Overview - Microsoft Center

advertisement
Windows Server 2008
安全功能-NAP
Welcome
Network Access Protection
in Windows Server 2008
Overview
Network Policies Access Protection
Enforcement Options
Network Access Protection Scenarios
Lesson 1: Network Policies Access Protection
Why Use Network Access Protection?
Network Protection Services Overview
Network Access Protection Solution
NAP Architecture Overview
Network Layer Protection with NAP
Host Layer Protection with NAP
Why Use Network Access Protection?
Healthy computer
Unhealthy computer
Private Network
NAP vs. Network Access Quarantine Control
Network Access Protection
Net work Access Protection
Network Access Quarantine
Control
Internal, VPN and Remote Access
Client
Only VPN and Remote Access
Clients
IPSec, 802.1X, DHCP and VPN
DHCP and VPN
NAP NPS and Client included in
Windows Server 2008 ; NAP client
included in Vista
Installed from Windows Server 2003
Resource Kit
Network Protection Services Overview
Network Policy Server (NPS)
Network Access Protection (NAP) Policy Server
IEEE 802.11 Wireless
IEEE 802.3 Wired
RADIUS Server
RADIUS Proxy
Routing and Remote Access
 Remote Access Service
 Routing
Health Registration Authority (HRA)
Network Access Protection Solution
Policy Validation
Network Restriction
Remediation
Ongoing Compliance
Data
Application
Host
Internal Network
Perimeter
Polices, Procedures
& Awareness
NAP Architecture Overview
Remediation
Servers
System Health
Servers
Updates
Client
Health
Statements
Network
Access
Requests
System Health Agent (SHA)
Health policy
MS Network
Policy Server
MS and 3rd Parties
Quarantine Agent (QA)
Enforcement Client (EC)
(DHCP, IPSec, 802.1X, VPN)
Health
Certificate
Network Access Devices
and Servers
System Health Validator
Quarantine Server (QS)
Network Layer Protection with NAP
Restricted Network
Remediation
Servers
System Health
Servers
Here you go.
Can I have
updates?
Ongoing policy updates
to Network Policy Server
May
I have access?
Requesting
access.
Here’s
my current
Here’s
my new
healthhealth
status.status.
Client
You are given
restricted access
until fix-up.
Should this client be
restricted based
on its health?
802.1x
Switch
According to policy, MS NPS
According
the clientto
is policy,
not up to
the
client
is
up
to
date. Quarantine
date.
client,
it to
Client
is request
granted
access to
fullupdate.
intranet.
Grant access.
Host Layer Protection with NAP
No Policy
Authentication
Optional
Authentication
Required
May I have a health certificate?
Here’s my SoH.
Client
Client
You don’t get a health certificate.
Here’s your health
Go fix up.
certificate.
I need updates.
Client ok?
HRA
HRA
Accessing the network
Yes.
Issue
No.
Needs
fix-up.
health certificate.

Here you go.
NPS
NPS
Remediation
Remediation Server
Server
Technical Background
NAP Infrastructure
NAP Platform Architecture
NAP Enforcement Methods
NAP Client Architecture
NAP Server Architecture
Component Communication
NAP Infrastructure
Automatic Remediation
Health Policy Validation
Health Policy Compliance
Limited Access
NAP Platform Architecture
Network Access Protection Components (1 of 5)
NAP Clients
IPSec, 802.1X, VPN, DHCP
NAP Servers-determine the System Health of any
NAP Client
Windows Server 2008 + Network Policy Server
Remediation action are required for
computers that are not compliant
Health Registration Authority
VPN Server
DHCP Server
Network Access Protection Components (2 of 5)
NAP Clients
IPSec, 802.1X, VPN, DHCP
NAP Servers-determine the SH of any NAP Client
Windows Server 2008 + Network Policy Server
Remediation action are required for
computers that are not compliant
Health Registration Authority
VPN Server
DHCP Server
Network Access Protection Components (3 of 5)
NPS Servers
Replacement for the Internet Authentication
Service (IAS)
Windows server 2008 + Validate System
Health Policy
Active Directory Directory Service
Group Policy Setting for IPSec
802.1X credential are stored in directory
service
Network Access Protection Components (4 of 5)
Restricted Network
Separate network segment (logical/physical)
Contains the Remediation Servers
Remediation Server
Bring NAP Client into compliance with health
policy
System Health Agent (SHA)
Check for particular health parameter
Send a Statement of Health (SoH) to System
Health Validator (SHV)
Network Access Protection Components (5 of 5)
System Health Validator
Compare the System of Health (SoH) sent
from a System Health Agent (SHA)
Statement of Health (SoH)
SoH is response sent by a System Health
Agent to a System Health Validator
Misconception
Quarantine network is anything but empty
SMS Server form within Quarantine Mode
For starters, must have a DNS Server
Don’t be a primary DNS server
Finally, the DHCP and IAS server (VPN
Quarantine Mode only) must accessable.
Otherwise, a client would never be able to get out
of Quarantine Mode after its Statement of Health
has been update.
Lesson 2: Enforcement Options
NAP – Enforcement Options
NAP with DHCP
IPsec-based Communication
NAP with RRAS
NAP – Enforcement Options
Enforcement
Healthy Client
Unhealthy Client
DHCP
Full IP address given,
Restricted set of routes
full access
VPN
Full access
Restricted VLAN
802.1X
Full access
Restricted VLAN
Can communicate
Healthy peers reject
with any trusted peer
connection requests
IPsec
from unhealthy systems
Complements layer 2 protection
Works with existing servers and infrastructure
Offers flexible isolation
NAP with DHCP
I need to Lease an IP address
Requesting access.
Here’s my new health status.
Client
IEEE 802.1X
Devices
DHCP Server
You are not within the
Health Policy requirements
Access Granted. Here is
your new IP Address
The client requests
and receives updates
Remediation
Servers
NPS Server
VPN Server
Demo1: Using Network Access Protection
Exercise 1: Configuring Network
Access Protection for DHCP
NAP with RRAS
RADIUS Messages
PEAP Messages
Client
VPN Server
Remediation
Servers
NPS Server
Demo2: Using Network Access Protection
Exercise 1: Configuring Network
Access Protection for VPN
IPSec-based Communication
Secure network
IPsec Authenticated
Unauthenticated
Boundary network
Restricted network
NAP Enforcement Client
IPSec
802.1X
VPN
DHCP
NPS
RADIUS
How NAP Works
Logical Networks
IPSec Enforcement
IEEE 802.1X
Remote Access VPNs
DHCP
IPSec Enforcement in Logical Networks
Communication Initiation Process with IPSec Enforcement
NAP Client Health Certificate Process
IPSec Enforcement in NAP
IPSec Reviewing
IPSec functionality
OSI 7 Layer - Layer 3
Authentication methods for IPSec
Pre-share Key
Kerberos
Certificate
Certificate Reviewing
What’s Digital Certificate
What’s Certificate Authority
Digital Certificate for what?
Identity user, computer, service
Digital Certificate for IPSec
Demo3: Network Access Protection - IPSec
•
Create a Certificate Template for NAP
Exemptions
•
Enable Certificate AutoEnrollment
•
Config NAP to Issue Health Certificates
•
Config Health Registration Authority to
request Certificate from subordinate CA
•
Add System Health Validation Certificate to
NPS
•
Config GPO to Ensure Client are
Configured to Implement NAP
•
Verify Network Access Protection
802.1x Authenticated Connections
Lesson 3: Network Access Protection Scenarios
Scenario 1: Roaming Laptops
Scenario 2: Health of Desktop Computers
Scenario 3: Health of Visiting Laptops
Scenario 4: Unmanaged Home Computers
Scenario 1: Roaming Laptops
NAP
Scenario 2: Health of Desktop Computers
Network Policy Server
Scenario 3: Health of Visiting Laptops
Network Policy Server
Scenario 4: Unmanaged Home Computers
NAP Authentication Process Background
Authentication Process
Network Access Protection Settings
Authorization Policies
Implementation/Usage Scenarios
Checking the Health and Status of Roaming
Laptops
Ensuring the Health of Corporate Desktops
Determining the Health of Visiting Laptops
Verify the Compliance of Home Computers
Summary
Network Access Protection:
Secures Remote Computers before accessing the
Network
Has Client and Server Components
Can Use One or More of Several methods for
Enforcement
IPSec
802.1X
VPN
DHCP
Provides Support for Third Party Software
What Next?
Windows Server 2008
Beta: https://connect.microsoft.com
Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx
Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx
Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17
Network Access Protection
•
•
Home Page: http://www.microsoft.com/nap
Introduction to Network Access Protection:
http://go.microsoft.com/fwlink/?LinkId=49884
•
Network Access Protection Platform Architecture:
http://go.microsoft.com/fwlink/?LinkId=49885
•
Network Access Protection Frequently Asked Questions:
http://go.microsoft.com/fwlink/?LinkId=49886
•
•
IPSec: http://www.microsoft.com/ipsec
Server and Domain Isolation:
http://www.microsoft.com/technet/network/sdiso/default.mspx
Download