Enterprise Network Protection

Kunal Kodkani

Senior Consultant, Microsoft Consulting Services

Microsoft Corporation

[email protected]

Agenda
  • Introduction
  • NAP Overview
  • NAP platform architecture
  • NAP enforcement methods
  • Demo NAP IPSec enforcement
  • SDI Overview
Today’s Network Challenges

Today’s networks are highly connected
  • Multiple points of attachment: wireless, LAN, WAN, extranet
  • Parties with differing rights: employees, vendors, partners
  • Proliferation of devices: PCs, phones, PDAs, other devices

High connectivity presents new challenges
  • Need to control guest, vendor and partner access
  • Increased exposure to malware
  • Evolved security model: from perimeter control to everywhere control

Key strategies
  • Authenticate users and grant access based on role and on compliance with corporate governance standards
  • Aggressively update out-of-compliance systems
  • Apply access policy throughout the network

Solution: comprehensive, policy-based authentication and compliance throughout the network

(Slide diagram: Internet, Boundary Zone and Intranet, with employees, partners, vendors, customers and remote employees attaching at each zone.)
Enterprise Network Protection
  • Allows you to control access to your network using
    • Policy-based enforcement
    • Logical network isolation using IP Security (IPSec)
    • Wireless security technologies
  • Microsoft solutions in this area
    • NAP
    • SDI
    • Securing Wireless using Certificate Services
      • http://www.microsoft.com/downloads/details.aspx?familyid=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en
Policy Based Network Access Protection
  • Policy validation: determines whether computers are compliant with the company’s security policy. Compliant computers are deemed “healthy”.
  • Network restriction: restricts network access for computers based on their health.
  • Remediation: provides the updates a computer needs to “get healthy”. Once healthy, the network restrictions are removed.
  • Ongoing compliance: changes to the company’s security policy or to a computer’s health may dynamically result in network restrictions.

What is Network Access Protection?
  • A platform that enforces compliance with health requirements for network access or communication
  • NAP is not a security solution to keep the bad guy off your network: the health status is reported by the client itself, so NAP addresses unintentionally non-compliant machines rather than hostile ones
  • Application programming interfaces (APIs) allow integration with third-party vendors (health agents, validators and enforcement clients)
Network Access Protection: How It Works
  1. Access is requested by the client at an enforcement point (DHCP, VPN, switch/router)
  2. Authentication information, including identity and health status, is forwarded to the Microsoft NPS
  3. NPS validates the health status against the health policy (policy servers, e.g. patch, AV)
  4. If compliant, access to the corporate network is granted
  5. If not compliant, the client receives restricted network access and is directed to the remediation servers (e.g. patch)
NAP Components
  • Client: NAP Agent; System Health Agents (SHA), e.g. the Microsoft SHA, SMS and 3rd-party SHAs; Enforcement Clients (EC) for DHCP, IPsec, 802.1X and VPN, plus 3rd-party EAP VPNs
  • Client to server: network access requests carrying health statements; server to client: a health certificate or an access decision
  • NAP Server: NPS policy server (RADIUS) hosting the System Health Validators and the health policy
  • Enforcement points: 802.1x switches, policy firewalls, SSL VPN gateways, certificate servers
  • System Health Servers: supply health policy to NPS
  • Remediation Servers: supply updates to clients

NAP Server-Side Architecture
  • NAP health policy server (NPS): the NPS Service and the NAP Administration Server, with the System Health Validators (SHV_1, SHV_2, SHV_3) plugged in through the SHV API
  • Health Requirement Servers (1, 2): consulted by the SHVs for the current requirements
  • Windows-based NAP enforcement point: hosts the enforcement server components (labelled NAP EC_A, EC_B, EC_C on this slide; the relationships slide calls them NAP ES_A, ES_B), which talk to NPS over RADIUS
NAP Client-Side Architecture
  • NAP Client: the NAP Agent, with the System Health Agents (SHA_1, SHA_2, SHA_3) plugged in through the SHA API and the enforcement clients (NAP EC_A, EC_B, EC_C) through the NAP EC API
  • Remediation Servers (1, 2): contacted by the SHAs to bring the client back into compliance
NAP Client-Server Relationships
  • Client side: NAP Agent; SHA_1 and SHA_2 via the SHA API; NAP EC_A and EC_B via the NAP EC API; the SHAs talk to Remediation Server 1
  • Server side: NAP health policy server (NPS) running the NPS Service and the NAP Administrative Server; SHV_1, SHV_2 and SHV_4 via the SHV API; the SHVs talk to Health Requirement Servers 1 and 2
  • Each SHA produces an SoH; the NAP Agent bundles them into an SSoH (system statement of health). The enforcement client passes the SSoH to its matching enforcement server (NAP ES_A, ES_B) on the Windows-based NAP enforcement point, which forwards it to NPS over RADIUS
  • Provided by the NAP platform: NAP Agent, NAP Administrative Server, NPS Service and the EC/ES pairs. Provided by Microsoft or third parties: SHAs, SHVs, Remediation Servers and Health Requirement Servers
IPsec enforcement
  • For noncompliant computers, prevents communication with compliant computers
  • Compliant computers obtain a health certificate as proof of their health compliance
    • The health certificate is used for peer authentication when negotiating IPsec-protected communications
    • The health certificate carries the Client Authentication EKU in addition to the System Health Authentication EKU
    • The IPsec configuration accepts only NAP health certificates for IPsec authentication, so a computer without one cannot complete the negotiation
IPsec enforcement, step by step

Components on the slides: the client, the Quarantine (restricted) Network, the Boundary Network with the Health Registration Authority (HRA) and the Remediation Server, the Network Policy Server (NPS), the certification authority that issues health certificates, and the Protected Network.

  1. Client starts up on the restricted network.
  2. Client creates an HTTPS secure communication channel with the Health Registration Authority.
  3. Client sends its credentials, a PKCS#10 certificate request and its list of SoHs (Statements of Health) to the HRA through the SSL tunnel.
  4. The HRA (called HCS, Health Certificate Server, in earlier NAP documentation) forwards the client identity and health status information to the NPS for validation, according to its NPS proxy configuration, in a RADIUS Access-Request message.
  5. The NAP Administration Server on the NPS passes each SoH to its System Health Validator (SHV).
  6. The SHVs evaluate the SoHs and respond with SoH Responses (SoHRs).
  7. NPS evaluates the SoHRs against the policy settings and makes a limited/unlimited network access decision.
  8. NPS sends a RADIUS Access-Accept message containing the System SoHR (SSoHR) and the list of SoHRs to the HRA.
  9. The HRA sends the SSoHR and the list of SoHRs through the SSL tunnel to the client.
  10a. If compliant, the HRA sends the client’s PKCS#10 request to the certification authority and finally sends the health certificate through the SSL tunnel to the client.
  10b. If not compliant, the NAP Agent passes the SoHRs to the System Health Agents installed on the client.
  11. The System Health Agents perform remediation (using the Remediation Server) and pass updated SoHs to the NAP Agent.
  12. Client creates a new HTTPS channel with the HRA.
  13. Client sends its credentials, a new PKCS#10 request and its updated list of SoHs to the HRA.
  14. The HRA validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client, which can now negotiate IPsec with hosts on the Protected Network.
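The client side of the flow above, as an added PowerShell example (not from the original deck and not Microsoft's own sample): it enables the IPsec enforcement client, points the NAP Agent at an HRA, creates the connection security rule that accepts only health certificates, and checks whether a health certificate has arrived. The HRA host hra.contoso.com, the CA name "CN=Contoso Health CA" and the helper function Get-HealthCertificate are assumptions; the netsh commands, the enforcement client ID 79619 and the System Health Authentication EKU OID are real. In a deployment these settings are delivered by Group Policy rather than typed on each host.

```powershell
# Added example, not from the original slides. Assumed: HRA at hra.contoso.com,
# health certificates issued by "CN=Contoso Health CA". Run elevated on a
# domain-joined Windows Vista / Server 2008 (or later, pre-2016) NAP client.

$hraUrl    = 'https://hra.contoso.com/DomainHRA/hcerthttp'   # assumed HRA, domain-authenticated path
$healthCa  = 'CN=Contoso Health CA'                           # assumed CA behind the HRA
$ipsecEcId = 79619                                            # IPsec Relying Party enforcement client

# 1. NAP Agent must be running; enable the IPsec enforcement client on it.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
netsh nap client set enforcement ID = $ipsecEcId ADMIN = "ENABLE"

# 2. Trusted server group naming the HRA(s), HTTPS only (step 2 of the flow).
netsh nap client add trustedservergroup group = "Contoso HRA" requirehttps = "ENABLE"
netsh nap client add server group = "Contoso HRA" url = $hraUrl processingorder = "1"

# 3. Connection security rule for a host in the Protected Network: inbound
#    connections must authenticate with a health certificate from $healthCa;
#    outbound authentication is requested, not required, so the host can still
#    reach the boundary network (HRA, remediation servers) in the clear.
#    Boundary-network hosts would use action=requestinrequestout instead.
netsh advfirewall consec add rule name="NAP IPsec enforcement - protected" `
    endpoint1=any endpoint2=any action=requireinrequestout profile=domain `
    auth1=computercert auth1ca="$healthCa" auth1healthcert=yes `
    description="Only peers holding a NAP health certificate may initiate connections"

# 4. Verify the client state and look for the health certificate, which carries
#    the System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1).
netsh nap client show state
netsh nap client show configuration

$healthEku = '1.3.6.1.4.1.311.47.1.1'
function Get-HealthCertificate {
    # assumed helper: every computer certificate whose EKU extension lists the health OID
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $healthEku })
    }
}
Get-HealthCertificate | Format-List Subject, NotAfter, Thumbprint
```

If `Get-HealthCertificate` returns nothing after the client has been up for a minute, `netsh nap client show state` will usually say why: the IPsec EC is disabled, the HRA URL is not trusted, or the client was found noncompliant and is still remediating (steps 10b to 13 above).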

IPsec Enforcement - Cons
  • Requires a PKI to be deployed
  • Only works in a managed environment (machines must be domain joined)
  • Certificates are the only supported credential (unlike IPsec server and domain isolation, which also accept Kerberos)
  • Requires an additional role to be deployed on the network (HRA)

IPsec Enforcement - Pros
  • Protection also holds in a virtual environment, because it does not depend on the network hardware
  • Near real-time operation
  • Unhealthy clients are truly isolated (the NAP agent deletes the health certificate when the client falls out of compliance)
  • Offers authentication and, optionally, encryption
  • Works with any switch, router or AP
  • Technologies are built into Windows (client and server platforms)
802.1X enforcement
  • For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection
Network Layer Protection with NAP (802.1X example)

The slide shows a Client, an 802.1x Switch, the Microsoft NPS, the System Health Servers, the Remediation Servers and a Restricted Network. The exchange, in order:
  1. Client to switch: “May I have access? Here’s my current health status.”
  2. Switch to NPS: “Should this client be restricted based on its health?” (the System Health Servers feed ongoing policy updates to the NPS)
  3. NPS: “According to policy, the client is not up to date. Quarantine client, request it to update.” The client is told: “You are given restricted access until fix-up.”
  4. Client to Remediation Servers: “Can I have updates?” Remediation Servers: “Here you go.”
  5. Client: “Requesting access. Here’s my new health status.” NPS: “According to policy, the client is up to date. Grant access.” The client is granted access to the full intranet.

802.1x Enforcement - Cons
  • Requires compatible hardware
  • Bootstrapping clients with credentials is challenging
  • Dynamic VLAN switching during the boot process can be problematic
  • Requires designing multiple VLANs based on health state
  • Requires the Windows supplicant to be used

802.1x Enforcement - Pros
  • Industry-standard protocol supported by all switch and AP vendors
  • Supplicant is built into Windows
  • Supports passwords or certificates as the credential
  • Can be deployed in conjunction with DHCP or IPsec enforcement
Taking a phased approach to deployment
  • Reporting mode: allows you to gather information about what is on your network
  • Deferred enforcement: introduces NAP to your user population and allows them to police themselves
  • Full enforcement: non-compliant machines are quarantined and auto-remediated
Domain Isolation Overview
  • Untrusted sources: labs, unmanaged guests, malicious users
  • Domain isolation protects trusted systems from untrusted or malicious computers
IPsec: The Foundation of Isolation
  • IPsec authentication required for all incoming connections
    • IPsec is used to authenticate the remote host
    • The connection request is refused if authentication fails
  • IPsec ensures data integrity for all connections
    • And optionally encryption
  • Works at the network layer
    • Regardless of the underlying physical layer (hubs, switches, wireless)
How Does Domain Isolation Work?
  • IPsec policy determines computer behavior
    • Requires authentication for inbound connections
    • Ensures data integrity
    • Adds encryption if necessary
  • Group Policies used to distribute IPsec policy to hosts
  • Kerberos (AD) or digital certificates used for authentication
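The policy just described, as an added PowerShell example (not from the original deck and not Microsoft's own sample): connection security rules for domain isolation, created with netsh advfirewall consec, with the domain controllers exempted so that Kerberos tickets can still be obtained and an extra rule that adds encryption towards servers holding sensitive data. The addresses 10.0.0.10, 10.0.0.11 and the subnet 10.0.50.0/24 are assumptions. The slide distributes the policy through Group Policy; the same rules are created locally here so they can be tested on a single host first.

```powershell
# Added example, not from the original slides. Assumed: domain controllers at
# 10.0.0.10 and 10.0.0.11, sensitive-data servers on 10.0.50.0/24. Run elevated on
# a domain-joined Vista / Server 2008 or later host. In production, author the same
# rules in a GPO (Windows Firewall with Advanced Security > Connection Security
# Rules) and link it to the domain.

$domainControllers = @('10.0.0.10', '10.0.0.11')   # assumed
$sensitiveSubnet   = '10.0.50.0/24'                # assumed

# 1. Exemptions. A member must reach a DC unauthenticated to obtain the Kerberos
#    ticket that IPsec main mode will present, so DC traffic is excluded. The
#    exemption, having a specific endpoint, takes precedence over the any/any rule.
#    (DHCP/DNS/WINS servers would be exempted the same way if they are not the DCs.)
foreach ($dc in $domainControllers) {
    netsh advfirewall consec add rule name="Isolation exemption - DC $dc" `
        endpoint1=any endpoint2=$dc action=noauthentication profile=domain `
        description="Domain controller traffic is not IPsec-protected"
}

# 2. Domain isolation: authentication required inbound, requested outbound, using
#    Kerberos computer credentials from Active Directory. Quick mode keeps the
#    default integrity-only ESP, so traffic is authenticated but not encrypted.
netsh advfirewall consec add rule name="Domain isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout profile=domain `
    auth1=computerkerb `
    description="Inbound connections must come from an authenticated domain member"

# 3. "Adds encryption if necessary": to the sensitive servers, authentication is
#    required in both directions and ESP with AES-128 plus SHA-1 integrity is used.
netsh advfirewall consec add rule name="Domain isolation - encrypt to sensitive servers" `
    endpoint1=any endpoint2=$sensitiveSubnet action=requireinrequireout profile=domain `
    auth1=computerkerb qmsecmethods=esp:sha1-aes128+60min+100000kb `
    description="Sensitive servers: mutual authentication and encryption required"

# 4. Verify the rule set; once traffic has flowed, the main-mode and quick-mode
#    security associations show which peers actually negotiated IPsec.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

A non-domain computer cannot satisfy `auth1=computerkerb`, so with `requireinrequestout` in place its inbound connection attempts to this host are dropped, which is the "connection request refused if authentication fails" behaviour from the previous slide; the host itself can still initiate to unmanaged devices such as printers because outbound authentication is only requested.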
How Domain Isolation Works

(Slide diagram: on the Corporate Network, an Active Directory Domain Controller, a Trusted File Server, Servers with Sensitive Data, an HR Workstation and managed computers form the trusted set; an unmanaged/rogue computer and a network printer are untrusted, and their connections to trusted computers are refused.)
Server Isolation Overview

Protect specific high-value hosts and data.

(Slide diagram: inside the domain-isolated Corporate Network are an Active Directory Domain Controller, a Trusted Resource Server and managed computers; the Source Code Servers form a server isolation group that the Developer Workstation may reach, while connections from other managed computers and from untrusted computers are refused, shown by the two X marks.)
How Does Server Isolation Work?
  • Adds a layer of authorization on top of the authentication performed by IPsec
    • After authentication, Windows evaluates whether the remote host has access permissions
    • Access is granted only if the peer’s AD computer account holds the “Access this computer from the network” user right (SeNetworkLogonRight) on the server
  • To configure server isolation, remove Authenticated Users from this right on the isolated server
  • Grant the right to Domain Users and to the appropriate computer accounts (in practice, a group that contains them)
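The user-right change above, as an added PowerShell example (not from the original deck and not Microsoft's own sample): it exports the local security policy with secedit, replaces the SeNetworkLogonRight value so that only the listed principals hold "Access this computer from the network", applies the change and re-exports to verify it. The domain name CONTOSO, the group "Isolated Server Access" (assumed to contain the permitted computer accounts) and the helper function Get-AccountSid are assumptions; keeping BUILTIN\Administrators on the right is a design choice so the server stays remotely manageable. It assumes the domain isolation IPsec rule is already in place, since the user right is only checked for peers that authenticated as AD computer accounts.

```powershell
# Added example, not from the original slides. Assumed: domain CONTOSO, a group
# "CONTOSO\Isolated Server Access" holding the computer accounts allowed to reach
# this server. Run elevated on the isolated server; a GPO (Security Settings >
# Local Policies > User Rights Assignment) can carry the same setting.

$allowed = @(
    'CONTOSO\Domain Users',            # from the slide: users keep the right
    'CONTOSO\Isolated Server Access',  # assumed group with the permitted computer accounts
    'BUILTIN\Administrators'           # design choice: keep remote administration working
)

function Get-AccountSid([string]$account) {
    # assumed helper: resolve "DOMAIN\name" to its SID string
    $nt = New-Object System.Security.Principal.NTAccount($account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$work = Join-Path $env:TEMP 'server-isolation'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'user-rights.inf'
$db  = Join-Path $work 'user-rights.sdb'

# 1. Export the current user-rights assignment (a UTF-16 .inf with a
#    [Privilege Rights] section; secedit writes SIDs as *S-1-... entries).
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# 2. Replace the whole SeNetworkLogonRight value. Authenticated Users (S-1-5-11)
#    and Everyone (S-1-1-0) disappear because they are not in $allowed.
$sidList = ($allowed | ForEach-Object { '*' + (Get-AccountSid $_) }) -join ','
$found = $false
$rewritten = foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*SeNetworkLogonRight\s*=') {
        $found = $true
        "SeNetworkLogonRight = $sidList"
    } else {
        $line
    }
}
if (-not $found) {
    # the right is always present on a default export; fail loudly rather than apply nothing
    throw "SeNetworkLogonRight not found in $inf"
}
Set-Content -Path $inf -Value $rewritten -Encoding Unicode

# 3. Apply the edited template, then re-export and show the effective value.
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
secedit /export /cfg "$work\after.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$work\after.inf" -Pattern '^SeNetworkLogonRight'
```

Test from a computer that is a domain member but not in the group before rolling this out: its IPsec negotiation with the server succeeds (it holds a valid Kerberos ticket), yet the SMB or RPC connection that follows is refused with a logon failure, which is exactly the authorization layer the slide describes sitting on top of authentication.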
SDI Links
  • SDI Introduction
    • http://technet.microsoft.com/en-us/library/cc725770.aspx
  • Windows Firewall Advanced Security and IPSec
    • http://technet.microsoft.com/en-us/library/cc732283.aspx
NAP Links
  • http://technet.microsoft.com/en-us/network/bb545879.aspx
    • Design Guides
    • Virtual Labs
    • Step-by-step Guides
    • Webcasts
NAP Support for Cisco NAC, Linux and Mac OS X
  • Cisco NAC Interoperability Whitepaper
    • http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf
  • UNET provides:
    • NAP agent for Linux
    • NAP agent for Mac OS X
    • http://unet.co.kr/nap/index.html
  • Avenda provides
    • NAP agent for Linux
    • http://www.avendasys.com/products/technologies.php
Your MSDN resources: check out these websites, blogs & more!

Presentations
  • TechDays: www.techdays.ch
  • MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
  • MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx

MSDN Events
  • MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
  • Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

MSDN Flash (our bi-weekly newsletter)
  • Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx

MSDN Team Blog
  • RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx

Developer User Groups & Communities
  • Mobile Devices: http://www.pocketpc.ch/
  • Microsoft Solutions User Group Switzerland: www.msugs.ch
  • .NET Managed User Group of Switzerland: www.dotmugs.ch
  • FoxPro User Group Switzerland: www.fugs.ch

Your TechNet resources: check out these websites, blogs & more!

Presentations
  • TechDays: www.techdays.ch

TechNet Events
  • TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
  • Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

TechNet Flash (our bi-weekly newsletter)
  • Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx

Swiss IT Professional and TechNet Blog
  • RSS: http://blogs.technet.com/chitpro-de/

IT Professional User Groups & Communities
  • SwissITPro User Group: www.swissitpro.ch
  • NT Anwendergruppe Schweiz: www.nt-ag.ch
  • PASS (Professional Association for SQL Server): www.sqlpass.ch

Save the date for tech·days next year!

7-8 April 2010, Congress Center Basel
