Scribd
Upload
163 views

Network Access Protection (NAP)

Network Access Protection (NAP) aims to detect and remediate unhealthy clients on a network. It uses a System Health Agent (SHA) on clients to report health status to a System Health Validator (SHV) that enforces compliance. Enforcement can occur through IPSec health checks, 802.1x authentication on switches/APs, or DHCP compliance. NAP components include the SHA, SHV, remediation servers, and RADIUS or Active Directory servers.

Uploaded by

Rixwan Ahmed Khan
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
163 views

Network Access Protection (NAP)

Network Access Protection (NAP) aims to detect and remediate unhealthy clients on a network. It uses a System Health Agent (SHA) on clients to report health status to a System Health Validator (SHV) that enforces compliance. Enforcement can occur through IPSec health checks, 802.1x authentication on switches/APs, or DHCP compliance. NAP components include the SHA, SHV, remediation servers, and RADIUS or Active Directory servers.

Uploaded by

Rixwan Ahmed Khan
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
You are on page 1/ 15

NETWORK ACCESS PROTECTION

Need for NAP NAP Component Enforcement Types

NEED FOR NAP: A single vulnerable host poses threat to entire network Especially laptop, guests or home Need to detect + Remediate unhealthy clients Little or No user action Restricted network until resolve Full network IP Healthy

NAP COMPONENTS: System Health Agent (SHA) NAP Client (security center) Report health stat Vista, XP-SP3 System Health Validator (SHV) NAP on W2K8

Possibly Combined With Radius Remediation Servers Antivirus updates WSUS RADIUS (Remote Access Dial-In User Server) AAA (Authentication, Authorization, Accounting) CA (Certificate Authority) Must be W2K8 Vender SHA/SHV Pair

ENFORCMENT TYPES: IPSec Health Check Health Cert Can be IP Address or Port-Specific W2K8 CA required 802.1x Switch/ AP Constant Monitoring ACL VLAN VPN W2K8 Packet Filter DHCP Compliant clients: Full access IP configuration Non-Compliant: Single Host Routes

CONFIGURING NAP:

Administrative templates Windows Components Security Center 'Turn On security center

Windows 7 Client > run > ipconfig /all 'show no default gateway' Windows 7 Client > run > route print 'no default route' Windows 7 Client > run > ping 192.168.1.39 Windows 7 Client > run > netsh nap client show state

Windows 7 Client > run > ipconfig /release Windows 7 Client > run > ipconfig /renew Windows 7 Client > run > route printr 'default gateway show if its healthy client' Windows 7 Client > web > google.com 'if its healthy client'

You might also like