May 30th – 31st, 2007, Chateau Laurier, Ottawa. Securing Your Network – End to End Connectivity. Pat Fetty, Senior Program Manager, Windows Customer Advisory.

Presentation transcript:

May 30th – 31st, 2007, Chateau Laurier, Ottawa

Securing Your Network – End to End Connectivity
Pat Fetty, Senior Program Manager, Windows Customer Advisory Team, Microsoft Corporation

Initial Customer Pain
Virus entering the enterprise by:
- Employees returning from trips
- Consultants/guests plugging in
- Employees VPN-ing in
- Attacking vulnerable machines in the network
Causing loss of productivity and financial loss.

Year / Virus / WW Financial Impact (USD):
1999: Melissa, 1.10 Billion
2000: Love Bug, 8.75 Billion
2001: Code Red, 2.75 Billion
2002: Klez, 750 Million
2003: Slammer, 1.25 Billion
Source: Virus Attack Costs are Rising – Again. Computer Economics, Inc., Sept.

IT Administrators looking for tools to (Objective / NAP / How):
Comply to Health Policy: Yes. Check machine state before allowing access.
Remediate Vulnerabilities: Yes. In conjunction with SMS/WUS and 3rd parties.
Detect/Manage: Yes. In conjunction with SMS/MOM and 3rd parties.

The 4 Pillars of NAP
- Policy Validation: Determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy."
- Network Restriction: Restricts network access to computers based on their health.
- Automatic Remediation: Provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
- Ongoing Compliance: Changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

Network Access Protection Walk-through
Participants: Client, Network Access Device (DHCP, VPN), NPS Policy Server, System Health Servers, Remediation Servers; networks: Corporate Network, Restricted Network.
1. Client to Network Access Device: May I have access? Here's my current health status.
2. Network Access Device to NPS Policy Server: Should this client be restricted based on its health? (System Health Servers send ongoing policy updates to the NPS Policy Server.)
3. NPS Policy Server: According to policy, the client is not up to date. Quarantine client, request it to update.
4. Network Access Device to Client: You are given restricted access until fix-up. (Client is placed in the Restricted Network.)
5. Client to Remediation Servers: Can I have updates? Remediation Servers: Here you go.
6. Client to Network Access Device: Requesting access. Here's my new health status.
7. NPS Policy Server: According to policy, the client is up to date. Grant access.
8. Client is granted access to full intranet (Corporate Network).

NAP - Enforcement Options
Enforcement / Healthy Client / Unhealthy Client:
DHCP: Full IP address given, full access / Restricted set of routes
VPN (Microsoft and 3rd Party): Full access / Restricted VLAN
802.1X: Full access / Restricted VLAN
IPsec: Can communicate with any trusted peer / Healthy peers reject connection requests from unhealthy systems
- Complements layer 2 protection
- Works with existing servers and infrastructure
- Flexible isolation

Threat Matrix

IPSec-based NAP Features
- Isolation of unhealthy clients using IPSec
- Secure enforcement: cannot be bypassed by reconfiguring the client, or by use of hubs / virtual PC technology
- No infrastructure upgrade: works with today's switches and routers; no need to replace/upgrade DHCP, VPN, etc.
- Flexible isolation: healthy systems can connect to quarantined systems but not vice versa; isolation model defined by policy

802.1X and IPsec = Customer Choice
- NAP supports both
- Integrated defense in depth at multiple layers
- Fast network access for healthy clients
- Network agnostic, but network vendors are able to innovate and provide value
- Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate

IPSec-based NAP Isolation
(Diagram: Quarantine Zone, Boundary Zone, Protected Zone, with connection arrows marked BLOCKED or ALLOWED.)
Policy Definitions:
- Protected Zone: All systems possess a Health Certificate. Authentication required to connect into a system.
- Boundary Zone: All systems possess a Health Certificate. Authentication requested but not required to connect into a system.
- Quarantine Zone: No Health Certificates. No IPSec policies.

IPSec-based NAP Walk-through: Accessing the network
Participants: Client, HRA, NPS, Remediation Server; zones: Quarantine Zone, Boundary Zone, Protected Zone.
1. Client to HRA: May I have a health certificate? Here's my SoH.
2. HRA to NPS: Client ok?
3. NPS: No. Needs fix-up.
4. HRA to Client: You don't get a health certificate. Go fix up.
5. Client to Remediation Server: I need updates. Remediation Server: Here you go.
6. NPS (after fix-up): Yes. Issue health certificate.
7. HRA to Client: Here's your health certificate.
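The health-check exchange in the two walk-throughs above and the zone rules on the isolation slide, modelled as an added example (not Microsoft code): the SHV compares a client's SoH against a constructed sample policy, the HRA issues a health certificate only on a clean result, the remediation step brings a failing client back into compliance, and ipsec_allows applies the Protected/Boundary/Quarantine authentication rules. Policy values, field names and the "health-cert" token are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample health policy enforced by the NPS (not a real NAP policy).
POLICY = {"min_patch_level": 12, "max_av_signature_age_days": 7, "firewall_on": True}


@dataclass
class StatementOfHealth:
    """What the client's System Health Agents declare (the SoH)."""
    patch_level: int
    av_signature_age_days: int
    firewall_on: bool


def validate(soh):
    """SHV role: return the list of failed requirements; empty means healthy."""
    failures = []
    if soh.patch_level < POLICY["min_patch_level"]:
        failures.append("patch_level")
    if soh.av_signature_age_days > POLICY["max_av_signature_age_days"]:
        failures.append("av_signature")
    if POLICY["firewall_on"] and not soh.firewall_on:
        failures.append("firewall")
    return failures


def hra_decide(soh):
    """NPS/HRA role: issue a health certificate only when the SHV reports no failures."""
    failures = validate(soh)
    if failures:
        return {"zone": "quarantine", "certificate": None, "fix_up": failures}
    return {"zone": "protected", "certificate": "health-cert", "fix_up": []}


def remediate(soh):
    """Remediation server role: bring a failing client to a compliant state."""
    return StatementOfHealth(max(soh.patch_level, POLICY["min_patch_level"]), 0, True)


def ipsec_allows(src_zone, dst_zone):
    """Protected: authentication required, so only certificate holders may connect in.
    Boundary: authentication requested but not required. Quarantine: no IPsec at all."""
    src_has_cert = src_zone in ("protected", "boundary")
    if dst_zone == "protected":
        return src_has_cert
    return True
```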

Network Access Protection Solution Take-Aways
- NAP means network health and trusted communications: Windows platform pieces with health and enforcement plug-ins
- Integrated defense in depth at multiple layers
- Customer choice – flexible, selectable enforcement: protect network access, host access, application access in any combination, as needed, where appropriate
- Broad industry support: extensible platform architecture – network vendors able to innovate and provide value
- Standards-based approach means you can deploy a multi-vendor, end-to-end solution
- Full ecosystem of partners (50+) means your third-party investments will be preserved

NAP is coming in Server. Why should I start work now?
Deployment preparation tasks:
- Health Modeling
- Exemption Analysis
- Health Policy Zoning
- NPS (RADIUS) Deployment
- Zone Enforcement Selection
- Rollout Planning and Change Process Control

Network Access Protection Timeline
- Server 2008 Beta 3 – May 2007: NPS enhancements; XP SP2 Beta NAP client available
- Server 2008 RTM – 2H 2007: General availability

Resources & Contacts Web site and whitepapers: Information on SDK distribution: Questions or feedback:

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Appendix

Network Access Protection Components
Health Components:
- System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
- System Health Validators (SHV) = Certify declarations made by health agents.
- Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.
Enforcement Components:
- Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs.
- Network Access Devices = Provide network access to healthy endpoints.
- Health Registration Authority = Issues certificates to clients that pass health checks.
Platform Components:
- System Health Servers = Define health requirements for system components on the client.
- Quarantine Agent (QA) = Reports client health status, coordinates between SHA and NAD.
- Quarantine Server (QS) = Restricts client's network access based on what SHV certifies.
- QA/QS = Windows components.
(Diagram: the Client, carrying the QA, SHA1/SHA2 and QEC1/QEC2, sends Network Access Requests and Health Statements to the Network Access Device & Health Registration Authority, which returns a Health Certificate; the NPS Policy Server, carrying the QS and SHV1/SHV2, receives Health Policy Updates from the System Health Servers; Remediation Servers serve the client.)