Slide 1: Network Access Protection Platform Architecture
Mark Gibson, Senior Consultant, Microsoft Corporation

Slide 2: Agenda
- Introduction
- Network Access Protection platform architecture
- Network Access Protection client architecture
- Network Access Protection server architecture
- How Network Access Protection works

Slide 3: Introduction
- What is Network Access Protection (NAP)?
- Network infrastructure for Network Access Protection
- Network Access Protection enforcement methods

Slide 4: What is Network Access Protection?
- Platform that enforces compliance with health requirements for network access or communication
- Operating system components
  - Built into Microsoft® Windows Server® 2008 and Microsoft Windows Vista™
  - Separate client for Microsoft Windows® XP with Service Pack 2
- Application programming interfaces (APIs)
  - Allow for integration with third-party vendors

Slide 5: Network infrastructure for Network Access Protection
- Health policy validation: determines whether computers are compliant with health policy requirements
- Network access limitation: limits access for noncompliant computers
- Automatic remediation: provides the updates a noncompliant computer needs to become compliant
- Ongoing compliance: automatically updates compliant computers so that they keep up with changes in health policy requirements

Slide 6: Network Access Protection enforcement methods
- Internet Protocol security (IPsec)-protected communications
- IEEE 802.1X-authenticated network connections
- Remote access virtual private network (VPN) connections
- Dynamic Host Configuration Protocol (DHCP) configuration

Slide 7: Network Access Protection platform architecture
- Components of the Network Access Protection platform
- Interactions between Network Access Protection components

Slide 8: Components of the Network Access Protection platform (diagram)
Components shown: VPN server, Active Directory, policy servers, Internet, IEEE 802.1X devices, health certificate server (HCS), Network Policy Server (NPS), DHCP server, perimeter network, intranet, remediation servers, restricted network, NAP client with limited access

Slide 9: Network Access Protection component interaction (diagram)
Components shown: remediation server (system health updates), HCS, NPS, NAP client, DHCP server, Remote Authentication Dial-In User Service (RADIUS) messages

Slide 10: Network Access Protection component interaction (2) (diagram)
Components shown: policy server (system health requirement queries), VPN server, NPS, NAP client, IEEE 802.1X devices, RADIUS messages

Slide 11: Network Access Protection client architecture components
- System Health Agent (SHA)
- NAP Agent
- NAP Enforcement Client (EC)
  - IPsec NAP EC
  - EAPHost NAP EC
  - VPN NAP EC
  - DHCP NAP EC

Slide 12: Network Access Protection client architecture (diagram)
NAP client layers, top to bottom: SHA_1, SHA_2, SHA_3 ...; SHA API; NAP Agent; NAP EC API; NAP EC_A, NAP EC_B, NAP EC_C ...
Also shown: remediation server 1 and remediation server 2; NAP server A, NAP server B and NAP server C

Slide 13: Network Access Protection server architecture components
- System Health Validator (SHV)
- NAP Administration Server
- NPS
- NAP Enforcement Server (ES)
  - IPsec NAP ES
  - VPN NAP ES
  - DHCP NAP ES

Slide 14: Network Access Protection server architecture (diagram)
NAP server layers, top to bottom: SHV_1, SHV_2, SHV_3 ...; SHV API; NAP Administration Server; NPS (RADIUS); NAP ES_A, NAP ES_B, NAP ES_C ...
Also shown: policy server 1 and policy server 2; NAP client

Slide 15: Matched components (diagram)
Legend: provided by the NAP platform; provided by third parties
Components shown: remediation server 1, remediation server 2, policy server 1, policy server 2, SHA1, SHA2, SHA API, SHV1, SHV2, SHV3, SHV API, NAP Administration Server, NPS, NAP Agent, NAP client, NAP EC API, NAP EC_A, NAP EC_B, RADIUS, NAP ES_A, NAP ES_B, NAP server

Slide 16: Component communication: client to server (diagram)
Each SHA produces a Statement of Health (SoH); the NAP client sends its list of SoHs to the NAP server.
Components shown: SHA1, SHA2, SHA API, NAP Agent, NAP EC API, NAP EC_A (NAP client); NAP ES_A, NPS, NAP Administration Server, SHV API, SHV1, SHV2 (NAP server)

Slide 17: Component communication: server to client (diagram)
Each SHV produces an SoH Response (SoHR); the NAP server returns the list of SoHRs to the NAP client.
Components shown: SHV1, SHV2, SHV API, NAP Administration Server, NPS, NAP ES_A (NAP server); NAP EC_A, NAP EC API, NAP Agent, SHA API, SHA1, SHA2 (NAP client)

Slide 18: How Network Access Protection works
- DHCP enforcement
- Remote access VPN enforcement
- IEEE 802.1X enforcement
- IPsec enforcement

Slide 19: DHCP enforcement
- For noncompliant computers, prevents unlimited access to a network through a limited DHCP address configuration
- Network Access Protection-capable DHCP clients use their list of SoHs as proof of their health compliance

Slide 20: DHCP enforcement (2)
1. DHCP client sends its list of SoHs to its DHCP server using the DHCPDiscover message.
2. DHCP server passes the list of SoHs to the NPS in a RADIUS Access-Request message.
3. NAP Administration Server on the NPS passes the SoHs to their SHVs.
4. SHVs evaluate their SoHs and respond with SoHRs.

Slide 21: DHCP enforcement (3)
5. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
6. NPS sends a RADIUS Access-Accept message containing the System SoH Response (SSoHR) and the list of SoHRs to the DHCP server.
7. Client and DHCP server complete the DHCP configuration.

Slide 22: Noncompliant DHCP NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass their updated SoHs to the NAP Agent.
3. Client sends a DHCPRequest message containing the updated list of SoHs to the DHCP server.
4. DHCP server validates the health state with the NPS and assigns the client an unlimited access address configuration.

Slide 23: VPN enforcement
- For noncompliant computers, prevents unlimited access to a network through a remote access VPN connection
- Network Access Protection-capable VPN clients use their list of SoHs as proof of their health compliance

Slide 24: VPN enforcement (2)
1. VPN client initiates a remote access VPN connection.
2. Client and the NPS create a secure channel with PEAP.
3. Client sends its list of SoHs to the NPS with a PEAP-Type-Length-Value (TLV) message.
4. Client performs authentication for the VPN connection with a negotiated PEAP method.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

Slide 25: VPN enforcement (3)
6. SHVs evaluate their SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
9. NPS sends a RADIUS Access-Accept message to the VPN server indicating either limited or unlimited access.
10. Client and VPN server complete the VPN connection.

Slide 26: Noncompliant VPN NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass an updated SoH to the NAP Agent.
3. Client sends the updated list of SoHs to the NPS by using a PEAP-TLV message to obtain an unlimited access connection.

Slide 27: 802.1X enforcement
- For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection
- Network Access Protection-capable 802.1X clients can use either their list of SoHs or a health certificate as proof of their health compliance

Slide 28: 802.1X enforcement using a list of SoHs
1. Client or 802.1X access point starts 802.1X authentication using EAPOL.
2. Client and the NPS create a secure channel with PEAP.
3. Client sends the list of SoHs to the NPS with a PEAP-TLV message.
4. Client performs 802.1X authentication with a negotiated PEAP method.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

Slide 29: 802.1X enforcement using a list of SoHs (2)
6. SHVs evaluate their SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
9. NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
10. Client and 802.1X access point complete the 802.1X connection.

Slide 30: Noncompliant 802.1X client using a list of SoHs
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass an updated SoH to the NAP Agent.
3. Client restarts 802.1X authentication to obtain an unlimited access connection.

Slide 31: 802.1X enforcement using a health certificate
1. Client or 802.1X access point starts 802.1X authentication using EAPOL.
2. Client and the NPS create a secure channel with PEAP.
3. Client performs 802.1X authentication with a negotiated PEAP method.
4. Client sends the health certificate to the NPS using a PEAP-TLV message.

Slide 32: 802.1X enforcement using a health certificate (2)
5. NPS validates the health certificate and makes a limited/unlimited network access decision.
6. NPS sends a PEAP-TLV message containing the SSoHR to the client.
7. NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
8. Client and 802.1X access point complete the 802.1X connection.

Slide 33: Noncompliant 802.1X client using a health certificate
1. Client creates an HTTPS channel with the HCS.
2. Client sends its credentials and its current list of SoHs to the HCS.
3. HCS validates the credentials and list of SoHs with the NPS and obtains a health certificate for the client.
4. Client restarts 802.1X authentication to obtain an unlimited access connection.
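The SoH/SoHR exchange of slides 16 and 17 and the DHCP, VPN and 802.1X flows above all share one core: the NAP Agent submits a list of SoHs, the NAP Administration Server on the NPS routes each SoH to the SHV that understands it, the SoHRs are folded into a single SSoHR that drives the limited/unlimited decision, and a noncompliant client hands each SoHR back to its SHA, remediates and resubmits. The Python model below is an added example and is not Microsoft's NAP API or code; the SHA/SHV pairs (firewall state, antivirus signature age), their thresholds, the numeric SoH type ids and the rule that an SoH with no registered SHV counts as noncompliant are all assumptions chosen for illustration.

```python
"""Model of the NAP health-evaluation round trip: SHAs emit SoHs, the NPS dispatches
each SoH to its SHV, collects the SoHRs into an SSoHR, and noncompliant SHAs remediate
and retry.  Added example; the SHAs, SHVs and policy thresholds are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SoH:
    sha_id: int                 # identifies the SHA/SHV pair that understands this SoH
    data: dict                  # health claims reported by the SHA


@dataclass(frozen=True)
class SoHR:
    sha_id: int
    compliant: bool
    remediation: str = ""       # what the SHA must fix (empty when compliant)


@dataclass(frozen=True)
class SSoHR:
    compliant: bool             # the NPS's overall limited/unlimited decision
    sohrs: Tuple[SoHR, ...]


# ---- server side: SHVs behind the NAP Administration Server on the NPS ----
def firewall_shv(soh: SoH) -> SoHR:
    ok = soh.data.get("firewall_enabled") is True
    return SoHR(soh.sha_id, ok, "" if ok else "enable the host firewall")


def antivirus_shv(soh: SoH) -> SoHR:
    age = soh.data.get("signature_age_days")
    ok = isinstance(age, int) and 0 <= age <= 7   # assumed policy: signatures at most 7 days old
    return SoHR(soh.sha_id, ok, "" if ok else "update antivirus signatures")


SHVS: Dict[int, Callable[[SoH], SoHR]] = {1: firewall_shv, 2: antivirus_shv}


def nps_evaluate(sohs: List[SoH], shvs=SHVS) -> SSoHR:
    """NPS: route each SoH to its SHV and fold the SoHRs into one SSoHR."""
    sohrs = []
    for soh in sohs:
        shv = shvs.get(soh.sha_id)
        if shv is None:
            # Assumed fail-closed rule: an SoH that no registered SHV can validate
            # cannot count as proof of compliance.
            sohrs.append(SoHR(soh.sha_id, False, "no SHV registered for this SoH type"))
        else:
            sohrs.append(shv(soh))
    return SSoHR(compliant=all(r.compliant for r in sohrs), sohrs=tuple(sohrs))


# ---- client side: SHAs above the SHA API, driven by the NAP Agent ----
class FirewallSHA:
    sha_id = 1

    def __init__(self, enabled: bool):
        self.enabled = enabled

    def soh(self) -> SoH:
        return SoH(self.sha_id, {"firewall_enabled": self.enabled})

    def remediate(self, sohr: SoHR) -> None:
        self.enabled = True     # stands in for the fix a remediation server would apply


class AntivirusSHA:
    sha_id = 2

    def __init__(self, signature_age_days: int):
        self.age = signature_age_days

    def soh(self) -> SoH:
        return SoH(self.sha_id, {"signature_age_days": self.age})

    def remediate(self, sohr: SoHR) -> None:
        self.age = 0            # fresh signatures fetched from the remediation server


class UnregisteredSHA:
    """An SHA whose SoH type has no SHV on the NPS: it can never become compliant."""
    sha_id = 99

    def soh(self) -> SoH:
        return SoH(self.sha_id, {"vendor_state": "ok"})

    def remediate(self, sohr: SoHR) -> None:
        pass                    # nothing the client does can satisfy a missing SHV


def nap_agent_round_trip(shas, evaluate=nps_evaluate, max_rounds=3):
    """NAP Agent: submit the list of SoHs, hand each SoHR back to its SHA, remediate
    and resubmit.  Returns the last SSoHR and the number of rounds used."""
    by_id = {sha.sha_id: sha for sha in shas}
    ssohr = SSoHR(False, ())
    for round_no in range(1, max_rounds + 1):
        ssohr = evaluate([sha.soh() for sha in shas])
        if ssohr.compliant:
            return ssohr, round_no
        for sohr in ssohr.sohrs:
            if not sohr.compliant and sohr.sha_id in by_id:
                by_id[sohr.sha_id].remediate(sohr)
    return ssohr, max_rounds
```

Calling `nap_agent_round_trip([FirewallSHA(False), AntivirusSHA(30)])` reaches compliance on the second round, mirroring the "noncompliant client" slides: the first SSoHR is noncompliant, both SHAs remediate, the resubmitted list of SoHs passes. The `UnregisteredSHA` case shows why the server-side dispatch must fail closed: a client that reports a health type the NPS cannot validate stays on limited access rather than being waved through.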
Slide 34: IPsec enforcement
- For noncompliant computers, prevents communication with compliant computers
- Compliant computers obtain a health certificate as proof of their health compliance
- Health certificate is used for peer authentication when negotiating IPsec-protected communications

Slide 35: IPsec enforcement logical networks (diagram)
Components shown: client, health certificate server, policy servers, NPS servers, remediation servers
Logical networks: secure network, boundary network, restricted network

Slide 36: Allowed communication with IPsec enforcement (diagram)
Logical networks: secure network, boundary network, restricted network
Communication types shown: unauthenticated initiated communication; IPsec-authenticated initiated communication

Slide 37: IPsec enforcement startup
1. Client starts up on the restricted network.
2. Client creates an HTTPS secure communication channel with the HCS.
3. Client sends its credentials and its list of SoHs to the HCS.
4. HCS forwards the client identity and health status information to the NPS for validation using a RADIUS Access-Request message.
5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

Slide 38: IPsec enforcement startup (2)
6. SHVs evaluate the SoHs and respond with SoHRs.
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a RADIUS Access-Accept message that contains the System SoHR (SSoHR) and the list of SoHRs to the HCS.
9. HCS sends the SSoHR and list of SoHRs to the client.
10. If compliant, HCS obtains a health certificate for the client. Client is on the secure network.

Slide 39: Noncompliant IPsec NAP client
1. NAP Agent passes the SoHRs to their SHAs.
2. SHAs perform remediation and pass updated SoHs to the NAP Agent.
3. Client creates a new HTTPS channel with the HCS.
4. Client sends its credentials and its updated list of SoHs to the HCS.
5. HCS validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client.
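Slides 34 to 39 describe IPsec enforcement in terms of a health certificate that doubles as the IPsec peer credential and three logical networks. The Python model below is an added example, not Microsoft code, and it makes the diagram's rules explicit under stated assumptions: hosts on the secure network only accept IPsec-authenticated inbound connections, boundary servers (the HCS and remediation servers, which a restricted client has to be able to reach) also accept unauthenticated connections, and a host belongs to the secure network exactly while it holds an unexpired health certificate from the trusted HCS. The issuer name, certificate lifetime and timestamps are constructed sample values.

```python
"""Model of NAP IPsec enforcement: health certificates as IPsec peer credentials and
the secure / boundary / restricted logical networks.  Added example, not Microsoft code;
hosts, issuer name, lifetime and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SECURE, BOUNDARY, RESTRICTED = "secure", "boundary", "restricted"
TRUSTED_HCS = "hcs.corp.example"          # constructed issuer name for the HCS
CERT_LIFETIME = timedelta(hours=4)        # assumed short health-certificate lifetime

# Constructed points in time used by the walkthrough below.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
T5 = T0 + timedelta(hours=5)              # certificates issued at T0 have expired by now


@dataclass(frozen=True)
class HealthCertificate:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class Host:
    name: str
    # Secure-network hosts require authenticated inbound connections; boundary servers
    # (HCS, remediation servers) are exempt so that restricted clients can reach them.
    requires_authenticated_inbound: bool = True
    cert: Optional[HealthCertificate] = None


def hcs_issue(host: Host, nps_says_compliant: bool, now: datetime) -> Optional[HealthCertificate]:
    """The HCS issues a health certificate only when the NPS reported the client compliant."""
    if not nps_says_compliant:
        return None
    host.cert = HealthCertificate(host.name, TRUSTED_HCS, now, now + CERT_LIFETIME)
    return host.cert


def cert_valid(cert: Optional[HealthCertificate], now: datetime) -> bool:
    """A health certificate proves compliance only if it comes from the trusted HCS
    and the current time lies inside its validity period."""
    return (cert is not None and cert.issuer == TRUSTED_HCS
            and cert.not_before <= now < cert.not_after)


def logical_network(host: Host, now: datetime) -> str:
    """Which of the three logical networks the host is on right now."""
    if not host.requires_authenticated_inbound:
        return BOUNDARY
    return SECURE if cert_valid(host.cert, now) else RESTRICTED


def connection_allowed(initiator: Host, responder: Host, now: datetime) -> Tuple[bool, str]:
    """Outcome of the initiator opening a connection to the responder: (allowed, mode)."""
    if cert_valid(initiator.cert, now) and cert_valid(responder.cert, now):
        return True, "ipsec"            # mutual health-certificate authentication succeeds
    # Otherwise IPsec cannot authenticate the peer and the connection falls back to
    # clear text, which only hosts that accept unauthenticated inbound traffic permit.
    if responder.requires_authenticated_inbound:
        return False, "unauthenticated"
    return True, "unauthenticated"


def walkthrough() -> dict:
    """Replays the startup and remediation story of slides 37-39 with constructed hosts."""
    hcs = Host("hcs", requires_authenticated_inbound=False)
    nps = Host("nps")
    client = Host("client1")
    hcs_issue(hcs, True, T0)
    hcs_issue(nps, True, T0)
    results = {
        "client_starts_restricted": logical_network(client, T0),
        "restricted_to_hcs": connection_allowed(client, hcs, T0),   # HTTPS to the HCS works
        "restricted_to_nps": connection_allowed(client, nps, T0),   # secure host refuses
        "noncompliant_gets_cert": hcs_issue(client, False, T0) is not None,
    }
    hcs_issue(client, True, T0)           # remediated and re-validated: HCS issues a certificate
    results["client_now_secure"] = logical_network(client, T0)
    results["secure_to_nps"] = connection_allowed(client, nps, T0)
    results["expired_to_nps"] = connection_allowed(client, nps, T5)
    hcs_issue(nps, True, T5)
    hcs_issue(client, True, T5)           # ongoing compliance: certificates are renewed
    results["renewed_to_nps"] = connection_allowed(client, nps, T5)
    return results
```

The `expired_to_nps` step is the detail worth keeping in mind operationally: once a health certificate lapses the host silently drops back to the restricted network and secure-network peers stop accepting it, so the client's renewal loop against the HCS (slide 39) is not only for remediation but for staying on the secure network at all.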
Slide 40: Network Access Protection resources
- Network Access Protection Web site: http://www.microsoft.com/nap
- "Network Access Protection Platform Architecture" white paper: http://www.microsoft.com/technet/itsolutions/network/nap/naparch.mspx