© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialCisco-MS 1
NAC-NAP Interoperability
Michal Remper
Systems Engineer
mremper@cisco.com
Who we are? 4 years of NAC experience …
[Diagram: NAC reference architecture. Subject (managed or unmanaged host) reaches the network over LAN, Remote or WAN; Enforcement; Decision & Remediation built from ACS, Directory Server, Posture Validation Server(s), Audit Server, Patch Server and Reporting Server.]
How we see Microsoft?
Microsoft owns 97.46% of global desktop operating system market (over 90% in Enterprise)
Microsoft is a strategic component of business operations for nearly all of our customers
Any NAC solution must fully support a Microsoft environment
… NAC and NAP have different goals …
What is the difference between NAC & NAP?
NAC ensures that all users and devices coming into the network comply with an endpoint security policy.
NAP seeks to guarantee that users and devices connecting to a specific MS server meet an endpoint security policy.
Cisco and Microsoft have publicly stated that the two companies will work to integrate these two approaches.
History
Announcement originally made in October 2004.
Since then…
Unveiled at The Security Standard show in Sept 06 including press announcement and live demo
Joint Beta program began in Dec 06 with two customers…no, one is not Cisco IT
What we declare together …
Status Today
Joint testing between Cisco and Microsoft including bug fixes is ongoing and includes weekly status calls for tracking
Documentation has been developed which includes presentations, deployment and troubleshooting guides
Beta 1 is wrapping up with Beta 2 slotted for June start.
Beta 1: Inband Posture
Beta 2: Wireless, SSO, Extended States, MAB
Why Did We Create a Joint Solution?
Customer Driven
– Cisco and Microsoft interoperability helps customers achieve their strategic initiatives
– Customers don't have to choose between a NAC-only or a NAP-only solution.
NAC Admission Flow
[Diagram: Host Attempting Network Access running the Cisco Trust Agent (CTA); Network Access Devices (NADs); Policy Server Decision Points & Audit: Cisco Secure ACS, Directory Server, Policy Vendor Server (PVS), Audit Server (AS). Key: Optional / Mandatory steps.]
1. Traffic triggers challenge
2. Credentials (host to NAD, EAP)
3. Credentials (NAD to ACS, RADIUS)
4a. Identity (Directory Server: LDAP, OTP)
4b. Posture (PVS: HCAP)
4c. Audit (Audit Server: GAME over HTTPS)
5. Compliant?
6. Authorization
7. Enforcement
8. Notification
9. Status
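As an added illustration (not Cisco's code and not part of the original slides), this Python model walks one host through the numbered admission steps and records which transport carries each exchange. The host names, user, password, posture tokens and the rule that a host without a CTA takes the audit path are constructed assumptions.

```python
"""Constructed model of the NAC admission flow (added example, not Cisco
code). Each step records which components talk and over which transport,
so the returned trace mirrors the numbered diagram. Hosts, users, posture
tokens and the agentless-audit rule are assumptions, not taken from Cisco."""

DIRECTORY = {"alice": "correct-horse"}                             # 4a: LDAP/OTP
PVS_POSTURE = {"vista-01": "compliant", "xp-07": "non-compliant"}  # 4b: HCAP
AUDIT_RESULTS = {"printer-03": "compliant"}                        # 4c: GAME/HTTPS


def nac_admission(host, user, password, has_cta):
    """Run steps 1-9 for one host; return (authorization, trace).
    Identity (4a) is mandatory; posture (4b) is asked of the PVS when the
    host runs a CTA, otherwise the Audit Server (4c) is used (assumption)."""
    trace = [("1", "traffic from host triggers challenge at NAD", None),
             ("2", "CTA -> NAD: credentials", "EAP"),
             ("3", "NAD -> ACS: credentials", "RADIUS"),
             ("4a", "ACS -> Directory Server: identity", "LDAP/OTP")]
    if DIRECTORY.get(user) != password:
        posture = None                       # identity failed: no posture check
    elif has_cta:
        trace.append(("4b", "ACS -> PVS: posture", "HCAP"))
        posture = PVS_POSTURE.get(host, "unknown")
    else:
        trace.append(("4c", "ACS -> Audit Server: audit", "GAME: HTTPS"))
        posture = AUDIT_RESULTS.get(host, "unknown")
    # 5: compliance decision; 6: authorization returned to the NAD
    if posture is None:
        authorization = "deny"
    elif posture == "compliant":
        authorization = "full-access"
    else:
        authorization = "quarantine"          # non-compliant or unknown posture
    trace += [("5", f"ACS: compliant? {posture == 'compliant'}", None),
              ("6", f"ACS -> NAD: authorization = {authorization}", "RADIUS"),
              ("7", "NAD enforces the authorization", None),
              ("8", "NAD -> CTA: notification", "EAP"),
              ("9", "CTA -> user: status", None)]
    return authorization, trace


def transports_used(trace):
    """Distinct transports in first-use order, e.g. to check that HCAP
    (posture) and GAME (audit) never both appear for one host."""
    seen = []
    for _, _, transport in trace:
        if transport and transport not in seen:
            seen.append(transport)
    return seen
```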
What is Available in the Joint Solution?
[Diagram: Network Access Protection enforcement methods: DHCP, IPsec, VPN, 802.1x, Health Certificates. Network Admission Control access methods: 802.1x, EoU. Available in the joint solution: 802.1x and EoU.]
NAC-NAP Architecture
[Diagram: Client (Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host QEC) speaks EAP-FAST over 802.1x or EAPoUDP to Switches/Routers; the switches and routers use RADIUS to Cisco ACS; ACS uses HCAP to MS NPS; NPS talks to the Partner Policy Server. Legend: Microsoft components, Cisco components, MS Partner components.]
We have referred to this as the In-Band (HCAP) Scenario
Access methods include 802.1x and EoU
Authentication is performed on ACS. Posture checking is performed on NPS.
HCAP v2 is the secure transport method for credentials and policy information between ACS and NPS
NAC-NAP Benefits
Interoperability and customer choice: Customers can choose components, infrastructure and technology while implementing a single, coordinated solution
Investment protection: Enables customer reuse and investment protection of their NAC and/or NAP deployments.
Single agent included in Windows Vista: The NAP Agent component shipped with Vista will be used for both NAP and NAC.
Agent deployment and update support: Microsoft will distribute Cisco EAP modules through Windows Update / Windows Server Update Services
Cross-platform support: To support client operating systems other than Windows, Microsoft will make available the APIs that support both NAP and Cisco NAC and Cisco will continue to support and develop its NAC client (the Cisco Trust Agent) for non-Windows environments.
Solution Details
ACS support for NAC-NAP is in the 4.2 release. This is currently set for Dec 07
MS Longhorn is required for NAP and NAC-NAP. This will be released at the end of Dec 07.
NAP-only agent is available for XP. Cisco has no plans to support the NAC-NAP solution for anything prior to Vista.
There is no CTA for Vista. The NAP agent handles both NAC and NAP information for Vista.
OS Support
[Table: columns Vista and XP; rows NAC-NAP, NAP only, NAC Framework, NAC Appliance. The support marks in the cells did not survive extraction.]
NAC NAP Architecture Comparison
Vista Client Architecture
Statement of Health (SoH) aka posture credentials – Encapsulation of endpoint posture sent from an endpoint SHA to its SHV. The SoH is a response to a request for health state.
System Health Agents (SHA) aka posture plug-in – SHAs are responsible for reporting on the health state of the client. Each configured SHA reports health state to the NAP Agent. A SHA will also accept statement of health response data and will optionally remediate the client.
NAP Agent aka CTA – QA is responsible for collating the statement of health information from the SHAs into a single system statement of health. QA also accepts the system statement of health response and parses it into individual statements of health to be passed to the SHAs.
EAP Host – A plug-in architecture for Network Authentication components. There will be a partner program where Microsoft will certify components and distribute them through Windows Update.
[Diagram: Client with Partner System Health Agents (SHAs), NAP Agent (QA) and EAP Host QEC; EAP-FAST carried over EAPoUDP or 802.1x.]
Microsoft Server and Partner Components
NPS Server (Longhorn)
Replaces IAS
Place to define NAP enforcement and remediation policies. (RADIUS access policies for NAP-only)
Implements HCAP v2 for ACS communication
Support for SHV API and installation of SHVs
MS Partner Program
Very similar to the way the Cisco NAC program is set up
Partners develop interoperability through the SHA and SHV APIs
[Diagram: Client with Quarantine Agent (QA), SHA1/SHA2 and QEC1/QEC2; Network Policy Server with Quarantine Server (QS) and SHV1/SHV2; Health policy, Policy Servers, Updates and Remediation Servers.]
What About Cisco Components
Any Cisco device that works with NAC will work with NAC-NAP !!!
ACS 4.2 will support NAC-NAP, and will support a heterogeneous environment of NAC and NAC-NAP.
Access Methods for NAC-NAP
EAP-FAST – The transport method for SoH. The method will be deployable via group policy and downloadable via Windows Server Update Services
EAPoUDP – Layer 3 method similar to the NAC-only deployment. In the NAC-NAP solution EoU relies on EAP-FAST. EoU will also be deployable via group policy and downloadable via WSUS
802.1x – The Windows Vista 802.1x supplicant will be NAC-NAP enabled and will fully support both wired and wireless access
[Diagram: Client (Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host QEC) runs EAP-FAST over 802.1x or EoU to Switches/Routers, which use RADIUS to Cisco ACS.]
Client Statement of Health Process
Health Validation Events
Health State Change – An SHA may notify the NAP Agent if its health state changes. For example, the Windows firewall is turned off
Network State Change – A QEC may notify the NAP Agent that there is a network state change. For example, a wireless client roams to a new network
Probation Timer – The probation timer expires
SoH Creation Process
1. Health validation event occurs
2. NAP Agent requests SoH data from all bound SHAs
3. SHAs respond with SoH data
4. NAP Agent collects all SHA data and adds system SoH data to create a system SSoH.
5. NAP Agent forwards the SSoH to all configured QECs
[Diagram: Partner System Health Agents (SHAs) feed the NAP Agent (QA), which forwards to the EAP Host QEC and the HC QEC.]
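The SoH creation process and the SHA/QA/QEC roles from the Vista client architecture slide, as an added Python model (not Microsoft's code and not part of the original slides): a health-state change on an SHA raises a validation event, the NAP Agent collates every SHA's statement into one system SoH, fans it out to each configured QEC, and later splits the response back to the SHAs. The agent names, health fields and remediation strings are constructed assumptions.

```python
"""Constructed model of the Vista client SoH creation process (added example,
not Microsoft's code): SHAs report health, the NAP Agent (QA) collates the
statements into one System SoH, forwards it to every configured QEC and
splits the response back out to the SHAs. Names and fields are assumptions."""

class SystemHealthAgent:                           # posture plug-in
    def __init__(self, name, **health):
        self.name, self.health, self.agent, self.remediations = name, health, None, []

    def set_health(self, **changes):               # Health State Change event
        self.health.update(changes)
        if self.agent is not None:
            self.agent.on_health_validation_event(f"health change: {self.name}")

    def statement_of_health(self):
        return {"sha": self.name, **self.health}

    def handle_response(self, sohr):               # optional remediation step
        if "remediate" in sohr:
            self.remediations.append(sohr["remediate"])

class QuarantineEnforcementClient:                 # e.g. the EAP Host QEC
    def __init__(self, name):
        self.name, self.sent = name, []

    def send(self, ssoh):                          # SSoH handed to the network
        self.sent.append(ssoh)

class NapAgent:                                    # the Quarantine Agent (QA)
    def __init__(self, shas, qecs, system_id="vista-host-01"):
        self.shas, self.qecs, self.system_id = list(shas), list(qecs), system_id
        self.events = []
        for sha in self.shas:                      # bind each SHA to the agent
            sha.agent = self

    def on_health_validation_event(self, reason):
        """Steps 1-5: event, request SoHs, collect, add system data, forward."""
        self.events.append(reason)
        ssoh = {"system": self.system_id,
                "sohs": [sha.statement_of_health() for sha in self.shas]}
        for qec in self.qecs:
            qec.send(ssoh)
        return ssoh

    def on_ssoh_response(self, ssohr):             # split the SSoHR per SHA
        by_name = {sha.name: sha for sha in self.shas}
        for sohr in ssohr["sohrs"]:
            by_name[sohr["sha"]].handle_response(sohr)
```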
Key Takeaways
Main points to keep in mind:
This solution will be available around the end of CY07, when ACS 4.2 and Longhorn Server ship.
NAC-NAP only supported on Vista and Longhorn
Customer can still do NAC only or NAP only
Currently POCs are not available for customers outside of the beta
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 25
Q and A