Network Access Protection Platform Architecture. Mark Gibson, Senior Consultant, Microsoft Corporation

Post on 18-Dec-2015


TRANSCRIPT

1

Network Access Protection Platform Architecture

Mark Gibson, Senior Consultant, Microsoft Corporation

2

Agenda

Introduction

Network Access Protection platform architecture

Network Access Protection client architecture

Network Access Protection server architecture

How Network Access Protection works

3

Introduction

What is Network Access Protection (NAP)?

Network infrastructure for Network Access Protection

Network Access Protection enforcement methods

4

What is Network Access Protection?

Platform that enforces compliance with health requirements for network access or communication

Operating system components: built into Microsoft® Windows Server® 2008 and Microsoft Windows Vista™

Separate client for Microsoft Windows® XP with Service Pack 2

Application programming interfaces (APIs): allow for integration with third-party vendors

5

Network infrastructure for Network Access Protection

Health policy validation: determines whether the computers are compliant with health policy requirements

Network access limitation: limits access for noncompliant computers

Automatic remediation: provides necessary updates to allow a noncompliant computer to become compliant

Ongoing compliance: automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements

6

Network Access Protection enforcement methods

Internet Protocol security (IPsec)-protected communications

IEEE 802.1X-authenticated network connections

Remote access virtual private network (VPN) connections

Dynamic Host Configuration Protocol (DHCP) configuration

7

Network Access Protection platform architecture

Components of the Network Access Protection platform

Interactions between Network Access Protection components

8

Components of the Network Access Protection platform

[Diagram: NAP client with limited access, DHCP server, VPN server, IEEE 802.1X devices, health certificate server (HCS), Network Policy Server (NPS), Active Directory, policy servers, remediation servers; networks shown: Internet, perimeter network, restricted network, intranet]

9

Network Access Protection component interaction

[Diagram: the NAP client exchanges DHCP messages with the DHCP server; the DHCP server exchanges Remote Authentication Dial-in User Service (RADIUS) messages with the NPS; the NAP client exchanges Hypertext Transfer Protocol over Secure Sockets Layer (SSL) (HTTPS) messages with the HCS; the remediation server delivers system health updates to the NAP client]

10

Network Access Protection component interaction (2)

[Diagram: the NAP client exchanges Protected Extensible Authentication Protocol (PEAP) messages over the Point-to-Point Protocol (PPP) with the VPN server, and PEAP messages over EAP over LAN (EAPOL) with IEEE 802.1X devices; the VPN server and 802.1X devices exchange RADIUS messages with the NPS; the NPS sends system health requirement queries to the policy server]

11

Network Access Protection client architecture components

System Health Agent (SHA)

NAP Agent

NAP Enforcement Client (EC): IPsec NAP EC, EAPHost NAP EC, VPN NAP EC, DHCP NAP EC

12

Network Access Protection client architecture

[Diagram: on the NAP client, SHA_1, SHA_2, SHA_3 ... connect through the SHA API to the NAP Agent; the NAP Agent connects through the NAP EC API to NAP EC_A, NAP EC_B, NAP EC_C ...; each NAP EC talks to its own NAP server (A, B, C); the client also reaches remediation server 1 and remediation server 2]

13

Network Access Protection server architecture components

System Health Validator (SHV)

NAP Administration Server

NPS

NAP Enforcement Server (ES): IPsec NAP ES, VPN NAP ES, DHCP NAP ES

14

Network Access Protection server architecture

[Diagram: on the NAP server, NAP ES_A, NAP ES_B, NAP ES_C ... receive traffic from the NAP client and forward it over RADIUS to the NPS; on the NPS, the NAP Administration Server connects through the SHV API to SHV_1, SHV_2, SHV_3 ...; the SHVs consult policy server 1 and policy server 2]

15

Matched components

[Diagram: client side: SHA1 and SHA2 connect through the SHA API to the NAP Agent, which connects through the NAP EC API to NAP EC_A and NAP EC_B; remediation server 1 and remediation server 2 serve the client. Server side: NAP ES_A and NAP ES_B on the NAP server talk over RADIUS to the NPS, where the NAP Administration Server connects through the SHV API to SHV1, SHV2 and SHV3; policy server 1 and policy server 2 serve the SHVs. Each SHA is matched with the SHV of the same number and each NAP EC with the NAP ES of the same letter. Legend: components provided by the NAP platform versus components provided by third parties]

16

Component communication: client to server

[Diagram: SHA1 and SHA2 each produce a Statement of Health (SoH) and pass it through the SHA API to the NAP Agent; the NAP Agent passes the list of SoHs through the NAP EC API to NAP EC_A, which sends it to NAP ES_A on the NAP server; the NAP server forwards the list of SoHs to the NPS, where the NAP Administration Server hands each SoH through the SHV API to SHV1 and SHV2]

17

Component communication: server to client

[Diagram: SHV1 and SHV2 each return an SoH Response (SoHR) through the SHV API to the NAP Administration Server; the NPS sends the list of SoHRs to NAP ES_A on the NAP server, which sends it to NAP EC_A on the NAP client; NAP EC_A passes the list through the NAP EC API to the NAP Agent, which hands each SoHR through the SHA API to SHA1 and SHA2]

18

How Network Access Protection works

DHCP enforcement

Remote access VPN enforcement

IEEE 802.1X enforcement

IPsec enforcement

19

DHCP enforcement

For noncompliant computers, prevents unlimited access to a network through a limited DHCP address configuration

Network Access Protection-capable DHCP clients use their list of SoHs as proof of their health compliance

20

DHCP enforcement (2)

1. DHCP client sends its list of SoHs to its DHCP server using the DHCPDiscover message.

2. DHCP server passes the list of SoHs to the NPS in a RADIUS Access-Request message.

3. NAP Administration Server on the NPS passes the SoHs to their SHVs.

4. SHVs evaluate their SoHs and respond with SoHRs.

21

DHCP enforcement (3)

5. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.

6. NPS sends a RADIUS Access-Accept message containing the SSoHR and the list of SoHRs to the DHCP server.

7. Client and DHCP server complete the DHCP configuration.

22

Noncompliant DHCP NAP client

1. NAP Agent passes the SoHRs to their SHAs.

2. SHAs perform remediation and pass their updated SoHs to the NAP Agent.

3. Client sends a DHCPRequest message containing the updated list of SoHs to the DHCP server.

4. DHCP server validates the health state with the NPS and assigns the client an unlimited access address configuration.
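The client-to-server and server-to-client exchange of slides 16 and 17, together with the DHCP enforcement and remediation loop of slides 20 to 22, modelled in Python. This is an added illustration, not code from the deck or from Microsoft; the two SHA/SHV pairs (firewall and antivirus signature age), their numeric ids, the health checks they apply and the rule that an SoH with no matching SHV is treated as noncompliant are all assumptions.

```python
from dataclasses import dataclass, field

UNLIMITED, LIMITED = "unlimited", "limited"

@dataclass
class SoH:              # Statement of Health from one SHA (id shared with its SHV)
    sha_id: int
    state: dict

@dataclass
class SoHR:             # SoH Response from the matching SHV
    sha_id: int
    compliant: bool
    fixups: dict = field(default_factory=dict)   # what the SHA must change

# Server side: two assumed SHVs registered with the NAP Administration Server.
def firewall_shv(soh):
    ok = soh.state.get("firewall_on", False)
    return SoHR(soh.sha_id, ok, {} if ok else {"firewall_on": True})

def av_shv(soh):
    ok = soh.state.get("av_signature_age_days", 999) <= 7
    return SoHR(soh.sha_id, ok, {} if ok else {"av_signature_age_days": 0})

SHVS = {1: firewall_shv, 2: av_shv}

def nps_evaluate(sohs):
    """NAP Administration Server routes each SoH to the SHV with the same id
    (matched components); NPS then derives the SSoHR access decision."""
    sohrs = []
    for soh in sohs:
        shv = SHVS.get(soh.sha_id)
        # Assumed policy: an SoH with no registered SHV counts as noncompliant.
        sohrs.append(shv(soh) if shv else SoHR(soh.sha_id, False))
    ssohr = UNLIMITED if all(r.compliant for r in sohrs) else LIMITED
    return ssohr, sohrs

# Client side: the NAP Agent fronts the SHAs, keyed by the same ids.
class NapAgent:
    def __init__(self, health):
        self.health = health   # per-SHA health state, keyed by sha_id

    def collect_sohs(self):
        return [SoH(i, dict(s)) for i, s in sorted(self.health.items())]

    def remediate(self, sohrs):
        # The NAP Agent hands each SoHR to its SHA, which applies the fixups.
        for r in sohrs:
            if r.sha_id in self.health:
                self.health[r.sha_id].update(r.fixups)

def dhcp_enforcement(agent, max_rounds=3):
    """DHCPDiscover carries the SoHs, the DHCP server relays them to the NPS
    in a RADIUS Access-Request, and the Access-Accept brings back the SSoHR;
    a limited client remediates and retries with DHCPRequest."""
    decisions = []
    for _ in range(max_rounds):
        ssohr, sohrs = nps_evaluate(agent.collect_sohs())
        decisions.append(ssohr)
        if ssohr == UNLIMITED:
            break
        agent.remediate(sohrs)
    return decisions
```

A client that starts with the firewall off and stale signatures gets a limited configuration first, remediates from the SoHRs, and is granted unlimited access on the DHCPRequest retry.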

23

VPN enforcement

For noncompliant computers, prevents unlimited access to a network through a remote access VPN connection

Network Access Protection-capable VPN clients use their list of SoHs as proof of their health compliance

24

VPN enforcement (2)

1. VPN client initiates a remote access VPN connection.

2. Client and the NPS create a secure channel with PEAP.

3. Client sends its list of SoHs to the NPS with a PEAP-TLV message.

4. Client performs authentication for the VPN connection with a negotiated PEAP method.

5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

25

VPN enforcement (3)

6. SHVs evaluate their SoHs and respond with SoHRs.

7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.

8. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.

9. NPS sends a RADIUS Access-Accept message to the VPN server indicating either limited or unlimited access.

10. Client and VPN server complete the VPN connection.

26

Noncompliant VPN NAP client

1. NAP Agent passes SoHRs to their SHAs.

2. SHAs perform remediation and pass an updated SoH to the NAP Agent.

3. Client sends the updated list of SoHs to the NPS by using a PEAP-TLV message to obtain an unlimited access connection.

27

802.1X enforcement

For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection

Network Access Protection-capable 802.1X clients can use either their list of SoHs or a health certificate as proof of their health compliance

28

802.1X enforcement using a list of SoHs

1. Client or 802.1X access point starts 802.1X authentication using EAPOL.

2. Client and the NPS create a secure channel with PEAP.

3. Client sends the list of SoHs to the NPS with a PEAP-Type-Length-Value (TLV) message.

4. Client performs 802.1X authentication with a negotiated PEAP method.

5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

29

802.1X enforcement using a list of SoHs (2)

6. SHVs evaluate their SoHs and respond with SoHRs.

7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.

8. NPS sends a PEAP-TLV message containing the SSoHR and the list of SoHRs to the client.

9. NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.

10. Client and 802.1X access point complete the 802.1X connection.

30

Noncompliant 802.1X client using a list of SoHs

1. NAP Agent passes the SoHRs to their SHAs.

2. SHAs perform remediation and pass an updated SoH to the NAP Agent.

3. Client restarts 802.1X authentication to obtain an unlimited access connection.

31

802.1X enforcement using a health certificate

1. Client or 802.1X access point starts 802.1X authentication using EAPOL.

2. Client and the NPS create a secure channel with PEAP.

3. Client performs 802.1X authentication with a negotiated PEAP method.

4. Client sends the health certificate to the NPS using a PEAP-TLV message.

32

802.1X enforcement using a health certificate (2)

5. NPS validates the health certificate and makes a limited/unlimited network access decision.

6. NPS sends a PEAP-TLV message containing the SSoHR to the client.

7. NPS sends a RADIUS Access-Accept message to the 802.1X access point indicating either limited or unlimited access.

8. Client and 802.1X access point complete the 802.1X connection.

33

Noncompliant 802.1X client using a health certificate

1. Client creates an HTTPS channel with the HCS.

2. Client sends its credentials and its current list of SoHs to the HCS.

3. HCS validates the credentials and list of SoHs with the NPS and obtains a health certificate for the client.

4. Client restarts 802.1X authentication to obtain an unlimited access connection.

34

IPsec enforcement

For noncompliant computers, prevents communication with compliant computers

Compliant computers obtain a health certificate as proof of their health compliance

Health certificate is used for peer authentication when negotiating IPsec-protected communications

35

IPsec enforcement logical networks

[Diagram: the secure network, the boundary network and the restricted network; components shown: client, health certificate server, NPS servers, policy servers, remediation servers]

36

Allowed communication with IPsec enforcement

[Diagram: the secure network, the boundary network and the restricted network, with arrows distinguishing unauthenticated initiated communication from IPsec-authenticated initiated communication]

37

IPsec enforcement startup

1. Client starts up on the restricted network.

2. Client creates an HTTPS secure communication channel with the HCS.

3. Client sends its credentials and its list of SoHs to the HCS.

4. HCS forwards the client identity and health status information to the NPS for validation using a RADIUS Access-Request message.

5. NAP Administration Server on the NPS passes the SoHs to their SHVs.

38

IPsec enforcement startup (2)

6. SHVs evaluate the SoHs and respond with SoHRs.

7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.

8. NPS sends a RADIUS Access-Accept message that contains the System SoHR (SSoHR) and the list of SoHRs to the HCS.

9. HCS sends the SSoHR and list of SoHRs to the client.

10. If compliant, HCS obtains a health certificate for the client. Client is on the secure network.

39

Noncompliant IPsec NAP client

1. NAP Agent passes the SoHRs to their SHAs.

2. SHAs perform remediation and pass updated SoHs to the NAP Agent.

3. Client creates a new HTTPS channel with the HCS.

4. Client sends its credentials and its updated list of SoHs to the HCS.

5. HCS validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client.
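The IPsec enforcement flow of slides 34 to 39 modelled in Python: the HCS issues a health certificate only to a client the NPS found compliant, and peers use that certificate to decide whether an initiated connection is accepted. This is an added illustration, not code from the deck or from Microsoft; the HMAC-signed token standing in for the X.509 health certificate, the HCS signing key, the four-hour lifetime and the per-network acceptance rules in connection_allowed are assumptions.

```python
import hashlib, hmac, json

SECURE, BOUNDARY, RESTRICTED = "secure", "boundary", "restricted"
HCS_KEY = b"constructed-hcs-signing-key"   # stands in for the HCS issuing key
LIFETIME = 4 * 3600                         # assumed health certificate lifetime

def _sign(body):
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(HCS_KEY, raw, hashlib.sha256).hexdigest()

def hcs_issue(client_id, compliant, now):
    """Startup step 10: the HCS issues a certificate only when the NPS SSoHR
    said the client is compliant; a noncompliant client gets nothing."""
    if not compliant:
        return None
    body = {"client": client_id, "not_after": now + LIFETIME}
    return {"body": body, "sig": _sign(body)}

def cert_valid(cert, now):
    """Peer authentication check: issued by the HCS, untampered, not expired."""
    if cert is None:
        return False
    return (hmac.compare_digest(_sign(cert["body"]), cert["sig"])
            and now < cert["body"]["not_after"])

def network_of(cert, now):
    """A computer holding a valid health certificate is on the secure network;
    otherwise it is on the restricted network (slides 37 and 38)."""
    return SECURE if cert_valid(cert, now) else RESTRICTED

def connection_allowed(initiator_cert, responder_net, now):
    """Assumed reading of slide 36: the boundary network (HCS, remediation
    servers) accepts unauthenticated initiators so restricted clients can
    remediate; the secure network accepts only IPsec-authenticated initiators
    holding a valid health certificate; the restricted network accepts any."""
    if responder_net == SECURE:
        return cert_valid(initiator_cert, now)
    return True
```

The expiry check is what turns the short-lived certificate into ongoing compliance: once it lapses the client is back on the restricted network until it repeats the HCS exchange.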

40

Network Access Protection resources

Network Access Protection Web site: http://www.microsoft.com/nap

"Network Access Protection Platform Architecture" white paper: http://www.microsoft.com/technet/itsolutions/network/nap/naparch.mspx