Network Access Protection

WINDOWS 2008
Network Access Protection

Published in: Education
  • This scenario shows how Network Access Protection works with DHCP or VPN enforcement. The notes say "IAS policy server" (Internet Authentication Service, the Windows Server 2003 name); in Windows Server 2008 the same role is the Network Policy Server (NPS) shown on the slides.
    [BUILD1] The IT administrator defines the health policy. The system health servers push it to the IAS policy server asynchronously, and the policy server keeps the current policy in a health cache.
    [BUILD2] The client requests network access and forwards its Statement of Health (SoH), produced by its System Health Agent.
    [BUILD3] The Network Access Device (here the DHCP server or VPN server) forwards the SoH to the IAS policy server.
    [BUILD4] The policy server compares the SoH with the cached policy. If the SoH does not meet it, the policy server tells the Network Access Device to restrict the client, for example by placing it in a quarantine VLAN or a separate subnet, and also tells the NAD what the client must do to become healthy.
    [BUILD5] The NAP information passed back to the client tells it how to reach the remediation (fix-up) servers.
    [BUILD6] The client contacts the remediation server and requests the missing updates.
    [BUILD7] The remediation server supplies the updates the client needs in order to pass the health policy.
    [BUILD8] The client returns to the Network Access Device with an updated SoH.
    [BUILD9] The Network Access Device forwards the new SoH to the IAS policy server.
    [BUILD10] This time the SoH matches policy, so the client is granted full access to network resources. The validated SoH is re-used for continued access until the policy is updated, at which point the client is evaluated again.
  • Enforcement works virtually the same whether you use DHCP, VPN, 802.1X or IPsec: healthy clients get full access and unhealthy clients are restricted.
    Administrators can configure Dynamic Host Configuration Protocol (DHCP) enforcement, virtual private network (VPN) enforcement, IEEE 802.1X enforcement, Internet Protocol security (IPsec) enforcement, or any combination of the four, depending on their network needs.
    Network Access Protection provides an infrastructure and an API set for extending its functionality. Vendors and software developers can use the API set to build their own network policy validation, ongoing compliance and network isolation components that are compatible with Network Access Protection, so customers are not limited to DHCP and VPN enforcement.
    IPsec-based enforcement has extra benefits. It isolates unhealthy clients at the host rather than at the network edge, so, unlike DHCP enforcement (which a client can bypass simply by assigning itself a static IP address and routes), it cannot be bypassed by a client that reconfigures its own network settings, by plugging in through a hub, or by running a virtual PC behind a compliant host. IPsec enforcement does not require an infrastructure upgrade, because it works with existing switches and routers. It also offers flexible isolation: healthy systems can connect to quarantined systems but not vice versa, and the isolation model defined by policy
    Microsoft recommends using the enforcement mechanisms in combination. Each customer is different and must weigh risk, business model, health policies and their management, access scenarios, existing infrastructure investments and upgrade schedule, among other things. NAP lets the customer choose based on its own circumstances without giving up a strong, multi-layered network security and access policy management solution.
  • Network Access Protection

    1. Layered infrastructure; policy based; open to third parties; denied network access / quarantine; remediation; NAP clients
    2. Private network: unhealthy computer, healthy computer (diagram)
    3. Accessing the network (diagram): Client, HRA, NPS, Remediation Server; network zones labelled "No Policy", "Authentication Optional" and "Authentication Required"
    4. NAP components (diagram)
       Client: System Health Agent (SHA), Quarantine Agent (QA), Enforcement Client (EC)
       Network Access Device or Server (RADIUS)
       Network Policy Server (NPS) / Quarantine Server, with the System Health Validator (SHV)
       System Health Server, Remediation Server
    5. Access flow between Client, 802.1X switch, Microsoft NPS, System Health Servers and Remediation Servers (diagram)
       System Health Servers → NPS: ongoing policy updates to the Network Policy Server
       Client → switch: "May I have access? Here's my current health status."
       Switch → NPS: "Should this client be restricted based on its health?"
       NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
       Switch → client: "You are given restricted access until fix-up." (restricted network)
       Client → Remediation Servers: "Can I have updates?" Remediation Servers → client: "Here you go."
       Client → switch: "Requesting access. Here's my new health status."
       NPS: "According to policy, the client is up to date. Grant access."
       Client is granted access to the full intranet.
    6. NAP client available for XP SP2; Cisco Network Admission Control (NAC); Avenda Linux NAP Agent
    7. Avenda Linux NAP Agent
       Features
       Authentication methods: PEAPv0 (EAP-MSCHAPv2), PEAPv0 (EAP-TLS)
       Health check: Firewall status (check firewall status, with auto-remediation); Service status (check different services, auto-remediate by starting or stopping them); Firewall ports (check status of open or blocked TCP/UDP ports); Anti-virus status (check whether anti-virus software is up to date)
       Supported platforms: Red Hat Enterprise Linux 4 and above, CentOS 5 and above, Fedora Core 6 and above
       Avenda Linux NAP SHV for Microsoft NPS
       Features
       Health check: Firewall status (check firewall status and open/blocked ports; auto-remediation turns on the firewall and blocks or opens ports); Service status (check status of services running on the system; auto-remediation starts or stops them); Anti-virus status (check whether anti-virus is running; auto-remediation starts it)
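The SoH exchange in the speaker notes (BUILD1 to BUILD10) and on slide 5, as an added example that is not code from Microsoft or from the slide deck. It models the messages in Python: real NAP carries the SoH inside DHCP, EAP or HRA traffic and the policy is configured in NPS, so every class, field and sample value here (including the remediation server name) is an assumption for illustration. It also encodes the one-way isolation rule the notes give for IPsec enforcement and the failure mode where the fix-up server cannot supply a required update.

```python
# Model of the NAP Statement of Health exchange from the speaker notes.
# Added example, not Microsoft's or the deck's code: real NAP carries the SoH
# inside DHCP, EAP or HRA traffic and the policy lives in NPS. Every class,
# field and sample value here (including the server name) is an assumption.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Access(Enum):
    FULL = "full"
    RESTRICTED = "restricted"

# Health policy as the administrator defines it (constructed sample); "version"
# stands in for the policy updates the system health servers push to NPS.
HEALTH_POLICY = {"version": 1, "firewall_required": True,
                 "min_av_signature": 4200, "required_patches": {"KB-A", "KB-B"}}

@dataclass
class SoH:
    """Statement of Health produced by the client's System Health Agent."""
    firewall_on: bool
    av_signature: int
    patches: set = field(default_factory=set)

@dataclass
class SoHR:
    """Statement of Health Response that NPS returns via the access device."""
    access: Access
    policy_version: int
    failures: list = field(default_factory=list)
    remediation_server: Optional[str] = None

class PolicyServer:
    """NPS (IAS in the notes): caches the policy and runs the SHV checks."""
    def __init__(self, policy: dict):
        self.policy = dict(policy)

    def update_policy(self, **changes) -> None:
        # New policy from the system health servers: bump the version so a
        # cached SoHR is no longer accepted (BUILD10).
        self.policy.update(changes)
        self.policy["version"] += 1

    def validate(self, soh: SoH) -> SoHR:
        p, failures = self.policy, []
        if p["firewall_required"] and not soh.firewall_on:
            failures.append("firewall_off")
        if soh.av_signature < p["min_av_signature"]:
            failures.append("av_signature_outdated")
        missing = p["required_patches"] - soh.patches
        if missing:
            failures.append("missing_patches:" + ",".join(sorted(missing)))
        if failures:  # BUILD4: restrict and tell the NAD what must be fixed
            return SoHR(Access.RESTRICTED, p["version"], failures,
                        "remediation.corp.example")  # assumed host name
        return SoHR(Access.FULL, p["version"])

class RemediationServer:
    """Fix-up server reachable from the restricted network (BUILD6/BUILD7)."""
    def __init__(self, av_signature: int, patches: set):
        self.av_signature, self.patches = av_signature, set(patches)

    def remediate(self, soh: SoH, failures: list) -> SoH:
        for f in failures:
            if f == "firewall_off":
                soh.firewall_on = True
            elif f == "av_signature_outdated":
                soh.av_signature = self.av_signature
            elif f.startswith("missing_patches:"):
                wanted = set(f.split(":", 1)[1].split(","))
                soh.patches |= wanted & self.patches  # only what the server has
        return soh

class NetworkAccessDevice:
    """DHCP/VPN server or switch: forwards the SoH to NPS and enforces the answer."""
    def __init__(self, nps: PolicyServer):
        self.nps = nps

    def request_access(self, soh: SoH, cached: Optional[SoHR]) -> SoHR:
        # A validated SoHR is re-used until the policy version changes.
        if (cached and cached.access is Access.FULL
                and cached.policy_version == self.nps.policy["version"]):
            return cached
        return self.nps.validate(soh)

def nap_flow(soh: SoH, nad: NetworkAccessDevice, fixup: RemediationServer,
             cached: Optional[SoHR] = None) -> SoHR:
    """BUILD2..BUILD10: request, get restricted, remediate once, request again.
    If the fix-up server lacks a required update the client stays restricted."""
    sohr = nad.request_access(soh, cached)
    if sohr.access is Access.RESTRICTED:
        fixup.remediate(soh, sohr.failures)
        sohr = nad.request_access(soh, None)
    return sohr

def ipsec_can_initiate(src_healthy: bool, dst_healthy: bool) -> bool:
    """IPsec isolation rule from the notes: healthy hosts may reach quarantined
    ones, but a quarantined host cannot initiate a connection to a healthy one."""
    return src_healthy or not dst_healthy
```

nap_flow deliberately remediates only once: if the fix-up server lacks a required update, the client is returned to the restricted network with the remaining failure listed, which is the state an operator should alert on rather than retry in a loop. ipsec_can_initiate encodes only the direction rule stated in the notes; in a real deployment it is the health certificate and the IPsec connection security rules that produce that behaviour.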
