Module 6: Network Policies and Access Protection
Module Overview
- Describe how Network Access Protection (NAP) works
- Identify NAP enforcement options
- Identify scenarios for NAP usage
- Describe Routing and Remote Access (RRAS)
Lesson 1: Network Access Protection
- Identify uses for NAP
- Describe NAP
- Describe how NAP integrates with other components
- Describe NAP architecture
- Describe Network Layer Protection with NAP
- Describe Host Layer Protection with NAP
Why Use Network Access Protection?
[Figure: a healthy computer and an unhealthy computer, each attempting to reach the private network]
Network Protection Services Overview
- Network Policy Server (NPS)
- Network Access Protection (NAP) Policy Server
- IEEE 802.11 Wireless
- IEEE 802.3 Wired
- RADIUS Server
- RADIUS Proxy
- Routing and Remote Access: Remote Access Service, Routing
- Health Registration Authority (HRA)
Network Access Protection Solution
- Policy Validation
- Network Restriction
- Remediation
- Ongoing Compliance
Defense-in-depth layers the solution fits into: Data, Application, Host, Internal Network, Perimeter, Policies, Procedures & Awareness
NAP Architecture Overview
- Client side: System Health Agent (SHA) from Microsoft and 3rd parties, Quarantine Agent (QA), Enforcement Client (EC) for DHCP, IPsec, 802.1X and VPN
- Client sends Health Statements and Network Access Requests; may receive a Health Certificate
- Network Access Devices and Servers enforce the decision
- Server side: Microsoft Network Policy Server with System Health Validator and Quarantine Server (QS), evaluating against the health policy
- Supporting servers: Remediation Servers (supply updates to the client) and System Health Servers (supply policy updates to NPS)
Network Layer Protection with NAP
[Figure: client, 802.1X switch, Microsoft NPS, remediation servers and system health servers; the remediation servers sit in the restricted network]
1. Client to switch: "May I have access? Here's my current health status."
2. Switch to NPS: "Should this client be restricted based on its health?"
3. NPS: "According to policy, the client is not up to date. Quarantine until fix-up."
4. Switch to client: "You are given restricted access until fix-up."
5. Client to remediation servers: "Can I have updates?" Remediation servers: "Here you go."
6. Client to switch: "Requesting access. Here's my new health status."
7. NPS: "According to policy, the client is up to date. Grant access."
8. Client is granted access to the full intranet.
Throughout, the system health servers send ongoing policy updates to the Network Policy Server.
Host Layer Protection with NAP
[Figure: client, HRA, NPS and remediation server; the network is divided into zones marked No Policy, Authentication Optional and Authentication Required]
1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client OK?"
3. NPS: "No. Needs fix-up."
4. HRA to client: "You don't get a health certificate. Go fix up."
5. Client to remediation server: "I need updates." Remediation server: "Here you go."
6. Client repeats the request to the HRA with its updated SoH.
7. NPS: "Yes. Issue health certificate."
8. HRA to client: "Here's your health certificate."
Lesson 2: Enforcement Options
- Identify the NAP enforcement options
- Show how NAP works with DHCP enforcement
- Show how NAP works with IPsec-based communication
- Show how NAP works with RRAS
NAP Enforcement Options
Enforcement   Healthy client                          Unhealthy client
DHCP          Full IP address given, full access      Restricted set of routes
VPN           Full access                             Restricted VLAN
802.1X        Full access                             Restricted VLAN
IPsec         Can communicate with any trusted peer   Healthy peers reject connection requests from unhealthy systems
Additional points:
- Complements layer 2 protection
- Works with existing servers and infrastructure
- Offers flexible isolation
NAP with DHCP
[Figure: client, DHCP server, NPS server and remediation servers; IEEE 802.1X devices and a VPN server appear as alternative enforcement points]
1. Client to DHCP server: "I need to lease an IP address. Here's my health status."
2. DHCP server to NPS server: "Requesting access."
3. NPS server: "You are not within the Health Policy requirements."
4. The client requests and receives updates from the remediation servers.
5. Client to DHCP server: "Here's my new health status."
6. DHCP server to client: "Access Granted. Here is your new IP address."
IPsec-based Communication
- Secure network: IPsec authenticated
- Boundary network: between the secure and restricted networks
- Restricted network: unauthenticated
NAP with RRAS
[Figure: client and VPN server exchange PEAP messages; VPN server and NPS server exchange RADIUS messages; remediation servers are reachable from the restricted client]
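The health check flow shown in the protection diagrams and the enforcement table above, as an added simulation (constructed example, not code from the slides or from Windows NAP). The policy checks, the claim names and the remediation step are assumptions; the enforcement outcomes come from the table.

```python
"""Simulate NAP: SHA statement of health -> NPS validation -> enforcement -> remediation -> re-check."""
from dataclasses import dataclass

# Health policy enforced by the simulated System Health Validator (check names are constructed).
HEALTH_POLICY = {"firewall_enabled": True, "antivirus_up_to_date": True, "patches_current": True}

# What a healthy and an unhealthy client receive per enforcement method (from the slide's table).
ENFORCEMENT = {
    "DHCP":   ("full IP address, full access", "restricted set of routes"),
    "VPN":    ("full access", "restricted VLAN"),
    "802.1X": ("full access", "restricted VLAN"),
    "IPsec":  ("can communicate with any trusted peer", "healthy peers reject connection requests"),
}

@dataclass
class StatementOfHealth:
    """What the client's System Health Agent reports (SoH); a missing claim is treated as failed."""
    claims: dict

def validate(soh):
    """SHV logic: return (compliant, failed_checks). The failed list is what the SoHR reports back."""
    failed = [name for name, required in HEALTH_POLICY.items() if soh.claims.get(name) != required]
    return (not failed, failed)

def decide(soh, method):
    """NPS decision: map the validation result to the outcome for the given enforcement method."""
    compliant, failed = validate(soh)
    healthy_outcome, restricted_outcome = ENFORCEMENT[method]
    return {"compliant": compliant, "remediate": failed,
            "access": healthy_outcome if compliant else restricted_outcome}

def remediate(soh, failed):
    """Remediation server step: fix exactly the checks the SoHR listed and return the new SoH."""
    fixed = {name: HEALTH_POLICY[name] for name in failed}
    return StatementOfHealth({**soh.claims, **fixed})

def nap_cycle(soh, method):
    """Full flow: request, restriction, remediation, re-request. Returns (first, second) decisions."""
    first = decide(soh, method)
    if first["compliant"]:
        return first, first
    second = decide(remediate(soh, first["remediate"]), method)
    return first, second

if __name__ == "__main__":
    # Constructed client: firewall on, antivirus stale, no patch claim at all.
    client = StatementOfHealth({"firewall_enabled": True, "antivirus_up_to_date": False})
    for method in ENFORCEMENT:
        before, after = nap_cycle(client, method)
        print(f"{method}: first -> {before['access']}; after fix-up -> {after['access']}")
```
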
Lesson 3: Network Access Protection Scenarios
- Describe a roaming laptops NAP scenario
- Describe a desktop computers NAP scenario
- Describe a visiting laptops NAP scenario
- Describe an unmanaged home computer NAP scenario
Scenario 1: Roaming Laptops
[Figure: roaming laptops and NAP]
Scenario 2: Health of Desktop Computers
[Figure: desktop computers and the Network Policy Server]
Scenario 3: Health of Visiting Laptops
[Figure: visiting laptops and the Network Policy Server]
Scenario 4: Unmanaged Home Computers
Lesson 4: Routing and Remote Access (RRAS)
- Plan RRAS configuration
- Describe scenarios and features of Microsoft RRAS
- Configure SSTP remote access servers
- Configure SSTP remote access clients
- Using packet filtering
- How packet filters are applied
RRAS Configuration Considerations
[Figure: VPN client connecting to VPN server]
- IP addressing
- Tunneling
- Remote access policy
- Filtering
Features of Microsoft RRAS
Scenarios:
- Remote access
- Site-to-site connectivity
- Internet access router
- LAN router
Optional features:
- RRAS packet filter configuration
- Connection Manager Administration Kit
- Multicast scope configuration
- Unicast routing
- Authentication schemes
- Strong encryption
Configure SSTP Remote Access Server
Configure the RRAS server:
1. Install Active Directory Certificate Services and Web Server
2. Create and install the Server Authentication certificate
3. Install Routing and Remote Access
4. Configure Routing and Remote Access
Configure SSTP Remote Access Client
Configure the SSTP-enabled client:
1. Windows Vista with Service Pack 1 is required for SSTP VPN
2. Obtain a trusted root CA certificate
3. Move the certificate to the Trusted Root Certification Authorities location
4. Configure an SSTP-based connection
Using Packet Filtering
Packet filtering prevents certain types of packets from being sent or received across a router.
[Figure: inbound filter on one router interface, outbound filter on the other]
Use packet filtering to:
- Prevent access by unauthorized computers
- Prevent access to resources
- Improve network performance
How Packet Filters Are Applied
[Figure: a packet arriving at a router is checked against the inbound exclusion filter]
Example inbound exclusion filter components:
Filter 1                                    Filter 2
Source network:      192.168.0.48           Source network:      Any
Destination network: 192.168.0.32168        Destination network: 192.168.0.32168
Protocol:            UDP                    Protocol:            UDP
Action: Drop
How filters are applied:
- AND is used within a filter (every component must match)
- OR is used between filters (a packet matching any filter triggers the action)
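An added evaluator for the AND-within / OR-between rule above, with both RRAS filter modes (exclusion: receive everything except matching packets; inclusion: drop everything except matching packets). This is constructed example code, not RRAS's own implementation; the filter entries and packets are placeholders, not the slide's values.

```python
"""Evaluate router packet filters: AND within a filter, OR between filters."""
import ipaddress

def component_matches(flt, key, value):
    """One filter component; 'any' (or an absent component) matches everything."""
    wanted = flt.get(key, "any")
    if wanted == "any":
        return True
    if key in ("src", "dst"):   # network components are compared as prefixes
        return ipaddress.ip_address(value) in ipaddress.ip_network(wanted, strict=False)
    return wanted == value

def filter_matches(flt, packet):
    """AND within a filter: every component present in the filter must match the packet."""
    return all(component_matches(flt, key, packet.get(key))
               for key in ("src", "dst", "protocol", "dst_port"))

def apply_filters(filters, packet, mode="exclusion"):
    """OR between filters: the first matching filter decides. In exclusion mode a match is
    dropped and everything else forwarded; in inclusion mode the reverse."""
    matched = any(filter_matches(flt, packet) for flt in filters)
    if mode == "exclusion":
        return "drop" if matched else "forward"
    if mode == "inclusion":
        return "forward" if matched else "drop"
    raise ValueError(f"unknown filter mode: {mode}")

# Constructed inbound filters: a specific host, and any host to one UDP service on a subnet.
INBOUND_FILTERS = [
    {"src": "192.168.0.48/32", "dst": "192.168.0.32/27", "protocol": "UDP"},
    {"src": "any", "dst": "192.168.0.32/27", "protocol": "UDP", "dst_port": 161},
]

if __name__ == "__main__":
    pkt = {"src": "192.168.0.48", "dst": "192.168.0.40", "protocol": "UDP", "dst_port": 53}
    print(apply_filters(INBOUND_FILTERS, pkt))               # drop (filter 1, all components match)
    print(apply_filters(INBOUND_FILTERS, pkt, "inclusion"))  # forward (only matches are let through)
```
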