NAC-NAP Interoperability

Presentation transcript:

NAC-NAP Interoperability Michal Remper Systems Engineer mremper@cisco.com

Who we are? 4 years of NAC experience.
(Diagram: Subject (managed or unmanaged host) vs. Enforcement vs. Decision & Remediation, across LAN, WAN and Remote. Decision and remediation components: ACS, Directory Server, Posture Validation Server(s), Audit Server, Patch Server, Reporting Server.)

How we see Microsoft? Microsoft owns 97.46% of the global desktop operating system market (over 90% in the enterprise). Microsoft is a strategic component of business operations for nearly all of our customers. Any NAC solution must fully support a Microsoft environment.

What is the difference between NAC & NAP? … NAC and NAP have different goals …

What is the difference between NAC & NAP? NAC ensures that all users and devices coming into the network comply with an endpoint security policy. NAP seeks to guarantee that users and devices connecting to a specific MS server meet an endpoint security policy. Cisco and Microsoft have publicly stated that the two companies will work to integrate these two approaches.

History (Network Admission Control / Network Access Protection)
The joint announcement was originally made in October 2004. Since then…
Unveiled at The Security Standard show in Sept 06, including a press announcement and live demo.
Joint beta program began in Dec 06 with two customers… no, one is not Cisco IT.

What we declare together ….

Status Today
Joint testing between Cisco and Microsoft, including bug fixes, is ongoing and includes weekly status calls for tracking.
Documentation has been developed, including presentations and deployment and troubleshooting guides.
Beta 1 is wrapping up, with Beta 2 slotted for a June start.
Beta 1: in-band posture. Beta 2: wireless, SSO, extended states, MAB (MAC Authentication Bypass).

Why Did We Create a Joint Solution? Customer driven: Cisco and Microsoft interoperability helps customers achieve their strategic initiatives. Customers don't have to choose between a NAC-only or a NAP-only solution.

NAC Admission Flow (key: optional vs. mandatory steps)
Components: the host attempting network access (running the Cisco Trust Agent, CTA), Network Access Devices (NADs), the Cisco Secure ACS policy server, and the decision points: Directory Server (identity: LDAP, OTP), Policy Vendor Server (PVS, posture) and Audit Server (AS).
Transports: EAP between host and NAD, RADIUS between NAD and ACS, HCAP between ACS and PVS, GAME over HTTPS between ACS and the Audit Server.
1. Traffic triggers challenge
2. Credentials (host to NAD)
3. Credentials (NAD to ACS)
4a. Identity check against the Directory Server
4b. Posture check against the Policy Vendor Server
4c. Audit by the Audit Server
5. Compliant?
6. Authorization
7. Enforcement
8. Notification
9. Status
Speaker notes: walk through the NAC flow and point out CTA. The audit server may or may not be required. Step through the flow; anti-virus is an example, but it could be any type of posture information.

What is Available in the Joint Solution?
Network Admission Control: 802.1x, EoU (EAP over UDP).
Network Access Protection: DHCP, IPsec, VPN, 802.1x, health certificates.
Joint NAC-NAP solution: 802.1x, EoU.

NAC-NAP Architecture
Components (colour-coded in the diagram as Microsoft, MS partner and Cisco components): Client with Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host and QEC; Cisco switches and routers; Cisco ACS; MS NPS; Partner Policy Server.
Transports: EAP-FAST over 802.1x or UDP (EAPoUDP) between client and switch/router, RADIUS between switch/router and ACS, HCAP between ACS and NPS.
We have referred to this as the In-Band (HCAP) scenario. Access methods include 802.1x and EoU. Authentication is performed on ACS. Posture checking is performed on NPS. HCAP v2 is the secure transport method for credentials and policy information between ACS and NPS.

NAC-NAP Benefits
Interoperability and customer choice: customers can choose components, infrastructure and technology while implementing a single, coordinated solution.
Investment protection: enables customer reuse and investment protection of their NAC and/or NAP deployments.
Single agent included in Windows Vista: the NAP Agent component included in Vista will be used for both NAP and NAC.
Agent deployment and update support: Microsoft will distribute Cisco EAP modules through Windows Update / Windows Server Update Services.
Cross-platform support: to support client operating systems other than Windows, Microsoft will make available the APIs that support both NAP and Cisco NAC, and Cisco will continue to support and develop its NAC client (the Cisco Trust Agent) for non-Windows environments.

Solution Details
ACS support for NAC-NAP is in the 4.2 release, currently set for Dec 07.
MS Longhorn (Windows Server 2008) is required for NAP and NAC-NAP. This will be released at the end of Dec 07.
A NAP-only agent is available for XP. Cisco has no plans to support the NAC-NAP solution for anything prior to Vista.
There is no CTA for Vista. The NAP agent handles both NAC and NAP information for Vista.

OS Support matrix: Vista vs. XP, for NAC-NAP, NAP only, NAC Framework and NAC Appliance.

NAC NAP Architecture Comparison SHV = System Health Validator QA/QS = Quarantine Agent/Server QEC/QES = Quarantine Enforcement Client/Server

Vista Client Architecture
Statement of Health (SoH), aka posture credentials: encapsulation of endpoint posture sent from an endpoint SHA to its SHV. The SoH is a response to a request for health state.
System Health Agents (SHA), aka posture plugins: SHAs are responsible for reporting on the health state of the client. Each configured SHA reports health state to the NAP Agent. An SHA will also accept statement of health response data and will optionally remediate the client.
NAP Agent, aka CTA: the QA (Quarantine Agent) is responsible for collating the statement of health information from the SHAs into a single system statement of health. The QA also accepts the system statement of health response and parses it into individual statements of health to be passed to the SHAs.
EAP Host: a plug-in architecture for network authentication components. There will be a partner program where Microsoft will certify components and distribute them through Windows Update.
(Diagram: Client with Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host and QEC; EAP-FAST over 802.1x or EAPoUDP.)

Microsoft Server and Partner Components
NPS Server (Longhorn): replaces IAS. The place to define NAP enforcement and remediation policies (RADIUS access policies for NAP-only). Implements HCAP v2 for ACS communication. Supports the SHV API and installation of SHVs.
MS Partner Program: very similar to the way the Cisco NAC program is set up. Partners develop interoperability through the SHA and SHV APIs. SHV = System Health Validator; SHA = System Health Agent.
(Diagram: Client with SHA 1, SHA 2, Quarantine Agent (QA), QEC 1, QEC 2; Network Policy Server with SHV 1, SHV 2, health policy and Quarantine Server (QS); Policy Servers, Remediation Servers, Client Updates.)

What About Cisco Components? Any Cisco device that works with NAC will work with NAC-NAP! Currently ACS 4.2 will support NAC-NAP. Cisco ACS will support a heterogeneous environment of NAC and NAC-NAP.

Access Methods for NAC-NAP
(Diagram: Client (Partner SHAs, NAP Agent (QA), EAP Host, QEC) to switches/routers over EAP-FAST carried by 802.1x or EoU; switches/routers to Cisco ACS over RADIUS.)
EAP-FAST: the transport method for the SoH. The method will be deployable via group policy and downloadable via Windows Server Update Services.
EAPoUDP: a Layer 3 method similar to the NAC-only deployment. In the NAC-NAP solution EoU relies on EAP-FAST. EoU will also be deployable via group policy and downloadable via WSUS.
802.1x: the Windows Vista 802.1x supplicant will be NAC-NAP enabled and will fully support both wired and wireless access.

Client Statement of Health Process
Health validation events:
Health state change: an SHA may notify the NAP Agent if its health state changes. For example, the Windows firewall is turned off.
Network state change: a QEC may notify the NAP Agent that there is a network state change. For example, a wireless client roams to a new network.
Probation timer: the probation time expires.
SoH creation process:
1. A health validation event occurs.
2. The NAP Agent requests SoH data from all bound SHAs.
3. The SHAs respond with SoH data.
4. The NAP Agent collects all SHA data and adds system SoH data to create a system SoH (SSoH).
5. The NAP Agent forwards the SSoH to all configured QECs.
(Diagram: Partner System Health Agents (SHAs), NAP Agent (QA), EAP Host QEC, HC QEC.)

Traffic Flow
(Diagram: Client (Partner SHAs, NAP Agent (QA), EAP Host, QEC) sends Credential + SoH over EAP-FAST on 802.1x or EAPoUDP to the switch/router; the switch/router relays it to Cisco ACS over RADIUS; ACS passes the SoH to MS NPS / Partner Policy Server and receives SoHR / QState / ExtState; ACS returns a Network Access Profile to the switch/router and the SoHR to the client.)
1. The client negotiates 802.1x or EAP over UDP with the Network Access Device.
2. The ACS server initiates an EAP-FAST authentication with the client.
3. The client generates a system SoH (SSoH) and sends it to ACS along with its authentication credentials.
4. ACS authenticates the client.
5. ACS forwards the system SoH, User Group and Location Group to the posture AAA (NPS).
6. The posture AAA (NPS) validates the system SoH and evaluates it against policy.
7. The posture AAA generates a system SoHR and returns it plus a quarantine state and an extended state to ACS.
8. ACS takes the quarantine state and extended state plus the authentication data and authorizes the client.
9. ACS generates a Network Access Profile and returns it to the NAD.
10. ACS returns the system SoHR to the client via EAP-FAST.
11. The client processes the system SoHR and remediates as necessary.
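The exchange above, together with the SoH creation process on the Client Statement of Health slide and the NAC Admission Flow, modelled end to end as an added example. This is illustration code written for this page, not Cisco or Microsoft code: the transports (EAP-FAST, RADIUS, HCAP v2) are collapsed into direct function calls, and the SHA id, health attribute names, credential store and VLAN numbers are invented. It shows what the slides' prose does not: the SoHs being collated into a system SoH, the SHV producing a per-SHA SoHR, ACS combining the authentication result with the quarantine state into a Network Access Profile, and a second exchange after remediation coming back Healthy.

```python
# Added illustration, not Cisco or Microsoft code. Transports are replaced by
# direct calls; SHA id, attribute names, users and VLAN numbers are invented.
from dataclasses import dataclass, field


@dataclass
class SoH:
    """Statement of Health: one SHA's health facts (name -> value)."""
    sha_id: int
    attributes: dict


@dataclass
class SoHR:
    """Statement of Health Response from the matching SHV on NPS."""
    sha_id: int
    compliant: bool
    required: dict = field(default_factory=dict)  # values the client must adopt


class SHA:
    """System Health Agent: reports health state and optionally remediates."""
    def __init__(self, sha_id, state):
        self.sha_id, self.state = sha_id, dict(state)

    def statement_of_health(self):
        return SoH(self.sha_id, dict(self.state))

    def apply_response(self, sohr):
        self.state.update(sohr.required)  # remediate to the required values


class NAPAgent:
    """Quarantine Agent: collates SoHs into a system SoH, fans out the SSoHR."""
    def __init__(self, shas, os_version):
        self.shas = {s.sha_id: s for s in shas}
        self.os_version = os_version

    def build_ssoh(self):
        # System SoH = every bound SHA's SoH plus system-level facts.
        return {"system": {"os": self.os_version},
                "sohs": [s.statement_of_health() for s in self.shas.values()]}

    def process_ssohr(self, ssohr):
        for sohr in ssohr:  # split the system response back out per SHA
            self.shas[sohr.sha_id].apply_response(sohr)


class SHV:
    """System Health Validator on NPS: compares one SoH with health policy."""
    def __init__(self, sha_id, policy):
        self.sha_id, self.policy = sha_id, dict(policy)

    def validate(self, soh):
        failing = {k: v for k, v in self.policy.items() if soh.attributes.get(k) != v}
        return SoHR(self.sha_id, not failing, failing)


def nps_validate(ssoh, shvs):
    """Posture AAA (NPS): returns (system SoHR, quarantine state, extended state)."""
    ssohr = [shvs[s.sha_id].validate(s) for s in ssoh["sohs"] if s.sha_id in shvs]
    qstate = "Healthy" if all(r.compliant for r in ssohr) else "Quarantine"
    ext_state = [r.sha_id for r in ssohr if not r.compliant]  # which SHAs failed
    return ssohr, qstate, ext_state


USERS = {"alice": "correct horse"}  # stand-in for the directory ACS queries
PROFILES = {  # Network Access Profiles ACS hands to the NAD (VLAN + ACL)
    "Healthy": {"vlan": 10, "acl": "permit ip any any"},
    "Quarantine": {"vlan": 99, "acl": "permit ip any host remediation"},
}


def acs_admission(agent, username, password, shvs):
    """Steps 1-11 of the traffic flow: auth on ACS, posture on NPS, profile to NAD."""
    ssoh = agent.build_ssoh()                            # client builds SSoH (step 3)
    if USERS.get(username) != password:                 # ACS authenticates (step 4)
        return {"authenticated": False, "profile": None}
    ssohr, qstate, ext_state = nps_validate(ssoh, shvs)  # HCAP to NPS (steps 5-7)
    profile = PROFILES[qstate]                          # authorize, build profile (8-9)
    agent.process_ssohr(ssohr)                          # SoHR back via EAP-FAST (10-11)
    return {"authenticated": True, "qstate": qstate,
            "ext_state": ext_state, "profile": profile}


WSHA = 0x77  # invented SHA id for a Windows-security style health agent


def demo():
    """First pass is quarantined; the health state change caused by remediation
    triggers a second SoH exchange that comes back Healthy."""
    agent = NAPAgent([SHA(WSHA, {"firewall": "on", "antivirus": "off"})], "Vista")
    shvs = {WSHA: SHV(WSHA, {"firewall": "on", "antivirus": "on"})}
    first = acs_admission(agent, "alice", "correct horse", shvs)
    second = acs_admission(agent, "alice", "correct horse", shvs)
    return first, second
```

Note the ordering the model preserves from the slides: a failed authentication never reaches NPS, so posture is only ever evaluated for an authenticated identity, and the quarantine profile still grants enough access (the remediation host) for the SHA to act on its SoHR.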

Key Takeaways
Main points to keep in mind:
This solution will be available around the end of CY07, when ACS 4.2 and Longhorn Server ship.
NAC-NAP is only supported on Vista and Longhorn.
Customers can still do NAC only or NAP only.
Currently POCs are not available for customers outside of the beta.
(Slide template note: Key Takeaways are critical for TOI as well as retention of material. When VT members go to redeliver the content of the session to their region/team, what are the critical main points that they must redeliver? The answer to that question should be the bullets of this slide.)

Q and A