Network Access Protection Platform Architecture
Mark Gibson, Senior Consultant, Microsoft Corporation
Agenda
• Introduction
• Network Access Protection platform architecture
• Network Access Protection client architecture
• Network Access Protection server architecture
• How Network Access Protection works
Introduction
• What is Network Access Protection (NAP)?
• Network infrastructure for Network Access Protection
• Network Access Protection enforcement methods
What is Network Access Protection?
• Platform that enforces compliance with health requirements for network access or communication
• Operating system components
  • Built into Microsoft® Windows Server® 2008 and Microsoft Windows Vista™
  • Separate client for Microsoft Windows® XP with Service Pack 2
• Application programming interfaces (APIs)
  • Allow integration with third-party vendors
Network infrastructure for Network Access Protection
• Health policy validation
  • Determines whether computers are compliant with health policy requirements
• Network access limitation
  • Limits access for noncompliant computers
• Automatic remediation
  • Provides the updates needed for a noncompliant computer to become compliant
• Ongoing compliance
  • Automatically updates compliant computers so that they keep up with changes in health policy requirements
Network Access Protection enforcement methods
• Internet Protocol security (IPsec)-protected communications
• IEEE 802.1X-authenticated network connections
• Remote access virtual private network (VPN) connections
• Dynamic Host Configuration Protocol (DHCP) configuration
Network Access Protection platform architecture
• Components of the Network Access Protection platform
• Interactions between Network Access Protection components
Components of the Network Access Protection platform
[Diagram: the intranet, a perimeter network and a restricted network. Components shown: VPN server, Active Directory, policy servers, IEEE 802.1X devices, Internet, health certificate server (HCS), Network Policy Server (NPS), DHCP server, remediation servers, and a NAP client with limited access on the restricted network.]
Network Access Protection component interaction
[Diagram: NAP client exchanges DHCP messages with the DHCP server and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) messages with the HCS; the DHCP server exchanges Remote Authentication Dial-in User Service (RADIUS) messages with the NPS; the remediation server supplies system health updates to the NAP client.]
Network Access Protection component interaction (2)
[Diagram: NAP client exchanges Protected Extensible Authentication Protocol (PEAP) messages over the Point-to-Point Protocol (PPP) with the VPN server and PEAP messages over EAP over LAN (EAPOL) with IEEE 802.1X devices; VPN server and 802.1X devices exchange RADIUS messages with the NPS; the NPS sends system health requirement queries to the policy server.]
Network Access Protection client architecture components
• System Health Agent (SHA)
• NAP Agent
• NAP Enforcement Client (EC)
  • IPsec NAP EC
  • EAPHost NAP EC
  • VPN NAP EC
  • DHCP NAP EC
Network Access Protection client architecture
[Diagram of the NAP client: remediation servers 1, 2, ... feed the SHAs (SHA_1, SHA_2, SHA_3, ...); the SHAs talk to the NAP Agent through the SHA API; the NAP Agent talks to the NAP ECs (NAP EC_A, NAP EC_B, NAP EC_C, ...) through the NAP EC API; each NAP EC communicates with its matching NAP server (NAP server A, B, C).]
Network Access Protection server architecture components
• System Health Validator (SHV)
• NAP Administration Server
• NPS
• NAP Enforcement Server (ES)
  • IPsec NAP ES
  • VPN NAP ES
  • DHCP NAP ES
Network Access Protection server architecture
[Diagram of the NAP server side: policy servers 1, 2, ... back the SHVs (SHV_1, SHV_2, SHV_3, ...); the SHVs talk to the NAP Administration Server through the SHV API; the NAP Administration Server runs on the NPS; the NPS communicates over RADIUS with the NAP ESs (NAP ES_A, NAP ES_B, NAP ES_C, ...) on the NAP servers, which face the NAP client.]
Matched components
[Diagram: each client-side component has a matching server-side component. Provided by the NAP platform: NAP Agent, SHA API, NAP EC API, NPS, NAP Administration Server, SHV API, RADIUS transport. Provided by third parties: matched SHA/SHV pairs (SHA1/SHV1, SHA2/SHV2, SHV3), matched NAP EC/ES pairs (NAP EC_A/NAP ES_A, NAP EC_B/NAP ES_B), and their remediation servers (1, 2) and policy servers (1, 2).]
Component communication: client to server
[Diagram: each SHA produces a Statement of Health (SoH); the NAP Agent collects them into a list of SoHs and hands it to the NAP EC (NAP EC_A), which sends it to the NAP ES (NAP ES_A); the NPS passes the list to the NAP Administration Server, which distributes each SoH to its SHV.]
Component communication: server to client
[Diagram: each SHV returns an SoH Response (SoHR); the NAP Administration Server collects them into a list of SoHRs, which the NPS sends via the NAP ES (NAP ES_A) to the NAP EC (NAP EC_A); the NAP Agent passes each SoHR to its SHA.]
How Network Access Protection works
• DHCP enforcement
• Remote access VPN enforcement
• IEEE 802.1X enforcement
• IPsec enforcement
DHCP enforcement
• For noncompliant computers, prevents unlimited access to a network by assigning a limited DHCP address configuration
• Network Access Protection-capable DHCP clients use their list of SoHs as proof of their health compliance
DHCP enforcement (2)
• DHCP client sends its list of SoHs to its DHCP server in the DHCPDiscover message.
• DHCP server passes the list of SoHs to the NPS in a RADIUS Access-Request message.
• NAP Administration Server on the NPS passes the SoHs to their SHVs.
• SHVs evaluate their SoHs and respond with SoHRs.
DHCP enforcement (3)
• NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
• NPS sends a RADIUS Access-Accept message containing the System SoHR (SSoHR) and the list of SoHRs to the DHCP server.
• Client and DHCP server complete the DHCP configuration.
Noncompliant DHCP NAP client
• NAP Agent passes the SoHRs to their SHAs.
• SHAs perform remediation and pass their updated SoHs to the NAP Agent.
• Client sends a DHCPRequest message containing the updated list of SoHs to the DHCP server.
• DHCP server validates the health state with the NPS and assigns the client an unlimited access address configuration.
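The DHCP enforcement round trip above (SoHs in DHCPDiscover, SHV evaluation, SSoHR and access decision, remediation, updated SoHs in DHCPRequest) as a small Python simulation. This is an added example, not Microsoft's code and not the NAP wire format: the two SHA/SHV pairs ("firewall", "antivirus"), their claim names and the policy value are constructed for illustration, and the same SoH/SoHR/SSoHR evaluation is what the VPN, 802.1X and IPsec flows later in the deck rely on.

```python
from dataclasses import dataclass, field

@dataclass
class SoH:            # Statement of Health produced by one SHA
    sha: str
    claims: dict

@dataclass
class SoHR:           # SoH Response returned by the matching SHV
    sha: str
    compliant: bool
    remediation: dict = field(default_factory=dict)

MAX_SIGNATURE_AGE_DAYS = 7  # constructed policy value for the hypothetical antivirus SHV

def shv_evaluate(soh):
    """SHV side: check one SoH against policy and return its SoHR."""
    if soh.sha == "firewall":
        ok = soh.claims.get("enabled") is True
        return SoHR("firewall", ok, {} if ok else {"enable_firewall": True})
    if soh.sha == "antivirus":
        ok = soh.claims.get("signatures_age_days", 10**6) <= MAX_SIGNATURE_AGE_DAYS
        return SoHR("antivirus", ok, {} if ok else {"update_signatures": True})
    return SoHR(soh.sha, False, {"unknown_sha": True})  # no matching SHV: fail closed

def nps_decide(sohs):
    """NPS side: route SoHs to SHVs, build the System SoHR, choose access."""
    sohrs = [shv_evaluate(s) for s in sohs]
    ssohr = all(r.compliant for r in sohrs)  # compliant only if every SHV agrees
    return ("unlimited" if ssohr else "limited"), sohrs

def sha_remediate(soh, sohr):
    """SHA side: apply the SoHR's remediation and emit an updated SoH."""
    claims = dict(soh.claims)
    if sohr.remediation.get("enable_firewall"):
        claims["enabled"] = True
    if sohr.remediation.get("update_signatures"):
        claims["signatures_age_days"] = 0
    return SoH(soh.sha, claims)

def dhcp_nap_exchange(sohs, max_rounds=2):
    """DHCPDiscover carries the SoH list; a limited lease triggers remediation and a DHCPRequest with the updated list. Returns the access granted per round."""
    granted = []
    for _ in range(max_rounds):
        access, sohrs = nps_decide(sohs)  # DHCP server relays SoHs to NPS over RADIUS
        granted.append(access)
        if access == "unlimited":
            break
        sohs = [sha_remediate(s, r) for s, r in zip(sohs, sohrs)]
    return granted
```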
VPN enforcement
• For noncompliant computers, prevents unlimited access to a network through a remote access VPN connection
• Network Access Protection-capable VPN clients use their list of SoHs as proof of their health compliance
VPN enforcement (2)
• VPN client initiates a remote access VPN connection.
• Client and the NPS create a secure channel with PEAP.
• Client sends its list of SoHs to the NPS in a PEAP-TLV message.
• Client performs authentication for the VPN connection with a negotiated PEAP method.
• NAP Administration Server on the NPS passes the SoHs to their SHVs.
VPN enforcement (3)
• SHVs evaluate their SoHs and respond with SoHRs.
• NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
• NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
• NPS sends a RADIUS Access-Accept message to the VPN server indicating either limited or unlimited access.
• Client and VPN server complete the VPN connection.
Noncompliant VPN NAP client
• NAP Agent passes the SoHRs to their SHAs.
• SHAs perform remediation and pass an updated SoH to the NAP Agent.
• Client sends the updated list of SoHs to the NPS in a PEAP-TLV message to obtain an unlimited access connection.
802.1X enforcement
• For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection
• Network Access Protection-capable 802.1X clients can use either their list of SoHs or a health certificate as proof of their health compliance
802.1X enforcement using a list of SoHs
• Client or 802.1X access point starts 802.1X authentication using EAPOL.
• Client and the NPS create a secure channel with PEAP.
• Client sends the list of SoHs to the NPS in a PEAP-Type-Length-Value (TLV) message.
• Client performs 802.1X authentication with a negotiated PEAP method.
• NAP Administration Server on the NPS passes the SoHs to their SHVs.
802.1X enforcement using a list of SoHs (2)
• SHVs evaluate their SoHs and respond with SoHRs.
• NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
• NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.
• NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
• Client and 802.1X access point complete the 802.1X connection.
Noncompliant 802.1X client using a list of SoHs
• NAP Agent passes the SoHRs to their SHAs.
• SHAs perform remediation and pass an updated SoH to the NAP Agent.
• Client restarts 802.1X authentication to obtain an unlimited access connection.
802.1X enforcement using a health certificate
• Client or 802.1X access point starts 802.1X authentication using EAPOL.
• Client and the NPS create a secure channel with PEAP.
• Client performs 802.1X authentication with a negotiated PEAP method.
• Client sends the health certificate to the NPS in a PEAP-TLV message.
802.1X enforcement using a health certificate (2)
• NPS validates the health certificate and makes a limited/unlimited network access decision.
• NPS sends a PEAP-TLV message containing the SSoHR to the client.
• NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.
• Client and 802.1X access point complete the 802.1X connection.
Noncompliant 802.1X client using a health certificate
• Client creates an HTTPS channel with the HCS.
• Client sends its credentials and its current list of SoHs to the HCS.
• HCS validates the credentials and the list of SoHs with the NPS and obtains a health certificate for the client.
• Client restarts 802.1X authentication to obtain an unlimited access connection.
IPsec enforcement
• For noncompliant computers, prevents communication with compliant computers
• Compliant computers obtain a health certificate as proof of their health compliance
• The health certificate is used for peer authentication when negotiating IPsec-protected communications
IPsec enforcement logical networks
[Diagram of the three logical networks: the secure network (clients with health certificates), the boundary network (health certificate server, policy servers, NPS servers, remediation servers), and the restricted network (clients without a health certificate).]
Allowed communication with IPsec enforcement
[Diagram: communication initiated to the secure network must be IPsec-authenticated; the boundary network accepts both IPsec-authenticated and unauthenticated initiated communication; communication initiated from the restricted network is unauthenticated, so it reaches only the boundary network.]
IPsec enforcement startup
• Client starts up on the restricted network.
• Client creates an HTTPS secure communication channel with the HCS.
• Client sends its credentials and its list of SoHs to the HCS.
• HCS forwards the client identity and health status information to the NPS for validation in a RADIUS Access-Request message.
• NAP Administration Server on the NPS passes the SoHs to their SHVs.
IPsec enforcement startup (2)
• SHVs evaluate the SoHs and respond with SoHRs.
• NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
• NPS sends a RADIUS Access-Accept message that contains the System SoHR (SSoHR) and the list of SoHRs to the HCS.
• HCS sends the SSoHR and the list of SoHRs to the client.
• If the client is compliant, the HCS obtains a health certificate for it, and the client is on the secure network.
Noncompliant IPsec NAP client
• NAP Agent passes the SoHRs to their SHAs.
• SHAs perform remediation and pass updated SoHs to the NAP Agent.
• Client creates a new HTTPS channel with the HCS.
• Client sends its credentials and its updated list of SoHs to the HCS.
• HCS validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client.
Network Access Protection resources
• Network Access Protection Web site
  • http://www.microsoft.com/nap
• “Network Access Protection Platform Architecture” white paper
  • http://www.microsoft.com/technet/itsolutions/network/nap/naparch.mspx