Getting Ready for Network Access Protection
Jeff Alexander, Technology Advisor, Microsoft



Page 1: Getting Ready for Network Access Protection Jeff Alexander Technology Advisor Microsoft

Getting Ready for Network Access Protection

Jeff Alexander, Technology Advisor, Microsoft

Page 2

Agenda

- Network Access Protection in context
- Network Access Protection architecture
- How Network Access Protection works
- Network Access Protection solution summary

Page 3

Integrating the Edge

Policy, not topology, defines the edge.

Page 4

The Four Pillars of Network Access Protection

- Policy Validation: determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy”.
- Network Restriction: restricts network access to computers based on their health.
- Remediation: provides the necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed.
- Ongoing Compliance: changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions.

Page 5

Network Access Protection Components

Diagram elements: Client (hosting SHA1, SHA2 and QEC1, QEC2, plus the Quarantine Agent), Network Policy Server (hosting SHV1, SHV2 and the Quarantine Server), Network Access Device & Health Registration Authority, System Health Servers and Remediation Servers. The arrows carry health statements and network access requests from the client, health policy and updates toward the client, and the health certificate issued to it.

- Quarantine Server (QS) = restricts the client’s network access based on what the SHV certifies.
- Quarantine Agent (QA) = reports client health status, coordinates between SHA and QEC.

Health Components
- System Health Agents (SHA) = declare health (patch state, virus signature, system configuration, etc.).
- System Health Validators (SHV) = certify declarations made by health agents.
- Remediation Servers = install necessary patches, configurations, applications; bring clients to a healthy state.

Enforcement Components
- Quarantine Enforcement Clients (QEC) = negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs.
- Health Registration Authority = issues certificates to clients that pass health checks.

Platform Components
- System Health Servers = define health requirements for system components on the client.
- Network Access Devices = provide network access to healthy endpoints.

Page 7

IPsec-based NAP Walk-through

Accessing the network. The diagram shows the host starting in the Quarantine Zone, passing through the Boundary Zone and reaching the Protected Zone (where Exchange sits), with the HRA, Policy Server and Remediation Server as the other participants.

Exchange shown on the slide:
1. Client to HRA: “May I have a health certificate? Here’s my SoH.”
2. HRA to Policy Server: “Client ok?”
3. Policy Server to HRA: “No. Needs fix-up.”
4. HRA to client: “You don’t get a health certificate. Go fix up.”
5. Client to Remediation Server: “I need updates.”
6. Remediation Server to client: “Here you go.”
7. Policy Server to HRA, on the repeated check: “Yes. Issue health certificate.”
8. HRA to client: “Here’s your health certificate.”
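The component roles on page 5 and the walk-through above, as an added Python simulation. This is not Microsoft's code or any NAP API: the health policy values, the validator logic, the function names and the certificate string are constructed to show how SHAs declare, SHVs certify, the HRA issues or refuses, and remediation lets the client ask again.

```python
from dataclasses import dataclass

# Health policy held by the System Health Servers (constructed sample values).
HEALTH_POLICY = {
    "antivirus": {"max_signature_age_days": 3},
    "patch":     {"max_missing_critical": 0},
    "firewall":  {},
}


@dataclass
class StatementOfHealth:
    """What the Quarantine Agent assembles from each System Health Agent."""
    client: str
    claims: dict  # SHA name -> declared state (dict)


# --- System Health Validators: each certifies one agent's declaration -------
def shv_antivirus(claim, rule):
    if not claim.get("enabled"):
        return False, "antivirus disabled"
    if claim.get("signature_age_days", 999) > rule["max_signature_age_days"]:
        return False, "antivirus signatures out of date"
    return True, "ok"


def shv_patch(claim, rule):
    missing = claim.get("missing_critical", 0)
    if missing > rule["max_missing_critical"]:
        return False, f"{missing} critical update(s) missing"
    return True, "ok"


def shv_firewall(claim, rule):
    return (True, "ok") if claim.get("enabled") else (False, "firewall disabled")


VALIDATORS = {"antivirus": shv_antivirus, "patch": shv_patch, "firewall": shv_firewall}


def policy_server_validate(soh):
    """Network Policy Server: run every SHV and build the Statement of Health
    Response. A requirement the client never declared fails closed."""
    sohr = {}
    for name, rule in HEALTH_POLICY.items():
        claim = soh.claims.get(name)
        sohr[name] = (False, "no health agent reported") if claim is None \
            else VALIDATORS[name](claim, rule)
    return sohr


def hra_request_certificate(soh):
    """Health Registration Authority: issue a certificate only when every SHV
    passed; otherwise hand back the list of things to fix up."""
    sohr = policy_server_validate(soh)
    failed = {name: why for name, (ok, why) in sohr.items() if not ok}
    if failed:
        return {"certificate": None, "remediate": failed}
    return {"certificate": f"health-cert:{soh.client}", "remediate": {}}


def remediation_server_fix(soh, failed):
    """Remediation servers bring the client to a healthy state: enable the
    services, refresh signatures, install the missing updates."""
    for name in failed:
        claim = soh.claims.setdefault(name, {})
        if name == "antivirus":
            claim.update(enabled=True, signature_age_days=0)
        elif name == "firewall":
            claim["enabled"] = True
        elif name == "patch":
            claim["missing_critical"] = 0
    return soh


def access_network(soh):
    """The walk-through: ask, get refused, remediate, ask again.
    Returns (certificate or None, list of remediation rounds)."""
    rounds = []
    for _ in range(2):  # one fix-up pass, then a second request
        result = hra_request_certificate(soh)
        if result["certificate"]:
            return result["certificate"], rounds
        rounds.append(sorted(result["remediate"]))
        remediation_server_fix(soh, result["remediate"])
    return None, rounds


if __name__ == "__main__":
    # Constructed client: firewall on, antivirus on but stale, two critical updates missing.
    soh = StatementOfHealth("host-42", {
        "antivirus": {"enabled": True, "signature_age_days": 7},
        "patch": {"missing_critical": 2},
        "firewall": {"enabled": True},
    })
    print(access_network(soh))
```

The fail-closed branch in `policy_server_validate` is the design point worth keeping: a client that simply omits a health agent must look unhealthy, not unknown, or the quarantine decision can be bypassed by reporting less.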

Page 8

Network Access Protection

Page 9

NAP - Enforcement Options

Page 10

802.1X and IPsec = Customer Choice

- NAP supports both
- Each has advantages and weaknesses
- Integrated defense in depth at multiple layers
- Fast network access for healthy clients
- Standard 802.1X authentication; extensions to PEAP and 802.1X not required
- Network agnostic, but network vendors are able to innovate and provide value
- Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate
- Deploy in combination according to needs, risks, existing infrastructure and upgrade schedule

Page 11

NAP is coming in Longhorn. Why should I start work now?

Customers can take advantage of the time they have to prepare their networks for the new model.

Deployment preparation tasks:
- Health Modeling
- Exemption Analysis
- Health Policy Zoning
- Secure Network Infrastructure Analysis
- IAS (RADIUS) Deployment
- Zone Enforcement Selection
- Rollout Planning and Change Process Control
- Success Matrices and Measures

Page 12

Health Modeling

What do I consider healthy for my network?

- Do I have a written and approved health policy? This is more than a technical discussion: different areas and divisions will have different policies.
- What are the corporate basics? What are the niche policies?
  - Basics: anti-virus, patch control, personal firewall, etc.
  - Niche: specialized OS configuration, application sets, PKI allotments, etc.
- Allot the time and resources to assess your corporate risk areas.
- Health control should be a top-down mandate for the enterprise.
- Allot the time to work with divisions and their architects.

Page 13

Exemption Analysis

Who gets a “pass”?

- Basic exemptions will be supplied by default (OS level and type). Exemptions need to be manageable.
- Work up an exemption documentation process; eventually you will want to know where the holes are!
- Mitigation plans for the exemptions: can we isolate them through other means?
  - IP segmentation
  - VLAN control
  - Extranet/guest access

Page 14

Secure Network Infrastructure Analysis

Enforcement first, health second.

- NAP cannot protect the network from malicious users and systems.
- NAP is designed as the health overlay to the network security systems.
- NAP is dependent on its enforcement mechanisms.
- IPsec, VPN, 802.1x and DHCP need to be designed and deployed as security solutions in their own right prior to overlaying health control.

Page 15

Zone Enforcement Selection

Wired/Wireless LAN Zones

LAN Zones: IPsec, 802.1x and DHCP are the choices for enforcement.
- Make a planning matrix for managed vs. unmanaged clients and wired vs. wireless clients.
- Apply the appropriate enforcement solutions.

Zone     Enforcement Method   Policy Rev   Wired/Wireless   Managed
Zone A   IPsec                1.2.5        Wired            100%
Zone B   802.1x               2.5.7        Both             100%
Zone C   DHCP                 1.2.5        Both             65%

Page 16

Zacme: Maintaining the Operations Successfully

A six-step cycle, drawn as a figure on the slide, that starts when a vulnerability is identified:
1. Assess and track risk related to the vulnerability.
2. If risk is high or critical, update policy and notify clients.
3. Develop scanning criteria to detect security compliance.
4. Scan the network for compliance to security policy.
5. Enforce compliance after the grace period.
6. Measure and report results of compliance monitoring.

Page 17

Success Matrices and Metrics

Security/health is an ongoing process.

- The only way to improve incident response is to have success factors and metrics to analyze.
- Be sure to analyze core security/health operations and track your ability to mitigate ongoing health.
- How long does it take to “seal off” various policy zones?
- Do we need to adjust policy or remediation control in a given zone?
- What are the goals and measures that you want to attain for each health zone and the company as a whole?

NAP is the way you can proactively mitigate your security/health stance. The technology is DEPENDENT on your processes.
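The operations cycle on page 16 (policy update on high or critical risk, enforcement after a grace period, measure and report) together with the “seal off” and per-zone metrics asked for above, as an added Python sketch. It is not Microsoft's code or a NAP reporting feature: the grace periods, scan records, zone names, hostnames and policy revision numbers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Grace period granted after a new policy revision is published, keyed by the
# risk rating that triggered it. Constructed values; a real policy sets its own.
GRACE_PERIOD = {"critical": timedelta(days=2), "high": timedelta(days=7)}


@dataclass
class ScanResult:
    """One compliance scan of one host (constructed record, not a NAP log format)."""
    host: str
    zone: str
    policy_rev: tuple       # health policy revision the host reports, e.g. (1, 2, 5)
    scanned_at: datetime


def policy_update_required(risk):
    """Cycle step 2: only high or critical risk bumps the policy revision
    and triggers client notification."""
    return risk in GRACE_PERIOD


def enforcement_decision(scan, required_rev, published_at, risk, now):
    """Cycle step 5: hosts on the required revision keep full access; hosts
    still on an older revision are tolerated until the grace period ends,
    then restricted."""
    if scan.policy_rev >= required_rev:
        return "full"
    if now < published_at + GRACE_PERIOD[risk]:
        return "grace"
    return "restricted"


def zone_metrics(scans, required_rev, published_at, risk, now):
    """Cycle step 6: per-zone compliance percentage and access-state counts."""
    zones = {}
    for scan in scans:
        z = zones.setdefault(scan.zone, {"hosts": 0, "full": 0, "grace": 0, "restricted": 0})
        z["hosts"] += 1
        z[enforcement_decision(scan, required_rev, published_at, risk, now)] += 1
    for z in zones.values():
        z["compliance_pct"] = round(100 * z["full"] / z["hosts"])
    return zones


def time_to_seal(scans, required_rev, published_at, risk):
    """How long each zone took to 'seal off': the moment its last host either
    reported the required revision or, failing that, hit the grace deadline
    and was restricted. Returned per zone as a timedelta since publication."""
    deadline = published_at + GRACE_PERIOD[risk]
    sealed = {}
    for scan in scans:
        settled = scan.scanned_at if scan.policy_rev >= required_rev else deadline
        sealed[scan.zone] = max(sealed.get(scan.zone, published_at), settled)
    return {zone: t - published_at for zone, t in sealed.items()}


def sample_run(now_day=4):
    """Constructed scenario: revision 1.2.6 published on 2006-03-01 after a
    critical finding, evaluated on 2006-03-<now_day>. Returns the zone metrics
    and the seal-off time per zone in hours."""
    published = datetime(2006, 3, 1)
    required = (1, 2, 6)
    scans = [
        ScanResult("wks-01", "Zone A", (1, 2, 6), datetime(2006, 3, 1, 12)),
        ScanResult("wks-02", "Zone A", (1, 2, 5), datetime(2006, 3, 2, 9)),
        ScanResult("srv-01", "Zone B", (2, 5, 7), datetime(2006, 3, 1, 6)),
    ]
    now = datetime(2006, 3, now_day)
    metrics = zone_metrics(scans, required, published, "critical", now)
    seal_hours = {zone: delta.total_seconds() / 3600
                  for zone, delta in time_to_seal(scans, required, published, "critical").items()}
    return metrics, seal_hours


if __name__ == "__main__":
    for day in (2, 4):
        print(f"2006-03-{day:02d}:", sample_run(day))
```

Running it for the second and fourth of the month shows the same laggard host move from “grace” to “restricted” once the deadline passes, and the seal-off figure for its zone is pinned to the grace deadline rather than to its scan time, which is the number the slide suggests tracking per zone.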

Page 18

Solution Take-Aways

Policy driven access control
- Windows platform pieces with health and enforcement plug-ins
- Integrated defense in depth at multiple layers

Customer choice: flexible, selectable enforcement
- Protect network access, host access, application access in any combination as needed, where appropriate
- Based on customer need, risk assessment, existing infrastructure, upgrade cycle

Broad industry support
- Extensible platform architecture: network vendors able to innovate and provide value
- Standards-based approach means a multi-vendor, end-to-end solution
- Full ecosystem of partners (50+) means customer investments will be preserved

Page 19

Resources & Contacts

Web site and whitepapers:

www.microsoft.com/nap

Information on SDK distribution: [email protected]

Questions or feedback: [email protected]

Page 20

Resources

Technical Chats and Webcasts
http://www.microsoft.com/communities/chats/default.mspx
http://www.microsoft.com/usa/webcasts/default.asp

Microsoft Learning and Certification
http://www.microsoft.com/learning/default.mspx

MSDN & TechNet
http://microsoft.com/msdn
http://microsoft.com/technet

Virtual Labs
http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx

Newsgroups
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

Technical Community Sites
http://www.microsoft.com/communities/default.mspx

User Groups
http://www.microsoft.com/communities/usergroups/default.mspx

Page 21

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.