network access protection platform architecture joseph davies technical writer windows networking...
Post on 19-Dec-2015
215 views
TRANSCRIPT
Network Access Protection Network Access Protection Platform ArchitecturePlatform Architecture
Joseph DaviesJoseph DaviesTechnical writerTechnical writerWindows Networking and Device TechnologiesWindows Networking and Device TechnologiesMicrosoft CorporationMicrosoft Corporation
Network Access Protection Network Access Protection Platform ArchitecturePlatform Architecture
Joseph DaviesJoseph DaviesTechnical writerTechnical writerWindows Networking and Device TechnologiesWindows Networking and Device TechnologiesMicrosoft CorporationMicrosoft Corporation
2
AgendaAgenda
IntroductionIntroduction
Network Access Protection platform Network Access Protection platform architecturearchitecture
Network Access Protection Client Network Access Protection Client architecturearchitecture
Network Access Protection Server Network Access Protection Server architecturearchitecture
How Network Access Protection works How Network Access Protection works
3
IntroductionIntroduction
What is Network Access Protection (NAP)?What is Network Access Protection (NAP)?
Network infrastructure for Network Access Network infrastructure for Network Access ProtectionProtection
Network Access Protection enforcement Network Access Protection enforcement methodsmethods
4
What is Network Access What is Network Access Protection?Protection?
Platform that enforces compliance with Platform that enforces compliance with health requirements for network access or health requirements for network access or communicationcommunication
Operating system componentsOperating system componentsBuilt into MicrosoftBuilt into Microsoft®® Windows Server Windows Server® ® "Longhorn" and Microsoft Windows Vista"Longhorn" and Microsoft Windows Vista™™
Separate client for Microsoft WindowsSeparate client for Microsoft Windows®® XP with XP with Service Pack 2Service Pack 2
Application programming interfaces (APIs)Application programming interfaces (APIs)Allows for integration with third-party vendorsAllows for integration with third-party vendors
5
Network infrastructure for Network infrastructure for Network Access ProtectionNetwork Access Protection
Health policy validation Health policy validation Determines whether the computers are compliant with Determines whether the computers are compliant with health policy requirementshealth policy requirements
Network access limitationNetwork access limitationLimits access for noncompliant computersLimits access for noncompliant computers
Automatic remediation Automatic remediation Provides necessary updates to allow a noncompliant Provides necessary updates to allow a noncompliant computer to become compliantcomputer to become compliant
Ongoing compliance Ongoing compliance Automatically updates compliant computers so that they Automatically updates compliant computers so that they adhere to ongoing changes in health policy adhere to ongoing changes in health policy requirementsrequirements
6
Network Access Protection Network Access Protection enforcement methodsenforcement methods
Internet Protocol security (IPsec)-protected Internet Protocol security (IPsec)-protected communicationscommunications
IEEE 802.1X-authenticated network IEEE 802.1X-authenticated network connectionsconnections
Remote access virtual private network Remote access virtual private network (VPN) connections(VPN) connections
Dynamic Host Configuration Protocol Dynamic Host Configuration Protocol (DHCP) configuration(DHCP) configuration
7
Network Access Protection Network Access Protection platform architectureplatform architecture
Components of the Network Access Components of the Network Access Protection platformProtection platform
Interactions between Network Access Interactions between Network Access Protection componentsProtection components
8NAP client with limited access
DHCP server
Remediation servers
VPN server
Network Policy Server (NPS)
Active Directory
Intranet
Restricted network
Perimeter network
Health certificate server (HCS)
IEEE 802.1X devices
Internet
Policyservers
Components of the Network Components of the Network Access Protection platformAccess Protection platform
9
NAP client
DHCP server
Remediation server
NPS
DHCP messages
Remote Authentication Dial-in User Service (RADIUS) messages
Systemhealth
updates
HCSHypertext Transfer Protocol over Secure
Sockets Layer (SSL) (HTTPS) messages
Network Access Protection Network Access Protection component interactioncomponent interaction
10
NAP client NPS
System health requirement
queries
VPN serverProtected Extensible Authentication
Protocol (PEAP) messages over the
Point-to-Point Protocol (PPP)
IEEE 802.1X devices
PEAP messages over EAP over LAN (EAPOL)
Policy server
Network Access Protection Network Access Protection component interactioncomponent interaction (2)(2)
RADIUS messages
11
Network Access Protection client Network Access Protection client architecture componentsarchitecture components
System Health Agent (SHA)System Health Agent (SHA)
NAP AgentNAP Agent
NAP Enforcement Client (EC)NAP Enforcement Client (EC)IPsec NAP ECIPsec NAP EC
EAPHost NAP ECEAPHost NAP EC
VPN NAP ECVPN NAP EC
DHCP NAP ECDHCP NAP EC
12
SHA_2SHA_1 SHA_3
SHA API
NAP Agent
NAP EC_BNAP EC_A NAP EC_C
NAP server A
NAPclient
. . .
. . .
NAP server B NAP server C
Remediation server 1
Remediation server 2
NAP EC API
Network Access Protection client Network Access Protection client architecturearchitecture
13
Network Access Protection server Network Access Protection server architecture componentsarchitecture components
System Health Validator (SHV)System Health Validator (SHV)
NAP Administration ServerNAP Administration Server
NPSNPS
NAP Enforcement Server (ES)NAP Enforcement Server (ES)IPsec NAP ESIPsec NAP ES
VPN NAP ESVPN NAP ES
DHCP NAP ESDHCP NAP ES
14
Network Access Protection Server Network Access Protection Server architecturearchitecture
SHV_2SHV_1
Policy server 1
SHV_3
SHV API
NAP Administration Server
NAP ES_BNAP ES_A NAP ES_C
NAP server
. . .
. . .
Policy server 2
NAP client
NPS
RADIUS
NPS
15
SHA2SHA1
Remediation Server 1
SHA API
NAP Agent
NAP EC_BNAP EC_A
NAPclient
Remediation Server 2
SHV1SHV2
SHV API
NAP Administration Server
NAP server
SHV3
NAP ES_ANAP ES_B
NPS
RADIUS
Provided by NAP platform
Provided by third parties
NPS
NAP EC API
Policy Server 1
Policy Server 2
Matched componentsMatched components
16
NAP EC API
SHA2SHA1
SHA API
NAP Agent
NAP EC_A
NAPclient
SHV1SHV2
SHV API
NAP Administration Server
NAP server
NAP ES_A
NPS
Statement of Health (SoH)
List of SoHs
NPS
Component communication: Component communication: client to serverclient to server
17
NAP EC API
SHA2SHA1
SHA API
NAP Agent
NAP EC_A
NAPclient
SoH Response (SoHR)
List of SoHRs
SHV1SHV2
SHV API
NAP Administration Server
NAP server
NAP ES_A
NPS
NPS
Component communication: Component communication: server to clientserver to client
18
How Network Access How Network Access Protection worksProtection works
IPsec enforcementIPsec enforcement
IEEE 802.1X enforcementIEEE 802.1X enforcement
Remote access VPN enforcementRemote access VPN enforcement
DHCP enforcementDHCP enforcement
19
IPsec enforcementIPsec enforcementFor noncompliant computers, prevents For noncompliant computers, prevents communication with compliant computerscommunication with compliant computers
Compliant computers obtain a health Compliant computers obtain a health certificate as proof of their health certificate as proof of their health compliancecompliance
Health certificate is used for peer Health certificate is used for peer authentication when negotiating IPsec-authentication when negotiating IPsec-protected communicationsprotected communications
20
Secure network
Boundary network
Restricted network
Client
Health certificate server
NPS servers
Policy servers
Remediation servers
IPsec enforcement logical networksIPsec enforcement logical networks
21
Secure network
Boundary network
Restricted networkUnuathenticated initiated communication
IPsec-authenticated initiated communication
Allowed communication with IPsec Allowed communication with IPsec enforcementenforcement
22
IPsec enforcement startupIPsec enforcement startup
1.1. Client starts up on the restricted network.Client starts up on the restricted network.
2.2. Client creates an HTTPS secure Client creates an HTTPS secure communication channel with the HCS.communication channel with the HCS.
3.3. Client sends its credentials and its list of Client sends its credentials and its list of SoHs to the HCSSoHs to the HCS..
4.4. HCS forwards the client identity and HCS forwards the client identity and health status information to the NPS for health status information to the NPS for validation using RADIUS Access-Request validation using RADIUS Access-Request message.message.
5.5. NAP Administration Server on the NPS NAP Administration Server on the NPS passes the SoHs to their SHVs.passes the SoHs to their SHVs.
23
IPsec enforcement startupIPsec enforcement startup (2)(2)
6.6. SHVs evaluate the SoHs and respond with SHVs evaluate the SoHs and respond with SoHRs.SoHRs.
7.7. NPS evaluates the SoHRs against policy NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network settings and makes a limited/unlimited network access decision.access decision.
8.8. NPS sends a RADIUS Access-Accept message NPS sends a RADIUS Access-Accept message that contains the System SoHR (SSoHR) and that contains the System SoHR (SSoHR) and the list of SoHRs to the HCS.the list of SoHRs to the HCS.
9.9. HCS sends the SSoHR and list of SoHRs to the HCS sends the SSoHR and list of SoHRs to the client. client.
10.10. If compliant, HCS obtains a health certificate for If compliant, HCS obtains a health certificate for the client. Client is on the secure network.the client. Client is on the secure network.
24
Noncompliant IPsec NAP Noncompliant IPsec NAP clientclient1.1. NAP Agent passes the SoHRs to their NAP Agent passes the SoHRs to their
SHAs.SHAs.2.2. SHAs perform remediation and pass SHAs perform remediation and pass
updated SoHs to the NAP Agent.updated SoHs to the NAP Agent.3.3. Client creates a new HTTPS channel with Client creates a new HTTPS channel with
the HCS.the HCS.4.4. Client sends its credentials and its Client sends its credentials and its
updated list of SoHs to the HCSupdated list of SoHs to the HCS..5.5. HCS validates the credentials and the HCS validates the credentials and the
new list of SoHs with the NPS and obtains new list of SoHs with the NPS and obtains a health certificate for the client.a health certificate for the client.
25
802.1X enforcement802.1X enforcementFor noncompliant computers, prevents For noncompliant computers, prevents unlimited access to a network through an unlimited access to a network through an 802.1X-authenticated connection802.1X-authenticated connection
Network Access Protection-capable Network Access Protection-capable 802.1X clients can use either their list of 802.1X clients can use either their list of SoHs or a health certificate as proof of SoHs or a health certificate as proof of their health compliancetheir health compliance
26
802.1X enforcement using a 802.1X enforcement using a list of SoHslist of SoHs
1.1. Client or 802.1X access point starts Client or 802.1X access point starts 802.1X authentication using EAPOL.802.1X authentication using EAPOL.
2.2. Client and the NPS create secure channel Client and the NPS create secure channel with PEAP.with PEAP.
3.3. Client sends the list of SoHs to the NPS Client sends the list of SoHs to the NPS with a PEAP-Type-Length-Value (TLV) with a PEAP-Type-Length-Value (TLV) message.message.
4.4. Client performs 802.1X authentication Client performs 802.1X authentication with a negotiated PEAP method.with a negotiated PEAP method.
5.5. NAP Administration Server on the NPS NAP Administration Server on the NPS passes the SoHs to their SHVs.passes the SoHs to their SHVs.
27
802.1X enforcement using a 802.1X enforcement using a list of SoHslist of SoHs (2)(2)
6.6. SHVs evaluate their SoHs and respond with SHVs evaluate their SoHs and respond with SoHRs.SoHRs.
7.7. NPS evaluates the SoHRs against policy NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network settings and makes a limited/unlimited network access decision.access decision.
8.8. NPS sends a PEAP-TLV message containing NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.the SSoHR and the list of SoHRs to the client.
9.9. NPS sends a RADIUS Access-Accept message NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either to the 802.1X access point indicating either limited or unlimited access.limited or unlimited access.
10.10. Client and 802.1X access point complete the Client and 802.1X access point complete the 802.1X connection.802.1X connection.
28
Noncompliant 802.1X client Noncompliant 802.1X client using a list of SoHsusing a list of SoHs
1.1. NAP Agent passes the SoHRs to their NAP Agent passes the SoHRs to their SHAs.SHAs.
2.2. SHAs perform remediation and pass an SHAs perform remediation and pass an updated SoH to the NAP Agent.updated SoH to the NAP Agent.
3.3. Client restarts 802.1X authentication to Client restarts 802.1X authentication to obtain an unlimited access connection.obtain an unlimited access connection.
29
802.1X enforcement using a 802.1X enforcement using a health certificatehealth certificate
1.1. Client or 802.1X access point starts Client or 802.1X access point starts 802.1X authentication using EAPOL.802.1X authentication using EAPOL.
2.2. Client and the NPS create a secure Client and the NPS create a secure channel with PEAP.channel with PEAP.
3.3. Client performs 802.1X authentication Client performs 802.1X authentication with a negotiated PEAP method.with a negotiated PEAP method.
4.4. Client sends the health certificate to the Client sends the health certificate to the NPS using a PEAP-TLV message.NPS using a PEAP-TLV message.
30
802.1X enforcement using a 802.1X enforcement using a health certificate health certificate (2)(2)
5.5. NPS validates the health certificate and NPS validates the health certificate and makes a limited/unlimited network access makes a limited/unlimited network access decision.decision.
6.6. NPS sends a PEAP-TLV message NPS sends a PEAP-TLV message containing the SSoHR to the client.containing the SSoHR to the client.
7.7. NPS sends a RADIUS Access-Accept NPS sends a RADIUS Access-Accept message to the 802.1X access point message to the 802.1X access point indicating either limited or unlimited indicating either limited or unlimited access.access.
8.8. Client and 802.1X access point complete Client and 802.1X access point complete the 802.1X connection.the 802.1X connection.
31
Noncompliant 802.1X client Noncompliant 802.1X client using a health certificateusing a health certificate
1.1. Client creates an HTTPS channel with the Client creates an HTTPS channel with the HCS.HCS.
2.2. Client sends its credentials and its current Client sends its credentials and its current list of SoHs to the HCSlist of SoHs to the HCS..
3.3. HCS validates the credentials and list of HCS validates the credentials and list of SoHs with the NPS and obtains a health SoHs with the NPS and obtains a health certificate for the client.certificate for the client.
4.4. Client restarts 802.1X authentication Client restarts 802.1X authentication to to obtain an unlimited access connection.obtain an unlimited access connection.
32
VPN enforcementVPN enforcementFor noncompliant computers, prevents For noncompliant computers, prevents unlimited access to a network through a unlimited access to a network through a remote access VPN connectionremote access VPN connection
Network Access Protection-capable VPN Network Access Protection-capable VPN clients use their list of SoHs as proof of clients use their list of SoHs as proof of their health compliancetheir health compliance
33
VPN enforcement VPN enforcement (2)(2)
1.1. VPN client initiates a remote access VPN VPN client initiates a remote access VPN connection.connection.
2.2. Client and the NPS create a secure Client and the NPS create a secure channel with PEAP.channel with PEAP.
3.3. Client sends its list of SoHs to the NPS Client sends its list of SoHs to the NPS with a PEAP-TLV message.with a PEAP-TLV message.
4.4. Client performs authentication for VPN Client performs authentication for VPN connection with a negotiated PEAP connection with a negotiated PEAP method.method.
5.5. NAP Administration Server on the NPS NAP Administration Server on the NPS passes the SoHs to their SHVs.passes the SoHs to their SHVs.
34
VPN enforcementVPN enforcement (3)(3)
6.6. SHVs evaluate their SoHs and respond with SHVs evaluate their SoHs and respond with SoHRs.SoHRs.
7.7. NPS evaluates the SoHRs against policy NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network settings and makes a limited/unlimited network access decision.access decision.
8.8. NPS sends a PEAP-TLV message containing NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.the SSoHR and the list of SoHRs to the client.
9.9. NPS sends RADIUS Access-Accept message to NPS sends RADIUS Access-Accept message to the VPN server indicating either limited or the VPN server indicating either limited or unlimited access.unlimited access.
10.10. Client and VPN server complete the VPN Client and VPN server complete the VPN connection.connection.
35
Noncompliant VPN NAP clientNoncompliant VPN NAP client
1.1. NAP Agent passes SoHRs to their SHAs.NAP Agent passes SoHRs to their SHAs.
2.2. SHAs perform remediation and pass an SHAs perform remediation and pass an updated SoH to the NAP Agent.updated SoH to the NAP Agent.
3.3. Client sends the updated list of SoHs to Client sends the updated list of SoHs to the NPS by using a PEAP-TLV message the NPS by using a PEAP-TLV message to obtain an unlimited access connection.to obtain an unlimited access connection.
36
DHCP enforcementDHCP enforcementFor noncompliant computers, prevents For noncompliant computers, prevents unlimited access to a network through a unlimited access to a network through a limited DHCP address configurationlimited DHCP address configuration
Network Access Protection-capable DHCP Network Access Protection-capable DHCP clients use their list of SoHs as proof of clients use their list of SoHs as proof of their health compliancetheir health compliance
37
DHCP enforcement DHCP enforcement (2)(2)
1.1. DHCP client DHCP client sends its list of SoHs to its sends its list of SoHs to its DHCP server using the DHCPDiscover DHCP server using the DHCPDiscover message.message.
2.2. DHCP server passes the list of SoHs to DHCP server passes the list of SoHs to the NPS in a RADIUS Access-Request the NPS in a RADIUS Access-Request message.message.
3.3. NAP Administration Server on the NPS NAP Administration Server on the NPS passes the SoHs to their SHVs.passes the SoHs to their SHVs.
4.4. SHVs evaluate their SoHs and respond SHVs evaluate their SoHs and respond with SoHRs.with SoHRs.
38
DHCP enforcementDHCP enforcement (3)(3)
5.5. NPS evaluates the SoHRs against policy NPS evaluates the SoHRs against policy settings and makes a limited/unlimited settings and makes a limited/unlimited network access decision.network access decision.
6.6. NPS sends a RADIUS Access-Accept NPS sends a RADIUS Access-Accept message containing the SSoHR and list of message containing the SSoHR and list of SoHRs to DHCP server.SoHRs to DHCP server.
7.7. Client and DHCP server complete the Client and DHCP server complete the DHCP configuration.DHCP configuration.
39
Noncompliant DHCP NAP Noncompliant DHCP NAP clientclient1.1. NAP Agent passes the SoHRs to their NAP Agent passes the SoHRs to their
SHAs.SHAs.
2.2. SHAs perform remediation and pass their SHAs perform remediation and pass their updated SoHs to the NAP Agent.updated SoHs to the NAP Agent.
3.3. Client sends a DHCPRequest message Client sends a DHCPRequest message containing the updated list of SoHs to the containing the updated list of SoHs to the DHCP server.DHCP server.
4.4. DHCP validates the health state with NPS DHCP validates the health state with NPS and assigns the client an unlimited access and assigns the client an unlimited access address configuration.address configuration.
40
Network Access Protection Network Access Protection resourcesresources
Network Access Protection Web siteNetwork Access Protection Web sitehttp://www.microsoft.com/naphttp://www.microsoft.com/nap
““Network Access Protection Platform Network Access Protection Platform Architecture” white paperArchitecture” white paper
http://www.microsoft.com/http://www.microsoft.com/technet/itsolutionstechnet/itsolutions/network/nap//network/nap/naparch.mspxnaparch.mspx
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thank you for joining us for today’s event.Thank you for joining us for today’s event.
For information about all upcoming Support WebCasts, and access to the For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, and archived content (streaming media files, PowerPoint® slides, and transcripts), visit the Support WebCast site at transcripts), visit the Support WebCast site at http://support.microsoft.com/WebCasts/
We sincerely appreciate your feedback. Please submit any comments or We sincerely appreciate your feedback. Please submit any comments or suggestions about the Support WebCasts on the “Contact Us” page of the suggestions about the Support WebCasts on the “Contact Us” page of the Support Web site at Support Web site at http://support.microsoft.com/servicedesks/webcasts/feedback.asp.