Getting Ready for Network Access Protection Jeff Alexander Technology Advisor Microsoft.

Presentation transcript:

Getting Ready for Network Access Protection Jeff Alexander Technology Advisor Microsoft

Agenda
- Network Access Protection in context
- Network Access Protection architecture
- How Network Access Protection works
- Network Access Protection solution summary

Integrating the Edge
Policy, not topology, defines the edge.

The Four Pillars of Network Access Protection
- Policy Validation: Determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy".
- Network Restriction: Restricts network access to computers based on their health.
- Remediation: Provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
- Ongoing Compliance: Changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

Network Access Protection Components
[Diagram labels: Client (SHA1, SHA2, Quarantine Agent, QEC1, QEC2); Network Policy Server (SHV1, SHV2, Quarantine Server); Network Access Device & Health Registration Authority; System Health Servers; Remediation Servers; flows: Health policy, Updates, Health Statements, Network Access Requests, Health Certificate.]
Health Components
- System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
- System Health Validators (SHV) = Certify declarations made by health agents.
- Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.
Enforcement Components
- Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPsec QECs.
- Network Access Devices = Provide network access to healthy endpoints.
- Health Registration Authority = Issues certificates to clients that pass health checks.
Platform Components
- System Health Servers = Define health requirements for system components on the client.
- Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC.
- Quarantine Server (QS) = Restricts client's network access based on what SHV certifies.

Network Access Protection Partners (as of November 2005)
- Ecosystem Partners: Networking, Anti-Virus, Endpoint Security, Update/Management
- Microsoft Integration
- Systems Integrators

IPsec-based NAP Walk-through: Accessing the network
[Diagram: Quarantine Zone, Boundary Zone, Protected Zone (Host, Exchange); Remediation Server, Policy Server, HRA; the X marks the client's blocked access to the Protected Zone.]
1. Client -> HRA: "May I have a health certificate? Here's my SoH."
2. HRA -> Policy Server: "Client ok?"
3. Policy Server -> HRA: "No. Needs fix-up."
4. HRA -> Client: "You don't get a health certificate. Go fix up."
5. Client -> Remediation Server: "I need updates."
6. Remediation Server -> Client: "Here you go."
7. Policy Server -> HRA (on the client's repeated request): "Yes. Issue health certificate."
8. HRA -> Client: "Here's your health certificate."
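The components slide and the walk-through above describe one exchange: the client's System Health Agents declare a Statement of Health, the validators on the policy server certify it, the HRA hands out a health certificate only when everything passes, and the remediation server fixes the client up otherwise. The following is an added example written for this page, not Microsoft's code or the NAP SDK; it models that exchange in Python. The validator rules, the patch identifiers (KB-EXAMPLE-*), the component names used as dictionary keys, and the client's state are all constructed sample data.

```python
"""Toy model of the NAP health-check exchange from the IPsec walk-through.
Added example, not Microsoft's code: SHAs produce a Statement of Health,
SHVs on the policy server certify it, the HRA issues a health certificate
only when every SHV passes, and the remediation server applies fix-ups.
Policy values, patch ids and client state are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Health policy (constructed values; a real SHV reads them from the policy server).
REQUIRED_PATCHES = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}  # placeholder patch ids
MAX_SIGNATURE_AGE_DAYS = 7

@dataclass
class StatementOfHealth:
    """What one SHA declares about its component (patch state, AV state, ...)."""
    component: str
    claims: dict

@dataclass
class Validation:
    """One SHV's verdict on a statement, with the fix-ups needed to pass."""
    component: str
    compliant: bool
    fixes: list[str] = field(default_factory=list)

def shv_antivirus(claims: dict) -> Validation:
    fixes = []
    if not claims.get("enabled"):
        fixes.append("enable antivirus")
    if claims.get("signature_age_days", 9999) > MAX_SIGNATURE_AGE_DAYS:
        fixes.append("update virus signatures")
    return Validation("antivirus", not fixes, fixes)

def shv_patches(claims: dict) -> Validation:
    missing = sorted(REQUIRED_PATCHES - set(claims.get("installed", [])))
    return Validation("patches", not missing, [f"install {kb}" for kb in missing])

def shv_firewall(claims: dict) -> Validation:
    fixes = [] if claims.get("enabled") else ["enable personal firewall"]
    return Validation("firewall", not fixes, fixes)

# The validators on the Network Policy Server, keyed by the SHA they certify.
SHVS: dict[str, Callable[[dict], Validation]] = {
    "antivirus": shv_antivirus,
    "patches": shv_patches,
    "firewall": shv_firewall,
}

def policy_server(sohs: list[StatementOfHealth]) -> list[Validation]:
    """Certify every required component. A component that sent no statement
    is treated as non-compliant: silence never counts as health."""
    claims_by_component = {s.component: s.claims for s in sohs}
    results = []
    for name, shv in SHVS.items():
        if name in claims_by_component:
            results.append(shv(claims_by_component[name]))
        else:
            results.append(Validation(name, False, [f"report {name} health"]))
    return results

def hra_request(sohs: list[StatementOfHealth]) -> tuple[dict | None, list[str]]:
    """HRA asks the policy server 'Client ok?'. Returns (certificate, fix-ups):
    a certificate only when every SHV certifies, otherwise the fix-up list."""
    fixes = [f for v in policy_server(sohs) if not v.compliant for f in v.fixes]
    if fixes:
        return None, fixes
    return {"subject": "client", "health": "ok", "certified": sorted(SHVS)}, []

def remediation_server(state: dict, fixes: list[str]) -> None:
    """Apply the fix-ups the remediation server knows how to deliver; anything
    else is left alone, so the client stays quarantined until an admin acts."""
    for fix in fixes:
        if fix == "enable antivirus":
            state["antivirus"]["enabled"] = True
        elif fix == "update virus signatures":
            state["antivirus"]["signature_age_days"] = 0
        elif fix.startswith("install KB"):
            state["patches"].setdefault("installed", []).append(fix.split(" ", 1)[1])
        elif fix == "enable personal firewall":
            state["firewall"]["enabled"] = True

def walk_through(state: dict, max_rounds: int = 3) -> tuple[dict | None, list[str]]:
    """Run the slide's exchange: request a certificate, fix up when refused,
    retry. Returns the certificate (or None) and the messages exchanged."""
    log = []
    for _ in range(max_rounds):
        sohs = [StatementOfHealth(name, claims) for name, claims in state.items()]
        log.append("Client -> HRA: May I have a health certificate? Here's my SoH.")
        cert, fixes = hra_request(sohs)
        if cert:
            log.append("HRA -> Client: Here's your health certificate.")
            return cert, log
        log.append("HRA -> Client: No health certificate. Go fix up: " + "; ".join(fixes))
        log.append("Client -> Remediation Server: I need updates.")
        remediation_server(state, fixes)
        log.append("Remediation Server -> Client: Here you go.")
    return None, log

def peer_accepts(cert: dict | None) -> bool:
    """Protected-zone peer: accept IPsec connections only from certified hosts."""
    return cert is not None and cert.get("health") == "ok"
```

Calling walk_through on a client with stale signatures, one missing patch and the firewall off produces the slide's two-round exchange and ends with a certificate that a protected-zone peer accepts; a client that never reports one of the required components gets refused every round, which is the behaviour you want from a health overlay (a missing agent must not look like a healthy one).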

Network Access Protection

NAP - Enforcement Options
Enforcement | Healthy Client | Unhealthy Client
DHCP | Full IP address given, full access | Restricted set of routes
VPN (Microsoft and 3rd Party) | Full access | Restricted VLAN
802.1X | Full access | Restricted VLAN
IPsec | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems
- Complements layer 2 protection
- Works with existing servers and infrastructure
- Flexible isolation

802.1X and IPsec = Customer Choice
- NAP supports both; each has advantages and weaknesses
- Integrated defense in depth at multiple layers
- Fast network access for healthy clients
- Standard 802.1X authentication; extensions to PEAP and 802.1X not required
- Network agnostic, but network vendors are able to innovate and provide value
- Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate
- Deploy in combination according to needs, risks, existing infrastructure and upgrade schedule

NAP is coming in Longhorn. Why should I start work now?
Customers can take advantage of the time they have to prepare their networks for the new model.
Deployment preparation tasks:
- Health Modeling
- Exemption Analysis
- Health Policy Zoning
- Secure Network Infrastructure Analysis
- IAS (RADIUS) Deployment
- Zone Enforcement Selection
- Rollout Planning and Change Process Control
- Success Matrices and Measures

Health Modeling
- What do I consider healthy for my network? Do I have a written and approved health policy?
- More than a technical discussion: different areas and divisions will have different policies.
- What are the corporate basics? What are the niche policies?
  Basics: Anti-virus, Patch Control, Personal Firewall, etc.
  Niche: Specialized OS Config, Application Sets, PKI allotments, etc.
- Allot the time and resource to assess your corporate risk areas
- Health control should be a top-down mandate for the enterprise
- Allot the time to work with divisions and their architects

Exemption Analysis
- Who gets a "pass"? Basic exemptions will be supplied by default (OS level and type)
- Exemptions need to be manageable
- Work up an exemption documentation process; eventually you will want to know where the holes are!
- Mitigation plans for the exemptions: can we isolate them through other means?
  IP Segmentation
  VLAN Control
  Extranet/Guest Access

IAS (RADIUS) Deployment
[Diagram: Zacme corporate network with Active Directory and an IAS/RADIUS server; an IAS/RADIUS proxy in front of it, RADIUS between proxy and server; access paths: VPN and Dial-up/ADSL (Remote Access), 802.1x Wireless/Wired (LAN Access – Infrastructure Based), DHCP/IPsec (LAN Access – Logic Based).]
- Single sign on to network resources
- Single client for all access methods
- Detailed monitoring and logging tools
- RADIUS proxy & load balance
- NAP health policy control

Secure Network Infrastructure Analysis
Enforcement First – Health Second
- NAP cannot protect the network from malicious users and systems
- NAP is designed as the health overlay to the network security systems
- NAP is dependent on its enforcement mechanisms
- IPsec, VPN, 802.1x and DHCP need to be designed and deployed as security solutions in their own right prior to overlaying health control.

Zone Enforcement Selection
Wired/Wireless LAN Zones
- IPsec, 802.1x and DHCP are the choices for enforcement
- Make a planning matrix for managed vs. unmanaged clients and wired vs. wireless clients
- Apply the appropriate enforcement solutions
Zone | Enforcement Method | Policy Rev | Wired/Wireless | Managed
Zone A | IPsec | 1.2.5 | Wired | 100%
Zone B | 802.1x | 2.5.7 | Both | 100%
Zone C | DHCP | 1.2.5 | Both | 65%

Maintaining the Operations Successfully
[Diagram: Zacme operations cycle]
1. Vulnerability identified
2. Assess and track risk related to vulnerability
3. If risk is high or critical, update policy and notify clients
4. Develop scanning criteria to detect security compliance
5. Scan the network for compliance to security policy
6. Enforce compliance after grace period
7. Measure and report results of compliance monitoring

Success Matrices and Metrics
- Security/health is an ongoing process
- The only way to improve incident response is to have success factors and metrics to analyze
- Be sure to analyze core security/health operations and track your ability to mitigate ongoing health
  How long does it take to "seal off" various policy zones?
  Do we need to adjust policy or remediation control in a given zone?
  What are the goals and measures that you want to attain for each health zone and the company as a whole?
- NAP is the way you can proactively mitigate your security/health stance
- The technology is DEPENDENT on your processes
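The zone planning matrix, the operations cycle (scan, enforce after a grace period, measure and report) and the per-zone metrics above fit together as one small reporting loop. The following is an added example written for this page, not Microsoft's code: it takes the zone, enforcement method and policy revision from the Zone Enforcement Selection slide, adds a constructed effective date for each revision and a constructed 14-day grace period, classifies constructed scan records as compliant, still inside grace, or due for enforcement, and reports compliance per zone. Host names, dates and the grace period are assumptions.

```python
"""Per-zone compliance reporting over the NAP zone planning matrix.
Added example, not Microsoft's code. Zone names, enforcement methods and
policy revisions come from the slide; effective dates, the grace period and
the scan records are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=14)  # constructed; "enforce after grace period"

# zone -> (enforcement method, required policy revision, date it took effect)
ZONE_POLICY = {
    "Zone A": ("IPsec", "1.2.5", date(2006, 3, 1)),
    "Zone B": ("802.1x", "2.5.7", date(2006, 3, 20)),
    "Zone C": ("DHCP", "1.2.5", date(2006, 3, 1)),
}

def parse_rev(rev: str) -> tuple[int, ...]:
    """'1.2.5' -> (1, 2, 5): compare revisions numerically, not as strings,
    so that 1.10.0 is correctly newer than 1.9.9."""
    return tuple(int(part) for part in rev.split("."))

@dataclass
class ScanRecord:
    """One host as seen by the compliance scan (constructed)."""
    host: str
    zone: str
    policy_rev: str  # health policy revision the client's agent reports

def classify(rec: ScanRecord, today: date) -> str:
    """'compliant', 'in_grace' or 'enforce' for one host against its zone."""
    _, required, effective = ZONE_POLICY[rec.zone]
    if parse_rev(rec.policy_rev) >= parse_rev(required):
        return "compliant"
    if today - effective <= GRACE_PERIOD:
        return "in_grace"
    return "enforce"

def compliance_report(records: list[ScanRecord], today: date) -> dict[str, dict]:
    """Counts per zone plus the hosts whose grace period has expired, which
    is the list the zone's enforcement method (IPsec/802.1x/DHCP) acts on."""
    report = {
        zone: {"method": method, "policy_rev": rev, "total": 0,
               "compliant": 0, "in_grace": 0, "enforce": []}
        for zone, (method, rev, _) in ZONE_POLICY.items()
    }
    for rec in records:
        entry = report[rec.zone]
        entry["total"] += 1
        status = classify(rec, today)
        if status == "enforce":
            entry["enforce"].append(rec.host)
        else:
            entry[status] += 1
    for entry in report.values():
        total = entry["total"]
        entry["percent_compliant"] = round(100 * entry["compliant"] / total, 1) if total else 0.0
    return report

def zones_needing_enforcement(report: dict[str, dict]) -> list[str]:
    """Zones that are not yet 'sealed off': grace has expired for some hosts."""
    return [zone for zone, entry in report.items() if entry["enforce"]]

# Constructed scan of the Zacme network, 25 March 2006.
SAMPLE_SCAN = [
    ScanRecord("zacme-a1", "Zone A", "1.2.5"),
    ScanRecord("zacme-a2", "Zone A", "1.2.4"),
    ScanRecord("zacme-b1", "Zone B", "2.5.7"),
    ScanRecord("zacme-b2", "Zone B", "2.5.0"),
    ScanRecord("zacme-c1", "Zone C", "1.3.0"),
    ScanRecord("zacme-c2", "Zone C", "1.1.9"),
    ScanRecord("zacme-c3", "Zone C", "1.2.5"),
]
SAMPLE_DATE = date(2006, 3, 25)

if __name__ == "__main__":
    for zone, entry in compliance_report(SAMPLE_SCAN, SAMPLE_DATE).items():
        print(zone, entry)
    print("still to seal off:", zones_needing_enforcement(compliance_report(SAMPLE_SCAN, SAMPLE_DATE)))
```

On the sample scan, Zone B's revision 2.5.7 took effect five days earlier, so its lagging host is still inside the grace period and is counted rather than enforced, while Zones A and C are past grace and each report one host for enforcement; tracking how many days a zone stays in that list is the "how long does it take to seal off a zone" metric the slide asks for.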

Solution Take-Aways
- Policy driven access control: Windows platform pieces with health and enforcement plug-ins
- Integrated defense in depth at multiple layers
- Customer choice – flexible, selectable enforcement
  Protect network access, host access, application access in any combination as needed, where appropriate
  Based on customer need, risk assessment, existing infrastructure, upgrade cycle
- Broad industry support
  Extensible platform architecture – network vendors able to innovate and provide value
  Standards-based approach means a multi-vendor, end-to-end solution
  Full ecosystem of partners (50+) means customer investments will be preserved

Resources & Contacts
Web site and whitepapers:
Information on SDK distribution:
Questions or feedback:

Resources
- Technical Chats and Webcasts
- Microsoft Learning and Certification
- MSDN & TechNet
- Virtual Labs
- Newsgroups: communities/newsgroups/en-us/default.aspx
- Technical Community Sites
- User Groups

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.