Monday, April 21, 2014

Network Access Protection Design Guide

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
Network Access Protection (NAP) is one of the most anticipated features of the Windows Server® 2008 operating system. NAP is a new platform that allows network administrators to define specific levels of network access based on a client’s identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation) and then dynamically increasing its level of network access. NAP is supported by Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista®, and Windows® XP with Service Pack 3 (SP3). NAP includes an application programming interface that developers and vendors can use to integrate their products and leverage this health state validation, access enforcement, and ongoing compliance evaluation. For more information about the NAP API, see Network Access Protection (http://go.microsoft.com/fwlink/?LinkId=128423).
The following are key NAP concepts:
  • NAP Agent. A service included with Windows Server 2008, Windows Vista, and Windows XP with SP3 that collects and manages health information for NAP client computers.
  • NAP client computer. A computer that has the NAP Agent service installed and running, and is providing its health status to NAP server computers.
  • NAP-capable computer. A computer that has the NAP Agent service installed and running and is capable of providing its health status to NAP server computers. NAP-capable computers include computers running Windows Server 2008, Windows Vista, and Windows XP with SP3.
  • Non-NAP-capable computer. A computer that cannot provide its health status to NAP server components. A computer that has NAP agent installed but not running is also considered non-NAP-capable.
  • Compliant computer. A computer that meets the NAP health requirements that you have defined for your network. Only NAP client computers can be compliant.
  • Noncompliant computer. A computer that does not meet the NAP health requirements that you have defined for your network. Only NAP client computers can be noncompliant.
  • Health status. Information about a NAP client computer that NAP uses to allow or restrict access to a network. Health is defined by a client computer's configuration state. Some common measurements of health include the operational status of Windows Firewall, the update status of antivirus signatures, and the installation status of security updates. A NAP client computer provides health status by sending a message called a statement of health (SoH).
  • NAP health policy server. A NAP health policy server is a computer running Windows Server 2008 with the Network Policy Server (NPS) role service installed and configured for NAP. The NAP health policy server uses NPS policies and settings to evaluate the health of NAP client computers when they request access to the network, or when their health state changes. Based on the results of this evaluation, the NAP health policy server instructs whether NAP client computers will be granted full or restricted access to the network.
For more information, see Appendix B: Reviewing Key NAP Concepts.
This guide is intended for use by an infrastructure specialist or system architect. The guide provides recommendations to help you plan a new NAP deployment based on the requirements of your organization and the particular design that you want to create. It highlights your main decision points as you plan your NAP deployment. Before you read this guide, you should have a good understanding of your organizational requirements and the way NAP works.
This guide describes a set of deployment goals that are based on the primary NAP enforcement methods. It helps you determine the most appropriate enforcement method and corresponding design for your environment. You can use these deployment goals to create a comprehensive NAP design that meets the needs of your environment.
The following NAP enforcement methods are described in this guide:
  • NAP with IPsec enforcement
  • NAP with 802.1X enforcement
  • NAP with VPN enforcement
  • NAP with DHCP enforcement
  • NAP-NAC enforcement
Note: The TS Gateway enforcement method is not discussed in this guide. For more information, see TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=167919).

For each enforcement method, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your NAP deployment. After you read this guide and finish gathering, documenting, and mapping your organization's requirements, you will have the information you need to begin deploying NAP using the guidance in the Network Access Protection Deployment Guide.
For a list of NAP-related terms, see NAP Terminology.

Friday, April 18, 2014

NAP Enforcement for 802.1X

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Network Access Protection (NAP) enforcement for 802.1X port-based network access control is deployed by using a server running Network Policy Server (NPS) and an Extensible Authentication Protocol (EAP) host enforcement client component. With 802.1X port-based enforcement, the NPS server instructs an 802.1X authenticating switch or an 802.1X-compliant wireless access point to place noncompliant 802.1X clients on a remediation network. The NPS server limits network access by the client to the remediation network by applying IP filters or a virtual LAN identifier to the connection. 802.1X enforcement provides strong network restriction for all computers accessing the network by using 802.1X-capable network access servers.

Requirements for 802.1X wired

To deploy NAP with 802.1X wired, you must configure the following:
  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.
  • Install and configure 802.1X authenticating switches.
  • Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.
  • Configure the Windows Security Health Validator (WSHV) or install and configure other system health agents (SHAs) and system health validators (SHVs), depending on your NAP deployment.
  • If you are using Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) or EAP-TLS with smart cards or certificates, deploy a public key infrastructure (PKI) with Active Directory® Certificate Services (AD CS).
  • If you are using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), issue server certificates with either AD CS or purchase server certificates from another trusted root certification authority (CA).

Requirements for 802.1X wireless

To deploy NAP with 802.1X wireless, you must configure the following:
  • In NPS, configure connection request policy, network policy, and NAP health policy. You can configure these policies individually by using the NPS console, or you can use the New Network Access Protection wizard.
  • Install and configure 802.1X wireless access points.
  • Enable the NAP EAP enforcement client and the NAP service on NAP-capable client computers.
  • Configure the WSHV or install and configure other SHAs and SHVs, depending on your NAP deployment.

Tuesday, April 15, 2014

Software (Package) Management in Solaris

Files involved:
/var/sadm/install/contents    - Contains the list of installed packages

Commands:

1. To install all packages available on the CD-ROM:
# pkgadd -d /cdrom/cdrom

2. To install a specific package from the /mnt directory:
# pkgadd -d /mnt SUNWaudio

3. To copy a package from the /mnt directory to a spool directory (without installing it):
# pkgadd -d /mnt -s spooldir SUNWaudio

4. To list the contents of a spool directory:
# pkginfo -d spooldir

5. To find the package "abc" in the installed package list:
# pkginfo | grep abc

6. To list detailed information on an installed package:
# pkginfo -l SUNWcar

7. To check the consistency of an installed package (its files against the package database):
# pkgchk -v SUNWaudio

8. To find out which package a file belongs to:
# pkgchk -l -p /usr/bin/ls

9. To uninstall a package:
# pkgrm SUNWaudio

10. To remove a package from a spool directory:
# pkgrm -s spooldir SUNWcar
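The package database behind items 7 and 8 can also be read offline, which is how a forensic check of a Solaris host works when you would rather not trust the host's own pkgchk. The script below is an added example, not part of the original post; it assumes the record layouts listed in its header comment for /var/sadm/install/contents and uses constructed records, so the paths and packages shown are not from any real system.

```sh
#!/bin/sh
# Added example (not from the original post): audit the Solaris package
# database offline. Records in /var/sadm/install/contents are assumed to read
#   path f|e|v class mode owner group size cksum modtime package...
#   path d|x   class mode owner group package...
#   path=target s|l class package...
# The records below are constructed, not copied from a real host.
CONTENTS_SAMPLE=/tmp/contents.sample.$$
cat >"$CONTENTS_SAMPLE" <<'EOF'
/usr/bin/ls f none 0555 root bin 18976 23456 1234567890 SUNWcsu
/usr/bin/passwd f none 6555 root sys 30256 11111 1234567890 SUNWcsu
/usr/bin/audioplay f none 0555 root bin 4096 22222 1234567890 SUNWaudio
/usr/lib d none 0755 root bin SUNWcsr SUNWcsu
/usr/bin/sh=../../sbin/sh s none SUNWcsu
/etc/passwd e passwd 0644 root sys 1000 33333 1234567890 SUNWcsr
EOF

# owner_of PATH [FILE]: print the package(s) owning PATH, the offline
# equivalent of "pkgchk -l -p PATH". The package list starts at a different
# field depending on the record type.
owner_of() {
    awk -v p="$1" '
        { path = $1; sub(/=.*/, "", path) }
        path == p {
            if ($2 ~ /^[fev]$/)     start = 10
            else if ($2 ~ /^[dx]$/) start = 7
            else                    start = 4
            out = ""
            for (i = start; i <= NF; i++) out = out (i > start ? " " : "") $i
            print out
        }' "${2:-$CONTENTS_SAMPLE}"
}

# setid_files [FILE]: list files whose recorded mode carries setuid or setgid
# (first octal digit 2-7) as "path mode owner package". Comparing this list
# with "find / -perm -4000" shows set-id binaries that no package installed.
setid_files() {
    awk '$2 ~ /^[fev]$/ && $4 ~ /^[2-7][0-7][0-7][0-7]$/ { print $1, $4, $5, $10 }' \
        "${1:-$CONTENTS_SAMPLE}"
}

owner_of /usr/bin/passwd
setid_files
```

On a real host, pass /var/sadm/install/contents (or a copy taken from the system under review) as the FILE argument.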

Device Management in Solaris

Associated Directories:

/dev - Contains logical device files
/devices - Contains physical device files

Commands :

1. To clean up the files for non-existent devices :
# devfsadm -C

2. To clean up the files for non-existent tape drive devices with detailed output :
# devfsadm -C -c tape -v

3. To scan for new devices :
# devfsadm

4. To scan for new disk drive :
# devfsadm -c disk

5. How to do a reconfigure reboot for connecting a new device:

Option 1:
# touch /reconfigure
# sync;sync;sync
# shutdown -y -i 0
(connect the new device, then boot the server)

Option 2:
# shutdown -y -i 0
(connect the new device, then run "boot -r" from the OK prompt)

Option 3:
# reboot -- -r 

Network Configuration in Solaris

Configuration Files :

File containing the domain name:
/etc/defaultdomain

File containing the IP address of default router:
/etc/defaultrouter

File containing the name resolution order:
/etc/nsswitch.conf

File containing the IP address (or hostname) of the hme0 interface:
/etc/hostname.hme0

To set DNS server and search order :
/etc/resolv.conf

To set hostname :
/etc/nodename

File containing the IP Address to hostname mapping :
/etc/inet/hosts

File containing network services and their corresponding port numbers :
/etc/inet/services

File containing the subnet masks:
/etc/inet/netmasks

Create the file below to prevent the in.routed daemon from starting:
/etc/notrouter

Internet Super Daemon Configuration File:
/etc/inet/inetd.conf

Commands :

1. To show the link status of a network adapter:

a. To show the link status of ce1:
# kstat ce:1 | grep link

        link_asmpause   0
        link_duplex     2
        link_pause      0
        link_speed      100
        link_T4         0
        link_up         1

where link_duplex = 0 means link down
                    1 means half duplex
                    2 means full duplex

where link_speed = 0 means link down
                   10 means 10 Mbps
                   100 means 100 Mbps
                   1000 means 1 Gbps

For ce and bge interfaces, use the kstat command to return NIC settings.
All other interfaces should use ndd to determine NIC settings.

b. To show the link status of hme0:

# ndd -set /dev/hme instance 0
# ndd -get /dev/hme link_mode
# ndd -get /dev/hme link_speed

2. To set the duplex and link speed of a network interface:

a. To set 100 Mbps full duplex on the hme1 interface:

# ndd -set /dev/hme instance 1
# ndd -set /dev/hme adv_100hdx_cap 0
# ndd -set /dev/hme adv_100fdx_cap 1
# ndd -set /dev/hme adv_autoneg_cap 0
# ndd -set /dev/hme link_speed 100

Then add the lines below to /etc/system to make the setting permanent:

 set hme:hme_adv_autoneg_cap=0
 set hme:hme_adv_100hdx_cap=0
 set hme:hme_adv_100fdx_cap=1
 set hme:hme_link_speed=100

For a ce interface, use the commands below to set the current values and add them to a startup script.

Do not add these to /etc/system for ce; it does not work there.

ndd -set /dev/ce instance 0
ndd -set /dev/ce adv_1000fdx_cap 0
ndd -set /dev/ce adv_1000hdx_cap 0
ndd -set /dev/ce adv_100fdx_cap 1
ndd -set /dev/ce adv_100hdx_cap 0
ndd -set /dev/ce adv_10fdx_cap 0
ndd -set /dev/ce adv_10hdx_cap 0
ndd -set /dev/ce adv_autoneg_cap 0

3. To set the default router:

# route add default 192.168.1.1
Also add the router address to /etc/defaultrouter to make this permanent.

4. To remove the current default route:

# route delete default 192.168.1.1
Also remove it from /etc/defaultrouter to make this change permanent.

5. How to change the hostname:

a. Change the hostname in the file /etc/nodename to make this change permanent.
b. Use the uname command to change the current value:
# uname -S newname
c. Change the name in /etc/hosts.
d. Change the name in the DNS records.
e. Change the hostname in /etc/hostname.networkinterface.
f. Change the name in the files /etc/net/ticlts/hosts, /etc/net/ticots/hosts, and /etc/net/ticotsord/hosts, if applicable.
g. Change the name in /etc/inet/ipnodes (Solaris 10 only).
h. Reboot the system to avoid any issues.

6. To disable a network interface:
# ifconfig hme1 unplumb

7. To enable it:
# ifconfig hme1 plumb

8. To bring it down (the interface stays plumbed):
# ifconfig hme1 down

9. To display the network interface table:
# ifconfig -a
# netstat -i
# netstat -in

10. To set the IP address on the qfe0 network interface:
# ifconfig qfe0 191.133.23.10 netmask 255.255.255.0 up

To make this permanent, put the hostname (or IP address) in /etc/hostname.qfe0, add the hostname-to-IP mapping in /etc/hosts, and add the subnet mask to /etc/netmasks.

11. To set an IP alias on qfe0:
# ifconfig qfe0:1 191.133.23.10 netmask 255.255.255.0 up

To make this permanent, put the hostname (or IP address) in /etc/hostname.qfe0:1, add the hostname-to-IP mapping in /etc/hosts, and add the subnet mask to /etc/netmasks.

12. To add a static route to a network:

# route add -net 140.110.43.0 140.110.3.1

To make this permanent, add this command to a startup script (normally located under /etc/rc2.d).

Installation and Licensing - VxVM and VxFS

Veritas Infrastructure Packages:
VRTSvlic    License utilities
VRTScpi     Common product/platform installer
VRTSperl    Perl used by the installation technology
VRTSjre     Java Runtime Environment redistribution

VxVM Packages:
VRTSvxvm    VxVM binaries
VRTSalloc   VxVM Intelligent Storage Provisioning
VRTSvmdoc   VxVM documentation
VRTSvmman   VxVM manual pages (not for HP-UX)

VEA Packages:
VRTSob      VEA service
VRTSobgui   VEA GUI
VRTSbuob    VEA service localized package for Solaris
VRTSvmpro   Disk management services provider
VRTSfspro   Filesystem services provider
VRTSddlpr   Device Discovery Layer services provider
VRTSap      Veritas Action Provider
VRTStep     Veritas Task Exec Provider

VxFS Packages:
VRTSvxfs    VxFS software and manuals
VRTSfsdoc   VxFS documentation
VRTSfsman   VxFS manual pages

How to install the product ?

You can use any of the below scripts to install VxVM and VxFS products,

installer    - Installs multiple VERITAS products
installvm  - Installs VxVM
installfs    - Installs VxFS
installsf   - Installs Storage Foundation (VxVM and VxFS)

You can also use the below OS specific installation commands to install the packages but finally run "vxinstall" to do initial configuration.

Solaris   : pkgadd
HP-UX : swinstall
AIX      : installp
Linux    : rpm


Commands :
1. To add a license key:
# vxlicinst

2. To view the installed license keys:
# vxlicrep

3. Where the license keys are stored:
/etc/vx/licenses/lic

4. Where the VxVM commands are located:
/etc/vx/bin
/usr/sbin
/usr/lib/vxvm/bin

NFS in Solaris



Configuration Files (along with sample content):

/etc/dfs/dfstab
       share -F nfs -o rw /data
       share -F nfs -o ro=-client1:.max.com /export/share/man

/etc/default/fs      - Lists the default file system type for local file systems
/etc/dfs/fstypes     - Lists the default file system types for remote file systems
/etc/default/nfs     - Lists the lockd and nfsd configuration details
/etc/default/nfslogd - Lists the nfslogd configuration details
/etc/mnttab          - Lists the file systems currently mounted
/etc/rmtab           - Lists the file systems (shares) currently mounted by clients

Daemons:

automountd - Used by autofs
lockd      - Used for file locking
mountd     - Handles mount requests from clients
nfsd       - Main NFS server daemon, which handles client requests
nfslogd    - Handles operational logging

Commands:

1. To share all the filesystems as defined in /etc/dfs/dfstab file
# shareall

2. To view the currently shared filesystems :
# share

3. To start the NFS server services :
# svcadm enable network/nfs/server

4. To mount a share read-only on an NFS client:

# mount -F nfs -o ro server10:/oracle /data/oracle

5. To start autofs:
# svcadm enable system/filesystem/autofs

6. To check whether the NFS server service is running on the server:
# svcs network/nfs/server

7. To check NFS services on a server from a client machine:
# rpcinfo -s nfsserver | egrep 'nfs|mountd'

8. To list the file systems shared by a server from a client machine :
# showmount -e servername
# dfshares servername

9. To list the shares currently mounted by the clients :
# dfmounts
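The two dfstab lines shown under Configuration Files differ in an important way: the first exports /data read-write to every client, the second restricts /export/share/man with an access list. The script below is an added example, not part of the original post; it reviews a dfstab for shares that are open to every host or grant root, using the standard share_nfs option names (rw, ro, rw=, ro=, root=, anon=) and a constructed dfstab.

```sh
#!/bin/sh
# Added example (not from the original post): review /etc/dfs/dfstab for
# shares that are open to every host or hand out root. The option names are
# the standard share_nfs options; the dfstab below is constructed.
DFSTAB_SAMPLE=/tmp/dfstab.sample.$$
cat >"$DFSTAB_SAMPLE" <<'EOF'
# constructed sample /etc/dfs/dfstab
share -F nfs -o rw /data
share -F nfs -o ro=-client1:.max.com /export/share/man
share -F nfs -o rw=client2,root=client2 /export/home
share -F nfs -o ro,anon=0 /export/tools
share -F nfs /export/public
EOF

# audit_dfstab [FILE]: print one finding per risky share as "PATH: reason".
# A bare rw or ro applies to every client; with no ro/rw option at all,
# share_nfs defaults to rw for everyone.
audit_dfstab() {
    awk '
        /^[ \t]*#/ || !/^[ \t]*share[ \t]/ { next }
        {
            opts = ""; path = $NF
            for (i = 1; i < NF; i++) if ($i == "-o") opts = $(i + 1)
            n = split(opts, o, ","); scoped = 0
            for (j = 1; j <= n; j++) {
                if (o[j] == "ro" || o[j] == "rw" || o[j] ~ /^r[ow]=/) scoped = 1
                if (o[j] == "rw")     print path ": read-write to every host"
                if (o[j] == "ro")     print path ": read-only to every host"
                if (o[j] ~ /^root=/)  print path ": root access granted to " substr(o[j], 6)
                if (o[j] == "anon=0") print path ": anonymous requests mapped to root"
            }
            if (!scoped) print path ": read-write to every host (share default)"
        }' "${1:-$DFSTAB_SAMPLE}"
}

audit_dfstab
```

On a real server, run audit_dfstab /etc/dfs/dfstab, or feed it the output of share to review what is exported right now rather than what is configured for the next shareall.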