Archive for the ‘design’ Category

Network Access Protection Design Guide wins big at Society of Technical Communication (STC) awards!

February 5th, 2009

Greg Lindsay (writer) and Allyson Adley (editor) won the Online Best of Show award for the NAP Design Guide at the Puget Sound Chapter of the Society for Technical Communication (STC) awards ceremony on January 29th.

Congratulations Greg and Allyson for the fantastic technical documentation on NAP!

NAP Product Team

Categories: design, Resources

What is NAP traffic?

January 6th, 2009

Here is a question posed by a member of the NAP community:

- What new traffic will there be on the network when I deploy NAP?

A NAP deployment can have the following additional sets of network traffic:

- Traffic between the NAP client and the NAP enforcement point. The nature of this traffic depends on the NAP enforcement method.
  - For IPsec enforcement, the NAP client communicates with the HRA using HTTP or HTTPS to indicate its identity and health state and to receive the system health evaluation results and the health certificate.
  - For 802.1X enforcement, the NAP health evaluation is done over PEAP-TLV, resulting in a small amount of additional EAPOL traffic to send the health state and health evaluation results between the NAP client and the switch or wireless access point.
  - For VPN enforcement, the NAP health evaluation is done over PEAP-TLV, resulting in a small amount of additional PPP traffic to send the health state and health evaluation results between the NAP client and the VPN server.
  - For DHCP enforcement, the NAP health evaluation is done using the same DHCP messages that are already being used for DHCP address allocation, resulting in larger payloads for some DHCP messages, but no additional messages.
  - For TS Gateway enforcement, the NAP health evaluation is done over the Remote Procedure Call (RPC) over HTTP protocol that is used for connections to a TS Gateway server, resulting in a small amount of additional traffic to send the health state between the TS Gateway client and the TS Gateway server.
- Traffic between the NAP enforcement point and the NAP health policy server. This is RADIUS traffic, consisting of one or more exchanges of RADIUS request and response messages. RADIUS traffic is UDP-based and adds minimal additional traffic on your network.
- Traffic between the NAP enforcement point and other servers. The most obvious example is the traffic between the Health Registration Authority (HRA) and an Active Directory domain controller and a certification authority (CA) to authenticate the NAP client and obtain a health certificate.
- Traffic between the NAP health policy server and health requirement servers. This traffic depends on the SHVs running on the NAP health policy server. The Windows Security Health Validator (WSHV) does not require communication with health requirement servers.
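The traffic classes above double as an allowlist: once you know which flows a NAP deployment introduces, you can write firewall rules for exactly those and treat anything else between the same hosts as worth a look. The following Python script is an added example, not code from the original post or from Microsoft. It builds the expected-flow set for one enforcement method (including the WSHV caveat for health requirement servers) and checks flow-log records against it. The role names, the port numbers (RADIUS 1812/1813, DHCP 67, HTTP 80/HTTPS 443, and 443 assumed for RPC over HTTPS to TS Gateway) and the sample addresses and records are assumptions or constructed data.

```python
"""Expected NAP flows as an allowlist, checked against flow-log records.

Added example, not code from the original post or from Microsoft. Role names,
the port numbers (RADIUS 1812/1813, DHCP 67, HTTP 80/HTTPS 443, and 443 assumed
for RPC over HTTPS to TS Gateway) and the sample addresses and records are
assumptions or constructed data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str               # role of the sending host
    dst: str               # role of the receiving host
    proto: Optional[str]   # "tcp", "udp", "eapol"; None = any (post gives no detail)
    dport: Optional[int]   # destination port; None = any / not applicable

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (self.src == src and self.dst == dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# Enforcement point <-> NAP health policy server: RADIUS over UDP, every method.
RADIUS: Set[Flow] = {
    Flow("enforcement_point", "nps", "udp", 1812),   # authentication
    Flow("enforcement_point", "nps", "udp", 1813),   # accounting
}

# Client <-> enforcement point traffic per method, plus the back-end flows the
# post names for IPsec (the HRA, acting as enforcement point, reaches a DC and a CA).
BY_METHOD: Dict[str, Set[Flow]] = {
    "ipsec": {
        Flow("client", "enforcement_point", "tcp", 80),    # HRA over HTTP
        Flow("client", "enforcement_point", "tcp", 443),   # HRA over HTTPS
        Flow("enforcement_point", "dc", None, None),       # authenticate the client
        Flow("enforcement_point", "ca", None, None),       # obtain the health certificate
    },
    "802.1x": {Flow("client", "enforcement_point", "eapol", None)},  # link-layer, not in IP flow logs
    "vpn": set(),                                                    # rides inside the existing PPP session
    "dhcp": {Flow("client", "enforcement_point", "udp", 67)},        # same DHCP messages, larger payloads
    "tsgateway": {Flow("client", "enforcement_point", "tcp", 443)},  # RPC over HTTP(S), port assumed
}


def expected_flows(method: str, shv_uses_health_servers: bool = False) -> Set[Flow]:
    """Allowlist of the flows a NAP deployment adds for one enforcement method."""
    flows = set(RADIUS) | BY_METHOD[method]
    if shv_uses_health_servers:
        # The WSHV needs no health requirement server; other SHVs may.
        flows.add(Flow("nps", "health_requirement_server", None, None))
    return flows


Record = Tuple[str, str, str, Optional[int]]   # (src_ip, dst_ip, proto, dport)


def audit(method: str, role_by_ip: Dict[str, str], records: Iterable[Record],
          shv_uses_health_servers: bool = False) -> Tuple[List[Record], List[Record]]:
    """Split flow-log records into those the NAP design explains and the rest.

    Hosts with no known role never match, so a client speaking RADIUS directly,
    or an unknown box talking to the NPS, always lands in the second list.
    """
    allow = expected_flows(method, shv_uses_health_servers)
    explained: List[Record] = []
    unexplained: List[Record] = []
    for rec in records:
        src_ip, dst_ip, proto, dport = rec
        s = role_by_ip.get(src_ip, "unknown")
        d = role_by_ip.get(dst_ip, "unknown")
        if any(f.matches(s, d, proto, dport) for f in allow):
            explained.append(rec)
        else:
            unexplained.append(rec)
    return explained, unexplained


# Constructed sample: a small IPsec-enforcement deployment and six flow records.
SAMPLE_ROLES: Dict[str, str] = {
    "10.0.1.10": "client", "10.0.2.5": "enforcement_point",
    "10.0.2.6": "nps", "10.0.2.7": "dc", "10.0.2.8": "ca",
}
SAMPLE_RECORDS: List[Record] = [
    ("10.0.1.10", "10.0.2.5", "tcp", 443),   # client -> HRA health state / certificate
    ("10.0.2.5", "10.0.2.6", "udp", 1812),   # HRA -> NPS RADIUS
    ("10.0.2.5", "10.0.2.7", "tcp", 389),    # HRA -> DC
    ("10.0.2.5", "10.0.2.8", "tcp", 135),    # HRA -> CA
    ("10.0.1.10", "10.0.2.6", "udp", 1812),  # client speaking RADIUS to NPS: not a NAP flow
    ("10.0.1.10", "10.0.2.5", "tcp", 22),    # client -> HRA on an unrelated port
]

if __name__ == "__main__":
    ok, odd = audit("ipsec", SAMPLE_ROLES, SAMPLE_RECORDS)
    print("explained by the NAP design:", *ok, sep="\n  ")
    print("not explained, worth a look:", *odd, sep="\n  ")
```

Entries with `None` for protocol or port are deliberate wildcards: the post says the HRA talks to a domain controller and a CA but does not name the protocols, so the allowlist accepts any flow between those roles rather than inventing ports. Tighten those entries to what your own packet captures show once the deployment is up.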


 

Joe Davies
Senior Program Manager

Categories: design, Troubleshooting

The no enforcement design for NAP

December 23rd, 2008

Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.


The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.


To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access for the NAP Enforcement settings.


Note: For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.


For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.


 

Joe Davies

Categories: Deployments, design
