Microsoft NAP
University of Science, Ho Chi Minh City (Đại học Khoa học tự nhiên TP.HCM)
Faculty of Electronics and Telecommunications
Group 2
Tạ Duy Khiêm 0920052
Trần Khánh Trung 0920134
Lê Tấn Hiêp 0920033
Nguyễn Hữu Cường 0920011
Supervisor:
Trần Thị Thảo Nguyên
November 2012
Contents
1. Introduction
2. NAP components and architecture
3. How NAP Works
4. Monitoring and Troubleshooting NAP
5. Security issues
6. Summary
7. Demo
1. Introduction
Challenge
How to maintain computer health
How to define and enforce computer health requirements
• Intranet computers
• Home computers
• Traveling portable computers
Risk
Malicious software attacks out-of-date computers
What is NAP?
NAP ensures that client computers accessing network resources comply with the network's protection policy; it was designed to address the problems above.
Operating system components built into
Microsoft® Windows Server® 2008
Microsoft Windows Vista™
Windows® XP with Service Pack 3 (SP3)
Application programming interfaces (APIs)
Allows for integration with third-party vendors
What is NAP? (continued)
Compliant computers
Grant unlimited access
Noncompliant computers
• Do nothing (Report only)
• Deny access
• Grant access to remediation network
• Limit access to restricted network (until they are updated)
2. Architecture
Architecture
NAP Client Architecture
NAP Server-side Architecture
NAP client and Server-side component communication
NAP Client Architecture
NAP Server-side Architecture
Communication Between NAP Platform Components
Communication Between NAP Agent and NAP Administration Server
+ The NAP Agent communicates with the NAP Administration Server through the following steps:
1. The NAP Agent passes the SSoH to the NAP EC.
2. The NAP EC passes the SSoH to the NAP ES.
3. The NAP ES passes the SSoH to the NPS service.
4. The NPS service passes the SSoH to the NAP Administration Server.
+ The NAP Administration Server communicates with the NAP Agent through the following steps:
1. The NAP Administration Server passes the SoHRs to the NPS service.
2. The NPS service passes the SSoHR to the NAP ES.
3. The NAP ES passes the SSoHR to the NAP EC.
4. The NAP EC passes the SSoHR to the NAP Agent.
Communication Between SHA and SHV
+ An SHA communicates with its corresponding SHV through the following steps:
1. The SHA passes its SoH to the NAP Agent.
2. The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC.
3. The NAP EC passes the SoH to the NAP ES.
4. The NAP ES passes the SoH to the NAP Administration Server.
5. The NAP Administration Server passes the SoH to the SHV.
+ An SHV communicates with its corresponding SHA through the following steps:
1. The SHV passes its SoHR to the NAP Administration Server.
2. The NAP Administration Server passes the SoHR to the NPS service.
3. The NPS service passes the SoHR, contained within the SSoHR, to the NAP ES.
4. The NAP ES passes the SoHR to the NAP EC.
5. The NAP EC passes the SoHR to the NAP Agent.
6. The NAP Agent passes the SoHR to the SHA.
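The two message paths listed above (SoH bundled into an SSoH on the way up, SoHRs bundled into an SSoHR on the way down) can be followed in a small model. This is an added example, not Microsoft's code: the component names follow the slides, but the message fields, the sample SHAs and SHVs (a firewall check and an antivirus check) and the policy values are constructed, and the NAP EC, NAP ES and NPS hops are modelled as pass-through stages recorded in a trace.

```python
"""Model of the SoH/SoHR exchange between SHAs and SHVs via the NAP Agent,
NAP EC, NAP ES, NPS and the NAP Administration Server (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SoH:                       # statement of health from one SHA
    sha_id: str
    claims: dict


@dataclass
class SoHR:                      # statement of health response from the matching SHV
    sha_id: str
    compliant: bool
    remediation: list = field(default_factory=list)


@dataclass
class SSoH:                      # system SoH: the NAP Agent's bundle of every SoH
    client: str
    sohs: list = field(default_factory=list)


@dataclass
class SSoHR:                     # system SoHR: the bundle of every SoHR
    client: str
    sohrs: list = field(default_factory=list)

    def compliant(self) -> bool:  # the client is compliant only if every SHV agreed
        return all(r.compliant for r in self.sohrs)


class SHA:
    """Client-side agent reporting one health area (claims are constructed)."""
    def __init__(self, sha_id, claims):
        self.sha_id, self.claims, self.last_sohr = sha_id, dict(claims), None

    def soh(self) -> SoH:
        return SoH(self.sha_id, dict(self.claims))


class SHV:
    """Server-side validator: every claim named in the policy must match."""
    def __init__(self, sha_id, policy):
        self.sha_id, self.policy = sha_id, dict(policy)

    def validate(self, soh: SoH) -> SoHR:
        failed = [k for k, v in self.policy.items() if soh.claims.get(k) != v]
        return SoHR(soh.sha_id, not failed, [f"set {k}={self.policy[k]}" for k in failed])


class NAPAgent:
    def __init__(self, client, shas):
        self.client, self.shas = client, {s.sha_id: s for s in shas}

    def build_ssoh(self) -> SSoH:            # SHA -> NAP Agent (step 1 of the first list)
        return SSoH(self.client, [s.soh() for s in self.shas.values()])

    def deliver(self, ssohr: SSoHR):         # NAP Agent -> SHA (step 6 of the second list)
        for r in ssohr.sohrs:
            self.shas[r.sha_id].last_sohr = r  # a real SHA would start remediation here


class NAPAdministrationServer:
    def __init__(self, shvs):
        self.shvs = {v.sha_id: v for v in shvs}

    def evaluate(self, ssoh: SSoH) -> SSoHR:  # fan each SoH out to its SHV (step 5)
        sohrs = []
        for soh in ssoh.sohs:
            shv = self.shvs.get(soh.sha_id)
            # Assumption of this model: an SoH with no registered SHV is noncompliant.
            sohrs.append(shv.validate(soh) if shv else
                         SoHR(soh.sha_id, False, ["no SHV registered"]))
        return SSoHR(ssoh.client, sohrs)


PATH = ["NAP Agent", "NAP EC", "NAP ES", "NPS", "NAP Administration Server"]


def run_exchange(agent, admin, trace=None):
    """Carry the SSoH up PATH and the SSoHR back down it; record each hop."""
    trace = [] if trace is None else trace
    ssoh = agent.build_ssoh()
    for hop in PATH:                          # EC, ES and NPS only forward the SSoH
        trace.append(("SSoH", hop))
    ssohr = admin.evaluate(ssoh)
    for hop in reversed(PATH):                # and forward the SSoHR on the way back
        trace.append(("SSoHR", hop))
    agent.deliver(ssohr)
    return ssohr


def demo():
    # Constructed sample client: firewall disabled, antivirus signatures current.
    shas = [SHA("firewall", {"enabled": False}),
            SHA("antivirus", {"signatures_current": True})]
    admin = NAPAdministrationServer([SHV("firewall", {"enabled": True}),
                                     SHV("antivirus", {"signatures_current": True})])
    return run_exchange(NAPAgent("pc-01", shas), admin)


if __name__ == "__main__":
    r = demo()
    print(r.client, "compliant" if r.compliant() else "noncompliant")
    for s in r.sohrs:
        print(f"  {s.sha_id}: {'ok' if s.compliant else 'fail, ' + ', '.join(s.remediation)}")
```

Running it prints `pc-01 noncompliant` with the firewall SoHR carrying the remediation hint, which is the case the enforcement methods later in the slides act on.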
3. HOW NAP WORKS
NAP Enforcement Processes
NAP ENFORCEMENT PROCESS
To validate network access based on system health, a network infrastructure must provide
the following functionality:
Health policy validation: Determines whether computers are compliant with health
policy requirements
Network access limitation: Limits access for noncompliant computers
Automatic remediation: Provides necessary updates to allow a noncompliant computer
to become compliant
Ongoing compliance: Automatically updates compliant computers so that they adhere
to ongoing changes in health policy requirements
HOW IPSec ENFORCEMENT WORKS
Key points of IPSec NAP Enforcement:
Comprised of a health certificate server and an IPSec NAP EC
Health Certificate server issues X.509 certificates to quarantine clients when they are verified
as compliant.
Certificates are then used to authenticate NAP clients when they initiate IPSec-secured
communications with other NAP clients on an intranet
IPSec Enforcement confines the communication on a network to those nodes that are
considered compliant
You can define requirements for secure communications with compliant clients on a per-IP
address or a per-TCP/UDP port number basis
HOW IPSec ENFORCEMENT WORKS
IPSec enforcement defines the following logical networks:
• Secure network: Computers in the secure network can initiate communications with computers in all three logical
networks.
• Boundary network: Computers in the boundary network can initiate communications with computers in the secure or
boundary networks that are authenticated with IPSec and health certificates, or with computers in the restricted
network that are not authenticated with IPSec.
• Restricted network: Computers in the restricted network can initiate communications with computers in the restricted
and boundary networks.
IPSEC ENFORCEMENT EXAMPLE
1. A NAP client computer provides its statement of health (SoH) and requests a health certificate from HRA that it can use for full
network access.
2. HRA receives the client request and forwards the client’s SoH to NPS for evaluation.
3. NPS evaluates the health state of the client computer, and then responds to HRA with the result.
4. If the client computer is determined to be compliant, HRA requests a health certificate for the client from AD CS.
5. AD CS provides a health certificate to HRA.
6. HRA issues the health certificate to the client computer.
7. The client computer is placed on the secure network.
HOW 802.1X ENFORCEMENT WORKS
Key points of 802.1X Wired or Wireless NAP enforcement:
Computer must be compliant to obtain unlimited network access through an 802.1X-
authenticated network connection
Noncompliant computers are limited through a restricted access profile placed on the
connection by the Ethernet switch or wireless AP
Restricted access profiles can specify IP packet filters or a virtual LAN identifier that
corresponds to the restricted network
802.1X enforcement actively monitors the health status of the connected NAP client and
applies the restricted access profile to the connection if the client becomes noncompliant
802.1X Enforcement Example
1. The NAP client computer requests network access from an 802.1X-compliant network access device and provides security
credentials and system health information.
2. The network access device forwards the client computer’s access request to the NAP health policy server for analysis.
3. If the connection is authenticated and the client computer is compliant, the NAP health policy server instructs the network access
device to allow the connection and place the client computer on the corporate VLAN.
4. The network access device forwards the access response to the client computer.
5. The network access device places the client computer on the corporate VLAN.
HOW VPN ENFORCEMENT WORKS
Key points of VPN NAP enforcement:
Computer must be compliant to obtain unlimited network access through a remote
access VPN connection.
Noncompliant computers have network access limited through a set of IP packet
filters that are applied to the VPN connection by the VPN server.
VPN enforcement actively monitors the health status of the NAP client and applies the
IP packet filters for the restricted network to the VPN connection if the client
becomes noncompliant.
VPN Enforcement Example
1. A NAP client computer initiates a VPN connection and requests network access from a server running RRAS
and NPS.
2. The client computer’s access request is forwarded to the NPS service for analysis.
3. If the connection is approved and the client is compliant, NPS instructs the VPN server to provide full network
access.
4. The VPN server accepts the connection and forwards the access response to the client computer.
5. The client computer is granted full access to the intranet.
HOW DHCP ENFORCEMENT WORKS
Key points of DHCP NAP enforcement:
Computer must be compliant to obtain an unlimited access IPv4 address
configuration from a DHCP server.
Noncompliant computers have network access limited by an IPv4 address
configuration that allows access only to the restricted network
DHCP enforcement actively monitors the health status of the NAP client and
renews the IPv4 address configuration for access only to the restricted network if
the client becomes noncompliant.
DHCP ENFORCEMENT EXAMPLE
1. A NAP client computer requests an IPv4 address configuration from a DHCP server.
2. The client’s health credentials are forwarded by the DHCP service to the NPS service for analysis.
3. If the client is compliant with health requirements, NPS instructs the DHCP service to provide a corporate
IPv4 address configuration.
4. The DHCP service provides the client computer with a corporate IPv4 address configuration.
5. The client computer is granted access to the corporate network.
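The DHCP enforcement steps above, and the "key points" before them, can be seen in a model that hands out two different IPv4 configurations and re-runs the health check on renewal. This is an added example, not Microsoft's code: the NPS decision is stood in for by a callable, and the subnet, gateway, remediation server addresses and lease times are constructed. The restricted configuration follows the shape NAP DHCP enforcement uses (a 255.255.255.255 mask, no default gateway, and host routes only to the remediation servers), which is what confines a noncompliant client to the restricted network.

```python
"""Model of DHCP NAP enforcement: corporate vs restricted IPv4 configuration,
with the health check repeated at every renewal (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

CORPORATE_SUBNET = ipaddress.ip_network("10.0.1.0/24")     # constructed
CORPORATE_GATEWAY = "10.0.1.1"                             # constructed
REMEDIATION_SERVERS = ["10.0.9.10", "10.0.9.11"]           # constructed


@dataclass
class Lease:
    address: str
    netmask: str
    gateway: str                     # "" when no default gateway is handed out
    routes: list = field(default_factory=list)  # host routes to remediation servers only
    lease_seconds: int = 0

    def restricted(self) -> bool:
        return self.netmask == "255.255.255.255"


class DHCPNAPServer:
    def __init__(self, health_check):
        self.health_check = health_check   # stands in for the NPS evaluation (step 2/3)
        self._free = [str(h) for h in CORPORATE_SUBNET.hosts()][49:]  # 10.0.1.50 onwards
        self.leases = {}

    def offer(self, client_id) -> Lease:
        # Keep the client's address across renewals so a restricted lease and a
        # later corporate lease differ only in mask, gateway and routes.
        addr = (self.leases[client_id].address if client_id in self.leases
                else self._free.pop(0))
        if self.health_check(client_id):       # compliant: corporate configuration (step 3/4)
            lease = Lease(addr, "255.255.255.0", CORPORATE_GATEWAY, [], 8 * 3600)
        else:                                  # noncompliant: restricted configuration
            # Short lease (assumption of this model) so the client comes back for
            # renewal soon and is re-evaluated once it has remediated.
            lease = Lease(addr, "255.255.255.255", "",
                          [f"{s}/32" for s in REMEDIATION_SERVERS], 10 * 60)
        self.leases[client_id] = lease
        return lease

    renew = offer   # renewal re-runs the health check, as the key points describe


def can_reach(lease: Lease, dst: str) -> bool:
    """Does this configuration give the client any route to dst?"""
    d = ipaddress.ip_address(dst)
    if lease.restricted():   # only the explicit host routes exist
        return any(d in ipaddress.ip_network(r) for r in lease.routes)
    return d in CORPORATE_SUBNET or bool(lease.gateway)   # on-link or via the gateway


def demo():
    # Constructed scenario: pc-01 is compliant at first, then its health fails
    # (for example, antivirus signatures go out of date) before the renewal.
    state = {"pc-01": True}
    server = DHCPNAPServer(lambda client: state[client])
    first = server.offer("pc-01")
    state["pc-01"] = False
    second = server.renew("pc-01")
    return first, second


if __name__ == "__main__":
    first, second = demo()
    for name, lease in (("initial", first), ("renewed", second)):
        print(f"{name}: {lease.address}/{lease.netmask} gw={lease.gateway or '-'} "
              f"routes={lease.routes} restricted={lease.restricted()}")
        print(f"  reach remediation 10.0.9.10: {can_reach(lease, '10.0.9.10')}, "
              f"reach file server 10.0.1.20: {can_reach(lease, '10.0.1.20')}")
```

The model keeps the client's address across the two leases on purpose: what changes when the client drops out of compliance is not the address but the mask, gateway and routes, so the client can still reach the remediation servers and nothing else until the next renewal finds it compliant again.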
4. Monitoring and Troubleshooting
Troubleshooting and monitoring the NAP infrastructure is an important task.
The logs serve two purposes: troubleshooting, and assessing the stability
and security of the network.
What is NAP Tracing?
NAP Tracing identifies NAP events and records them in a log file at one of the
following levels: Basic, Advanced, Debug.
It is disabled by default.
When should NAP tracing be enabled?