Welcome: Windows Server 2008 Security Features - NAP. Network Access Protection in Windows Server 2008.

Post on 04-Jan-2016


Welcome

Windows Server 2008 Security Features - NAP

Network Access Protection in Windows Server 2008

Overview

Network Policies Access Protection

Enforcement Options

Network Access Protection Scenarios

Lesson 1: Network Policies Access Protection

Why Use Network Access Protection?

Network Protection Services Overview

Network Access Protection Solution

NAP Architecture Overview

Network Layer Protection with NAP

Host Layer Protection with NAP

Why Use Network Access Protection?

Private Network

Unhealthy computer

Healthy computer

NAP vs. Network Access Quarantine Control

Network Access Protection | Network Access Quarantine Control

Internal, VPN and remote access clients | Only VPN and remote access clients

IPSec, 802.1X, DHCP and VPN | DHCP and VPN

NAP NPS and client included in Windows Server 2008; NAP client included in Vista | Installed from the Windows Server 2003 Resource Kit

Network Protection Services Overview

Network Policy Server (NPS)

Network Access Protection (NAP) Policy Server

IEEE 802.11 Wireless

IEEE 802.3 Wired

RADIUS Server

RADIUS Proxy

Routing and Remote Access

Remote Access Service Routing

Health Registration Authority (HRA)

Network Access Protection Solution

Polices, Procedures & Awareness

Data

Application

Host

Internal Network

Perimeter

Policy Validation

Network Restriction

Remediation

Ongoing Compliance

NAP Architecture Overview

Components in the diagram:

• Client: Quarantine Agent (QA), System Health Agent (SHA) (MS and 3rd parties), Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN)

• MS Network Policy Server: Quarantine Server (QS), System Health Validator, Health policy

• System Health Servers

• Remediation Servers

• Network Access Devices and Servers

Flows in the diagram: Updates (Remediation Servers to client), Health Statements (client to NPS), Network Access Requests (client to Network Access Devices and Servers), Health Certificate.

NPS to System Health Servers: "Should this client be restricted based on its health?"

System Health Servers to NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."

Network Layer Protection with NAP

Participants in the diagram: Client, 802.1X Switch, MS NPS, System Health Servers, Remediation Servers, Restricted Network. Ongoing policy updates flow from the System Health Servers to the Network Policy Server.

Exchange:

1. Client: "May I have access? Here's my current health status."

2. NPS: "You are given restricted access until fix-up." (The client is placed in the Restricted Network.)

3. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."

4. Client: "Requesting access. Here's my new health status."

5. System Health Servers to NPS: "According to policy, the client is up to date. Grant access."

6. Client is granted access to the full intranet.

Host Layer Protection with NAP

Participants in the diagram: Client, Health Registration Authority (HRA), NPS, Remediation Server. "Accessing the network" is marked with an X (blocked) until the client holds a health certificate.

Exchange:

1. Client to HRA: "May I have a health certificate? Here's my SoH."

2. HRA to NPS: "Client ok?"

3. NPS to HRA: "No. Needs fix-up."

4. HRA to Client: "You don't get a health certificate. Go fix up."

5. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."

6. NPS to HRA: "Yes. Issue health certificate."

7. HRA to Client: "Here's your health certificate."

Policy modes shown in the diagram: No Policy, Authentication Optional, Authentication Required.
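The host-layer flow on the slide, as an added Python model (not Microsoft code): only a client that NPS has judged compliant receives a health certificate from the HRA, and an IPsec peer decides what to do with the certificate under the three modes the slide lists. The real health certificate is an X.509 certificate issued through a CA; here an HMAC under a constructed key stands in for the CA signature, and the mode names, client names and timestamps are constructed.

```python
"""Model of HRA health-certificate issuance and the IPsec peer's check under the
three rollout modes (No Policy, Authentication Optional, Authentication Required).
HMAC under a constructed key replaces the CA signature. Constructed example."""
import hashlib
import hmac
import json

HRA_SIGNING_KEY = b"constructed-demo-key-not-a-real-ca"  # assumption: stand-in for the CA key


def hra_issue(client: str, compliant: bool, now: int, lifetime_s: int = 4 * 3600):
    """HRA: refuse a non-compliant client; otherwise issue a short-lived health certificate."""
    if not compliant:
        return None
    body = json.dumps({"subject": client, "not_before": now, "not_after": now + lifetime_s},
                      sort_keys=True)
    sig = hmac.new(HRA_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def cert_is_valid(cert, now: int) -> bool:
    """Peer check: the signature is intact and 'now' lies inside the validity window."""
    if cert is None:
        return False
    expected = hmac.new(HRA_SIGNING_KEY, cert["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False
    body = json.loads(cert["body"])
    return body["not_before"] <= now < body["not_after"]


def ipsec_peer_decision(mode: str, peer_cert, now: int):
    """Return (connection accepted, peer proved healthy) for the given rollout mode.

    'no_policy': the certificate is never requested, so health is unknown (None).
    'authentication_optional': request it, record the result, but still talk to the peer.
    'authentication_required': only a peer holding a valid health certificate gets in."""
    if mode == "no_policy":
        return True, None
    healthy = cert_is_valid(peer_cert, now)
    if mode == "authentication_optional":
        return True, healthy
    if mode == "authentication_required":
        return healthy, healthy
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    cert = hra_issue("laptop-01", compliant=True, now=1_000)
    print(ipsec_peer_decision("authentication_required", cert, now=1_000))
    print(ipsec_peer_decision("authentication_required", cert, now=1_000 + 5 * 3600))
```

The short lifetime is what makes "Ongoing Compliance" on the earlier slide work: when the certificate expires the client has to present a fresh SoH to the HRA, so a machine that drifted out of policy drops out of the secure network on its own.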


Technical Background

NAP Platform Architecture

NAP Enforcement Methods

NAP Infrastructure

NAP Client Architecture

NAP Server Architecture

Component Communication

NAP Infrastructure

Health Policy Validation

Health Policy Compliance

Automatic Remediation

Limited Access

NAP Platform Architecture

Network Access Protection Components (1 of 5)

• NAP Clients: IPSec, 802.1X, VPN, DHCP

• NAP Servers: determine the System Health of any NAP client

• Windows Server 2008 + Network Policy Server

• Remediation actions are required for computers that are not compliant

• Health Registration Authority

• VPN Server

• DHCP Server

Network Access Protection Components (2 of 5)

• NAP Clients: IPSec, 802.1X, VPN, DHCP

• NAP Servers: determine the System Health (SH) of any NAP client

• Windows Server 2008 + Network Policy Server

• Remediation actions are required for computers that are not compliant

• Health Registration Authority

• VPN Server

• DHCP Server

Network Access Protection Components (3 of 5)

NPS Servers

• Replacement for the Internet Authentication Service (IAS)

• Windows Server 2008 + validation of the System Health Policy

Active Directory Directory Service

• Group Policy settings for IPSec

• 802.1X credentials are stored in the directory service

Network Access Protection Components (4 of 5)

Restricted Network

• Separate network segment (logical or physical)

• Contains the Remediation Servers

Remediation Server

• Brings the NAP client into compliance with the health policy

System Health Agent (SHA)

• Checks a particular health parameter

• Sends a Statement of Health (SoH) to the System Health Validator (SHV)

Network Access Protection Components (5 of 5)

System Health Validator

• Compares the Statement of Health (SoH) sent from a System Health Agent (SHA) with the health policy

Statement of Health (SoH)

• The SoH is the response sent by a System Health Agent to a System Health Validator

Misconception

The quarantine network is anything but empty:

• An SMS server reachable from within Quarantine Mode

• For starters, it must have a DNS server

• That DNS server should not be a primary DNS server

• Finally, the DHCP and IAS servers (VPN Quarantine Mode only) must be accessible.

Otherwise, a client would never be able to get out of Quarantine Mode after its Statement of Health has been updated.
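A checker for the point this slide makes, as an added Python example (not Microsoft code): given a constructed description of which hosts a quarantined client can reach, it reports what is missing for the client to get remediated and released. Host names, the role labels and the `reachable` flag are constructed for the example; the rules are the ones listed on the slide (DNS present but not primary, remediation servers present, DHCP reachable for DHCP enforcement, IAS/NPS reachable for VPN quarantine).

```python
"""Check that a restricted (quarantine) network contains what a quarantined
client needs to be remediated and re-evaluated. Constructed example."""


def check_restricted_network(hosts: list, enforcement: str) -> list:
    """hosts: dicts with 'name', 'roles' (set of labels), 'reachable' (bool) and an
    optional 'primary_dns' flag; enforcement: 'dhcp' or 'vpn'.
    Returns a list of findings; an empty list means the restricted network is usable."""
    findings = []
    reachable_roles = {role for h in hosts if h["reachable"] for role in h["roles"]}

    if "dns" not in reachable_roles:
        findings.append("no DNS server reachable: clients cannot locate remediation or policy servers")
    for h in hosts:
        if "dns" in h["roles"] and h["reachable"] and h.get("primary_dns"):
            findings.append(f"{h['name']}: a primary DNS server should not be exposed to quarantined clients")
    if "remediation" not in reachable_roles:
        findings.append("no remediation server reachable: health cannot be brought into compliance")
    if enforcement == "dhcp" and "dhcp" not in reachable_roles:
        findings.append("DHCP server not reachable: a remediated client cannot renew to obtain a full lease")
    if enforcement == "vpn" and "radius" not in reachable_roles:
        findings.append("IAS/NPS (RADIUS) not reachable: a remediated VPN client cannot be re-evaluated")
    return findings


# Constructed inventory: a secondary DNS server and a WSUS-style remediation
# server sit in the restricted segment; the DHCP server has been firewalled off.
SAMPLE_HOSTS = [
    {"name": "dns-q", "roles": {"dns"}, "reachable": True, "primary_dns": False},
    {"name": "wsus-q", "roles": {"remediation"}, "reachable": True},
    {"name": "dhcp1", "roles": {"dhcp"}, "reachable": False},
    {"name": "nps1", "roles": {"radius"}, "reachable": True},
]

if __name__ == "__main__":
    for finding in check_restricted_network(SAMPLE_HOSTS, "dhcp"):
        print("finding:", finding)
```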


Lesson 2: Enforcement Options

NAP – Enforcement Options

NAP with DHCP

IPsec-based Communication

NAP with RRAS

NAP with DHCP

Participants in the diagram: Client, DHCP Server, NPS Server, VPN Server, IEEE 802.1X Devices, Remediation Servers.

Exchange:

1. Client to DHCP Server: "I need to lease an IP address."

2. DHCP Server to Client: "You are not within the Health Policy requirements."

3. The client requests and receives updates from the Remediation Servers.

4. Client to DHCP Server: "Requesting access. Here's my new health status."

5. DHCP Server to Client: "Access granted. Here is your new IP address."
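What the two leases in this exchange look like, as an added Python example (not Microsoft code). It models the documented NAP DHCP enforcement behaviour: a non-compliant client receives an IPv4 lease with a 255.255.255.255 subnet mask and no default gateway, plus classless static routes that reach only the remediation servers and DNS, while a compliant client receives a normal lease. Addresses, the gateway and the server lists are constructed; `can_reach` is an added helper that applies the lease's routing to a destination.

```python
"""Restricted vs. full DHCP lease under NAP DHCP enforcement, with a reachability
check that shows what each lease lets the client talk to. Constructed example."""
import ipaddress

GATEWAY = "10.0.1.1"                              # constructed
DNS_SERVERS = ["10.0.0.10"]                       # constructed
REMEDIATION_SERVERS = ["10.0.0.20", "10.0.0.21"]  # constructed


def build_lease(address: str, compliant: bool) -> dict:
    """DHCP server: hand out a full lease to a compliant client, a restricted one otherwise.

    The restricted lease has a /32 mask and no router option, so nothing is on-link and
    there is no default route; classless static routes open only the remediation hosts."""
    if compliant:
        return {"address": address, "mask": "255.255.255.0", "router": GATEWAY,
                "dns": DNS_SERVERS, "static_routes": []}
    routes = [(f"{host}/32", GATEWAY) for host in REMEDIATION_SERVERS + DNS_SERVERS]
    return {"address": address, "mask": "255.255.255.255", "router": None,
            "dns": DNS_SERVERS, "static_routes": routes}


def can_reach(lease: dict, destination: str) -> bool:
    """Apply the lease's routing: on-link, matched by a static route, or via the default gateway."""
    dst = ipaddress.ip_address(destination)
    on_link = ipaddress.ip_network(f"{lease['address']}/{lease['mask']}", strict=False)
    if dst in on_link:
        return True
    for dest_net, _next_hop in lease["static_routes"]:
        if dst in ipaddress.ip_network(dest_net):
            return True
    return lease["router"] is not None


if __name__ == "__main__":
    restricted = build_lease("10.0.1.50", compliant=False)
    full = build_lease("10.0.1.50", compliant=True)
    for target in ["10.0.0.20", "10.0.0.10", "10.0.5.9"]:
        print(target, "restricted:", can_reach(restricted, target), "full:", can_reach(full, target))
```

Note the caveat behind this enforcement method, which the slides do not spell out: the restriction lives in the client's own routing table, so a user with local administrator rights can change the mask and gateway by hand. DHCP enforcement is the easiest method to deploy and the weakest of the four; where that matters, pair it with 802.1X or IPsec enforcement.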

Demo1: Using Network Access Protection

Exercise 1: Configuring Network Access Protection for DHCP

NAP with RRAS

Participants in the diagram: Client, VPN Server, NPS Server, Remediation Servers. PEAP messages are exchanged between the Client and the VPN Server; RADIUS messages between the VPN Server and the NPS Server.

Demo2: Using Network Access Protection

Exercise 1: Configuring Network Access Protection for VPN

IPSec-based Communication

Logical networks in the diagram: Secure network, Boundary network, Restricted network. Traffic is labelled IPsec Authenticated or Unauthenticated.

NAP Enforcement Clients

• 802.1X

• VPN

• IPSec

• DHCP

• NPS RADIUS

How NAP Works

IPSec Enforcement

IEEE 802.1X

Logical Networks

Remote Access VPNs

DHCP

IPSec Enforcement in Logical Networks

Communication Initiation Process with IPSec Enforcement

NAP Client Health Certificate Process

IPSec Enforcement in NAP

IPSec Reviewing

IPSec functionality

• Operates at Layer 3 of the OSI 7-layer model

Authentication methods for IPSec

• Pre-shared key

• Kerberos

• Certificate


Certificate Reviewing

What is a digital certificate?

What is a certificate authority?

What is a digital certificate for?

• Identifying a user, computer or service

Digital certificates for IPSec


Demo3: Network Access Protection - IPSec

• Create a certificate template for NAP exemptions

• Enable certificate autoenrollment

• Configure NAP to issue health certificates

• Configure the Health Registration Authority to request certificates from the subordinate CA

• Add the System Health Validation certificate to NPS

• Configure a GPO to ensure clients are configured to implement NAP

• Verify Network Access Protection

802.1x Authenticated Connections

Lesson 3: Network Access Protection Scenarios

Scenario 1: Roaming Laptops

Scenario 2: Health of Desktop Computers

Scenario 3: Health of Visiting Laptops

Scenario 4: Unmanaged Home Computers

Scenario 1: Roaming Laptops

NAP

Scenario 2: Health of Desktop Computers

Network Policy Server

Scenario 3: Health of Visiting Laptops

Network Policy Server

Scenario 4: Unmanaged Home Computers

NAP Authentication Process Background

Network Access Protection Settings

Authorization Policies

Authentication Process

Implementation/Usage Scenarios

Ensuring the Health of Corporate Desktops

Checking the Health and Status of Roaming Laptops

Determining the Health of Visiting Laptops

Verifying the Compliance of Home Computers

Summary

Network Access Protection:

Secures Remote Computers before accessing the Network

Has Client and Server Components

Can Use One or More of Several methods for Enforcement

IPSec

802.1X

VPN

DHCP

Provides Support for Third Party Software


What Next?

Windows Server 2008 Beta: https://connect.microsoft.com

Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx

Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx

Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17

Network Access Protection

• Home Page: http://www.microsoft.com/nap

• Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884

• Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885

• Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886

• IPSec: http://www.microsoft.com/ipsec

• Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx