Module 7
Implementing Network Access Protection
Module Overview
• Overview of Network Access Protection
• How NAP Works
• Configuring NAP
• Monitoring and Troubleshooting NAP
Lesson 1: Overview of Network Access Protection
• What Is Network Access Protection?
• NAP Scenarios
• NAP Enforcement Methods
• NAP Platform Architecture
What Is Network Access Protection?
Network Access Protection can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:
• Enforce health requirement policies on client computers
• Ensure client computers are compliant with policies
NAP Scenarios
NAP helps you verify the health state of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers
NAP Enforcement Methods
Method: IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• The strongest NAP enforcement type; can be applied per IP address or protocol port number
Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)
Method: VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a RAS connection
Method: DirectAccess
• Computer must be compliant to obtain unlimited network access
• For noncompliant computers, access is restricted to a defined group of infrastructure servers
Method: DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement
NAP Platform Architecture
[Diagram: NAP platform architecture. Labelled components: Intranet, Perimeter Network, Internet, Restricted Network, NAP Health Policy Server, Health Registration Authority, DHCP Server, IEEE 802.1X Devices, VPN Server, Active Directory, Remediation Servers, NAP Client with limited access]
Lesson 2: How NAP Works
• NAP Enforcement Processes
• IPsec Enforcement
• 802.1X Enforcement
• VPN Enforcement
• DHCP Enforcement
NAP Enforcement Processes
[Diagram: NAP enforcement processes. The NAP Client connects through the enforcement points (HRA, VPN Server, DHCP Server, IEEE 802.1X Network Access Devices); the enforcement points exchange RADIUS Messages with the NAP Health Policy Server; the NAP Health Policy Server sends System Health Requirement Queries to the Health Requirement Server; the NAP Client obtains System Health Updates from the Remediation Server]
IPsec Enforcement
[Diagram: NAP platform architecture figure repeated for IPsec enforcement. Labelled components: Intranet, Perimeter Network, Internet, Restricted Network, NAP Health Policy Server, Health Registration Authority, DHCP Server, IEEE 802.1X Devices, VPN Server, Active Directory, Remediation Servers, NAP Client with limited access]
Key Points of IPsec NAP Enforcement:
• Consists of a health certificate server and an IPsec NAP enforcement client (EC)
• The health certificate server issues X.509 certificates to quarantined clients when they are verified as compliant
• The certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
• IPsec enforcement confines communication on a network to those nodes that are considered compliant
• You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis
802.1X Enforcement
[Diagram: NAP platform architecture figure repeated for 802.1X enforcement. Labelled components: Intranet, Perimeter Network, Internet, Restricted Network, NAP Health Policy Server, Health Registration Authority, DHCP Server, IEEE 802.1X Devices, VPN Server, Active Directory, Remediation Servers, NAP Client with limited access]
Key Points of 802.1X Wired or Wireless NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
• Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
• Restricted-access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
• 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted-access profile to the connection if the client becomes noncompliant
VPN Enforcement
[Diagram: NAP platform architecture figure repeated for VPN enforcement. Labelled components: Intranet, Perimeter Network, Internet, Restricted Network, NAP Health Policy Server, Health Registration Authority, DHCP Server, IEEE 802.1X Devices, VPN Server, Active Directory, Remediation Servers, NAP Client with limited access]
Key Points of VPN NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through a remote access VPN connection
• Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
• VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
DHCP Enforcement
[Diagram: NAP platform architecture figure repeated for DHCP enforcement. Labelled components: Intranet, Perimeter Network, Internet, Restricted Network, NAP Health Policy Server, Health Registration Authority, DHCP Server, IEEE 802.1X Devices, VPN Server, Active Directory, Remediation Servers, NAP Client with limited access]
Key Points of DHCP NAP Enforcement:
• Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
• Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
• DHCP enforcement actively monitors the health status of the NAP client, renewing the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant
Lesson 3: Configuring NAP
• What Are System Health Validators?
• What Is a Health Policy?
• What Are Remediation Server Groups?
• NAP Client Configuration
• Demonstration: How to Configure Network Access Policies
What Are System Health Validators?
System Health Validators are the server-side counterparts of system health agents
• Each SHA on the client has a corresponding SHV in NPS
• SHVs allow NPS to verify the statement of health made by the corresponding SHA on the client
• SHVs specify the configuration settings required on client computers
• The Windows Security SHV corresponds to the Microsoft SHA on client computers
What Is a Health Policy?
To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network-policy basis
• After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy
What Are Remediation Server Groups?
With NAP enforcement in place, you should specify remediation server groups so that clients have access to the resources that bring noncompliant NAP-capable clients into compliance
• A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
• A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates
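The three preceding slides (SHVs, health policies, remediation server groups) and the enforcement-process diagram in Lesson 2 describe one flow: the client's SHAs report settings in a statement of health, NPS checks that statement against the matching SHV, the health policy decides compliant or noncompliant, and the network policy either grants full access or restricts the client to the remediation server group. The following Python model walks through that flow end to end. It is an added example written for this page, not code from course 6421B or from NPS; the requirement names, client settings, addresses and policy names are constructed for illustration, and the `deferred_enforcement` flag stands in for the network-policy option that grants a noncompliant client full access for a limited time (the "probation" state of event 6277).

```python
"""Model of NAP health evaluation: SoH -> SHV check -> health policy ->
network policy. Added example for this page; names and values are constructed."""
from dataclasses import dataclass, field

# Constructed subset of what the Windows Security Health Validator checks.
# Key = setting reported by the client SHA, value = what the SHV requires.
WSHV_REQUIREMENTS = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "antivirus_up_to_date": True,
    "automatic_updates_enabled": True,
}

# Remediation server group: the only hosts a restricted client may reach
# (constructed addresses).
REMEDIATION_GROUP = ("10.0.0.10", "10.0.0.11")


@dataclass
class StatementOfHealth:
    client: str
    settings: dict


@dataclass
class HealthResult:
    compliant: bool
    failed_checks: list = field(default_factory=list)


def validate_soh(soh, requirements=WSHV_REQUIREMENTS):
    """SHV side: compare each reported setting with the requirement.
    A setting the client never reported fails, because NPS cannot treat an
    unverified claim as healthy."""
    failed = [name for name, required in requirements.items()
              if soh.settings.get(name) != required]
    return HealthResult(compliant=not failed, failed_checks=failed)


def apply_network_policy(soh, deferred_enforcement=False):
    """NPS side: map the health result to one of the network policies.
    deferred_enforcement models the option that grants a noncompliant client
    full access for a limited period while it remediates (probation)."""
    result = validate_soh(soh)
    if result.compliant:
        return {"client": soh.client, "policy": "NAP compliant - full access",
                "access": "full", "remediation_servers": [], "failed_checks": []}
    if deferred_enforcement:
        return {"client": soh.client, "policy": "NAP noncompliant - deferred enforcement",
                "access": "full (probation)", "remediation_servers": [],
                "failed_checks": result.failed_checks}
    return {"client": soh.client, "policy": "NAP noncompliant - restricted access",
            "access": "restricted", "remediation_servers": list(REMEDIATION_GROUP),
            "failed_checks": result.failed_checks}


# Constructed sample SoHs; NYC-CL1 follows the lab's machine naming, the
# other two names are made up.
SAMPLE_SOHS = [
    StatementOfHealth("NYC-CL1", {"firewall_enabled": True, "antivirus_enabled": True,
                                  "antivirus_up_to_date": True,
                                  "automatic_updates_enabled": True}),
    StatementOfHealth("NYC-CL2", {"firewall_enabled": True, "antivirus_enabled": True,
                                  "antivirus_up_to_date": False,
                                  "automatic_updates_enabled": True}),
    # NYC-CL3 reports no antivirus status at all and has the firewall off
    StatementOfHealth("NYC-CL3", {"firewall_enabled": False,
                                  "automatic_updates_enabled": True}),
]


def evaluate_all(sohs=SAMPLE_SOHS, deferred_enforcement=False):
    """Evaluate every SoH and return the decision per client name."""
    return {soh.client: apply_network_policy(soh, deferred_enforcement) for soh in sohs}


if __name__ == "__main__":
    for client, decision in evaluate_all().items():
        print(client, decision["policy"], decision["failed_checks"])
```

Running the block evaluates the three sample clients: NYC-CL1 passes every check and gets the full-access policy, NYC-CL2 fails only the antivirus-signature check and is restricted to the remediation group, and NYC-CL3 fails both the setting it reported incorrectly and the two it did not report, which is the behaviour you want from an SHV so that a client cannot pass simply by staying silent about a component.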
NAP Client Configuration
• Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center
• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
• You also must configure the NAP enforcement clients on the NAP-capable computers
Demonstration: How to Configure Network Access Policies
• Install the NPS server role
• Configure NPS as a NAP health policy server
• Configure health policies
• Configure network policies for compliant computers
• Configure network policies for noncompliant computers
• Configure the DHCP server role for NAP
• Configure client NAP settings
• Test NAP
Lesson 4: Monitoring and Troubleshooting NAP
• What Is NAP Tracing?
• Demonstration: How to Configure NAP Tracing
• Troubleshooting NAP with Netsh
• NAP Event Logs
What Is NAP Tracing?
• NAP tracing identifies NAP events and records them to a log file at one of the following tracing levels:
  • Basic
  • Advanced
  • Debug
• You can use tracing logs to:
  • Evaluate the health and security of your network
  • Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs
Demonstration: How to Configure NAP Tracing
In this demonstration, you will see how to:
• Configure tracing from the GUI
• Configure tracing from the command-line
Troubleshooting NAP with Netsh
You can use the following netsh NAP commands to help you troubleshoot NAP issues:
• netsh NAP client show state
• netsh NAP client show group
• netsh NAP client show config
NAP Event Logs
Event ID Meaning
6272 Successful authentication has occurred
6273 Successful authentication has not occurred
6274 A configuration problem exists
6276 NAP client quarantined
6277 NAP client is on probation
6278 NAP client granted full access
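The event table above is what an administrator actually watches on the NPS server, so the Python below turns it into a small triage routine: it reads an event export, keeps only the NAP-related IDs from the table, counts them by meaning, and works out which clients are still quarantined, which are on probation, and whether any configuration problems (6274) need attention. It is an added example for this page, not a Microsoft tool; the three-column CSV export format and the event rows are constructed to illustrate the logic (NYC-CL1 and NYC-EDGE1 follow the lab's machine names, the other client names are made up). On a real server the rows would be exported from the Security log.

```python
"""Triage of the NAP-related NPS event IDs over a constructed event export.
Added example for this page; the export format and rows are made up."""
import csv
import io
from collections import Counter

# Event IDs and meanings as given in the module's event-log table.
NAP_EVENT_MEANING = {
    6272: "authentication succeeded",
    6273: "authentication did not succeed",
    6274: "configuration problem",
    6276: "client quarantined",
    6277: "client on probation",
    6278: "client granted full access",
}

# Constructed sample export (not real log data): one event per line.
SAMPLE_EXPORT = """\
TimeCreated,Id,Client
2024-03-01T08:00:05Z,6272,NYC-CL1
2024-03-01T08:00:05Z,6278,NYC-CL1
2024-03-01T08:02:11Z,6272,NYC-CL2
2024-03-01T08:02:11Z,6276,NYC-CL2
2024-03-01T08:05:40Z,6273,NYC-CL3
2024-03-01T08:07:00Z,6274,NYC-EDGE1
2024-03-01T08:09:30Z,6272,NYC-CL4
2024-03-01T08:09:30Z,6276,NYC-CL4
2024-03-01T08:15:00Z,6272,NYC-CL4
2024-03-01T08:15:00Z,6278,NYC-CL4
2024-03-01T08:20:00Z,6272,NYC-CL5
2024-03-01T08:20:00Z,6277,NYC-CL5
"""


def parse_events(text):
    """Read the export and keep only NAP-related event IDs, in time order."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        event_id = int(row["Id"])
        if event_id in NAP_EVENT_MEANING:
            events.append({"time": row["TimeCreated"], "id": event_id,
                           "client": row["Client"]})
    events.sort(key=lambda e: e["time"])  # stable: same-timestamp order kept
    return events


def triage(events):
    """Summarise the events: counts per meaning, current NAP state per client,
    denied clients and configuration problems."""
    counts = Counter(NAP_EVENT_MEANING[e["id"]] for e in events)
    # The most recent 6276/6277/6278 per client is its current NAP state, so a
    # client that was quarantined and later remediated is no longer listed.
    last_nap_state = {}
    for e in events:
        if e["id"] in (6276, 6277, 6278):
            last_nap_state[e["client"]] = e["id"]
    return {
        "counts": dict(counts),
        "quarantined_now": sorted(c for c, i in last_nap_state.items() if i == 6276),
        "on_probation": sorted(c for c, i in last_nap_state.items() if i == 6277),
        "denied": sorted({e["client"] for e in events if e["id"] == 6273}),
        "config_problems": sorted({e["client"] for e in events if e["id"] == 6274}),
    }


def triage_sample():
    """Run the triage over the constructed export."""
    return triage(parse_events(SAMPLE_EXPORT))


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

In the sample, NYC-CL4 is quarantined at 08:09 and granted full access at 08:15, so only NYC-CL2 appears as currently quarantined; NYC-CL5 is on probation, NYC-CL3 was denied, and the 6274 event on NYC-EDGE1 is reported separately because a configuration problem on the NPS side blocks enforcement for every client, not just one.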
Lab: Implementing NAP into a VPN Remote Access Solution
• Exercise 1: Configuring NAP Components
• Exercise 2: Configuring Client Settings to support NAP
Estimated time: 60 minutes
Logon information
Virtual machines: 6421B-NYC-DC1, 6421B-NYC-EDGE1, 6421B-NYC-CL1
User name: Contoso\Administrator
Password: Pa$$w0rd
Lab Scenario
Contoso, Ltd. is required to extend their virtual private
network solution to include Network Access Protection.
As a Contoso, Ltd. technology specialist, you need to
establish a way to bring client computers automatically into
compliance. You will do this by using Network Policy Server,
creating client compliance policies, and configuring a NAP
server to check the current health of computers.
Lab Review
• The DHCP NAP enforcement method is the weakest enforcement method in Microsoft Windows Server 2008 R2. What makes it less preferable than other ways?
• Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would be realized by using such a scenario?
• Could you have used DHCP NAP enforcement for the client? Why or why not?
Module Review and Takeaways
• Review Questions
• Tools

More Related Content

What's hot

Server and application monitoring webinars [Applications Manager] - Part 3
Server and application monitoring webinars [Applications Manager] - Part 3Server and application monitoring webinars [Applications Manager] - Part 3
Server and application monitoring webinars [Applications Manager] - Part 3ManageEngine, Zoho Corporation
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...David Wallom
 
NetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings rightNetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings rightManageEngine, Zoho Corporation
 
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow AnalyzerIT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow AnalyzerManageEngine, Zoho Corporation
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)rinnocente
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for SeacoastSithideth Banavong
 
Server and application monitoring webinars [Applications Manager] - Part 2
Server and application monitoring webinars [Applications Manager] - Part 2Server and application monitoring webinars [Applications Manager] - Part 2
Server and application monitoring webinars [Applications Manager] - Part 2ManageEngine, Zoho Corporation
 
Requirements for an internet connectivity solution 1
Requirements for an internet connectivity solution 1Requirements for an internet connectivity solution 1
Requirements for an internet connectivity solution 1Dinesh Kumar
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS ProtocolsPeter R. Egli
 
Configuring and administrate server
Configuring and administrate serverConfiguring and administrate server
Configuring and administrate serverGera Paulos
 
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManagerGulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManagerManageEngine, Zoho Corporation
 
Metrics are Not Enough: Monitoring Apache Kafka / Gwen Shapira (Confluent)
Metrics are Not Enough: Monitoring Apache Kafka / Gwen Shapira (Confluent)Metrics are Not Enough: Monitoring Apache Kafka / Gwen Shapira (Confluent)
Metrics are Not Enough: Monitoring Apache Kafka / Gwen Shapira (Confluent)Ontico
 
Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABBenith T
 

What's hot (20)

Opmanager technical overview
Opmanager technical overviewOpmanager technical overview
Opmanager technical overview
 
Network Configuration Management - Mumbai Seminar
Network Configuration Management - Mumbai SeminarNetwork Configuration Management - Mumbai Seminar
Network Configuration Management - Mumbai Seminar
 
Server and application monitoring webinars [Applications Manager] - Part 3
Server and application monitoring webinars [Applications Manager] - Part 3Server and application monitoring webinars [Applications Manager] - Part 3
Server and application monitoring webinars [Applications Manager] - Part 3
 
Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...Trust and Cloud computing, removing the need for the consumer to trust their ...
Trust and Cloud computing, removing the need for the consumer to trust their ...
 
NetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings rightNetFlow Analyzer Training Part I: Getting the initial settings right
NetFlow Analyzer Training Part I: Getting the initial settings right
 
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow AnalyzerIT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
 
radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)radius dhcp dot1.x (802.1x)
radius dhcp dot1.x (802.1x)
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast802.1x Implementation Plan for Seacoast
802.1x Implementation Plan for Seacoast
 
Server and application monitoring webinars [Applications Manager] - Part 2
Server and application monitoring webinars [Applications Manager] - Part 2Server and application monitoring webinars [Applications Manager] - Part 2
Server and application monitoring webinars [Applications Manager] - Part 2
 
Spamtitan_brochure_V3
Spamtitan_brochure_V3Spamtitan_brochure_V3
Spamtitan_brochure_V3
 
Hp open view(hp ov)
Hp open view(hp ov)Hp open view(hp ov)
Hp open view(hp ov)
 
Chapter08
Chapter08Chapter08
Chapter08
 
Requirements for an internet connectivity solution 1
Requirements for an internet connectivity solution 1Requirements for an internet connectivity solution 1
Requirements for an internet connectivity solution 1
 
AAA & RADIUS Protocols
AAA & RADIUS ProtocolsAAA & RADIUS Protocols
AAA & RADIUS Protocols
 
Configuring and administrate server
Configuring and administrate serverConfiguring and administrate server
Configuring and administrate server
 
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManagerGulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
 
AAA in a nutshell
AAA in a nutshellAAA in a nutshell
AAA in a nutshell
 
Metrics are Not Enough: Monitoring Apache Kafka / Gwen Shapira (Confluent)
Metrics are Not Enough: Monitoring Apache Kafka / Gwen Shapira (Confluent)Metrics are Not Enough: Monitoring Apache Kafka / Gwen Shapira (Confluent)
Metrics are Not Enough: Monitoring Apache Kafka / Gwen Shapira (Confluent)
 
Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LAB
 

Similar to Implementing Network Access Protection in 40 Characters

Network Access COntrol asdfcxzqwe asd asdd .ppt
Network Access COntrol asdfcxzqwe asd asdd .pptNetwork Access COntrol asdfcxzqwe asd asdd .ppt
Network Access COntrol asdfcxzqwe asd asdd .pptjrsocmad
 
Net Rounds Product Sheet
Net Rounds Product SheetNet Rounds Product Sheet
Net Rounds Product Sheetguest3f034b
 
Network Load Balancing.pptx
Network Load Balancing.pptxNetwork Load Balancing.pptx
Network Load Balancing.pptxVydhehSumod
 
Radio network optimization flow 20090429-a-4.0
Radio network optimization flow 20090429-a-4.0Radio network optimization flow 20090429-a-4.0
Radio network optimization flow 20090429-a-4.0Mashaal322
 
Openstack Overview
Openstack OverviewOpenstack Overview
Openstack Overviewrajdeep
 
4966709.ppt
4966709.ppt4966709.ppt
4966709.pptImXaib
 
KKBOX WWDC17 Security - Antony
KKBOX WWDC17 Security - AntonyKKBOX WWDC17 Security - Antony
KKBOX WWDC17 Security - AntonyLiyao Chen
 
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hackingDesmond Devendran
 
NCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and ReportsNCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and ReportsManageEngine, Zoho Corporation
 
Free training on Network Configuration Manager - Season 2 - Part 2
Free training on Network Configuration Manager - Season 2 - Part 2Free training on Network Configuration Manager - Season 2 - Part 2
Free training on Network Configuration Manager - Season 2 - Part 2ManageEngine, Zoho Corporation
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id conceptsMostafa El Lathy
 
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Export flows, group traffic, map application traffic and more: NetFlow Analyz...Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Export flows, group traffic, map application traffic and more: NetFlow Analyz...ManageEngine, Zoho Corporation
 
NFV Use Case_Virtual Network Function As Service
NFV Use Case_Virtual Network Function As ServiceNFV Use Case_Virtual Network Function As Service
NFV Use Case_Virtual Network Function As ServiceAbdul Ravoof
 

Similar to Implementing Network Access Protection in 40 Characters (20)

Network Access COntrol asdfcxzqwe asd asdd .ppt
Network Access COntrol asdfcxzqwe asd asdd .pptNetwork Access COntrol asdfcxzqwe asd asdd .ppt
Network Access COntrol asdfcxzqwe asd asdd .ppt
 
6421 b Module-09
6421 b Module-096421 b Module-09
6421 b Module-09
 
Net Rounds Product Sheet
Net Rounds Product SheetNet Rounds Product Sheet
Net Rounds Product Sheet
 
Network Load Balancing.pptx
Network Load Balancing.pptxNetwork Load Balancing.pptx
Network Load Balancing.pptx
 
Senthil _Updated _Resume_V1
Senthil _Updated _Resume_V1Senthil _Updated _Resume_V1
Senthil _Updated _Resume_V1
 
Radio network optimization flow 20090429-a-4.0
Radio network optimization flow 20090429-a-4.0Radio network optimization flow 20090429-a-4.0
Radio network optimization flow 20090429-a-4.0
 
Openstack Overview
Openstack OverviewOpenstack Overview
Openstack Overview
 
MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01MCSA 70-412 Chapter 01
MCSA 70-412 Chapter 01
 
whats-new_Fireware_v11-10
whats-new_Fireware_v11-10whats-new_Fireware_v11-10
whats-new_Fireware_v11-10
 
4966709.ppt
4966709.ppt4966709.ppt
4966709.ppt
 
KKBOX WWDC17 Security - Antony
KKBOX WWDC17 Security - AntonyKKBOX WWDC17 Security - Antony
KKBOX WWDC17 Security - Antony
 
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
 
NCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and ReportsNCM Training - Part 2 - Automation, Notification, Compliance and Reports
NCM Training - Part 2 - Automation, Notification, Compliance and Reports
 
Virtual Private Network
Virtual Private NetworkVirtual Private Network
Virtual Private Network
 
INT_Ch17.pptx
INT_Ch17.pptxINT_Ch17.pptx
INT_Ch17.pptx
 
Vp ns
Vp nsVp ns
Vp ns
 
Free training on Network Configuration Manager - Season 2 - Part 2
Free training on Network Configuration Manager - Season 2 - Part 2Free training on Network Configuration Manager - Season 2 - Part 2
Free training on Network Configuration Manager - Season 2 - Part 2
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id concepts
 
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Export flows, group traffic, map application traffic and more: NetFlow Analyz...Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
 
NFV Use Case_Virtual Network Function As Service
NFV Use Case_Virtual Network Function As ServiceNFV Use Case_Virtual Network Function As Service
NFV Use Case_Virtual Network Function As Service
 

More from Bibekananada Jena

More from Bibekananada Jena (10)

6421 b Module-13
6421 b Module-136421 b Module-13
6421 b Module-13
 
6421 b Module-12
6421 b Module-126421 b Module-12
6421 b Module-12
 
6421 b Module-11
6421 b Module-116421 b Module-11
6421 b Module-11
 
6421 b Module-10
6421 b  Module-106421 b  Module-10
6421 b Module-10
 
6421 b Module-08
6421 b Module-086421 b Module-08
6421 b Module-08
 
6421 b Module-04
6421 b Module-046421 b Module-04
6421 b Module-04
 
6421 b Module-03
6421 b Module-036421 b Module-03
6421 b Module-03
 
6421 b Module-02
6421 b Module-026421 b Module-02
6421 b Module-02
 
Course 6421B introduction
Course 6421B introduction Course 6421B introduction
Course 6421B introduction
 
6421 b Module-01 Planning and Configuring IPv4
6421 b Module-01 Planning and Configuring IPv46421 b Module-01 Planning and Configuring IPv4
6421 b Module-01 Planning and Configuring IPv4
 

Recently uploaded

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 

Recently uploaded (20)

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...

1. Module 7: Implementing Network Access Protection
2. Module Overview
• Overview of Network Access Protection
• How NAP Works
• Configuring NAP
• Monitoring and Troubleshooting NAP

3. Lesson 1: Overview of Network Access Protection
• What Is Network Access Protection?
• NAP Scenarios
• NAP Enforcement Methods
• NAP Platform Architecture
4. What Is Network Access Protection?
Network Access Protection can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:
• Prevent an authorized user on a compliant computer from introducing malware or otherwise misusing the network
• Protect the network from malicious users; NAP evaluates the health state a computer reports, not the intent of the person using it
5. NAP Scenarios
NAP helps you verify the health state of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers

6. NAP Enforcement Methods
IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• The strongest NAP enforcement type; can be applied per IP address or protocol port number
802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authenticating switch or access point)
VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a RAS connection
DirectAccess
• Computer must be compliant to obtain unlimited network access
• For noncompliant computers, access is restricted to a defined group of infrastructure servers
DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited-access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement

7. NAP Platform Architecture
[Diagram: NAP platform architecture. Components shown: Intranet, Remediation Servers, Internet, NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, Active Directory, VPN Server, Restricted Network, NAP Client with limited access, Perimeter Network]
8. Lesson 2: How NAP Works
• NAP Enforcement Processes
• IPsec Enforcement
• 802.1X Enforcement
• VPN Enforcement
• DHCP Enforcement
9. NAP Enforcement Processes
[Diagram: NAP enforcement process flow. Components shown: NAP Client; enforcement points (HRA, VPN Server, DHCP Server, IEEE 802.1X Network Access Devices); NAP Health Policy Server; Health Requirement Server; Remediation Server. Message flows: RADIUS Messages, System Health Updates, System Health Requirement Queries]
10. IPsec Enforcement
[Diagram: NAP platform architecture (as on slide 7)]
Key Points of IPsec NAP Enforcement:
• Consists of a health certificate server (the Health Registration Authority) and an IPsec NAP enforcement client (EC)
• The health certificate server issues X.509 health certificates to NAP clients once they are verified as compliant
• Clients then use these certificates to authenticate when they initiate IPsec-secured communications with other NAP clients on the intranet
• IPsec enforcement confines communication on the network to nodes that are considered compliant
• You can define requirements for secure communications with compliant clients on a per-IP address or per-TCP/UDP port number basis

11. 802.1X Enforcement
[Diagram: NAP platform architecture (as on slide 7)]
Key Points of 802.1X Wired or Wireless NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
• Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless access point places on the connection
• Restricted-access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
• 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted-access profile to the connection if the client becomes noncompliant

12. VPN Enforcement
[Diagram: NAP platform architecture (as on slide 7)]
Key Points of VPN NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through a remote access VPN connection
• Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
• VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant

13. DHCP Enforcement
[Diagram: NAP platform architecture (as on slide 7)]
Key Points of DHCP NAP Enforcement:
• Computer must be compliant to obtain an unlimited-access IPv4 address configuration from a DHCP server
• Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
• DHCP enforcement actively monitors the health status of the NAP client and, if the client becomes noncompliant, renews its IPv4 address configuration with access only to the restricted network
• Caveat: DHCP enforcement is the weakest method because it only constrains clients that ask DHCP for an address; a user with local administrator rights who assigns a static IPv4 address bypasses it entirely, and it does not cover IPv6 configuration
14. Lesson 3: Configuring NAP
• What Are System Health Validators?
• What Is a Health Policy?
• What Are Remediation Server Groups?
• NAP Client Configuration
• Demonstration: How to Configure Network Access Policies
15. What Are System Health Validators?
System Health Validators (SHVs) are the server-side counterparts of system health agents (SHAs)
• Each SHA on the client has a corresponding SHV in NPS
• An SHV allows NPS to verify the statement of health (SoH) made by its corresponding SHA on the client
• An SHV defines the configuration settings that client computers are required to have
• The Windows Security Health Validator corresponds to the Microsoft-provided Windows Security Health Agent on client computers

16. What Is a Health Policy?
To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings that define the configuration requirements for NAP-capable computers that attempt to connect to your network
• You define client health policies in NPS by adding one or more SHVs to the health policy
• NPS applies NAP enforcement on a per-network-policy basis
• After you create a health policy by adding one or more SHVs to it, you add the health policy to a network policy and enable NAP enforcement in that network policy
17. What Are Remediation Server Groups?
With NAP enforcement in place, you should specify remediation server groups so that noncompliant NAP-capable clients have access to the resources that bring them into compliance
• A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
• A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates

18. NAP Client Configuration
• Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center
• The Network Access Protection Agent service is required when you deploy NAP to NAP-capable client computers
• You also must configure the NAP enforcement clients on the NAP-capable computers

19. Demonstration: How to Configure Network Access Policies
• Install the NPS server role
• Configure NPS as a NAP health policy server
• Configure health policies
• Configure network policies for compliant computers
• Configure network policies for noncompliant computers
• Configure the DHCP server role for NAP
• Configure client NAP settings
• Test NAP
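The following is an added example, not part of the course slides or the lab, showing the DHCP server side of the step "Configure the DHCP server role for NAP" as PowerShell. It uses the DhcpServer module that ships with Windows Server 2012 and later (the 6421B demonstration uses the Windows Server 2008 R2 DHCP console for the same settings). The scope ID, the restricted DNS suffix and the DNS/remediation server address are made-up values; the user class name is the one the Windows DHCP server creates when NAP is enabled.

```powershell
# Added example (not from the course slides): DHCP NAP enforcement settings on a
# Windows DHCP server via the DhcpServer PowerShell module (Windows Server 2012+).
# Scope ID, restricted DNS suffix and DNS server address are hypothetical values.
Import-Module DhcpServer

$scopeId             = '10.10.0.0'                 # hypothetical scope
$restrictedDns       = 'restricted.contoso.com'    # hypothetical suffix
$restrictedDnsServer = '10.10.0.50'                # hypothetical remediation/DNS host
# The DHCP server creates this user class when NAP is enabled; options set on
# it are handed only to clients that NPS reports as noncompliant.
$napClass = 'Default Network Access Protection Class'

# 1. Server-wide: enable NAP and choose what happens when NPS is unreachable.
#    'Restricted' fails closed (restricted leases); 'Full' would fail open and
#    hand every client an unrestricted lease while the policy server is down.
Set-DhcpServerSetting -NapEnabled $true -NpsUnreachableAction Restricted

# 2. Scope-level: enable NAP on the scope that will serve NAP clients.
Set-DhcpServerv4Scope -ScopeId $scopeId -NapEnable $true

# 3. Options for noncompliant clients. The DHCP server already gives them a
#    255.255.255.255 mask and no default gateway; these options only make the
#    restricted network's names resolvable so remediation can proceed.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -UserClass $napClass `
    -DnsDomain $restrictedDns -DnsServer $restrictedDnsServer

# 4. Verify what was applied before testing with a client.
Get-DhcpServerSetting | Select-Object NapEnabled, NpsUnreachableAction
Get-DhcpServerv4Scope -ScopeId $scopeId | Select-Object ScopeId, NapEnable, NapProfile
Get-DhcpServerv4OptionValue -ScopeId $scopeId -UserClass $napClass |
    Select-Object OptionId, Name, Value
```

The NpsUnreachableAction choice is the security-relevant one: leaving it at Full means an outage of the health policy server silently disables enforcement. Routes that let quarantined clients reach remediation servers are normally delivered through the Classless Static Routes DHCP option on the same user class; and, as slide 6 notes, none of this constrains a client that configures a static address instead of asking DHCP.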
20. Lesson 4: Monitoring and Troubleshooting NAP
• What Is NAP Tracing?
• Demonstration: How to Configure NAP Tracing
• Troubleshooting NAP with Netsh
• NAP Event Logs
21. What Is NAP Tracing?
• NAP tracing identifies NAP events and records them to a log file at one of the following tracing levels:
  • Basic
  • Advanced
  • Debug
• You can use tracing logs to:
  • Evaluate the health and security of your network
  • Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs
22. Demonstration: How to Configure NAP Tracing
In this demonstration, you will see how to:
• Configure tracing from the GUI
• Configure tracing from the command line
23. Troubleshooting NAP with Netsh
You can use the following netsh NAP commands on a client to help troubleshoot NAP issues (netsh accepts abbreviated keywords, so "show group" and "show config" work as shorthand for the full forms):
• netsh nap client show state
• netsh nap client show grouppolicy
• netsh nap client show configuration
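The following is an added example, not part of the course slides, that ties the client-side checks from slides 18, 21 and 23 into one triage script: the services NAP needs, the three netsh views, the presence of an IPsec health certificate, and a trace capture. It assumes an elevated PowerShell session on the NAP client, that %SystemRoot%\tracing\nap is the NAP Agent's default trace directory, and that 1.3.6.1.4.1.311.47.1.1 is the System Health Authentication EKU carried by NAP health certificates.

```powershell
# Added example (not from the course slides): client-side NAP triage.
# Run elevated on the NAP client. Trace path and EKU OID are stated assumptions.

# 1. Services (slide 18): the NAP Agent (napagent) must run; the Windows
#    Security Health Agent additionally needs the Security Center service.
foreach ($name in 'napagent', 'wscsvc') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed"; continue }
    '{0,-9} state={1,-8} startmode={2}' -f $name, $svc.State, $svc.StartMode
    if ($svc.StartMode -ne 'Auto') {
        Write-Warning "$name is not set to start automatically; NAP will not apply after a reboot"
    }
}

# 2. netsh views (slide 23). 'state' lists each enforcement client and whether
#    it is initialized; 'grouppolicy' shows settings delivered by Group Policy,
#    which override the local 'configuration'.
foreach ($view in 'state', 'grouppolicy', 'configuration') {
    Write-Host "`n=== netsh nap client show $view ==="
    netsh nap client show $view
}

# 3. IPsec enforcement only: a compliant client holds a health certificate with
#    the System Health Authentication EKU in the machine store (OID assumed).
$healthEku   = '1.3.6.1.4.1.311.47.1.1'
$healthCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $healthEku }
if ($healthCerts) {
    $healthCerts | Select-Object Subject, Issuer, NotAfter
} else {
    Write-Host 'No health certificate present (expected if IPsec enforcement is not used or the client is noncompliant)'
}

# 4. Tracing (slides 21-22): enable at the advanced level, reproduce the failing
#    connection, disable, then list the newest logs. Run
#    "netsh nap client set tracing ?" to see the other level keywords.
netsh nap client set tracing state=enable level=advanced
Read-Host 'Tracing enabled. Reproduce the connection attempt, then press Enter'
netsh nap client set tracing state=disable
Get-ChildItem "$env:SystemRoot\tracing\nap" -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime
```

If "netsh nap client show state" itself fails, fix the service state first; the enforcement clients cannot report anything while the NAP Agent is stopped. Remember to disable tracing when finished, since the logs grow on every health evaluation.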
24. NAP Event Logs
NPS records these events in the Security log of the NAP health policy server (source Microsoft-Windows-Security-Auditing); they appear only when the "Network Policy Server" audit subcategory is enabled.
Event ID  Meaning
6272      NPS granted access to a user (authentication succeeded)
6273      NPS denied access to a user (authentication failed)
6274      NPS discarded the request, typically because of a configuration problem
6276      NPS quarantined the NAP client (noncompliant)
6277      NPS granted access but placed the NAP client on probation (health policy not met)
6278      NPS granted full access (health policy met)
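The following is an added example, not part of the course slides, showing how to use the event IDs in the table above on the NAP health policy server: it confirms the audit subcategory is on, summarizes the last 24 hours of NPS events by ID, and dumps the data fields of quarantine and probation events. The event IDs and their meanings are those from the table; the script does not assume the names of the per-event data fields, because they differ by enforcement method.

```powershell
# Added example (not from the course slides): summarize NAP-related NPS audit
# events on the health policy server. Requires the "Network Policy Server"
# audit subcategory to be enabled; otherwise the Security log holds nothing.

# Meanings per the slide table (6274 is literally "request discarded", which
# is almost always caused by a configuration problem).
$napEvents = @{
    6272 = 'Access granted (authentication succeeded)'
    6273 = 'Access denied'
    6274 = 'Request discarded (configuration problem likely)'
    6276 = 'Client quarantined (noncompliant)'
    6277 = 'Client on probation (noncompliant, deferred enforcement)'
    6278 = 'Client granted full access (compliant)'
}

# Check the audit policy first; with it off the query below returns nothing.
auditpol /get /subcategory:"Network Policy Server"

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($napEvents.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Host "No NPS events since $since"; return }

# Counts per event ID, labelled with the table meaning.
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '{0,6}  {1,5}  {2}' -f $_.Name, $_.Count, $napEvents[[int]$_.Name]
}

# For quarantined / probation clients, print every named data field of the
# event without assuming field names (they vary by enforcement method).
$events | Where-Object { $_.Id -in 6276, 6277 } | ForEach-Object {
    $xml = [xml]$_.ToXml()
    Write-Host "`n[$($_.TimeCreated)] Event $($_.Id): $($napEvents[$_.Id])"
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.'#text') { '  {0,-28} {1}' -f $d.Name, $d.'#text' }
    }
}
```

A steady stream of 6276 events for one client with no following 6278 usually means remediation is not reachable from the restricted network; a burst of 6274 events after a change points at the network policy or RADIUS client configuration rather than at client health.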
25. Lab: Implementing NAP into a VPN Remote Access Solution
• Exercise 1: Configuring NAP Components
• Exercise 2: Configuring Client Settings to Support NAP
Estimated time: 60 minutes
Logon information
Virtual machines: 6421B-NYC-DC1, 6421B-NYC-EDGE1, 6421B-NYC-CL1
User name: Contoso\Administrator
Password: Pa$$w0rd

26. Lab Scenario
Contoso, Ltd. is required to extend its virtual private network solution to include Network Access Protection. As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.

27. Lab Review
• The DHCP NAP enforcement method is the weakest enforcement method in Microsoft Windows Server 2008 R2. What makes it less preferable than other methods?
• Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would be realized by using such a scenario?
• Could you have used DHCP NAP enforcement for the client? Why or why not?

28. Module Review and Takeaways
• Review Questions
• Tools