4. NAP architecture (diagram labels)
Client side: System Health Agent (SHA), Quarantine Agent (QA), Enforcement Client (EC)
Services side: Remediation Server, Network Access Device and Server, System Health Server, Network Policy Server (NPS), Quarantine Server (RADIUS), System Health Validator (SHV)
5. NAP enforcement flow (diagram labels): client, 802.1X switch, MS NPS, Remediation Servers, System Health Servers, Restricted Network
•Client to switch: "May I have access? Here's my current health status."
•Switch to NPS: "Should this client be restricted based on its health?"
•System Health Servers to NPS: "Ongoing policy updates to Network Policy Server."
•NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
•Switch to client: "You are given restricted access until fix-up." (client placed in the Restricted Network)
•Client to Remediation Servers: "Can I have updates?" / "Here you go."
•Client to switch: "Requesting access. Here's my new health status."
•NPS: "According to policy, the client is up to date. Grant access."
•Client is granted access to full intranet.
7. •NAP client available for Windows XP SP2
•Cisco Network Admission Control (NAC)
•Avenda Linux NAP Agent
9. Features
Authentication Methods: PEAPv0 (EAP-MSCHAPv2); PEAPv0 (EAP-TLS)
Health Check:
•Firewall Status - Check for firewall status, with auto-remediation
•Service Status - Check for different services. Auto-remediate by starting or stopping services.
•Firewall Ports - Check status of open or blocked TCP/UDP ports
•Anti-Virus Status - Check if anti-virus software is up-to-date
Supported Platforms: Red Hat Enterprise Linux 4 and above; CentOS 5 and above; Fedora Core 6 and above
Avenda Linux NAP SHV for Microsoft NPS - Features
Health Check:
•Firewall Status - Check for firewall status and open/blocked ports. Auto Remediation - Turn on firewall; block or open ports.
•Service Status - Check status of different services running on the system. Auto Remediation - Start or stop services.
•Anti-Virus Status - Check if anti-virus is running. Auto Remediation - Start anti-virus.
Editor's notes
This scenario will examine how Network Access Protection works with DHCP/VPN.
[BUILD1] Health policy is set by the IT administrator. It is asynchronously plumbed by the system health servers to the IAS policy server. The IAS policy server keeps a health cache at any given time.
[BUILD2] The client requests network access, and forwards its statement of health (SoH).
[BUILD3] The Network Access Device sends this information to the IAS policy server.
[BUILD4] IAS compares it to what’s in cache and if the SoH doesn’t meet health policy, the IAS policy server notifies the Network Access Device to restrict the client – it could be put in a VLAN or separate subnet. The IAS policy server also informs the NAD what the client needs to become healthy.
[BUILD5] The restriction response that the NAP components pass back to the client tells it how to reach the fix-up (remediation) servers.
[BUILD6] The client contacts the remediation server and requests update.
[BUILD7] The Remediation Server provides the client with the necessary updates so it will pass the required system health policies.
[BUILD8] The client returns to the Network Access Device with an updated SoH.
[BUILD9] The Network Access Device sends this information to the IAS policy server.
[BUILD10] This time it matches policy so the client gains full access to network resources. The SoH is re-used to continue to access network resources until the policy is updated.
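The flow in the notes above (SoH submitted, compared against the cached health policy, client restricted with remediation hints, then re-validated) and the Linux agent checks listed on slide 9 (firewall, services, ports, anti-virus), modelled as an added Python example. This is not Microsoft's, Avenda's or the presentation's code; the policy fields, the action names and the sample client are assumptions constructed for illustration.

```python
"""Toy System Health Validator (SHV) and NAP cycle.

Added example, not the presentation's or any vendor's code. Field names,
action names and the sample policy/client below are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class HealthPolicy:
    """What the health servers push to the policy server (assumed fields)."""
    firewall_required: bool = True
    required_services: frozenset = frozenset()
    forbidden_services: frozenset = frozenset()
    blocked_tcp_ports: frozenset = frozenset()
    antivirus_max_age_days: int = 7


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client's System Health Agent reports (assumed fields)."""
    client_id: str
    firewall_enabled: bool
    running_services: frozenset
    open_tcp_ports: frozenset
    antivirus_running: bool
    antivirus_signature_age_days: int


@dataclass
class Decision:
    compliant: bool
    failures: list        # human-readable reasons for the restriction
    remediation: list     # (action, argument) pairs for the remediation server


def validate(soh: StatementOfHealth, policy: HealthPolicy) -> Decision:
    """SHV step: compare the SoH against policy, collecting every failure."""
    failures, fixes = [], []

    def fail(msg, action, arg=None):
        failures.append(msg)
        fixes.append((action, arg))

    if policy.firewall_required and not soh.firewall_enabled:
        fail("host firewall disabled", "enable_firewall")
    for svc in sorted(policy.required_services - soh.running_services):
        fail(f"required service not running: {svc}", "start_service", svc)
    for svc in sorted(policy.forbidden_services & soh.running_services):
        fail(f"forbidden service running: {svc}", "stop_service", svc)
    for port in sorted(policy.blocked_tcp_ports & soh.open_tcp_ports):
        fail(f"blocked TCP port open: {port}", "close_port", port)
    if not soh.antivirus_running:
        fail("anti-virus not running", "start_antivirus")
    elif soh.antivirus_signature_age_days > policy.antivirus_max_age_days:
        fail(f"anti-virus signatures {soh.antivirus_signature_age_days} days old",
             "update_antivirus")
    return Decision(compliant=not failures, failures=failures, remediation=fixes)


def network_access(decision: Decision) -> str:
    """Network Access Device step: full intranet or the restricted network."""
    return "full" if decision.compliant else "restricted"


def remediate(soh: StatementOfHealth, decision: Decision) -> StatementOfHealth:
    """Simulate the remediation server applying each fix; returns the new SoH."""
    fw, av_running, av_age = soh.firewall_enabled, soh.antivirus_running, soh.antivirus_signature_age_days
    services, ports = set(soh.running_services), set(soh.open_tcp_ports)
    for action, arg in decision.remediation:
        if action == "enable_firewall":
            fw = True
        elif action == "start_service":
            services.add(arg)
        elif action == "stop_service":
            services.discard(arg)
        elif action == "close_port":
            ports.discard(arg)
        elif action == "start_antivirus":
            av_running = True
        elif action == "update_antivirus":
            av_age = 0
    return replace(soh, firewall_enabled=fw, running_services=frozenset(services),
                   open_tcp_ports=frozenset(ports), antivirus_running=av_running,
                   antivirus_signature_age_days=av_age)


def nap_cycle(soh: StatementOfHealth, policy: HealthPolicy) -> list:
    """BUILD2-BUILD10: validate, restrict and remediate if needed, re-validate.
    Returns one (client_id, access, failures) tuple per validation pass."""
    first = validate(soh, policy)
    trace = [(soh.client_id, network_access(first), first.failures)]
    if first.compliant:
        return trace
    second = validate(remediate(soh, first), policy)
    trace.append((soh.client_id, network_access(second), second.failures))
    return trace


# Constructed sample policy and a deliberately out-of-date client.
POLICY = HealthPolicy(required_services=frozenset({"sshd", "clamd"}),
                      forbidden_services=frozenset({"telnetd"}),
                      blocked_tcp_ports=frozenset({23, 445}),
                      antivirus_max_age_days=7)
STALE_CLIENT = StatementOfHealth("lin-ws01", firewall_enabled=False,
                                 running_services=frozenset({"sshd", "telnetd"}),
                                 open_tcp_ports=frozenset({22, 23}),
                                 antivirus_running=True,
                                 antivirus_signature_age_days=30)

if __name__ == "__main__":
    for client, access, why in nap_cycle(STALE_CLIENT, POLICY):
        print(client, access, why)
```

Running the block prints the two passes from the diagram: the first pass is restricted with five failures, the second, after remediation, is granted full access with none. The remediation list is kept structured rather than free text so a remediation server could act on it directly.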
Enforcement works virtually the same whether you are using DHCP, VPN, 802.1X, or IPsec: healthy clients are given full access and unhealthy clients are restricted.
Administrators can configure Dynamic Host Configuration Protocol (DHCP) Enforcement, virtual private network (VPN) Enforcement, IEEE 802.1X Enforcement, Internet Protocol security (IPsec) Enforcement, or all four, depending on their network needs.
Network Access Protection provides an infrastructure and an API set for extending Network Access Protection functionality. Vendors and software developers can use the API set to build their own network policy validation, ongoing network policy compliance, and network isolation components that are compatible with Network Access Protection. Network Access Protection allows for customer choice by providing options beyond just DHCP and VPN enforcement. Some extra benefits of IPsec-based enforcement include the ability to isolate unhealthy clients. In addition, secure enforcement cannot be bypassed by a client that reconfigures itself or by use of hubs and virtual PC technology. With IPsec, infrastructure upgrades aren't necessary, because it works with today's switches and routers. IPsec also offers flexible isolation: healthy systems can connect to quarantined systems but not vice versa, and the isolation model defined by policy
Microsoft recommends that organizations use the enforcement mechanisms in combination. Each customer is different and will need to assess many factors, such as risk, business models, health policies and management, access scenarios, infrastructure investments, and upgrade schedule, among other things. NAP empowers the customer to make a selection based on the unique circumstances of a customer’s environment without compromising on the need for a strong, multi-layered network security and access policy management solution.