
Page 1: May 30th – 31st, 2006, Sheraton Ottawa. Network Access Protection. Gene Ferioli, Program Manager, Customer Advisory Team, Microsoft Corporation

Page 2: Network Access Protection

Gene Ferioli, Program Manager, Customer Advisory Team, Microsoft Corporation

Page 3: Agenda

Network Access Protection in context

Network Access Protection architecture

How Network Access Protection works

Network Access Protection solution summary

Page 4: The Four Pillars of Network Access Protection

Policy Validation: Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy”.

Network Restriction: Restricts network access to computers based on their health.

Remediation: Provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed.

Ongoing Compliance: Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions.

Page 5: Network Access Protection Components

Diagram labels: Client (Quarantine Agent, SHA1, SHA2, QEC1, QEC2); Network Access Device & Health Registration Authority; Network Policy Server (Quarantine Server, SHV1, SHV2); System Health Servers; Remediation Servers; flows labelled Health Statements, Network Access Requests, Health Certificate and Health policy Updates.

Health Components

System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).

System Health Validators (SHV) = Certify declarations made by health agents.

System Health Servers = Define health requirements for system components on the client.

Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.

Enforcement Components

Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs.

Network Access Devices = Provide network access to healthy endpoints.

Health Registration Authority = Issues certificates to clients that pass health checks.

Platform Components

Quarantine Agent (QA) = Reports client health status, coordinates between SHA and NAD.

Quarantine Server (QS) = Restricts client’s network access based on what SHV certifies.

Page 7: IPsec-based NAP Walk-through

Diagram labels: Host; Quarantine Zone; Boundary Zone (HRA, Remediation Server); Protected Zone (Policy Server, Exchange); "Accessing the network" marked with an X while the host has no health certificate.

Host → HRA: May I have a health certificate? Here’s my SoH.

HRA → Policy Server: Client ok?

Policy Server → HRA: No. Needs fix-up.

HRA → Host: You don’t get a health certificate. Go fix up.

Host → Remediation Server: I need updates.

Remediation Server → Host: Here you go.

Policy Server → HRA: Yes. Issue health certificate.

HRA → Host: Here’s your health certificate.

Page 9: NAP - Enforcement Options

Enforcement | Healthy Client | Unhealthy Client
DHCP | Full IP address given, full access | Restricted set of routes
VPN (Microsoft and 3rd Party) | Full access | Restricted VLAN
802.1X | Full access | Restricted VLAN
IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems

Complements layer 2 protection

Works with existing servers and infrastructure

Flexible isolation

Page 10: 802.1X and IPsec = Customer Choice

NAP supports both

Each has advantages and weaknesses

Integrated defense in depth at multiple layers

Fast network access for healthy clients

Standard 802.1X authentication; extensions to PEAP and 802.1X not required

Network agnostic but network vendors able to innovate and provide value

Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate

Deploy in combination according to needs, risks, existing infrastructure and upgrade schedule

Page 11: NAP is coming in Longhorn. Why should I start work now?

Customers can take advantage of the time they have to prepare their networks for the new model

Deployment preparation tasks:

Health Modeling

Exemption Analysis

Health Policy Zoning

Secure Network Infrastructure Analysis

IAS (RADIUS) Deployment

Zone Enforcement Selection

Rollout Planning and Change Process Control

Success Matrices and Measures

Page 12: Solution Take-Aways

Policy driven access control

Windows platform pieces with health and enforcement plug-ins

Integrated defense in depth at multiple layers

Customer choice – flexible, selectable enforcement

Protect network access, host access, application access in any combination as needed where appropriate

Based on customer need, risk assessment, existing infrastructure, upgrade cycle

Broad industry support

Extensible platform architecture – network vendors able to innovate and provide value

Standards-based approach means a multi-vendor, end-to-end solution

Full ecosystem of partners (75+) means customer investments will be preserved

Page 13: Resources & Contacts

Web site and whitepapers: www.microsoft.com/nap

Information on SDK distribution: [email protected]

Questions or feedback: [email protected]

Page 14

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 15: Health Modeling

What do I consider healthy for my network?

Do I have a written and approved health policy?

More than a technical discussion – different areas and divisions will have different policies.

What are the corporate basics? What are the niche policies?

Basics: Anti-virus, Patch Control, Personal Firewall, etc.

Niche: Specialized OS Config, Application Sets, PKI allotments, etc.

Allot the time and resource to assess your corporate risk areas

Health control should be a top-down mandate for the enterprise

Allot the time to work with divisions and their architects

Page 16: Exemption Analysis

Who gets a “pass”?

Basic Exemptions will be supplied by default (OS Level and type)

Exemptions need to be manageable

Work up an exemption documentation process - eventually you will want to know where the holes are!

Mitigation plans for the exemptions

Can we isolate them through other means?

IP Segmentation

VLAN Control

Extranet/Guest Access
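The health-modeling and exemption-analysis slides (pages 15 and 16) describe a policy made of corporate basics plus per-division niche checks, and an exemption register that records who gets a "pass" and how the exempted system is isolated instead. The following model of that planning step is an added example written for this page; it is not Microsoft's NAP code. The division names, the check names under each niche policy, the OS levels and the fleet are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Corporate basics apply to every managed client (page 15).
CORPORATE_BASICS = {"anti-virus", "patch control", "personal firewall"}

# Niche policies layered on per division (division and check names are constructed).
DIVISION_POLICIES = {
    "engineering": {"specialized OS config"},
    "finance": {"application set: ledger client", "PKI allotment"},
}

# Ways an exempted system can still be isolated (page 16).
ISOLATION_MEANS = {"IP segmentation", "VLAN control", "extranet/guest access"}


@dataclass
class Exemption:
    """One documented 'pass'. Basic exemptions are keyed on OS type and level."""
    os_type: str
    os_level: str
    reason: str
    mitigation: str          # expected to be one of ISOLATION_MEANS
    approved_by: str
    waived_checks: set[str] = field(default_factory=set)  # empty = all checks waived


@dataclass
class Device:
    name: str
    division: str
    os_type: str
    os_level: str


def required_checks(device: Device) -> set[str]:
    """Corporate basics plus the niche policy of the device's division."""
    return CORPORATE_BASICS | DIVISION_POLICIES.get(device.division, set())


def find_exemption(device: Device, register: list[Exemption]) -> Exemption | None:
    for ex in register:
        if (ex.os_type, ex.os_level) == (device.os_type, device.os_level):
            return ex
    return None


def validate_register(register: list[Exemption]) -> list[str]:
    """Exemptions must stay manageable: each needs a known isolation mean and an approver."""
    problems = []
    for ex in register:
        label = f"{ex.os_type} {ex.os_level}"
        if ex.mitigation not in ISOLATION_MEANS:
            problems.append(f"{label}: unknown mitigation {ex.mitigation!r}")
        if not ex.approved_by:
            problems.append(f"{label}: no approver recorded")
    return problems


def effective_checks(device: Device, register: list[Exemption]) -> tuple[set[str], str | None]:
    """Checks still enforced on the device, and the isolation covering the waived ones."""
    checks = required_checks(device)
    ex = find_exemption(device, register)
    if ex is None:
        return checks, None
    waived = ex.waived_checks or checks
    return checks - waived, ex.mitigation


def holes_report(devices: list[Device], register: list[Exemption]) -> dict[str, list[str]]:
    """Where are the holes? Exempted device names grouped by the isolation that covers them."""
    report: dict[str, list[str]] = {}
    for dev in devices:
        _, mitigation = effective_checks(dev, register)
        if mitigation is not None:
            report.setdefault(mitigation, []).append(dev.name)
    return report


if __name__ == "__main__":
    # Constructed register and fleet.
    register = [
        Exemption("Windows", "2000 SP4", "legacy line-of-business app", "VLAN control", "CISO office"),
        Exemption("Embedded", "printer-fw-3", "no NAP agent available", "IP segmentation", "network team",
                  waived_checks={"anti-virus", "personal firewall"}),
    ]
    fleet = [
        Device("eng-ws-01", "engineering", "Windows", "XP SP2"),
        Device("fin-legacy-07", "finance", "Windows", "2000 SP4"),
        Device("print-3f", "facilities", "Embedded", "printer-fw-3"),
    ]
    print(validate_register(register))  # empty list when every exemption is documented
    for dev in fleet:
        print(dev.name, effective_checks(dev, register))
    print(holes_report(fleet, register))
```

The point of `holes_report` is the slide's "eventually you will want to know where the holes are": an exemption without a recorded isolation mean or approver is rejected by `validate_register`, so every device that bypasses health checks is accounted for by one of the three isolation options the slide lists.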

Page 17: Zacme IAS (RADIUS) Deployment

Diagram labels: Remote Access (VPN, Dial-up/ADSL); LAN Access – Infrastructure Based (802.1x Wireless/Wired); LAN Access – Logic Based (DHCP/IPSec); IAS/RADIUS Proxy; IAS/RADIUS Server; Active Directory; Corporate Network; RADIUS links between proxy and server.

Single sign on to network resources

Single client for all access methods

Detailed monitoring and logging tools

RADIUS proxy & load balance

NAP health policy control

Page 18: Secure Network Infrastructure Analysis

Enforcement First – Health Second

NAP cannot protect the network from malicious users and systems

NAP is designed as the health overlay to the network security systems

NAP is dependent on its enforcement mechanisms

IPsec, VPN, 802.1x and DHCP need to be designed and deployed as security solutions in their own right prior to overlaying health control.

Page 19: Zone Enforcement Selection

Wired/Wireless LAN Zones

IPsec, 802.1x and DHCP are the choices for enforcement

Make a planning matrix for managed vs. unmanaged clients, wired vs. wireless clients

Apply the appropriate enforcement solutions

65%

Page 20: Zacme Maintaining the Operations Successfully

1. Vulnerability identified

2. Assess and track risk related to vulnerability

3. If risk is high or critical, update policy and notify clients

4. Develop scanning criteria to detect security compliance; scan the network for compliance to security policy

5. Enforce compliance after grace period

6. Measure and report results of compliance monitoring

Page 21: Success Matrices and Metrics

Security/health is an ongoing process

The only way to improve incident response is to have success factors and metrics to analyze

Be sure to analyze core security/health operations and track your ability to mitigate ongoing health

How long does it take to “seal off” various policy zones?

Do we need to adjust policy or remediation control in a given zone?

What are the goals and measures that you want to attain for each health zone and the company as a whole?

NAP is the way you can proactively mitigate your security/health stance

The technology is DEPENDENT on your processes
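Pages 20 and 21 describe the operating loop around NAP: a vulnerability is assessed, a high or critical rating updates the policy and notifies clients, scans record compliance per zone, enforcement starts only once the grace period has elapsed, and the results are measured (how long a zone takes to "seal off", and whether policy or remediation in a zone needs adjusting). The following is an added example of that loop written for this page, not Microsoft's code or a Zacme artefact; the risk scale, the 14-day grace period, the 95% seal-off threshold, the zone names, the dates and the scan counts are all constructed, and the vulnerability identifier is a placeholder.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

RISK_LEVELS = ("low", "medium", "high", "critical")
ENFORCE_AT = {"high", "critical"}   # step 3: only these trigger a policy update


@dataclass
class Vulnerability:
    ident: str            # placeholder identifier, not a real advisory number
    risk: str
    identified: datetime


@dataclass
class PolicyUpdate:
    vuln: str
    published: datetime   # when the policy was updated and clients were notified
    grace: timedelta

    @property
    def enforce_from(self) -> datetime:
        return self.published + self.grace


@dataclass
class ScanResult:
    zone: str
    when: datetime
    compliant: int
    total: int

    @property
    def rate(self) -> float:
        return self.compliant / self.total if self.total else 0.0


def assess(vuln: Vulnerability, published: datetime, grace_days: int = 14) -> PolicyUpdate | None:
    """Steps 2-3: track the risk; publish a policy update only for high/critical."""
    if vuln.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {vuln.risk!r}")
    if vuln.risk not in ENFORCE_AT:
        return None
    return PolicyUpdate(vuln.ident, published, timedelta(days=grace_days))


def enforcement_mode(update: PolicyUpdate, now: datetime) -> str:
    """Step 5: clients are only notified during the grace period and restricted after it."""
    return "enforce" if now >= update.enforce_from else "notify"


def zone_metrics(update: PolicyUpdate, scans: list[ScanResult], threshold: float = 0.95) -> dict:
    """Step 6 and page 21: per zone, the latest compliance rate, the days it took to
    'seal off' (first scan at or above threshold) and whether the zone needs adjustment."""
    by_zone: dict[str, list[ScanResult]] = {}
    for s in sorted(scans, key=lambda s: s.when):
        by_zone.setdefault(s.zone, []).append(s)
    report = {}
    for zone, results in by_zone.items():
        latest = results[-1]
        sealed = next((s for s in results if s.rate >= threshold), None)
        report[zone] = {
            "compliance": round(latest.rate, 3),
            "days_to_seal": (sealed.when - update.published).days if sealed else None,
            # still below threshold after enforcement began: policy or remediation needs attention
            "needs_adjustment": sealed is None and enforcement_mode(update, latest.when) == "enforce",
        }
    return report


if __name__ == "__main__":
    # Constructed timeline: one critical vulnerability, a 14-day grace period, two zones.
    vuln = Vulnerability("VULN-PLACEHOLDER-1", "critical", datetime(2006, 5, 30))
    update = assess(vuln, published=datetime(2006, 6, 1))
    scans = [
        ScanResult("wired-lan", datetime(2006, 6, 5), 80, 100),
        ScanResult("wired-lan", datetime(2006, 6, 12), 96, 100),
        ScanResult("wireless", datetime(2006, 6, 5), 50, 100),
        ScanResult("wireless", datetime(2006, 6, 20), 70, 100),
    ]
    print(enforcement_mode(update, datetime(2006, 6, 10)), enforcement_mode(update, datetime(2006, 6, 20)))
    for zone, metrics in zone_metrics(update, scans).items():
        print(zone, metrics)
```

In the constructed run the wired zone seals off eleven days after the policy update, before enforcement begins, while the wireless zone is still at 70% after the grace period and is flagged for adjustment; that flag is the slide's "do we need to adjust policy or remediation control in a given zone?" turned into a reportable measure.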

Page 22: Network Access Protection Walk-through

Diagram labels: Client; Network Access Device (DHCP, Switch, HRA); Network Policy Server; System Health Servers; Remediation Servers; Restricted Network; Corporate Network.

Client → Network Access Device: May I have access? Here’s my current health status.

Network Access Device → Network Policy Server: Should this client be restricted based on its health?

System Health Servers → Network Policy Server: Ongoing policy updates to Network Policy Server.

Network Policy Server: According to policy, the client is not up to date. Quarantine client, request it to update.

Network Access Device → Client: You are given restricted access until fix-up.

Client → Remediation Servers: Can I have updates?

Remediation Servers → Client: Here you go.

Client → Network Access Device: Requesting access. Here’s my new health status.

Network Policy Server: According to policy, the client is up to date. Grant access.

Client is granted access to full intranet.
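The two walk-throughs (the IPsec/HRA exchange on page 7 and the general exchange on page 22) and the enforcement-options table on page 9 describe one decision path: System Health Agents declare a statement of health, System Health Validators certify it against the published policy, the Network Policy Server decides, the enforcement point applies the restriction for the chosen method, and after remediation the client is re-evaluated. The following simulation of that path is an added example written for this page; it is not Microsoft's NAP implementation or its SoH wire format. The component names and the outcomes per enforcement method come from the slides; the three health checks, the policy values, the remediation behaviour and the message wording are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Statement of Health (SoH): what the client's System Health Agents declare.
@dataclass
class StatementOfHealth:
    av_signature_version: int      # virus-signature state (assumed SHA)
    missing_critical_patches: int  # patch state (assumed SHA)
    firewall_enabled: bool         # system configuration (assumed SHA)

# Health policy published by the System Health Servers (assumed values).
POLICY = {"min_av_signature": 120, "max_missing_critical": 0, "firewall_required": True}


def validate(soh: StatementOfHealth, policy: dict) -> list[str]:
    """System Health Validators: return the failed requirements (empty means healthy)."""
    failures = []
    if soh.av_signature_version < policy["min_av_signature"]:
        failures.append("antivirus signatures out of date")
    if soh.missing_critical_patches > policy["max_missing_critical"]:
        failures.append(f"{soh.missing_critical_patches} critical patch(es) missing")
    if policy["firewall_required"] and not soh.firewall_enabled:
        failures.append("personal firewall disabled")
    return failures


# Outcome per enforcement method, from the page 9 table.
RESTRICTED_OUTCOME = {
    "DHCP": "restricted set of routes",
    "VPN": "restricted VLAN",
    "802.1X": "restricted VLAN",
    "IPsec": "no health certificate; healthy peers reject connections",
}
FULL_OUTCOME = {
    "DHCP": "full IP address given, full access",
    "VPN": "full access",
    "802.1X": "full access",
    "IPsec": "health certificate issued; can communicate with any trusted peer",
}


def enforce(method: str, failures: list[str]) -> str:
    """Quarantine Server decision applied by the enforcement point for `method`."""
    if method not in RESTRICTED_OUTCOME:
        raise ValueError(f"unknown enforcement method {method!r}")
    return FULL_OUTCOME[method] if not failures else RESTRICTED_OUTCOME[method]


def remediate(soh: StatementOfHealth, policy: dict) -> StatementOfHealth:
    """Remediation server: bring the client to the required state (assumed fix-ups)."""
    return StatementOfHealth(
        av_signature_version=max(soh.av_signature_version, policy["min_av_signature"]),
        missing_critical_patches=0,
        firewall_enabled=soh.firewall_enabled or policy["firewall_required"],
    )


def walk_through(soh: StatementOfHealth, method: str, policy: dict = POLICY) -> tuple[str, list[str]]:
    """Run the exchange from pages 7 and 22; return (final outcome, message transcript)."""
    transcript = []
    failures = validate(soh, policy)
    transcript.append(f"Client -> NAD/HRA: May I have access? SoH={soh}")
    transcript.append("NAD/HRA -> NPS: Should this client be restricted based on its health?")
    if failures:
        transcript.append("NPS -> NAD/HRA: Not up to date (" + "; ".join(failures) + "). Quarantine client.")
        transcript.append(f"NAD/HRA -> Client: {enforce(method, failures)} until fix-up")
        transcript.append("Client -> Remediation: Can I have updates?")
        transcript.append("Remediation -> Client: Here you go.")
        soh = remediate(soh, policy)
        transcript.append(f"Client -> NAD/HRA: Requesting access. New SoH={soh}")
        failures = validate(soh, policy)
    outcome = enforce(method, failures)
    transcript.append("NPS -> NAD/HRA: " + ("Up to date. Grant access." if not failures else "Still not compliant."))
    transcript.append(f"NAD/HRA -> Client: {outcome}")
    return outcome, transcript


if __name__ == "__main__":
    # Constructed client: stale signatures, two missing patches, firewall off.
    unhealthy = StatementOfHealth(av_signature_version=118, missing_critical_patches=2, firewall_enabled=False)
    for method in ("DHCP", "IPsec"):
        outcome, lines = walk_through(unhealthy, method)
        print("\n".join(lines), end="\n\n")
```

Running the same unhealthy client through `DHCP` and `IPsec` shows the difference the page 18 slide insists on: the decision is identical, but what "restricted" means is entirely a property of the enforcement mechanism underneath, which is why that mechanism has to be sound before health checks are layered on it.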