module 12
Configuring Network
Access Protection
Module Overview
• Overview of Network Access Protection
• How NAP Works
• Configuring NAP
• Monitoring and Troubleshooting NAP
Lesson 1: Overview of Network Access Protection
• What Is Network Access Protection?
• NAP Scenarios
• NAP Enforcement Methods
• NAP Platform Architecture
• NAP Architecture Interactions
• NAP Client Infrastructure
What Is Network Access Protection?
Network Access Protection can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not
meet health requirements
Network Access Protection cannot:
• Prevent authorized users with compliant computers
from performing malicious activity
• Restrict access for Windows XP SP2 and earlier when
exception rules are configured for those computers
NAP Scenarios
NAP benefits the network infrastructure by verifying
the health state of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers
NAP Enforcement Methods
Method: IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• The strongest NAP enforcement type, and can be applied per IP address or protocol port number
Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authenticating switch or access point)
Method: VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a RAS connection
Method: DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement
NAP Platform Architecture
[Diagram: NAP Platform Architecture. Components shown: NAP Health Policy Server, Active Directory, Health Registration Authority, VPN Server, DHCP Server and IEEE 802.1X Devices. Networks shown: Internet, Perimeter Network, Intranet and Restricted Network, the last containing the Remediation Servers and the NAP Client with limited access.]
NAP Architecture Interactions
[Diagram: NAP Architecture Interactions. The NAP Client presents its health state to the enforcement points (DHCP Server, VPN Server, HRA, IEEE 802.1X Network Access Devices); these forward it to the NAP Health Policy Server in RADIUS Messages; the NAP Health Policy Server sends System Health Requirement Queries to the Health Requirement Server; the Remediation Server supplies System Health Updates to the NAP Client.]
NAP Client Infrastructure
[Diagram: NAP Client Infrastructure. Inside the NAP Client, the system health agents (SHA_1, SHA_2, SHA_3, ...) communicate with the NAP Agent through the SHA API, and the NAP Agent communicates with the enforcement clients (NAP EC_A, NAP EC_B, NAP EC_C, ...) through the NAP EC API. Remediation Server 1 and Remediation Server 2 are reachable from the client for updates.]
Lesson 2: How NAP Works
• NAP Enforcement Processes
• How IPsec Enforcement Works
• How 802.1X Enforcement Works
• How VPN Enforcement Works
• How DHCP Enforcement Works
How IPsec Enforcement Works
Key Points of IPsec NAP Enforcement:
• Comprised of a health certificate server and an IPsec NAP EC
• Health certificate server issues X.509 certificates to
clients when they are verified as compliant
• Certificates are then used to authenticate NAP clients when
they initiate IPsec-secured communications with other
NAP clients on an intranet
• IPsec Enforcement confines the communication on a network
to those nodes that are considered compliant
• You can define requirements for secure communications with
compliant clients on a per-IP address or a
per-TCP/UDP port number basis
How 802.1X Enforcement Works
Key Points of 802.1X Wired or Wireless NAP Enforcement:
• Computer must be compliant to obtain unlimited network
access through an 802.1X-authenticated network connection
• Non-compliant computers are limited through a
restricted-access profile that the Ethernet switch or
wireless AP places on the connection
• Restricted access profiles can specify IP packet filters or a
virtual LAN (VLAN) identifier (ID) that corresponds to the
restricted network
• 802.1X enforcement actively monitors the health status of the
connected NAP client and applies the restricted access profile
to the connection if the client becomes non-compliant
802.1X enforcement consists of NPS in Windows Server 2008 and an
EAPHost EC in Windows Vista, Windows XP with SP2 (with the NAP
Client for Windows XP), and Windows Server 2008
How VPN Enforcement Works
Key Points of VPN NAP Enforcement:
• Computer must be compliant to obtain unlimited network
access through a remote access VPN connection
• Non-compliant computers have network access limited through
a set of IP packet filters that are applied to the VPN connection
by the VPN server
• VPN enforcement actively monitors the health status of the NAP
client and applies the IP packet filters for the restricted network
to the VPN connection if the client becomes non-compliant
VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC
as part of the remote access client in Windows Vista, Windows XP with
SP2 (with the NAP Client for Windows XP), and Windows Server 2008
How DHCP Enforcement Works
Key Points of DHCP NAP Enforcement:
• Computer must be compliant to obtain an unlimited access
IPv4 address configuration from a DHCP server
• Non-compliant computers have network access limited by an
IPv4 address configuration that allows access only to the
restricted network
• DHCP enforcement actively monitors the health status of the
NAP client and renews the IPv4 address configuration for access
only to the restricted network if the client becomes non-compliant
DHCP enforcement consists of a DHCP ES that is part of the DHCP Server
service in Windows Server 2008 and a DHCP EC that is part of the DHCP
Client service in Windows Vista, Windows XP with SP2 (with the NAP Client
for Windows XP), and Windows Server 2008
Lesson 3: Configuring NAP
• What Are System Health Validators?
• What Is a Health Policy?
• What Are Remediation Server Groups?
• NAP Client Configuration
What Are System Health Validators?
System Health Validators are server software
counterparts to system health agents
• Each SHA on the client has a
corresponding SHV in NPS
• SHVs allow NPS to verify the
statement of health made by its
corresponding SHA on the client
• SHVs define the configuration settings
that are required on client computers
• The Windows Security SHV
corresponds to the Microsoft SHA
on client computers
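The Windows Security SHV checks a fixed set of client conditions (firewall enabled, antivirus and antispyware on and up to date, Automatic Updates enabled, and optionally all security updates installed). Before turning enforcement on, it is useful to see how a client would score against those conditions. The following script is an added example written for this module, not part of the course or of NAP itself; it reads the same local data sources Security Center exposes (the root\SecurityCenter2 WMI classes, netsh advfirewall and the Windows Update Agent COM object). The productState bit decoding in Test-SecurityProduct is an assumption about how Security Center encodes product status, and the script needs PowerShell 2.0 or later in an elevated prompt.

```powershell
# Added example: local pre-check of the conditions the Windows Security
# Health Validator evaluates. Not part of the NAP client; run elevated.

function Test-SecurityProduct {
    param([uint32]$ProductState)
    # Assumed decoding of the Security Center productState DWORD:
    #   bit 0x1000 set -> product enabled
    #   bit 0x10   set -> signatures out of date
    New-Object PSObject -Property @{
        Enabled  = (($ProductState -band 0x1000) -ne 0)
        UpToDate = (($ProductState -band 0x10) -eq 0)
    }
}

function Get-RegisteredProducts {
    param([string]$Class)   # AntiVirusProduct or AntiSpywareProduct
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $Class -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SecurityProduct -ProductState $_.productState }
}

function Get-ShvPreCheck {
    $r = @{}

    # 1. A firewall is enabled for all network connections
    $fwText = (netsh advfirewall show allprofiles state | Out-String)
    $r.FirewallAllProfiles = -not ($fwText -match 'State\s+OFF')

    # 2/3. An antivirus application is on and up to date
    $av = @(Get-RegisteredProducts -Class AntiVirusProduct)
    $r.AntivirusOn       = [bool]($av | Where-Object { $_.Enabled })
    $r.AntivirusUpToDate = [bool]($av | Where-Object { $_.Enabled -and $_.UpToDate })

    # 4/5. An antispyware application is on and up to date
    $asw = @(Get-RegisteredProducts -Class AntiSpywareProduct)
    $r.AntispywareOn       = [bool]($asw | Where-Object { $_.Enabled })
    $r.AntispywareUpToDate = [bool]($asw | Where-Object { $_.Enabled -and $_.UpToDate })

    # 6. Automatic updating is enabled
    #    WUA NotificationLevel: 1 = disabled, 2..4 = some form of automatic updating
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $r.AutomaticUpdatesOn = ($au.Settings.NotificationLevel -ge 2)

    # 7. All available security updates installed (only matters if the SHV
    #    is configured to require it). This query contacts WSUS/Windows Update.
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $r.PendingSoftwareUpdates = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates.Count
    } catch {
        $r.PendingSoftwareUpdates = 'unknown (update search failed)'
    }

    New-Object PSObject -Property $r
}

$check = Get-ShvPreCheck
$check | Format-List
# Any $false above, or a non-zero pending-update count when the SHV requires
# security updates, is a condition that would put this client in the
# restricted network once enforcement is enabled.
```

Third-party products only appear in root\SecurityCenter2 if they register with Security Center, which is also what the Microsoft SHA relies on, so a product missing from this output will be missing from the statement of health too.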
What Is a Health Policy?
To make use of the Windows Security Health Validator, you
must configure a Health Policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings that
allow you to define client computer configuration requirements for
NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more
SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network
policy basis
• After you create a health policy by adding one or more SHVs to
the policy, you can add the health policy to the network policy and
enable NAP enforcement in the policy
What Are Remediation Server Groups?
With NAP enforcement in place, you should specify remediation
server groups so the clients have access to resources that bring
non-compliant NAP-capable clients into compliance
• A remediation server hosts the updates that the NAP agent can
use to bring non-compliant client computers into compliance with
the health policy that NPS defines
• A remediation server group is a list of servers on the restricted
network that non-compliant NAP clients can access for
software updates
NAP Client Configuration
• Some NAP deployments that use Windows Security Health Validator
require that you enable Security Center
• The Network Access Protection service is required when you deploy
NAP to NAP-capable client computers
• You also must configure the NAP enforcement clients on the
NAP-capable computers
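The three client-side steps above (Security Center, the NAP Agent service, and the enforcement clients) can be applied locally with the service cmdlets and the netsh nap context instead of the NAP Client Management console. The script below is an added example for this module, not course material or Microsoft-supplied code; it assumes a Windows Vista or Windows Server 2008 computer with PowerShell 2.0 or later, run from an elevated prompt, and uses the enforcement client IDs that `netsh nap client show config` lists on such a client. It enables DHCP enforcement only; change $wanted for other enforcement methods.

```powershell
# Added example: enable the NAP client pieces locally. Run elevated.

# 1. Security Center (wscsvc), required by the Windows Security Health Validator
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 2. Network Access Protection Agent service (napagent)
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 3. Enforcement clients. Enable only what the chosen enforcement method needs;
#    every enabled EC adds a path by which the client can be restricted.
$enforcementClients = @{
    79617 = 'DHCP Quarantine Enforcement Client'
    79618 = 'Remote Access Quarantine Enforcement Client'
    79619 = 'IPsec Relying Party'
    79621 = 'TS Gateway Quarantine Enforcement Client'
    79623 = 'EAP Quarantine Enforcement Client'
}
$wanted = @(79617)   # this example: DHCP enforcement only

foreach ($id in $enforcementClients.Keys) {
    $state = 'DISABLE'
    if ($wanted -contains $id) { $state = 'ENABLE' }
    Write-Host ("{0,-45} {1}" -f $enforcementClients[$id], $state)
    netsh nap client set enforcement ID = $id ADMIN = $state | Out-Null
}

# 4. Verify the local configuration and the agent's current view
netsh nap client show config
netsh nap client show state

# 5. If NAP client settings are delivered by Group Policy, the local
#    settings above are ignored; check what policy is actually in effect.
netsh nap client show grouppolicy
```

Step 5 is the usual cause of "I enabled the EC but the client is never evaluated": a domain GPO that configures the NAP client takes precedence over the local configuration, so the enforcement client state shown by `show grouppolicy` is the one that counts.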
Lesson 4: Monitoring and Troubleshooting NAP
• What Is NAP Tracing?
• Configuring NAP Tracing
What Is NAP Tracing?
• NAP tracing identifies NAP events and records them to a
log file based on one of the following tracing levels:
• Basic
• Advanced
• Debug
• You can use tracing logs to:
• Evaluate the health and security of your network
• Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that
no NAP events are recorded in the trace logs
Configuring NAP Tracing
• You can configure NAP tracing by using one of the
following tools:
• The NAP Client Management console
• The Netsh command-line tool
• To enable logging functionality, you must be a member
of the Local Administrators group
• Trace logs are located in the following directory:
%systemroot%\tracing\nap
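A practical troubleshooting pass enables tracing, reproduces the problem, disables tracing again, and collects the trace files together with the client's current NAP state. The script below is an added example for this lesson, not course or Microsoft code. It assumes a Windows Vista or Windows Server 2008 NAP client with PowerShell 2.0 or later, run as a member of the local Administrators group. The netsh level names are basic, advanced and verbose; treating verbose as the netsh equivalent of the Debug level in the NAP Client Management console is an assumption, as is the name of the NAP Agent operational event log.

```powershell
# Added example: capture a NAP trace bundle for a client-side problem.

$traceDir = Join-Path $env:SystemRoot 'tracing\nap'
$bundle   = Join-Path $env:TEMP ('nap-trace-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# 1. Enable tracing at the most detailed level (tracing is off by default)
netsh nap client set tracing state = enable level = verbose
netsh nap client show tracing

# 2. Reproduce. For DHCP enforcement a renew forces a fresh health exchange;
#    for other enforcement methods reconnect the VPN / 802.1X link instead.
ipconfig /renew | Out-Null
Start-Sleep -Seconds 15

# 3. Turn tracing off again so the logs do not grow unbounded
netsh nap client set tracing state = disable

# 4. Collect the trace files plus the agent's own view of its state
New-Item -ItemType Directory -Path $bundle | Out-Null
Copy-Item -Path (Join-Path $traceDir '*') -Destination $bundle -Recurse -ErrorAction SilentlyContinue
netsh nap client show state  | Out-File -FilePath (Join-Path $bundle 'nap-state.txt')
netsh nap client show config | Out-File -FilePath (Join-Path $bundle 'nap-config.txt')

# 5. Recent NAP events from the event log (log name assumed)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NetworkAccessProtection/Operational' } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Out-File -FilePath (Join-Path $bundle 'nap-events.txt')

Write-Host "Trace bundle written to $bundle"
```

The `show state` output is the first thing to read: it lists each enforcement client, whether it is enabled, and the client's restriction state, which tells you whether the problem is that the client was never evaluated or that it was evaluated and found non-compliant; the trace files under %systemroot%\tracing\nap then show which SHA reported what.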