
Network Access Protection & Network Admission Control

March 10, 2005

Teerapol Tuanpusa, Network Consultant, Cisco Systems Thailand

Jirat Boomuang, Technology Specialist, Microsoft Thailand

Agenda

• Security is a problem of the IT industry
• Security Onion
• A Little History of NAP & NAC
• NAC
• NAP
• Available Products in the Thai Market

Security Onion

A Little History (NAP & NAC)

• Remember TACACS+? (Cisco)
• Remember PPTP? (Microsoft)
• Remember L2TP? (Microsoft + Cisco)
• What we do together: Information Sharing (NAP & NAC); Interoperability between the two architectures; Driving industry standards

Network Admission Control

Guest Speaker: Khun Teerapol Tuanpusa, Cisco Systems Thailand

NAC Presentation

Network Access Protection

Our Security Strategy

• Isolation and Resiliency: A platform more resilient to security threats
• Advanced Updating: Streamline the security update process
• Authentication, Authorization and Access Control: Enable secure business scenarios
• Engineering Excellence: Raise the bar of software security
• Guidance, Tools and Response: Accelerate adoption of best practices

Windows Trustworthy Network Vision

• Secure transparent network
• Network topology is not a trust topology
• All communications are safe and secure

(Diagram: IPsec Policy, Windows Firewall, Mako Anti-Malware, Anti-Virus, Windows Update, XP SP2, SMS)

How do you ENFORCE the health of the client?

Core Functionality

The Network Access Protection system provides three distinct functionalities:

1. Network Policy Validation – is your system healthy?
2. Network Isolation – if you’re not healthy, you’re out!
3. Network Policy Compliance – if you’re not healthy, we’ll help you get there.

Classic VPN Quarantine (WS03)

(Diagram: Internet → Client → RRAS → IAS → Quarantine → Corpnet)

Issues:
• Reskit tool – We put it into SP1!
• Spoofable – not secure
• Hard to implement – manual scripting
• Implementation – Windows Server 2003 VPN only
• Remote access solution only
• No 3rd-party VPN support

Solution: New Quarantine Platform for ALL connection states

How does it look today?How does it look today?


Quarantine Architecture

Components: Policy Server, Enforcers (VPN), Quarantine Coordination, RADIUS/VPN, Policy Validation, State of Health (SoH), APIs, Management Reporting
(Legend: software by Network Quarantine; software by Policy Groups)

Client: What’s my health status?

Quarantine Coordination sequence (Policy Client, Network Access Point, Policy Server):

Policy Client: Can I have access?
Network Access Point: SoH please
Policy Client: I don’t have an SoH
→ Quarantined
Policy Client: I need help!
Policy Server: Policy? Reports, current policy, updates
Policy Client: Health state updated! (sends SoH)
Network Access Point: Is this valid?
Policy Server: Valid
Network Access Point: All clear – Access granted

What is Quarantine Platform?

Clients to be checked: From Home, Returning Laptops, Consultants, Guests, Unhealthy Desktops

Health Checkup: IT checks the “health” of the client – patch level, AV, other scriptable checks

Network Access Control: Access/No Access using R2: DHCP, VPN; Longhorn: IPsec

Health Maintenance: Quarantined clients are given access to fix-up services

Can’t protect against malicious users
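The exchange on the Quarantine Architecture slide (access request, "SoH please", quarantine, "I need help", updates, re-validation, access granted), the three Core Functionality steps, and the Health Checkup criteria (patch level, AV, scriptable checks) modelled as one runnable Python example. This is added illustration code, not Microsoft's NAP implementation or API: the policy thresholds, the zone names, the check names and the remediation steps are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Policy the Policy Server validates against (constructed values for this example).
REQUIRED_PATCH_LEVEL = 5
MAX_AV_SIGNATURE_AGE_DAYS = 7
REQUIRE_FIREWALL = True

# Hypothetical zones the enforcer (DHCP or VPN server) can place a client in.
QUARANTINE = "quarantine"  # reaches the fix-up (update) servers only
CORPNET = "corpnet"        # full access


@dataclass
class ClientState:
    """What the machine actually looks like (what the Policy Clients can observe)."""
    name: str
    patch_level: int
    av_signature_age_days: int
    firewall_on: bool


@dataclass(frozen=True)
class StatementOfHealth:
    """SoH bundled by the Policy Coordination Client from each Policy Client.
    It is self-reported: the Policy Server validates claims, not the machine,
    which is the deck's caveat that NAP can't protect against malicious users."""
    patch_level: int
    av_signature_age_days: int
    firewall_on: bool


def collect_soh(client: ClientState) -> StatementOfHealth:
    """Policy Clients (patch, AV, firewall) report; the coordinator bundles an SoH."""
    return StatementOfHealth(client.patch_level, client.av_signature_age_days, client.firewall_on)


def validate_soh(soh: StatementOfHealth) -> dict[str, str]:
    """Network Policy Validation on the Policy Server.
    Returns the failed checks as {check: reason}; an empty dict means 'Valid'."""
    failures: dict[str, str] = {}
    if soh.patch_level < REQUIRED_PATCH_LEVEL:
        failures["patch"] = f"patch level {soh.patch_level} below required {REQUIRED_PATCH_LEVEL}"
    if soh.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures["antivirus"] = f"AV signatures {soh.av_signature_age_days} days old"
    if REQUIRE_FIREWALL and not soh.firewall_on:
        failures["firewall"] = "host firewall is off"
    return failures


def enforce(failures: dict[str, str]) -> str:
    """Network Isolation at the Network Access Point: full access only when valid."""
    return CORPNET if not failures else QUARANTINE


# Health Maintenance: what each fix-up service does for a failed check (constructed).
REMEDIATIONS = {
    "patch": lambda c: replace(c, patch_level=REQUIRED_PATCH_LEVEL),
    "antivirus": lambda c: replace(c, av_signature_age_days=0),
    "firewall": lambda c: replace(c, firewall_on=True),
}


def remediate(client: ClientState, failures: dict[str, str]) -> ClientState:
    """Apply the fix-up services reachable from quarantine; a check with no
    matching fix-up is left alone, so the client then stays quarantined."""
    for check in failures:
        fix = REMEDIATIONS.get(check)
        if fix is not None:
            client = fix(client)
    return client


def admit(client: ClientState, max_rounds: int = 2) -> tuple[str, list[str], ClientState]:
    """The exchange from the slide: access request, SoH, validation, quarantine
    plus fix-up, re-validation, access granted. Returns (zone, transcript, client)."""
    transcript: list[str] = []
    for _ in range(max_rounds):
        transcript.append(f"{client.name}: Can I have access?")
        transcript.append("Network Access Point: SoH please")
        failures = validate_soh(collect_soh(client))
        zone = enforce(failures)
        if zone == CORPNET:
            transcript.append("Policy Server: Valid -> Access Granted")
            return zone, transcript, client
        transcript.append("Policy Server: Not valid -> Quarantined (" + "; ".join(failures.values()) + ")")
        transcript.append(f"{client.name}: I need help!")
        client = remediate(client, failures)
        transcript.append("Fix-up servers: updates applied -> Health State Updated")
    return QUARANTINE, transcript, client


if __name__ == "__main__":
    # Constructed sample: a returning laptop that is out of date on every check.
    laptop = ClientState("returning-laptop", patch_level=3, av_signature_age_days=30, firewall_on=False)
    zone, log, _ = admit(laptop)
    print("\n".join(log))
    print("final zone:", zone)
```

Running the script prints the two rounds of the exchange: the first validation fails all three checks and the client lands in quarantine, the fix-up step brings it into policy, and the second validation returns "Valid". Note that the Policy Server only ever sees the SoH the client sends, which is exactly why the slide says the platform can't protect against malicious users; the model keeps validation and enforcement separate so that the enforcer (DHCP/VPN) never grants full access on its own judgement.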

Components

Client side:
• Policy Coordination Client
• Policy Client (i.e. Anti-virus)
• Policy Client (i.e. Patch)
• DHCP or VPN Client

Enforcement Technologies (DHCP, VPN):
• DHCP or VPN Server (RADIUS Client)

Server side:
• RADIUS Server / Policy Coordination Server
• Policy Servers (Anti-virus; Patch/System Management, etc.)
• Update Servers (Anti-virus; Patch/System Management, etc.)

Legend: Hardware / Software; Policy Compliance Technologies; Policy Validation Technologies; Network Communications & Isolation Technologies

Infrastructure Updates: What is going to be touched?

Company Network: DHCP Servers, RADIUS Server, VPN/Dial-up Servers, Policy Servers (Anti-virus; Patch/System Management, etc.), Update Servers (Anti-virus; Patch/System Management, etc.)

Isolation Network

Local access machines, Remote access machines

(Legend: = Requires server upgrade or deployment)

* DHCP and VPN are referred to as Enforcement Servers. Enforcement technology can be IPsec.

Roadmap

Feature availability by release (columns: 2003, 2005, Longhorn; marks in the original table are X, X (via CM) and Via 3rd Party):

• Network Enforcement: DHCP, VPN, IPsec
• Clients: XP, XP SP2, Longhorn
• Reporting: Basic Reporting, Enhanced Reporting
• Management: Microsoft SMS, Microsoft WUS, 3rd Party Systems
• Agents: Microsoft SMS, Microsoft WUS, Scripts, 3rd Party Software


Network Access Protection: Key Take-Aways

• Focused on Network Health
  • Not just “quarantine” but on returning clients to a healthy state
  • VPN Quarantine available today on Windows Server 2003
  • Version 2 (DHCP/VPN) shipping in R2
  • Version 3 (IPsec) shipping in Longhorn
• Extensible Architecture
  • Extendable to 3rd-party ISVs
  • Scripting allows additional “custom” checks
• Selectable Network Enforcement
  • DHCP, VPN, IPsec
  • Standard network methods
  • Rich ecosystem of NAP-aware applications

Can’t wait for Longhorn? Try these products

• Software Update Services (SUS): http://www.microsoft.com/windowsserversystem/sus/default.mspx
• MS Baseline Security Analyzer (MBSA): http://www.microsoft.com/technet/security/tools/mbsahome.mspx
• ISA Server 2004: http://www.microsoft.com/isaserver/
• Windows Server 2003’s CMAK: http://www.microsoft.com/windowsserver2003/default.mspx

Network Access Protection Info

External Website: http://www.microsoft.com/nap
External Questions and Feedback: ntprotect@microsoft.com
General: http://www.microsoft.com/security
Security Guidance Center: http://www.microsoft.com/security/guidance
Tools: http://www.microsoft.com/technet/Security/tools


© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
