Part 41 – Upgrade Server 2008 – Network Access Protection (NAP) DHCP
5. Network Access Protection (NAP)
-
Upload
rixwan-ahmed-khan -
Category
Documents
-
view
50 -
download
0
description
Transcript of 5. Network Access Protection (NAP)
NETWORK ACCESS PROTECTION
Need for NAP NAP Component Enforcement Types
NEED FOR NAP:
A single vulnerable host poses threat to entire network Especially laptop, guests or home Need to detect + Remediate unhealthy clients
Little or No user actionRestricted network until resolveFull network IP Healthy
NAP COMPONENTS: System Health Agent (SHA)
NAP Client (security center)Report health statVista, XP-SP3
System Health Validator (SHV)NAP on W2K8Possibly Combined With Radius
Remediation ServersAntivirus updatesWSUS
RADIUS (Remote Access Dial-In User Server)AAA (Authentication, Authorization, Accounting)
CA (Certificate Authority)Must be W2K8
Vender SHA/SHV Pair
ENFORCMENT TYPES:
IPSecHealth Check Health CertCan be IP Address or Port-SpecificW2K8 CA required
802.1x Switch/ APConstant MonitoringACLVLAN
VPNW2K8Packet Filter
DHCPCompliant clients: Full access IP configurationNon-Compliant: Single Host Routes
CONFIGURING NAP:
Administrative templates Windows Components Security Center 'Turn On security center’
Windows 7 Client > run > ipconfig /all 'show no default gateway'Windows 7 Client > run > route print 'no default route'Windows 7 Client > run > ping 192.168.1.39Windows 7 Client > run > netsh nap client show state
Windows 7 Client > run > ipconfig /releaseWindows 7 Client > run > ipconfig /renewWindows 7 Client > run > route printr 'default gateway show if its healthy client'Windows 7 Client > web > google.com 'if its healthy client'