Getting Ready for Network Access Protection
Jeff Alexander, Technology Advisor, Microsoft
Agenda
Network Access Protection in context
Network Access Protection architecture
How Network Access Protection works
Network Access Protection solution summary
Integrating the Edge
Policy, not topology, defines the edge
The Four Pillars of Network Access Protection
Policy Validation: Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy”.
Network Restriction: Restricts network access to computers based on their health.
Remediation: Provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed.
Ongoing Compliance: Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions.
Network Access Protection Components
[Diagram: Client (SHA 1, SHA 2, Quarantine Agent, QEC 1, QEC 2); Network Access Device & Health Registration Authority; Network Policy Server (SHV 1, SHV 2, Quarantine Server); System Health Servers; Remediation Servers. Labelled flows: Health Statements, Network Access Requests, Health Certificate, Health policy, Updates.]
Health Components
System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
System Health Validators (SHV) = Certify declarations made by health agents.
Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.
Enforcement Components
Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPsec QECs.
Health Registration Authority = Issues certificates to clients that pass health checks.
Platform Components
Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC.
Quarantine Server (QS) = Restricts client’s network access based on what SHV certifies.
System Health Servers = Define health requirements for system components on the client.
Network Access Devices = Provide network access to healthy endpoints.
Network Access Protection Partners
Networking
Anti-Virus
Endpoint Security
Update/Management
Ecosystem Partners
Microsoft Integration
Systems Integrators
As of November 2005
IPsec-based NAP Walk-through
[Diagram: zones shown are the Quarantine Zone, Boundary Zone and Protected Zone; actors are the Host, HRA, Policy Server, Remediation Server and Exchange. “Accessing the network” is marked X while the host has no health certificate.]
Host to HRA: “May I have a health certificate? Here’s my SoH.”
HRA to Policy Server: “Client ok?”
Policy Server to HRA: “No. Needs fix-up.”
HRA to Host: “You don’t get a health certificate. Go fix up.”
Host to Remediation Server: “I need updates.”
Remediation Server to Host: “Here you go.”
HRA to Policy Server (after the host presents its updated SoH): “Client ok?”
Policy Server to HRA: “Yes. Issue health certificate.”
HRA to Host: “Here’s your health certificate.”
Network Access Protection
NAP - Enforcement Options
802.1X and IPsec = Customer Choice; NAP supports both
Each has advantages and weaknesses
Integrated defense in depth at multiple layers
Fast network access for healthy clients
Standard 802.1X authentication; extensions to PEAP and 802.1X not required
Network agnostic but network vendors able to innovate and provide value
Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate
Deploy in combination according to needs, risks, existing infrastructure and upgrade schedule
NAP is coming in Longhorn. Why should I start work now?
Customers can take advantage of the time they have to prepare their networks for the new model
Deployment preparation tasks:
Health Modeling
Exemption Analysis
Health Policy Zoning
Secure Network Infrastructure Analysis
IAS (RADIUS) Deployment
Zone Enforcement Selection
Rollout Planning and Change Process Control
Success Matrices and Measures
Health Modeling
What do I consider healthy for my network?
Do I have a written and approved health policy?
More than a technical discussion – different areas and divisions will have different policies.
What are the corporate basics? What are the niche policies?
Basics: Anti-virus, Patch Control, Personal Firewall, etc.
Niche: Specialized OS Config, Application Sets, PKI allotments, etc.
Allot the time and resource to assess your corporate risk areas
Health control should be a top-down mandate for the enterprise
Allot the time to work with divisions and their architects
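The IPsec walk-through above and the corporate basics listed under Health Modeling, as an added Python model that is not part of this deck: the client’s SoH is checked by the policy server’s SHVs against a constructed health policy, the HRA withholds the certificate until the client has remediated, and a tightened policy shows the ongoing-compliance case. The policy values, field names and the two-round limit are assumptions for illustration.

```python
from dataclasses import dataclass, replace

# Constructed health policy for the "corporate basics" the deck lists (anti-virus,
# patch control, personal firewall); the version and patch numbers are hypothetical.
HEALTH_POLICY = {"antivirus_enabled": True, "min_signature_version": 1250,
                 "min_patch_level": 7, "firewall_enabled": True}

@dataclass(frozen=True)
class StatementOfHealth:
    """What the client's System Health Agents (SHAs) declare about the host."""
    antivirus_enabled: bool
    signature_version: int
    patch_level: int
    firewall_enabled: bool

def shv_validate(soh, policy=HEALTH_POLICY):
    """Policy server role: SHVs certify each declaration; returns failed checks."""
    failures = []
    if policy["antivirus_enabled"] and not soh.antivirus_enabled:
        failures.append("antivirus_enabled")
    if soh.signature_version < policy["min_signature_version"]:
        failures.append("signature_version")
    if soh.patch_level < policy["min_patch_level"]:
        failures.append("patch_level")
    if policy["firewall_enabled"] and not soh.firewall_enabled:
        failures.append("firewall_enabled")
    return failures

def remediate(soh, failures, policy=HEALTH_POLICY):
    """Remediation server role: bring only the failed items up to policy."""
    fixes = {"antivirus_enabled": True, "firewall_enabled": True,
             "signature_version": policy["min_signature_version"],
             "patch_level": policy["min_patch_level"]}
    return replace(soh, **{name: fixes[name] for name in failures})

def hra_request_certificate(soh, policy=HEALTH_POLICY, max_rounds=2):
    """HRA role: consult the policy server each round and issue the health
    certificate only once the client is healthy.
    Returns (issued, rounds_used, failures_per_round)."""
    seen = []
    for rounds in range(1, max_rounds + 1):
        failures = shv_validate(soh, policy)
        if not failures:
            return True, rounds, seen             # "Yes. Issue health certificate."
        seen.append(failures)                     # "No. Needs fix-up. Go fix up."
        soh = remediate(soh, failures, policy)    # "I need updates." / "Here you go."
    return False, max_rounds, seen                # still in the quarantine zone
```

A client that cannot be brought to policy within the round limit is left without a certificate, which is the restriction the Network Restriction pillar describes.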
Exemption Analysis
Who gets a “pass”?
Basic Exemptions will be supplied by default (OS Level and type)
Exemptions need to be manageable
Work up an exemption documentation process - eventually you will want to know where the holes are!
Mitigation plans for the exemptions
Can we isolate them through other means?
IP Segmentation
VLAN Control
Extranet/Guest Access
Secure Network Infrastructure Analysis
Enforcement First – Health Second
NAP cannot protect the network from malicious users and systems
NAP is designed as the health overlay to the network security systems
NAP is dependent on its enforcement mechanisms
IPsec, VPN, 802.1x and DHCP need to be designed and deployed as security solutions in their own right prior to overlaying health control.
Zone Enforcement Selection
Wired/Wireless LAN Zones
IPsec, 802.1x and DHCP are the choices for enforcement
Make a planning matrix for managed vs. unmanaged clients and wired vs. wireless clients
Apply the appropriate enforcement solutions

Zone     Enforcement Method   Policy Rev   Wired/Wireless   Managed
Zone A   IPsec                1.2.5        Wired            100%
Zone B   802.1x               2.5.7        Both             100%
Zone C   DHCP                 1.2.5        Both             65%
Zacme Maintaining the Operations Successfully
[Cycle diagram, entered at “Vulnerability identified” and numbered 1 to 6:]
1. Assess and track risk related to vulnerability
2. If risk is high or critical, update policy and notify clients
3. Develop scanning criteria to detect security compliance
4. Scan the network for compliance to security policy
5. Enforce compliance after grace period
6. Measure and report results of compliance monitoring
Success Matrices and Metrics
Security/health is an ongoing process
The only way to improve incident response is to have success factors and metrics to analyze
Be sure to analyze core security/health operations and track your ability to mitigate ongoing health
How long does it take to “seal off” various policy zones?
Do we need to adjust policy or remediation control in a given zone?
What are the goals and measures that you want to attain for each health zone and the company as a whole?
NAP is the way you can proactively mitigate your security/health stance
The technology is DEPENDENT on your processes
Solution Take-Aways
Policy driven access control
Windows platform pieces with health and enforcement plug-ins
Integrated defense in depth at multiple layers
Customer choice – flexible, selectable enforcement
Protect network access, host access, application access in any combination as needed where appropriate
Based on customer need, risk assessment, existing infrastructure, upgrade cycle
Broad industry support
Extensible platform architecture – network vendors able to innovate and provide value
Standards-based approach means a multi-vendor, end-to-end solution
Full ecosystem of partners (50+) means customer investments will be preserved
Resources & Contacts
Web site and whitepapers:
www.microsoft.com/nap
Information on SDK distribution: [email protected]
Questions or feedback: [email protected]
Resources
Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites: http://www.microsoft.com/communities/default.mspx
User Groups: http://www.microsoft.com/communities/usergroups/default.mspx
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.