Welcome
Windows Server 2008 Security Features - NAP
Network Access Protection in Windows Server 2008
Overview
Network Policies Access Protection
Enforcement Options
Network Access Protection Scenarios
Lesson 1: Network Policies Access Protection
Why Use Network Access Protection?
Network Protection Services Overview
Network Access Protection Solution
NAP Architecture Overview
Network Layer Protection with NAP
Host Layer Protection with NAP
Why Use Network Access Protection?
(Figure: a private network containing an unhealthy computer and a healthy computer.)
NAP vs. Network Access Quarantine Control

                      Network Access Protection                          Network Access Quarantine Control
Supported clients     Internal, VPN and remote access clients            Only VPN and remote access clients
Enforcement methods   IPsec, 802.1X, DHCP and VPN                        DHCP and VPN
Availability          NPS and NAP client included in Windows Server      Installed from the Windows Server 2003
                      2008; NAP client included in Windows Vista         Resource Kit
Network Protection Services Overview
• Network Policy Server (NPS): Network Access Protection (NAP) policy server, IEEE 802.11 wireless, IEEE 802.3 wired, RADIUS server, RADIUS proxy
• Routing and Remote Access: remote access service, routing
• Health Registration Authority (HRA)
Network Access Protection Solution
Layers: policies, procedures and awareness; data; application; host; internal network; perimeter
NAP: policy validation, network restriction, remediation, ongoing compliance
NAP Architecture Overview
(Diagram of the NAP components and their message flows.)
Client side: System Health Agent (SHA, from Microsoft and third parties), Quarantine Agent (QA), Enforcement Client (EC: DHCP, IPsec, 802.1X, VPN)
Server side: Microsoft Network Policy Server with Quarantine Server (QS), System Health Validator and health policy; System Health Servers; Remediation Servers; Network Access Devices and Servers
Flows: health statements and network access requests from the client; updates from the Remediation Servers; a health certificate issued when the client passes
NPS decision: "Should this client be restricted based on its health?" / "According to policy, the client is not up to date. Quarantine client, request it to update."
Network Layer Protection with NAP
(Sequence diagram: Client, 802.1X switch, Microsoft NPS, System Health Servers, Remediation Servers, Restricted Network.)
1. Client: "May I have access? Here's my current health status."
2. System Health Servers send ongoing policy updates to the Network Policy Server.
3. NPS: "According to policy, the client is not up to date. Quarantine client, request it to update." Client: "You are given restricted access until fix-up."
4. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
5. Client: "Requesting access. Here's my new health status."
6. NPS: "According to policy, the client is up to date. Grant access." The client is granted access to the full intranet.
Host Layer Protection with NAP
(Sequence diagram: Client, HRA, NPS, Remediation Server. Network zones: No Policy, Authentication Optional, Authentication Required; the client is initially blocked from accessing the network.)
1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client ok?" NPS: "No. Needs fix-up."
3. HRA to Client: "You don't get a health certificate. Go fix up."
4. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
5. Client to HRA: new SoH. HRA to NPS: "Client ok?" NPS: "Yes. Issue health certificate."
6. HRA to Client: "Here's your health certificate." The client can now access the network.
Technical Background
NAP Platform Architecture
NAP Enforcement Methods
NAP Infrastructure
NAP Client Architecture
NAP Server Architecture
Component Communication
NAP Infrastructure
Health Policy Validation
Health Policy Compliance
Automatic Remediation
Limited Access
NAP Platform Architecture
Network Access Protection Components (1 of 5)
• NAP clients: IPsec, 802.1X, VPN, DHCP
• NAP servers: determine the system health of any NAP client; Windows Server 2008 + Network Policy Server; remediation actions are required for computers that are not compliant
• NAP enforcement points: Health Registration Authority, VPN server, DHCP server
Network Access Protection Components (3 of 5)
• NPS servers: replacement for the Internet Authentication Service (IAS); Windows Server 2008 + validation of system health policy
• Active Directory directory service: Group Policy settings for IPsec; 802.1X credentials are stored in the directory service
Network Access Protection Components (4 of 5)
• Restricted network: a separate network segment (logical or physical) that contains the remediation servers
• Remediation server: brings the NAP client into compliance with health policy
• System Health Agent (SHA): checks a particular health parameter and sends a Statement of Health (SoH) to a System Health Validator (SHV)
Network Access Protection Components (5 of 5)
• System Health Validator (SHV): compares the Statement of Health (SoH) sent by a System Health Agent (SHA)
• Statement of Health (SoH): the response a System Health Agent sends to a System Health Validator
Misconception
• The quarantine network is anything but empty.
• An SMS server is reachable from within quarantine mode.
• For starters, it must have a DNS server, which should not be a primary DNS server.
• Finally, the DHCP and IAS server (VPN quarantine mode only) must be accessible. Otherwise, a client would never be able to get out of quarantine mode after its Statement of Health has been updated.
Lesson 2: Enforcement Options
NAP – Enforcement Options
NAP with DHCP
IPsec-based Communication
NAP with RRAS
NAP with DHCP
(Diagram: Client, DHCP server, NPS server, remediation servers; a VPN server and IEEE 802.1X devices are shown as the other enforcement points.)
1. Client to DHCP server: "I need to lease an IP address." (current health status included)
2. NPS server, via the DHCP server: "You are not within the health policy requirements."
3. The client requests and receives updates from the remediation servers.
4. Client: "Requesting access. Here's my new health status."
5. DHCP server: "Access granted. Here is your new IP address."
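The 802.1X exchange in the Network Layer Protection slide and the DHCP exchange above follow the same cycle: the SHA reports a Statement of Health, the SHV on NPS compares it to health policy, the enforcement point restricts or grants access, and remediation triggers a re-evaluation. The following Python model of that cycle is an added example, not code from the deck or from Microsoft; the policy values, addresses and the remediation-server route are constructed samples, while the 255.255.255.255 mask plus static routes reflect how DHCP enforcement limits a non-compliant lease.

```python
"""Model of the NAP health-evaluation cycle (constructed example, not product code)."""
from dataclasses import dataclass

# Health policy the SHV on NPS checks each Statement of Health against (constructed values).
HEALTH_POLICY = {"firewall_on": True, "antivirus_on": True, "max_signature_age_days": 3}


@dataclass
class StatementOfHealth:
    """What the client's System Health Agent (SHA) reports."""
    firewall_on: bool
    antivirus_on: bool
    signature_age_days: int


def validate_soh(soh, policy=HEALTH_POLICY):
    """System Health Validator: return the failed checks (empty list == compliant)."""
    failures = []
    if policy["firewall_on"] and not soh.firewall_on:
        failures.append("firewall")
    if policy["antivirus_on"] and not soh.antivirus_on:
        failures.append("antivirus")
    if soh.signature_age_days > policy["max_signature_age_days"]:
        failures.append("signatures")
    return failures


def dhcp_enforce(failures):
    """DHCP enforcement point: full lease, or a restricted lease whose /32 mask and
    static route reach only the remediation server (addresses are constructed samples)."""
    if failures:
        return {"access": "restricted", "address": "192.0.2.50", "mask": "255.255.255.255",
                "routes": ["192.0.2.10/32"], "reason": failures}
    return {"access": "full", "address": "10.0.0.50", "mask": "255.255.255.0",
            "routes": ["0.0.0.0/0"], "reason": []}


def remediate(soh, failures):
    """Remediation server: fix exactly the failed components and return the updated SoH."""
    return StatementOfHealth(
        firewall_on=True if "firewall" in failures else soh.firewall_on,
        antivirus_on=True if "antivirus" in failures else soh.antivirus_on,
        signature_age_days=0 if "signatures" in failures else soh.signature_age_days)


def nap_cycle(soh, max_rounds=2):
    """Run request -> validate -> enforce -> remediate until compliant; return the leases handed out."""
    history = []
    for _ in range(max_rounds):
        failures = validate_soh(soh)
        history.append(dhcp_enforce(failures))
        if not failures:
            break
        soh = remediate(soh, failures)
    return history
```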
Demo1: Using Network Access Protection
Exercise 1: Configuring Network Access Protection for DHCP
NAP with RRAS
(Diagram: the Client and the VPN Server exchange PEAP messages; the VPN Server and the NPS Server exchange RADIUS messages; Remediation Servers.)
Demo2: Using Network Access Protection
Exercise 1: Configuring Network Access Protection for VPN
IPsec-based Communication
Logical networks: secure network, boundary network, restricted network
Traffic: IPsec authenticated / unauthenticated
NAP Enforcement Clients: 802.1X, VPN, IPsec, DHCP; NPS (RADIUS)
How NAP Works
IPsec Enforcement
IEEE 802.1X
Logical Networks
Remote Access VPNs
DHCP
IPSec Enforcement in Logical Networks
Communication Initiation Process with IPSec Enforcement
NAP Client Health Certificate Process
IPSec Enforcement in NAP
IPsec Reviewing
IPsec functionality: OSI 7-layer model, layer 3
Authentication methods for IPsec: pre-shared key, Kerberos, certificate
Certificate Reviewing
What is a digital certificate?
What is a certificate authority?
What is a digital certificate for? Identifying a user, computer or service
Digital certificates for IPsec
Demo3: Network Access Protection - IPsec
• Create a certificate template for NAP exemptions
• Enable certificate autoenrollment
• Configure NAP to issue health certificates
• Configure the Health Registration Authority to request certificates from the subordinate CA
• Add the System Health Validation certificate to NPS
• Configure a GPO to ensure clients are configured to implement NAP
• Verify Network Access Protection
802.1x Authenticated Connections
Lesson 3: Network Access Protection Scenarios
Scenario 1: Roaming Laptops
Scenario 2: Health of Desktop Computers
Scenario 3: Health of Visiting Laptops
Scenario 4: Unmanaged Home Computers
Scenario 1: Roaming Laptops (diagram: NAP)
Scenario 2: Health of Desktop Computers (diagram: Network Policy Server)
Scenario 3: Health of Visiting Laptops (diagram: Network Policy Server)
Scenario 4: Unmanaged Home Computers
NAP Authentication Process Background
Network Access Protection Settings
Authorization Policies
Authentication Process
Implementation/Usage Scenarios
Ensuring the Health of Corporate Desktops
Checking the Health and Status of Roaming Laptops
Determining the Health of Visiting Laptops
Verifying the Compliance of Home Computers
Summary
Network Access Protection:
• Secures remote computers before they access the network
• Has client and server components
• Can use one or more of several enforcement methods: IPsec, 802.1X, VPN, DHCP
• Provides support for third-party software
What Next?
Windows Server 2008 Beta: https://connect.microsoft.com
Home Page: http://www.microsoft.com/windowsserver/longhorn/default.mspx
Webcasts: http://www.microsoft.com/windowsserver/longhorn/webcasts.mspx
Forums: http://forums.microsoft.com/TechNet/default.aspx?ForumGroupID=161&SiteID=17
Network Access Protection
• Home Page: http://www.microsoft.com/nap
• Introduction to Network Access Protection: http://go.microsoft.com/fwlink/?LinkId=49884
• Network Access Protection Platform Architecture: http://go.microsoft.com/fwlink/?LinkId=49885
• Network Access Protection Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=49886
• IPSec: http://www.microsoft.com/ipsec
• Server and Domain Isolation: http://www.microsoft.com/technet/network/sdiso/default.mspx