Customer Insight: CSO's Perspective – What Edge?
Microsoft Research EdgeNet, June 2006
Mark Ashida, General Manager, Windows Enterprise Networking
The Evolution of Our Thinking
- Industry trends
  - Consolidation of functionality vs. appliances
  - Mobility driving more devices, roaming users, policies
  - Trust boundaries are vague - hard to define & control
- Network Access Protection (NAP)
  - Defined initial requirements with customers
  - Early & consistent review with Microsoft IT dept
  - Refined functionality with feedback from pilot programs: Technology Adoption Program (TAP), Vista Beta customers
What Edge?
- VLANs, IPsec, internal firewalls, NAC appliances
- Jericho Forum
- Logical L3+ vs. L2
[Diagram: Internet; Logical CorpNet; Restricted Zone (non-domain-joined, non-IPsec devices); Seamless Network Gateways; Provisioning Servers; New PC; Employee, Partner, Guest PC; IPsec Security; DHCP, DNS, AAA]
Thinking Evolution
[Diagram, build 1 - Network Access Protection abstraction: Health State; Quarantine Agent; Enforcement (802.1x, IPsec); Network Infrastructure; RADIUS; Policy store]
[Diagram, build 2 - same elements grouped into layers: Assets; Control Plane; Enforcement/Network]
[Diagram, build 3 - adds management: MOM Packs; UI/Diag; MOM; Reporting; Single Dashboard]
[Diagram, build 4 - Clients; Network Infrastructure; RADIUS; Policy store; Network State Database (in MOM); NAP Configuration, Help Desk, Security, Performance, Provisioning; DHCP, WINS, DNS; VM/TPM]
What CSOs want
- Want it soon – they want PAC not NAC
- Fine-grained admission per resource, based upon rich information such as:
  - Identity (permanent and temporary)
  - Machine state (health)
  - Application
  - Entry point
  - Time of day, etc.
- Interoperability with current infrastructure/desktops
- Multi-vendor solution
- Federated trust would be nice
- Manageability
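The fine-grained, per-resource admission this slide asks for (PAC rather than NAC), as an added Python example that is not from the deck or from Microsoft's NAP implementation: the attribute names, the sample policies and the three-way allow/restrict/deny outcome are assumptions made for illustration, with "restrict" standing in for NAP's quarantine of a known but unhealthy client in the restricted zone.

```python
# Added example (not from the slides): per-resource admission decisions driven
# by identity, machine health, application, entry point and time of day.
# Policy contents and attribute names are constructed for illustration.
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class AccessRequest:
    identity: str        # principal, permanent (employee) or temporary (guest)
    domain_joined: bool  # non-domain-joined devices belong in the restricted zone
    health_ok: bool      # outcome of the health-state check (patches, AV, firewall)
    application: str     # application making the request
    entry_point: str     # e.g. "lan", "wireless", "vpn"
    at: time             # time of day of the request


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_entry: frozenset
    allowed_apps: frozenset
    require_domain: bool = False
    hours: tuple = (time(0, 0), time(23, 59))  # inclusive access window


def decide(req: AccessRequest, pol: ResourcePolicy) -> str:
    """Per-resource admission: 'allow', 'restrict' (quarantine/remediation) or 'deny'."""
    start, end = pol.hours
    if req.entry_point not in pol.allowed_entry or req.application not in pol.allowed_apps:
        return "deny"
    if not (start <= req.at <= end):
        return "deny"
    if pol.require_domain and not req.domain_joined:
        return "deny"
    # The NAP case: a known client that fails the health check is not rejected
    # outright but confined to the restricted zone (remediation/provisioning only).
    if not req.health_ok:
        return "restrict"
    return "allow"


# Constructed sample policies for two resources with different risk profiles.
POLICIES = {
    "mail": ResourcePolicy(frozenset({"lan", "wireless", "vpn"}), frozenset({"outlook", "owa"})),
    "hr-db": ResourcePolicy(frozenset({"lan"}), frozenset({"hr-client"}),
                            require_domain=True, hours=(time(8, 0), time(18, 0))),
}


def request(identity, domain_joined, health_ok, app, entry, hour) -> AccessRequest:
    """Convenience constructor: hour is the request's hour of day (minute 0)."""
    return AccessRequest(identity, domain_joined, health_ok, app, entry, time(hour, 0))


def admit(req: AccessRequest) -> dict:
    """Evaluate one request against every resource policy (admission per resource)."""
    return {name: decide(req, pol) for name, pol in POLICIES.items()}
```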
What CSOs don't want
- Don't make it uneconomical for us to deploy
  - Help desk
  - Management
  - Multiple solutions
- Don't break provisioning/logon/SSO
- Is 802.1x the right enforcement method?
- Practical deployment issues – beaconing, provisioning, multiple MACs on a single port, VMs, ...
Unashamed Vista/LHS Plug
- Network Diagnostics – why you can't connect, and repair
- NAP Agent – why you can't connect / help desk
- MOM Desktop NAP Agent – events/alarms from the desktop, expanding to all networking elements on the desktop (QoS, etc.)
- IPsec – giving you virtual logical groups anywhere in the world (240k desktops at MS) with much reduced deployment costs
- Adaptive new IP stack – much better throughput, up to 80+ Mbps on a 100 Mbps port vs. 20 previously
- IP Offload – 10GE announced now
- IPv6 – on by default