Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Date posted: 22-Dec-2015

Transcript of Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Page 1: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Windows Server 2008 Network Access Protection (NAP) Technical Overview

Page 2: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

• Introducing Network Access Protection

• Network Access Protection Architecture

• Reviewing NAP Enforcement Options

What Will We Cover?

Page 3: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Level 300

• Familiarity with DHCP

• Knowledge of IPsec

• Familiarity with RRAS and VPN

Helpful Experience

Page 4: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

• Introducing Network Access Protection

• Using NAP with DHCP

• Using NAP with VPN

• Using NAP with IPsec

Agenda

Page 5: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Network Access Protection Solution

• Policy Validation

• Network Restriction

• Remediation

• Ongoing Compliance

Policies, Procedures, and Awareness

Data

Application

Host

Internal Network

Perimeter

Page 6: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

NAP Architecture Overview

Network Policy Server

Quarantine Server (QS)

Client

Quarantine Agent (QA)

Health Policy Updates

Health Statements

Network Access Requests

System Health Servers

Remediation Servers

Health Certificate

Network Access Devices and Servers

System Health Agent (SHA) (MS and 3rd Parties)

System Health Validator

Enforcement Client (EC) (DHCP, IPsec, 802.1X, VPN)

Page 7: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Network Layer Protection with NAP

Requesting access. Here’s my new health status.

MS NPS

Client

802.1X Switch

Remediation Servers

May I have access? Here’s my current health status.

Should this client be restricted based on its health?

Ongoing policy updates to Network Policy Server

You are given restricted access until fix-up.

Can I have updates?

Here you go.

According to policy, the client is not up to date. Quarantine client, request it to update.

Restricted Network

Client is granted access to full intranet.

System Health Servers

According to policy, the client is up to date.

Grant access.

Page 8: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Host Layer Protection with NAP

Accessing the network X

Remediation Server

NPS

HRA

May I have a health certificate? Here’s my SoH.

Client ok?

No. Needs fix-up.

You don’t get a health certificate. Go fix up.

I need updates.

Here you go.

Here’s your health certificate.

Yes. Issue health certificate.

Client

No Policy

Authentication Optional

Authentication Required

Page 9: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

NAP – Enforcement Options

Enforcement | Healthy Client | Unhealthy Client

802.1X | Full access | Restricted VLAN

VPN | Full access | Restricted VLAN

DHCP | Full IP address given, full access | Restricted set of routes

IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

Complements layer 2 protection

Works with existing servers and infrastructure

Offers flexible isolation

Infrastructure and API Set

Customer Choice

IPsec-based Enforcement

Page 10: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

• Introducing Network Access Protection

• Using NAP with DHCP

• Using NAP with VPN

• Using NAP with IPsec

Agenda

Page 11: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

NAP with DHCP

NPS Server

Client

DHCP Server

VPN Server

IEEE 802.1X Devices

Remediation Servers

Requesting access. Here’s my new health status.

The client requests and receives updates

I need to lease an IP address

You are not within the Health Policy requirements

Access granted. Here is your new IP address

Page 12: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Demonstration Environment

External VPN Network: 10.0.10.0/24

Internal Network: 192.168.16.0/20

SEA-DC-01.contoso.com: Windows Server 2008, Domain Controller, DNS, 192.168.16.1/20, 10.0.10.1/24

SEA-WRK-001.contoso.com: Windows Vista Ultimate, DHCP assigned IP address

SEA-WRK-002.contoso.com: Windows Vista Ultimate, 192.168.16.100/20, 10.0.10.10/24

Page 13: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Demo

Configuring NAP for DHCP

• Configure Health Policies

• Configure Network Policies

• Enable Client NAP Settings

demonstration

Page 14: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

• Introducing Network Access Protection

• Using NAP with DHCP

• Using NAP with VPN

• Using NAP with IPsec

Agenda

Page 15: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

NAP with VPN and RRAS

NPS Server

Client

VPN Server

Remediation Servers

RADIUS Messages

PEAP Messages

Page 16: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Demo

Configuring NAP for VPN

• Configure RRAS Settings

• Configure Connection Request Policy

• Configure Network Policies

demonstration

Page 17: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

• Introducing Network Access Protection

• Using NAP with DHCP

• Using NAP with VPN

• Using NAP with IPsec

Agenda

Page 18: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

IPsec-based Communication

Secure network

Boundary network

Restricted network

IPsec Authenticated

Unauthenticated

Page 19: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Demo

Configuring NAP for IPsec

• Configure Exemption Group

• Configure Certificate Settings

• Configure Health Registration Authority

demonstration

Page 20: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

• NAP provides policy-driven access control

• Customer choice—flexible, selectable enforcement

• Broad industry support

Session Summary

Page 21: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Visit TechNet at: www.microsoft.com/technet

Visit the following site for additional information: www.microsoft.com/technet/add-302

For More Information

Page 22: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Course ID Title

5934 Introducing Microsoft Windows Server 2008

5939 Introducing Server Management in Microsoft Windows Server 2008

For training information and availability www.microsoft.com/learning

Training Resources

Page 23: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

• Self-study learning tool, free to anyone

• Determines skills gaps

• Provides learning plans

• Post your score, see how you rank

Visit: www.microsoft.com/assessment

Readiness with Skills Assessment

Page 24: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

Become a Microsoft Certified Professional

• What are MCP certifications?

Validation in performing critical IT functions

• Why certify?

WW recognition of skills gained through experience

More effective deployments with reduced costs

• What certifications are there for IT Pros?

MCP, MCSE, MCSA, MCDST, MCDBA

www.microsoft.com/learning/mcp

Page 25: Windows Server 2008 Network Access Protection (NAP) Technical Overview.

TechNet Plus

TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.

Evaluate full versions of all Microsoft commercial software for evaluation—without time limits. This includes all client, server and Office applications.

Try out all the latest betas before public release

Keep your skills current with select Microsoft E-Learning courses free each quarter

Evaluate & Learn | Plan & Deploy | Support & Maintain

Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training

Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager

Stay informed with your free subscription to TechNet Magazine.

2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents)

Access over 100 managed newsgroups and get next business day response--guaranteed

Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities

Get all these resources and more with a TechNet Plus subscription.

For more information visit: technet.microsoft.com/subscriptions