Network Access Protection & Network Admission Control
March 10, 2005
Teerapol Tuanpusa, Network Consultant, Cisco Systems Thailand
Jirat Boomuang, Technology Specialist, Microsoft Thailand
Agenda
• Security is a problem of the IT industry
• Security Onion
• A Little History of NAP & NAC
• NAC
• NAP
• Available Products in the Thai Market
Security Onion

A Little History (NAP & NAC)
• Remember TACACS+? (Cisco)
• Remember PPTP? (Microsoft)
• Remember L2TP? (Microsoft + Cisco)
• What we do together: Information Sharing (NAP & NAC); Interoperability between the two architectures; Driving industry standards
Network Admission Control
Guest Speaker: Khun Teerapol Tuanpusa, Cisco Systems Thailand
NAC Presentation
Network Access Protection

Our Security Strategy
• Isolation and Resiliency: A platform more resilient to security threats
• Advanced Updating: Streamline the security update process
• Authentication, Authorization and Access Control: Enable secure business scenarios
• Engineering Excellence: Raise the bar of software security
• Guidance, Tools and Response: Accelerate adoption of best practices
Windows Trustworthy Network Vision
• Secure transparent network
• Network topology is not a trust topology
• All communications are safe and secure
Building blocks: IPsec Policy, Windows Firewall, Mako Anti-Malware, Anti-Virus, Windows Update, XP SP2, SMS
How do you ENFORCE the health of the client?
Core Functionality
The Network Access Protection system provides three distinct functionalities:
1. Network Policy Validation: is your system healthy?
2. Network Isolation: if you're not healthy, you're out!
3. Network Policy Compliance: if you're not healthy, we'll help you get there.
Classic VPN Quarantine (WS03)
Internet | Corpnet: Client → RRAS → IAS → Quarantine
Issues:
• Reskit tool (we put it into SP1!)
• Spoofable: not secure
• Hard to implement: manual scripting
• Implementation: Windows Server 2003 VPN only
• Remote access solution only
• No 3rd-party VPN support
Solution: New Quarantine Platform for ALL connection states
How does it look today?
Quarantine Architecture
Components: Policy Client and Quarantine Coordination on the client; Network Access Point with enforcers (VPN, RADIUS/VPN); Policy Server with policy validation, state of health (SoH) handling, an API, and management/reporting.
Legend: shaded shapes mark software by Network Quarantine and software by Policy Groups.
Exchange:
1. Client to Network Access Point: "Can I have access?"
2. Network Access Point to client: "SoH please."
3. Quarantine Coordination asks the Policy Client "What's my health status?"; the client answers "I don't have an SoH" and is Quarantined.
4. Client: "I need help!" The client asks "Policy?" and receives the Current Policy and Updates from the update servers.
5. Client: "Health State Updated!" and sends its SoH.
6. Network Access Point to Policy Server: "Is this valid?"; Policy Server: "Valid"; "All clear"; Access Granted.
Reports flow to management and reporting.
What is Quarantine Platform?
Clients arriving from: home, returning laptops, consultants, guests, unhealthy desktops.
• Health Checkup: IT checks the "health" of the client: patch level, AV, other scriptable checks.
• Network Access Control: Access/No Access using R2: DHCP, VPN; Longhorn: IPsec.
• Health Maintenance: quarantined clients are given access to fix-up services.
Can't protect against malicious users.
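The Quarantine Architecture exchange and the Health Checkup slide above describe one loop: the client presents a statement of health, the policy server validates it, a failing client is quarantined and pointed at fix-up services, and it re-presents a new SoH once remediated. The following Python model, added here and not code from the presentation or from either product, walks through that loop end to end. The SoH fields, the policy values, the `validate`, `quarantine_cycle` and `FIXUP_SERVICES` names are all constructed for illustration and are not the product's own API or wire format.

```python
"""Model of the NAP health-check exchange: client, enforcer and policy server.

Added example. The SoH fields, the policy values and the fix-up services are
constructed for illustration; they are not the product's own API or format.
"""
from dataclasses import dataclass, field

# Constructed policy: what the Policy Server requires of a healthy client.
CURRENT_POLICY = {
    "min_patch_level": 3,           # hypothetical cumulative patch counter
    "require_av": True,
    "max_signature_age_days": 7,
    "require_firewall": True,
}


@dataclass
class StatementOfHealth:
    """Client-asserted health claims. Everything here is self-reported, which
    is why the slides call the classic quarantine 'spoofable' and say the
    platform cannot protect against malicious users."""
    patch_level: int
    av_enabled: bool
    signature_age_days: int
    firewall_enabled: bool


@dataclass
class Verdict:
    valid: bool
    failures: list = field(default_factory=list)  # remediation items


def validate(soh, policy=CURRENT_POLICY):
    """Network Policy Validation: compare the SoH against the current policy."""
    failures = []
    if soh.patch_level < policy["min_patch_level"]:
        failures.append("patch")
    if policy["require_av"] and not soh.av_enabled:
        failures.append("antivirus")
    if soh.signature_age_days > policy["max_signature_age_days"]:
        failures.append("signatures")
    if policy["require_firewall"] and not soh.firewall_enabled:
        failures.append("firewall")
    return Verdict(valid=not failures, failures=failures)


# Constructed fix-up services reachable from the isolation network; each one
# brings a single health item back into compliance.
FIXUP_SERVICES = {
    "patch": lambda soh: setattr(soh, "patch_level", CURRENT_POLICY["min_patch_level"]),
    "antivirus": lambda soh: setattr(soh, "av_enabled", True),
    "signatures": lambda soh: setattr(soh, "signature_age_days", 0),
    "firewall": lambda soh: setattr(soh, "firewall_enabled", True),
}


def quarantine_cycle(soh, max_rounds=3):
    """Run the exchange from the architecture slide: request access, present an
    SoH, get quarantined, remediate, present a new SoH, get access.

    Returns (access_granted, transcript); transcript lines reuse the slide's
    labels so each step can be matched to the diagram."""
    transcript = ["client: Can I have access?", "enforcer: SoH please"]
    for _ in range(max_rounds):
        verdict = validate(soh)
        if verdict.valid:
            transcript.append("policy server: Valid")
            transcript.append("enforcer: Access Granted")
            return True, transcript
        transcript.append("policy server: Invalid (" + ", ".join(verdict.failures) + ")")
        transcript.append("enforcer: Quarantined")
        transcript.append("client: I need help!")
        # Network Policy Compliance: only the fix-up services are reachable now.
        for item in verdict.failures:
            FIXUP_SERVICES[item](soh)
            transcript.append(f"update server: fixed {item}")
        transcript.append("client: Health State Updated!")
    return False, transcript


if __name__ == "__main__":
    laptop = StatementOfHealth(patch_level=1, av_enabled=False,
                               signature_age_days=30, firewall_enabled=True)
    granted, log = quarantine_cycle(laptop)
    print("\n".join(log))
    print("access granted:", granted)
```

The point to take from the model is in `StatementOfHealth`: the policy server only ever sees what the client claims, so validation raises the bar for accidental non-compliance (stale signatures, a missed patch) rather than for a host that deliberately lies, which is the limitation the slides state as "can't protect against malicious users".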
Components
Client side:
• Policy Coordination Client
• Policy Client (i.e. Anti-virus), Policy Client (i.e. Patch)
• DHCP or VPN Client
Network side:
• Enforcement Technologies (DHCP, VPN): DHCP or VPN Server, acting as RADIUS Client
• RADIUS Server
• Policy Coordination Server
• Policy Servers (i.e. Anti-virus; Patch/System Management, etc.)
• Update Servers (i.e. Anti-virus; Patch/System Management, etc.)
Technology layers: Policy Compliance Technologies; Policy Validation Technologies; Network Communications & Isolation Technologies (hardware and software).
Infrastructure Updates: What is going to be touched?
• Company Network: DHCP Servers, RADIUS Server, VPN/Dial-up Servers*, Policy Servers (Anti-virus; Patch/System Management, etc.), Update Servers (Anti-virus; Patch/System Management, etc.)
• Isolation Network
• Local access machines, Remote access machines
Legend: marked items require a server upgrade or deployment.
* DHCP and VPN are referred to as Enforcement Servers. Enforcement technology can be IPsec.
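The Components and Infrastructure Updates slides name DHCP and VPN servers as the Enforcement Servers and add an Isolation Network to the company network. What "isolation" means for a DHCP enforcer is that the restricted lease carries no default route, only routes to the update and policy servers. The Python model below is an added example, not code or configuration from the presentation or the product: the addresses, the lease layout and the `build_lease` and `reachable` helpers are constructed for illustration, and nothing here corresponds to the product's real DHCP options.

```python
"""Model of DHCP-based network isolation: a quarantined client's lease carries
host routes to the fix-up servers only; a healthy client's lease carries a
default route into the corpnet.

Added example. Addresses, the lease layout and the helper names are
constructed for illustration; they are not the product's DHCP options.
"""
import ipaddress

# Constructed addressing for the example.
ISOLATION_SUBNET = ipaddress.ip_network("10.250.0.0/24")
CORPNET_SUBNET = ipaddress.ip_network("10.1.0.0/16")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
# Update/policy servers that quarantined clients must still be able to reach.
FIXUP_SERVERS = {
    "patch": ipaddress.ip_address("10.1.1.10"),
    "antivirus": ipaddress.ip_address("10.1.1.11"),
}


def build_lease(access_granted, client_ip):
    """Enforcement Server (DHCP) decision after the RADIUS/policy verdict:
    a full lease, or a restricted lease that places the client on the
    isolation network with host routes to the fix-up servers only."""
    client_ip = ipaddress.ip_address(client_ip)
    if access_granted:
        return {"address": client_ip, "subnet": CORPNET_SUBNET,
                "routes": [DEFAULT_ROUTE]}
    return {"address": client_ip, "subnet": ISOLATION_SUBNET,
            "routes": [ipaddress.ip_network(f"{ip}/32")
                       for ip in FIXUP_SERVERS.values()]}


def reachable(lease, destination):
    """Can the leased client reach the destination?

    On-link hosts need no route, so they are always reachable; anything else
    needs a covering route. The on-link case is the caveat a deployment has to
    accept: quarantined clients on the same isolation subnet can still talk to
    each other, so DHCP isolation protects the corpnet, not the other
    quarantined machines."""
    dst = ipaddress.ip_address(destination)
    if dst in lease["subnet"]:
        return True
    return any(dst in net for net in lease["routes"])


if __name__ == "__main__":
    quarantined = build_lease(False, "10.250.0.20")
    healthy = build_lease(True, "10.1.5.5")
    for name, lease in (("quarantined", quarantined), ("healthy", healthy)):
        for dst in ("10.1.1.10", "10.1.7.7", "10.250.0.21"):
            print(f"{name:12} -> {dst:12} reachable={reachable(lease, dst)}")
```

`reachable` is the check worth running against any isolation design: list what the restricted lease can still reach and confirm it is exactly the fix-up services. IPsec enforcement (the Longhorn option on the slides) removes the on-link gap because peers require a health certificate rather than a route, which is why the roadmap treats it as the stronger form.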
Roadmap
Feature availability by release (2003 / 2005 / Longhorn):
• Network Enforcement: DHCP, VPN, IPsec
• Clients: XP, XP SP2, Longhorn (some via CM)
• Reporting: Basic Reporting, Enhanced Reporting
• Management: Microsoft SMS, Microsoft WUS, 3rd Party Systems
• Agents: Microsoft SMS, Microsoft WUS, Scripts, 3rd Party Software (some via 3rd party or via CM)
Network Access Protection: Key Take-Aways
• Focused on Network Health: not just "quarantine" but on returning clients to a healthy state. VPN Quarantine available today on Windows Server 2003; Version 2 (DHCP/VPN) shipping in R2; Version 3 (IPsec) shipping in Longhorn.
• Extensible Architecture: extendable to 3rd-party ISVs; scripting allows additional "custom" checks.
• Selectable Network Enforcement: DHCP, VPN, IPsec; standard network methods; rich ecosystem of NAP-aware applications.
Can't wait for Longhorn? Try these products:
• Software Update Services (SUS): http://www.microsoft.com/windowsserversystem/sus/default.mspx
• MS Baseline Security Analyzer (MBSA): http://www.microsoft.com/technet/security/tools/mbsahome.mspx
• ISA Server 2004: http://www.microsoft.com/isaserver/
• Windows Server 2003's CMAK: http://www.microsoft.com/windowsserver2003/default.mspx
Network Access Protection Info
• External Website: http://www.microsoft.com/nap
• External Questions and [email protected]
General
• http://www.microsoft.com/security
• Security Guidance Center: http://www.microsoft.com/security/guidance
• Tools: http://www.microsoft.com/technet/Security/tools
© 2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.