TRANSCRIPT
May 30th – 31st, 2006, Sheraton Ottawa

Network Access Protection

Gene Ferioli, Program Manager, Customer Advisory Team, Microsoft Corporation
Agenda
Network Access Protection in context
Network Access Protection architecture
How Network Access Protection works
Network Access Protection solution summary
The Four Pillars of Network Access Protection
Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy".
Network Restriction: restricts network access to computers based on their health.
Remediation: provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
Network Access Protection Components

Platform Components
Quarantine Server (QS) = Restricts client's network access based on what SHV certifies.
Quarantine Agent (QA) = Reports client health status, coordinates between SHA and NAD.

Health Components
System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
System Health Validators (SHV) = Certify declarations made by health agents.
System Health Servers = Define health requirements for system components on the client.
Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.

Enforcement Components
Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPsec QECs.
Network Access Devices = Provide network access to healthy endpoints.
Health Registration Authority = Issues certificates to clients that pass health checks.

(Diagram: the Client hosts the Quarantine Agent with SHA1, SHA2, QEC1 and QEC2; it sends Health Statements and Network Access Requests to the Network Access Device & Health Registration Authority, which returns a Health Certificate. The Network Policy Server hosts the Quarantine Server with SHV1 and SHV2 and receives Health Policy Updates from the System Health Servers; the Remediation Servers serve the client.)
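The following is an added example, not code from the presentation or from Microsoft: a small Python model of the four pillars built from the components above. An SHA declares a Statement of Health (SoH), an SHV certifies it against a health policy, the QS turns the verdict into an access decision, and a remediation step fixes only the checks that failed. The policy thresholds, field names and dates (POLICY, TODAY, days_ago, nap_cycle) are constructed for the example; a real SHA/SHV pair is a vendor plug-in validating its own SoH format.

```python
"""Added model of NAP policy validation (not Microsoft code): an SHA declares
health, an SHV certifies the declaration against a health policy, the QS
derives the access decision, and remediation brings the client back.
All policy values, field names and dates are constructed for this example."""
from datetime import date, timedelta

# Constructed health policy; the thresholds are hypothetical.
POLICY = {
    "min_patch_level": 5,         # cumulative patch number the client must have
    "max_signature_age_days": 7,  # AV signatures older than this are stale
    "firewall_required": True,
}
REQUIRED_FIELDS = ("patch_level", "signature_date", "firewall_on")
TODAY = date(2006, 5, 30)  # constructed reference date for the example


def days_ago(n, today=TODAY):
    """Helper for building constructed signature dates."""
    return today - timedelta(days=n)


def sha_declare(patch_level, signature_date, firewall_on):
    """System Health Agent: declare the client's current health (its SoH)."""
    return {"patch_level": patch_level,
            "signature_date": signature_date,
            "firewall_on": firewall_on}


def shv_validate(soh, policy, today):
    """System Health Validator: certify the declaration.
    Returns (compliant, failed_checks). A missing field is a failure: an SoH
    the SHV cannot read must never be treated as healthy."""
    failures = [f"missing:{f}" for f in REQUIRED_FIELDS if f not in soh]
    if failures:
        return False, failures
    if soh["patch_level"] < policy["min_patch_level"]:
        failures.append("patch")
    if (today - soh["signature_date"]).days > policy["max_signature_age_days"]:
        failures.append("antivirus")
    if policy["firewall_required"] and not soh["firewall_on"]:
        failures.append("firewall")
    return (not failures), failures


def qs_decide(soh, policy, today):
    """Quarantine Server: full access only for what the SHV certifies as healthy."""
    compliant, _ = shv_validate(soh, policy, today)
    return "full" if compliant else "restricted"


def remediate(soh, failures, policy, today):
    """Remediation server: fix exactly the checks that failed and return the
    state the SHA will declare next time."""
    fixed = dict(soh)
    if "patch" in failures:
        fixed["patch_level"] = policy["min_patch_level"]
    if "antivirus" in failures:
        fixed["signature_date"] = today
    if "firewall" in failures:
        fixed["firewall_on"] = True
    return fixed


def nap_cycle(soh, policy, today):
    """One pass through the four pillars: validate, restrict, remediate,
    re-validate. Returns (final_access, initial_failures, final_soh)."""
    compliant, failures = shv_validate(soh, policy, today)
    if compliant:
        return "full", [], soh
    fixed = remediate(soh, failures, policy, today)
    return qs_decide(fixed, policy, today), failures, fixed


if __name__ == "__main__":
    stale = sha_declare(3, days_ago(10), False)
    print(nap_cycle(stale, POLICY, TODAY))          # ('full', ['patch', 'antivirus', 'firewall'], {...})
    healthy = sha_declare(5, days_ago(1), True)
    tighter = dict(POLICY, min_patch_level=6)       # Ongoing Compliance: policy change
    print(qs_decide(healthy, tighter, TODAY))       # restricted
```

The validator fails closed: an SoH with a missing field (a client with no SHA for that component) is non-compliant rather than healthy. The last two lines of the stand-alone run show the Ongoing Compliance pillar: raising min_patch_level moves a client that was healthy a moment ago back to restricted access without anything changing on the client.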
Network Access Protection Partners
Networking
Anti-Virus
Endpoint Security
Update/Management
Ecosystem Partners
Microsoft Integration
Systems Integrators
As of November 2005
IPsec-based NAP Walk-through

(Diagram: Host, Remediation Server, Policy Server, HRA and Exchange placed across the Quarantine Zone, Boundary Zone and Protected Zone; the host's access to the network is blocked until a health certificate is issued.)

Host -> HRA: May I have a health certificate? Here's my SoH.
HRA -> Policy Server: Client ok?
Policy Server -> HRA: No. Needs fix-up.
HRA -> Host: You don't get a health certificate. Go fix up.
Host -> Remediation Server: I need updates.
Remediation Server -> Host: Here you go.
Host -> HRA: May I have a health certificate? Here's my SoH.
HRA -> Policy Server: Client ok?
Policy Server -> HRA: Yes. Issue health certificate.
HRA -> Host: Here's your health certificate.
Host -> Exchange: accessing the network with the health certificate.
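As an added example (not from the deck and not Microsoft's implementation), the exchange above in Python: the HRA issues a health certificate only when the policy server approves the SoH, and a server in the protected zone (the Exchange host in the slide) accepts a connection only from the holder of a valid certificate. An HMAC-signed token stands in for the X.509 health certificate a real HRA obtains from a CA; HRA_KEY, CERT_LIFETIME, NOW, the SoH fields and the zone names are assumptions made for the example.

```python
"""Added model of IPsec-based NAP enforcement (not Microsoft code). The HRA
issues a health certificate only when the policy server approves the SoH;
a peer in the protected zone accepts a connection only from a holder of a
valid certificate. An HMAC-signed token stands in for the X.509 health
certificate; key, lifetime, clock and SoH fields are constructed."""
import hashlib
import hmac
import json

HRA_KEY = b"constructed-hra-signing-key"  # hypothetical; a real HRA fronts a CA
CERT_LIFETIME = 4 * 3600                  # hypothetical lifetime, seconds
NOW = 1149000000                          # constructed epoch time for the example


def policy_server_ok(soh):
    """Stand-in for the policy server's SHV check on the SoH."""
    return soh.get("patched") is True and soh.get("av_current") is True


def hra_request_certificate(client_id, soh, now):
    """Client -> HRA: 'May I have a health certificate? Here's my SoH.'
    Returns (certificate or None, HRA's reply)."""
    if not policy_server_ok(soh):
        return None, "No. Needs fix-up. You don't get a health certificate."
    body = {"sub": client_id, "nbf": now, "exp": now + CERT_LIFETIME}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(HRA_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, "Here's your health certificate."


def cert_valid(cert, now):
    """Check signature and validity window; anything unverifiable is unhealthy."""
    if not cert:
        return False
    expected = hmac.new(HRA_KEY, cert["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False
    body = json.loads(cert["payload"])
    return body["nbf"] <= now < body["exp"]


def peer_accepts(zone, presented_cert, now):
    """Connection policy of a server by zone: boundary-zone hosts (HRA,
    remediation) must be reachable by unhealthy clients; protected-zone
    hosts reject any peer without a valid health certificate."""
    if zone == "boundary":
        return True
    if zone == "protected":
        return cert_valid(presented_cert, now)
    return False  # quarantine zone or unknown zone: deny by default


def remediate(soh):
    """Remediation server: 'Here you go.' Returns the fixed-up SoH."""
    return dict(soh, patched=True, av_current=True)


def walk_through(client_id, soh, now):
    """The exchange in the slide: denied, fix-up, re-request, then connect."""
    cert, reply = hra_request_certificate(client_id, soh, now)
    steps = [reply]
    if cert is None:
        steps.append("Go fix up. I need updates.")
        soh = remediate(soh)
        cert, reply = hra_request_certificate(client_id, soh, now)
        steps.append(reply)
    ok = peer_accepts("protected", cert, now)
    steps.append("Exchange accepts" if ok else "Exchange rejects")
    return steps


if __name__ == "__main__":
    for line in walk_through("host-1", {"patched": False, "av_current": True}, NOW):
        print(line)
```

Verification fails closed: a missing, tampered or expired certificate is treated the same as no certificate, which is how "healthy peers reject connection requests from unhealthy systems" holds without the peer ever seeing the SoH. Boundary-zone hosts (HRA, remediation servers) must still accept unauthenticated peers, otherwise a quarantined client could never get healthy.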
NAP - Enforcement Options

Enforcement                     | Healthy Client                         | Unhealthy Client
DHCP                            | Full IP address given, full access     | Restricted set of routes
VPN (Microsoft and 3rd Party)   | Full access                            | Restricted VLAN
802.1X                          | Full access                            | Restricted VLAN
IPsec                           | Can communicate with any trusted peer  | Healthy peers reject connection requests from unhealthy systems

IPsec: complements layer 2 protection; works with existing servers and infrastructure; flexible isolation.

802.1X and IPsec = Customer Choice
NAP supports both
Each has advantages and weaknesses
Integrated defense in depth at multiple layers
Fast network access for healthy clients
Standard 802.1X authentication; extensions to PEAP and 802.1X not required
Network agnostic but network vendors able to innovate and provide value
Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate
Deploy in combination according to needs, risks, existing infrastructure and upgrade schedule
NAP is coming in Longhorn. Why should I start work now?
Customers can take advantage of the time they have to prepare their networks for the new model.
Deployment preparation tasks:
Health Modeling
Exemption Analysis
Health Policy Zoning
Secure Network Infrastructure Analysis
IAS (RADIUS) Deployment
Zone Enforcement Selection
Rollout Planning and Change Process Control
Success Matrices and Measures
Solution Take-Aways
Policy driven access control
Windows platform pieces with health and enforcement plug-ins
Integrated defense in depth at multiple layers
Customer choice – flexible, selectable enforcement
Protect network access, host access, application access in any combination as needed where appropriate
Based on customer need, risk assessment, existing infrastructure, upgrade cycle
Broad industry support
Extensible platform architecture – network vendors able to innovate and provide value
Standards-based approach means a multi-vendor, end-to-end solution
Full ecosystem of partners (75+) means customer investments will be preserved
Resources & Contacts
Web site and whitepapers: www.microsoft.com/nap
Information on SDK distribution: [email protected]
Questions or feedback: [email protected]
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Health Modeling
What do I consider healthy for my network?
Do I have a written and approved health policy?
More than a technical discussion – different areas and divisions will have different policies.
What are the corporate basics? What are the niche policies?
  Basics: Anti-virus, Patch Control, Personal Firewall, etc.
  Niche: Specialized OS Config, Application Sets, PKI allotments, etc.
Allot the time and resource to assess your corporate risk areas
Health control should be a top-down mandate for the enterprise
Allot the time to work with divisions and their architects
Exemption Analysis
Who gets a "pass"?
Basic exemptions will be supplied by default (OS level and type)
Exemptions need to be manageable
Work up an exemption documentation process - eventually you will want to know where the holes are!
Mitigation plans for the exemptions
Can we isolate them through other means?
  IP Segmentation
  VLAN Control
  Extranet/Guest Access
  VPN
Zacme IAS (RADIUS) Deployment

(Diagram: Remote Access clients (Dial-up/ADSL, VPN) and LAN Access clients (802.1x Wireless/Wired – infrastructure based; DHCP/IPsec – logic based) reach the Corporate Network through an IAS/RADIUS Proxy and IAS/RADIUS Server that authenticate against Active Directory.)

Single sign on to network resources
Single client for all access methods
Detailed monitoring and logging tools
RADIUS proxy & load balance
NAP health policy control
Secure Network Infrastructure Analysis
Enforcement First – Health Second
NAP cannot protect the network from malicious users and systems
NAP is designed as the health overlay to the network security systems
NAP is dependent on its enforcement mechanisms
IPsec, VPN, 802.1x and DHCP need to be designed and deployed as security solutions in their own right prior to overlaying health control.
Zone Enforcement Selection
Wired/Wireless LAN Zones
IPsec, 802.1x and DHCP are the choices for enforcement
Make a planning matrix for managed vs. unmanaged clients and wired vs. wireless clients
Apply the appropriate enforcement solutions
Zacme Maintaining the Operations Successfully

(Cycle diagram, entered when a vulnerability is identified:)
1. Assess and track risk related to vulnerability
2. If risk is high or critical, update policy and notify clients
3. Develop scanning criteria to detect security compliance
4. Scan the network for compliance to security policy
5. Enforce compliance after grace period
6. Measure and report results of compliance monitoring
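An added Python model of the cycle above (not the presentation's or Microsoft's code) that shows the grace-period logic: a high or critical finding adds a requirement with a deadline, scans record what each client is missing, enforcement restricts only clients past the deadline, and the compliance rate is measured. The requirement names, client states and dates (CLIENTS, BASE_POLICY, PUBLISHED, days_after) are constructed for the example.

```python
"""Added model of the compliance cycle (not Microsoft code): a high/critical
vulnerability updates policy with a grace period, scans record what each
client still misses, enforcement restricts only clients past the deadline,
and the result is measured. Names, states and dates are constructed."""
from datetime import date, timedelta

PUBLISHED = date(2006, 5, 30)  # constructed date the requirement was published


def days_after(n, start=PUBLISHED):
    """Helper for constructed scan dates relative to publication."""
    return start + timedelta(days=n)


def update_policy(policy, requirement, risk, published, grace_days):
    """Steps 1-2: only high/critical risk changes policy; the deadline is the
    end of the grace period. Returns a new policy; the input is not mutated."""
    if risk not in ("high", "critical"):
        return policy
    new = dict(policy)
    new[requirement] = {"published": published,
                        "deadline": published + timedelta(days=grace_days)}
    return new


def scan(clients, policy):
    """Steps 3-4: compare each client's reported state with every requirement.
    Returns {client: [missing requirements]}; an unreported requirement counts
    as missing so that a silent client is never scored compliant."""
    return {cid: sorted(r for r in policy if not state.get(r, False))
            for cid, state in clients.items()}


def enforce(scan_results, policy, today):
    """Step 5: restrict a client only for requirements whose grace period has
    ended; inside the grace period it has been notified, not restricted."""
    restricted = {}
    for cid, missing in scan_results.items():
        overdue = [r for r in missing if today >= policy[r]["deadline"]]
        if overdue:
            restricted[cid] = overdue
    return restricted


def report(scan_results):
    """Step 6: fraction of scanned clients that are fully compliant."""
    if not scan_results:
        return 1.0
    return sum(1 for m in scan_results.values() if not m) / len(scan_results)


# Constructed example: three clients and a critical patch with a 14-day grace period.
CLIENTS = {
    "ws-1": {"av": True, "fw": True, "kb-x": True},
    "ws-2": {"av": True, "fw": True, "kb-x": False},
    "ws-3": {"av": False, "fw": True},            # never reported kb-x at all
}
BASE_POLICY = {                                  # long-standing basics, no grace left
    "av": {"published": PUBLISHED, "deadline": PUBLISHED},
    "fw": {"published": PUBLISHED, "deadline": PUBLISHED},
}


if __name__ == "__main__":
    policy = update_policy(BASE_POLICY, "kb-x", "critical", PUBLISHED, 14)
    results = scan(CLIENTS, policy)
    print(results)
    print("day 0:", enforce(results, policy, days_after(0)))    # only ws-3 (av overdue)
    print("day 14:", enforce(results, policy, days_after(14)))  # ws-2 and ws-3
    print("compliance:", report(results))                       # 0.333...
```

Enforcement is keyed on the deadline rather than on the scan result alone, so a client found non-compliant the day a policy is published is notified but keeps its access until the grace period ends; the measured rate is what the success metrics below track across zones.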
Success Matrices and Metrics
Security/health is an ongoing process
The only way to improve incident response is to have success factors and metrics to analyze
Be sure to analyze core security/health operations and track your ability to mitigate ongoing health
How long does it take to "seal off" various policy zones?
Do we need to adjust policy or remediation control in a given zone?
What are the goals and measures that you want to attain for each health zone and the company as a whole?
NAP is the way you can proactively mitigate your security/health stance
The technology is DEPENDENT on your processes
Network Access Protection Walk-through

(Diagram: Client, Network Access Device (DHCP, Switch, HRA), Network Policy Server, System Health Servers and Remediation Servers; the client starts on the Restricted Network and ends on the Corporate Network.)

System Health Servers -> Network Policy Server: Ongoing policy updates to Network Policy Server.
Client -> Network Access Device: May I have access? Here's my current health status.
Network Access Device -> Network Policy Server: Should this client be restricted based on its health?
Network Policy Server -> Network Access Device: According to policy, the client is not up to date. Quarantine client, request it to update.
Network Access Device -> Client: You are given restricted access until fix-up.
Client -> Remediation Servers: Can I have updates?
Remediation Servers -> Client: Here you go.
Client -> Network Access Device: Requesting access. Here's my new health status.
Network Policy Server -> Network Access Device: According to policy, the client is up to date. Grant access.
Client is granted access to full intranet.