Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.

Presentation transcript:

What Is IPD?
Guidance that clarifies and streamlines the planning and design process for Microsoft ® infrastructure technologies. IPD:
- Defines decision flow
- Describes decisions to be made
- Relates decisions and options for the business
- Frames additional questions for business understanding
IPD guides are available at

Getting Started: Selecting the Right NAP Architecture

Purpose and Overview
Purpose: To provide design guidance for a NAP infrastructure
Overview:
- Selecting the Right NAP architecture
- Selecting the Right NAP infrastructure design process

What Is NAP?
Network Access Protection is a policy-based solution that:
- Validates whether computers meet health policies
- Can limit access for noncompliant computers
- Automatically remediates noncompliant computers
- Continuously updates compliant computers to maintain their health state
- Offers administrators a wide range of choice and deployment flexibility to better secure their Windows ® networks

NAP Decision Flow MAP w/ CAL Tracker

Example NAP Architecture ITA

Why Implement NAP?
- Controlled access for guests, vendors, partners
- Improved resilience to malware as network health increases
- More robust update infrastructure
- Managed compliance

Key Messages for NAP
- The NAP client can be Windows Server ® 2008, Windows Vista ®, Windows XP SP3, or third party (Linux + Macintosh)
- NAP is built into Windows and is enabled via Group Policy (GP) or script
- NAP requires a minimum of one Windows Server 2008 machine to get started

NAP Enforcement Options

Enforcement option | Capabilities
IPsec – implemented at host layer | Restricts client device communication to a limited number of servers until compliance is demonstrated
802.1X – implemented at network layer | Client device access is restricted by network infrastructure devices until the device has demonstrated compliance
VPN – Microsoft VPN | The VPN server restricts client device access by using IP filters until the client device has demonstrated compliance
DHCP – implemented at network layer | The DHCP client is restricted by providing a 32-bit netmask and removing the default gateway

Step 1: Determine Client Connectivity
Task 1: Select the Scope of NAP Clients
The type of network connectivity dictates the appropriate enforcement methods. Client devices connect in two ways:
- Locally, via wired or wireless
- Remotely, such as VPN

Step 2: Determine VPN Platform
Option 1: Microsoft VPN
- If IT selects RRAS to provide remote access, the VPN server must run Windows Server 2008
- Low level of complexity and cost to implement
Option 2: Third-Party VPN
- If IT selects a third-party VPN, IPsec can be used to restrict client device access
- High level of complexity and medium cost to implement

Step 3: Determine the Enforcement Layer
Option 1: Enforce Restrictions at the Host
- Using IPsec provides robust security
- High level of complexity and medium cost to implement
Option 2: Enforce Restrictions on the Network
- Depending on the specific network-based enforcement method, the security level is less robust than IPsec
- Medium level of complexity and high cost to implement

Step 4: Select Between 802.1X and DHCP
Option 1: 802.1X Enforcement
- Can be more complex and expensive: switches and wireless access points must support the 802.1X authentication protocol, which may mean hardware upgrades
- Robust choice that offers a high degree of protection. Until a client device has demonstrated that it meets the organization's compliance requirements, the network switches and wireless access points restrict its access to the network. These restrictions are difficult to bypass, even by a determined malicious user
Option 2: DHCP Enforcement
- Simplest and least-expensive enforcement option. Until a computer has been proven to meet the organization's health policies, the DHCP server assigns it an IPv4 address configuration that restricts its access to a portion of the network
- Requires Windows Server
- Many organizations begin their testing and pilot deployments of NAP using DHCP enforcement because it can be deployed quickly
- One significant drawback: DHCP enforcement is easily bypassed by users who have administrative privileges on their computers. This means it is trivial for a malicious user and relatively easy for a technically savvy one
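The restricted state that DHCP enforcement imposes (a 32-bit subnet mask and no default gateway) is visible in a client's `ipconfig /all` output. The Python script below is an added example, not part of the IPD guide: it parses a constructed `ipconfig /all` capture and reports each adapter as restricted, unrestricted, or static (DHCP disabled, so never subject to DHCP enforcement), which is the inventory check a help desk or security team wants given the drawback noted above.

```python
import re
from typing import Dict

# Constructed sample `ipconfig /all` output (not taken from the guide): a NAP-restricted
# lease, a normal lease, and a statically addressed adapter that DHCP enforcement cannot reach.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.1.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wireless Network Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.2.88(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.1

Ethernet adapter Lab:
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.0.1.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1
"""

# "   Field Name. . . . : value" -> ("Field Name", "value"); the value may be empty.
FIELD = re.compile(r"^\s+([A-Za-z0-9 ]+?)[ .]*: ?(.*)$")

def parse_adapters(text: str) -> Dict[str, Dict[str, str]]:
    """Group ipconfig /all output into {adapter name: {field: value}}."""
    adapters: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]              # adapter heading line
            adapters[current] = {}
        elif current is not None:
            m = FIELD.match(line)
            if m:
                adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters

def classify(adapter: Dict[str, str]) -> str:
    # DHCP disabled: no lease was ever issued, so DHCP enforcement never applied
    if adapter.get("DHCP Enabled", "").lower() != "yes":
        return "static"
    # /32 mask plus no default gateway is the restricted configuration NAP hands out
    if adapter.get("Subnet Mask") == "255.255.255.255" and not adapter.get("Default Gateway"):
        return "restricted"
    return "unrestricted"      # normal lease: health checks passed (or client is exempt)

def nap_dhcp_report(text: str) -> Dict[str, str]:
    return {name: classify(fields) for name, fields in parse_adapters(text).items()}
```

Adapters reported as static deserve review, since a statically addressed client is exactly the case DHCP enforcement cannot restrict.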

NAP Restrictions – Host vs. Network Enforcement
Use the table below to select between:
- IPsec – host-based
- 802.1X – network-based
- DHCP – network-based

Method | Security Level | Complexity | Cost
IPsec | High | High | Medium
802.1X | High | Medium | High
DHCP | Low | Low | Low

Additional Considerations
- Determining system compliance requirements
- Combining NAP technologies
- Dependencies

Summary and Conclusion
This guide has focused on summarizing the critical design decisions, activities, and tasks required to enable a successful design of Network Access Protection.
Provide feedback to

Find More Information
- Download the full document and other IPD guides:
- Contact the IPD team:
- Access the Microsoft Solution Accelerators website:

Questions?

Addenda
- Benefits of using the Selecting the Right NAP Architecture guide
- IPD in Microsoft Operations Framework 4.0
- Selecting the Right NAP Architecture in Microsoft Infrastructure Optimization

Benefits of Using the Selecting the Right NAP Architecture Guide
Benefits for Business Stakeholders/Decision Makers
- Most cost-effective design solution for implementation
- Alignment between the business and IT from the beginning of the design process to the end
Benefits for Infrastructure Stakeholders/Decision Makers
- Authoritative guidance
- Business validation questions ensuring the solution meets the requirements of business and infrastructure stakeholders
- High-integrity design criteria that include product limitations
- Fault-tolerant infrastructure
- Proportionate system and network availability to meet business requirements
- Infrastructure that is sized appropriately for business requirements

Benefits of Using the Selecting the Right NAP Architecture Guide (Continued)
Benefits for consultants or partners
- Rapid readiness for consulting engagements
- Planning and design template to standardize design and peer reviews
- A leave-behind for pre- and post-sales visits to customer sites
- General classroom instruction/preparation
Benefits for the entire organization
- Using the guide should result in a design that will be sized, configured, and appropriately placed to deliver a solution for achieving stated business requirements

IPD in Microsoft Operations Framework 4.0
Use MOF with IPD guides to ensure that people and process considerations are addressed when changes to an organization's IT services are being planned

Selecting the Right NAP Architecture in Microsoft Infrastructure Optimization