Transcript 6416B_06

Module 6: Network Policies and Access Protection
Module Overview
Describe how Network Policies Access Protection (NAP) works
Identify NAP enforcement options
Identify scenarios for NAP usage
Describe Routing and Remote Access (RRAS)
Lesson 1: Network Policies Access Protection
Identify uses for NAP
Describe NAP
Describe how NAP integrates with other components
Describe NAP architecture
Describe Network Layer Protection with NAP
Describe Host Layer Protection with NAP
Why Use Network Access Protection?
Healthy computer
Unhealthy computer
Private Network
Network Protection Services Overview
Network Policy Server (NPS)
Network Access Protection (NAP) Policy Server
IEEE 802.11 Wireless
IEEE 802.3 Wired
RADIUS Server
RADIUS Proxy
Routing and Remote Access
  Remote Access Service
  Routing
Health Registration Authority (HRA)
NAP Architecture Overview
Remediation Servers
System Health Servers
Updates
Client
Health Statements
Network Access Requests
System Health Agent (SHA)
Health policy
MS Network Policy Server
MS and 3rd Parties
Quarantine Agent (QA)
Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN)
Health Certificate
Network Access Devices and Servers
System Health Validator
Quarantine Server (QS)
Network Layer Protection with NAP
Restricted Network
Remediation Servers
System Health Servers
Client
802.1x Switch
MS NPS
Ongoing policy updates to Network Policy Server
May I have access?
Requesting access. Here’s my current health status.
Should this client be restricted based on its health?
According to policy, the client is not up to date. Quarantine client, request it to update.
You are given restricted access until fix-up.
Can I have updates?
Here you go.
Here’s my new health status.
According to policy, the client is up to date. Grant access.
Client is granted access to full intranet.
Host Layer Protection with NAP
No Policy
Authentication Optional
Authentication Required
Client
HRA
NPS
Remediation Server
Accessing the network
May I have a health certificate? Here’s my SoH.
Client ok?
No. Needs fix-up.
You don’t get a health certificate. Go fix up.
I need updates.
Here you go.
Yes. Issue health certificate.
Here’s your health certificate.
Lesson 2: Enforcement Options
Identify the NAP enforcement options
Show how NAP works with DHCP enforcement
Show how NAP works with IPsec-based communication
Show how NAP works with RRAS
NAP – Enforcement Options
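Enforcement: DHCP
  Healthy Client: Full IP address given, full access
  Unhealthy Client: Restricted set of routes
Enforcement: VPN
  Healthy Client: Full access
  Unhealthy Client: Restricted VLAN
Enforcement: 802.1X
  Healthy Client: Full access
  Unhealthy Client: Restricted VLAN
Enforcement: IPsec
  Healthy Client: Can communicate with any trusted peer
  Unhealthy Client: Healthy peers reject connection requests from unhealthy systems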
Complements layer 2 protection
Works with existing servers and infrastructure
Offers flexible isolation
NAP with DHCP
I need to lease an IP address
Requesting access.
Here’s my new health status.
Client
IEEE 802.1X Devices
DHCP Server
You are not within the Health Policy requirements
Access Granted. Here is your new IP Address
The client requests and receives updates
Remediation Servers
NPS Server
VPN Server
IPsec-based Communication
Secure network
IPsec Authenticated
Unauthenticated
Boundary network
Restricted network
NAP with RRAS
RADIUS Messages
PEAP Messages
Client
VPN Server
Remediation Servers
NPS Server
Lesson 3: Network Access Protection Scenarios
Describe a roaming laptops NAP scenario
Describe a desktop computers NAP scenario
Describe a visiting laptops NAP scenario
Describe an unmanaged home computer NAP scenario
Scenario 1: Roaming Laptops
NAP
Scenario 2: Health of Desktop Computers
Network Policy Server
Scenario 3: Health of Visiting Laptops
Network Policy Server
Scenario 4: Unmanaged Home Computers