Enabling Secure Always-On Connectivity [Name] Microsoft Corporation.

Presentation transcript:

Microsoft Confidential
Mobile & distributed workforce: central office, branch offices, remote work

"I+4A" trust model
- Trusted hardware, secure foundation
- Core security components: identity, claims, authentication, authorization, access control mechanisms, audit
- Trusted people, trusted stack, trusted data, trusted software
- Integrated protection: SDL and SD3, defense in depth, threat mitigation

Supporting IT professionals, addressing user needs
- Secure & flexible infrastructure: DirectAccess, VPN Reconnect & mobile broadband
- Reduce costs: BranchCache & SMB enhancements, URL-based QoS, support for Green IT
- Work-anywhere infrastructure: DirectAccess, VPN Reconnect, mobile broadband
- Fast access: BranchCache, SMB enhancements

DirectAccess overview
- Comprehensive anywhere-access solution available in Windows 7 and Windows Server 2008 R2
- Provides seamless, always-on, secure connectivity to on-premises and remote users alike
- Eliminates the need to connect explicitly to corpnet while remote
- Facilitates secure, end-to-end communication and collaboration
- Leverages a policy-based network access approach
- Enables IT to easily service, secure, update and provision mobile machines whether they are inside or outside the network

Always-on connectivity across different networks. A focus on driving access decisions based on "policy and a trusted identity," rather than the limitations of network topology. Always on, always healthy, always secure.
[Diagram: corporate network with RODC, secure boundary, dedicated resources, healthy resources, NPS/NAP servers, VPN gateway, ISA firewall, TSG, 802.1x and a lab client; the Internet; a customer site behind the customer firewall with a compliant Windows 7 client; a business partner with a downlevel or mobile client; compliant and non-compliant client devices. Callouts: "Requires users to connect (lost productivity)"; "Client must be made healthy prior to network access (lost productivity plus IT time and expense)".]

- Assume the underlying network is always insecure
- Redefine the corpnet edge to insulate the datacenter and business-critical resources
- Tunnel over IPv4 (UDP, HTTPS, etc.)
- Security policies based on identity, not location
[Diagram: DirectAccess server between the Internet and the enterprise network; the compliant client and the intranet user both reach the data center and business-critical resources over IPsec/IPv6; NAP/NPS servers.]

[Diagram: DirectAccess client to DirectAccess server across the Internet using native IPv6, 6to4, Teredo or IP-HTTPS; tunnel over IPv4 (UDP, HTTPS, etc.).]
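The slide lists the transport options without saying how a client ends up on one of them or what each puts on the IPv4 wire. The following is an added example, not code from the deck or from Microsoft: it models the usual fallback order (native IPv6, then 6to4 on a public IPv4 address, then Teredo behind NAT, then IP-HTTPS when UDP is blocked) with a simplified "behind NAT" test, derives the 6to4 prefix and Teredo address the client would form, and names the encapsulation an edge firewall must allow outbound. All addresses, ports and the Teredo server are constructed values.

```python
"""Which IPv6 transition path a DirectAccess client lands on, and what that
tunnel looks like on the IPv4 wire. Added example, not Microsoft's code: the
fallback order is modelled with a simplified NAT test; addresses, ports and the
Teredo server below are constructed."""
import ipaddress

# Address ranges treated as "behind NAT" for the decision (RFC 1918 plus CGNAT).
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# What each technology puts on the IPv4 wire, i.e. what an edge firewall must permit outbound.
ENCAPSULATION = {
    "native-ipv6": "none (end-to-end IPv6)",
    "6to4": "IPv4 protocol 41 (IPv6-in-IPv4)",
    "teredo": "UDP to server port 3544",
    "ip-https": "TCP 443 (IPv6 inside HTTPS)",
}


def behind_nat(ipv4: str) -> bool:
    ip = ipaddress.IPv4Address(ipv4)
    return any(ip in net for net in NAT_RANGES)


def choose_transition(native_ipv6: bool, ipv4: str, udp_ok: bool, https_ok: bool = True):
    """Return the transition technology the client would use, or None if nothing fits."""
    if native_ipv6:
        return "native-ipv6"   # no tunnel needed
    if not behind_nat(ipv4):
        return "6to4"          # public IPv4 address: IPv6-in-IPv4, protocol 41 must pass
    if udp_ok:
        return "teredo"        # private address: Teredo traverses the NAT over UDP
    if https_ok:
        return "ip-https"      # UDP blocked: last resort, IPv6 carried inside HTTPS
    return None


def six_to_four_prefix(public_ipv4: str) -> str:
    """6to4 (RFC 3056) derives the client's /48 from its public IPv4: 2002:WWXX:YYZZ::/48."""
    b = ipaddress.IPv4Address(public_ipv4).packed
    return f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48"


def teredo_address(server_ipv4: str, mapped_ipv4: str, mapped_port: int, cone_nat: bool) -> str:
    """Teredo (RFC 4380) address: 2001:0:<server>:<flags>:<port ^ 0xffff>:<mapped ip ^ 0xffffffff>.
    The mapped address and port are what the Teredo server saw on the outside of the NAT."""
    server = int(ipaddress.IPv4Address(server_ipv4))
    mapped = int(ipaddress.IPv4Address(mapped_ipv4))
    flags = 0x8000 if cone_nat else 0
    value = ((0x20010000 << 96) | (server << 64) | (flags << 48)
             | ((mapped_port ^ 0xFFFF) << 32) | (mapped ^ 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(value))


def tunnel_plan(native_ipv6, ipv4, udp_ok, https_ok=True,
                teredo_server="192.0.2.45", nat_mapping=("203.0.113.7", 40000), cone_nat=True):
    """Combine the choice with the address the client would derive for it (constructed defaults)."""
    tech = choose_transition(native_ipv6, ipv4, udp_ok, https_ok)
    plan = {"technology": tech, "encapsulation": ENCAPSULATION.get(tech)}
    if tech == "6to4":
        plan["client_prefix"] = six_to_four_prefix(ipv4)
    elif tech == "teredo":
        plan["client_address"] = teredo_address(teredo_server, *nat_mapping, cone_nat)
    return plan


if __name__ == "__main__":
    for args in ((True, "192.168.1.20", True), (False, "203.0.113.5", True),
                 (False, "192.168.1.20", True), (False, "192.168.1.20", False)):
        print(args, "->", tunnel_plan(*args))
```

The encapsulation table is the part a network defender uses: a client that falls all the way back to IP-HTTPS is indistinguishable from ordinary HTTPS at the edge, so monitoring for DirectAccess traffic has to happen on the DirectAccess server rather than by port.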

[Diagram: enterprise network, DirectAccess server, line-of-business applications; three protection levels per server: no IPsec, IPsec integrity only (authentication), IPsec integrity + encryption.]

- Always-on access to corpnet while roaming
- No explicit user action required: it just works
- Same user experience on premises and off
- Simplified remote management of mobile resources as if they were on the LAN
- Lower total cost of ownership (TCO) with an "always managed" infrastructure
- Unified secure access across all scenarios and networks
- Integrated administration of all connectivity mechanisms
- Healthy, trustable host regardless of network
- Fine-grained per-app/server policy control
- Richer policy control near assets
- Ability to extend regulatory compliance to roaming assets
- Incremental deployment path toward IPv6

Requirements
- Clients: Microsoft Windows 7
- DirectAccess server: Microsoft Windows 7
- Application servers: Windows Server 2008 (for native IPv6 support). Exception: when the Windows Firewall authentication policy is used, application servers must be Windows Server 2008 R2
- DC/DNS servers: Windows Server 2008. Exception: when two-factor authentication is required for end-to-end authentication, a Windows 7 DC-based Active Directory
- NAT-PT server if IPv4 access is desired

[Diagram: trusted, compliant, healthy Windows 7 client on the Internet; DirectAccess server (Win7); corporate network with applications & data and DC & DNS (Win 2008); optional NAT-PT. Two tunnels: an IPsec ESP tunnel using the machine certificate (DC/DNS access), and an IPsec ESP tunnel using the machine certificate and user credentials (application server access).]

What happens at the client
- Client tries to access .corpnet.com
- Looks in the provisioned list for the DNS server(s) associated with .corpnet
- Connects to the DNS server (using IPsec; IPv6 goes through the DAS)
- Client tries to connect to the target; the IPv6 route again goes through the DAS, and IPsec is required
What happens at the DAS/DNS
- DAS lets AuthIP packets from the client through to DNS
- After negotiation, DAS lets ESP packets through between the client and DNS
- DNS returns the target's address information to the client
- DNS registers the client's current address information
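The two slides above (the two ESP tunnels, and the client/DAS steps) describe a flow that is easier to reason about as code. The following is an added example, not Microsoft's code: it models the provisioned suffix list (what Windows 7 calls the Name Resolution Policy Table, NRPT) with simplified longest-suffix matching and an explicit exemption flag, the "intranet prefix goes via the DAS" routing decision, and a DAS gateway that passes AuthIP to the protected servers, passes ESP only after a negotiation has completed, and requires the machine certificate alone for DC/DNS but machine certificate plus user credentials for application servers. Suffixes, IPv6 addresses, the client address and the credential names are constructed.

```python
"""Model of the DirectAccess name-resolution and gateway flow described on the
slides. Added example, not Microsoft's code: the suffixes, addresses and packets
are constructed, and the policy table models what Windows 7 calls the Name
Resolution Policy Table (NRPT) with simplified matching rules."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NrptRule:
    suffix: str               # ".corpnet.com" = whole namespace; no leading dot = exact name
    dns_servers: tuple = ()   # intranet DNS servers reached only through the DirectAccess server
    exempt: bool = False      # True: resolve with the client's ordinary resolver instead


# Constructed policy: corpnet names go to intranet DNS; the DirectAccess server's
# own public name is exempt so the client can reach it before any tunnel exists.
NRPT = (
    NrptRule(".corpnet.com", ("2001:db8:cafe::53", "2001:db8:cafe::54")),
    NrptRule("das.corpnet.com", exempt=True),
)
INTRANET_PREFIX = ipaddress.ip_network("2001:db8:cafe::/48")  # constructed corpnet IPv6 space


def _matches(name: str, suffix: str) -> bool:
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name.endswith(suffix) if suffix.startswith(".") else name == suffix


def resolve_path(name: str, rules=NRPT):
    """("intranet", servers) if the query must cross the DirectAccess tunnel,
    ("local", ()) otherwise. The longest matching suffix wins."""
    best = None
    for rule in rules:
        if _matches(name, rule.suffix) and (best is None or len(rule.suffix) > len(best.suffix)):
            best = rule
    if best is None or best.exempt:
        return ("local", ())
    return ("intranet", best.dns_servers)


def route_target(addr: str) -> str:
    """Once DNS has answered: intranet IPv6 targets go through the DirectAccess
    server and require IPsec; anything else goes straight out to the Internet."""
    ip = ipaddress.ip_address(addr)
    return "ipsec-via-das" if ip.version == 6 and ip in INTRANET_PREFIX else "direct"


class DasGateway:
    """Forwarding rule from the slides: AuthIP negotiation may reach the protected
    servers; ESP passes only for a pair whose negotiation succeeded; anything else
    is dropped. DC/DNS accept the machine certificate alone, application servers
    need the machine certificate plus user credentials."""

    def __init__(self, dns_servers, app_servers=()):
        self.dns_servers, self.app_servers = set(dns_servers), set(app_servers)
        self.negotiated = set()

    def negotiate(self, src: str, dst: str, creds: frozenset) -> bool:
        if dst in self.dns_servers:
            needed = {"machine-cert"}
        elif dst in self.app_servers:
            needed = {"machine-cert", "user"}
        else:
            return False
        if not needed <= creds:
            return False
        self.negotiated.update({(src, dst), (dst, src)})  # ESP flows both ways once the SA exists
        return True

    def forward(self, proto: str, src: str, dst: str) -> bool:
        if proto == "authip" and dst in self.dns_servers | self.app_servers:
            return True
        return proto == "esp" and (src, dst) in self.negotiated


def client_flow(name, answer, creds=frozenset({"machine-cert", "user"}), client="2001:db8:beef::10"):
    """Walk the slide's steps for one connection attempt and return them as a list."""
    steps = []
    path, servers = resolve_path(name)
    steps.append(("dns", path))
    if path == "local":
        steps.append(("route", route_target(answer)))
        return steps
    das = DasGateway(servers, app_servers=(answer,))
    dns = servers[0]
    steps.append(("authip-to-dns", das.forward("authip", client, dns)))
    steps.append(("esp-before-sa", das.forward("esp", client, dns)))   # dropped: no SA yet
    das.negotiate(client, dns, frozenset({"machine-cert"}))            # infrastructure tunnel
    steps.append(("esp-after-sa", das.forward("esp", client, dns)))
    route = route_target(answer)
    steps.append(("route", route))
    if route == "ipsec-via-das":
        steps.append(("app-sa", das.negotiate(client, answer, creds)))  # intranet tunnel
    return steps


if __name__ == "__main__":
    for step in client_flow("sharepoint.corpnet.com", "2001:db8:cafe::80"):
        print(step)
```

Two details carry the security argument: ESP to a DNS server is dropped until AuthIP has completed (a client cannot talk to the intranet on the strength of an address alone), and a machine that has only its machine certificate can reach DC/DNS for management but cannot open the second tunnel to application servers until a user has logged on.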

Client
- Receives configuration while directly connected to corpnet (provisioning) via Group Policy
- NAP used to check configuration and health when remotely connected
Server
- DirectAccess wizard to set up DirectAccess server(s)
- Policies controlled via Group Policy

DirectAccess server roles
Facing corpnet:
- Gateway for native IPv6
- IPv6-over-IPv4 service for the enterprise: ISATAP relay
- IPsec gateway (tunnel mode endpoint)
- Forwarding
Facing the Internet:
- Gateway for native IPv6
- IPv6-over-IPv4 services: 6to4 relay, Teredo relay (optionally also Teredo server)
- Firewall/proxy traversal: IP-TLS relay
Internal:
- IPsec DoS protection

Deployment considerations
- Be ready to monitor IPv6 traffic
- Choose an access model: full intranet access vs. selected server access?
- Assess deployment scale

Configure the DirectAccess server
- Requires Windows Server 2008 R2
- Use the DirectAccess server MMC
- Author DirectAccess policies for clients, application servers, DC/DNS and the IPsec gateway
Client machines
- Windows 7 Enterprise & Ultimate SKUs
- Done using the DirectAccess configuration wizard
- Customize policies as needed

[Diagram: trusted, compliant, healthy Windows 7 client; corporate network with applications & data and DC & DNS (Win 2008); alongside: NAP (includes Server & Domain Isolation [SDI]), Forefront Client Security, Windows Firewall, BitLocker + Trusted Platform Module (TPM), IAG SP2.]

Evolution, not revolution
- Upgrade your network to an IPv6 end state
- Requires Windows 7 on the client
- Transition to Windows Server 2008 simplifies the solution
- Little or no change to applications: upgrade the server platform
- 30 Microsoft LOB applications today on Windows Server 2008 running end-to-end IPsec/IPv6
- Additional 40 planned to upgrade in the next two months
- Allows you to take concrete steps toward satisfying any IPv6 mandate
- Seamless integration with your current access and security solutions
- Seamless transition to DirectAccess over time
- Integrates with Forefront solutions

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.