
Enterprise Network Protection

Kunal Kodkani

Senior Consultant, Microsoft Consulting Services

Microsoft Corporation

[email protected]



Agenda

  • Introduction

  • NAP Overview

  • NAP platform architecture

  • NAP enforcement methods

  • Demo NAP IPSec enforcement

  • SDI Overview


Today’s Network Challenges

Today’s networks are highly connected

  • Multiple points of attachment: wireless, LAN, WAN, extranet

  • Parties with differing rights: employees, vendors, partners

  • Proliferation of devices: PCs, phones, PDAs, other devices

(Diagram: Internet, boundary zone and intranet, with employees, partners, vendors, customers and remote employees attaching at different points.)

  • High connectivity presents new challenges

  • Need to control guest, vendor and partner access

  • Increased exposure to malware

  • Evolved security model: from perimeter control to everywhere control

Key strategies

  • Authenticate users and grant access based on role and compliance with corporate governance standards

  • Aggressively update out-of-compliance systems

  • Apply access policy throughout the network

Solution

Comprehensive, policy-based authentication and compliance throughout the network


Enterprise Network Protection

  • Allows you to control access to your network using

    • Policy-based enforcement

    • Logical network isolation using IP Security (IPSec)

    • Wireless security technologies

  • Microsoft solutions in this area

    • NAP

    • SDI

    • Securing Wireless using Certificate Services

      • http://www.microsoft.com/downloads/details.aspx?familyid=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en



Policy Based Network Access Protection

  • Policy Validation

    Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy”

  • Network Restriction

    Restricts network access to computers based on their health

  • Remediation

    Provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed

  • Ongoing Compliance

    Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions



What is Network Access Protection?

  • Platform that enforces compliance with health requirements for network access or communication

  • NAP is not a security solution to keep the bad guy off your network

  • Application programming interfaces (APIs)

    • Allows for integration with third-party vendors



Network Access Protection: How It Works

(Diagram: client, NAP enforcement point (DHCP, VPN, switch/router), Microsoft NPS, policy servers (e.g. patch, AV), remediation servers (e.g. patch), restricted network and corporate network.)

1. Access requested

2. Authentication information, including identity and health status, is sent to the NPS

3. NPS validates against health policy (policy servers, e.g. patch, AV)

4. If compliant, access granted to the corporate network

5. If not compliant, restricted network access and remediation (remediation servers, e.g. patch)

NAP Components

(Diagram of the NAP client, the NAP server and the surrounding servers.)

  • Client: the NAP Agent with System Health Agents (SHA) from Microsoft (MS SHA, SMS) and third parties, and Enforcement Clients (EC) for DHCP, IPsec, 802.1X, VPN and third-party EAP VPNs

  • NAP Server: the NPS policy server (RADIUS) with System Health Validators that check health statements against health policy; enforcement points include 802.1X switches, policy firewalls, SSL VPN gateways and certificate servers

  • System Health Servers: supply health policy to the NPS

  • Remediation Servers: supply updates to the client

  • Flows: network access requests carry health statements; for IPsec enforcement the certificate server issues a health certificate


NAP Server-Side Architecture

(Diagram.) The NAP health policy server (NPS) runs the NPS Service, which receives RADIUS from the Windows-based NAP enforcement points (NAP EC_A, EC_B, EC_C), and the NAP Administration Server, which dispatches health statements through the SHV API to SHV_1, SHV_2 and SHV_3; the SHVs consult their health requirement servers (Server 1, Server 2).


NAP Client-Side Architecture

(Diagram.) The NAP Client runs the NAP Agent, which talks through the SHA API to SHA_1, SHA_2 and SHA_3 (each able to contact a remediation server, Server 1 and Server 2) and through the NAP EC API to the enforcement clients NAP EC_A, EC_B and EC_C.


NAP Client-Server Relationships

(Diagram.) SHA_1 and SHA_2 on the NAP Client produce SoHs; the NAP Agent bundles them into an SSoH, which an enforcement client (NAP EC_A, EC_B) hands to its enforcement server (NAP ES_A, ES_B) on the Windows-based NAP enforcement point, which forwards it over RADIUS to the NPS Service. The NAP Administration Server on the NAP health policy server (NPS) unpacks the SoHs for SHV_1, SHV_2 and SHV_4 through the SHV API; SHVs consult health requirement servers (Server 1, Server 2) and SHAs may contact remediation servers (Server 1). The diagram distinguishes components provided by the NAP platform (NAP Agent, NAP EC API, SHA API, NPS Service, NAP Administration Server, SHV API, RADIUS) from those provided by Microsoft or third parties (SHAs, SHVs, enforcement clients and servers, remediation and health requirement servers).




Multiple Enforcement Options



IPsec enforcement

  • For noncompliant computers, prevents communication with compliant computers

  • Compliant computers obtain a health certificate as proof of their health compliance

    • Health certificate is used for peer authentication when negotiating IPsec-protected communications

    • Health certificate carries the client authentication EKU in the certificate

    • In the IPsec configuration only NAP health certificates can be accepted for IPsec authentication


IPsec enforcement

(Diagram used across the following steps: Remediation Server, Network Policy Server, Health Registration Authority and Health Certification Authority, with the Protected Network, the Boundary Network and the Quarantine/Restricted Network.)

1. Client starts up on the restricted network.

2. Client creates an HTTPS secure communication channel with the Health Registration Authority (HRA).

3. Client sends its credentials, a PKCS#10 certificate request and its list of Statements of Health (SoHs) to the HRA through the SSL tunnel.

4. The HRA (earlier known as the Health Certificate Server, HCS) forwards the client identity and health status information to the Network Policy Server (NPS) according to its NPS proxy configuration, for validation, in a RADIUS Access-Request message.

5. The NAP Administration Server on the NPS passes the SoHs to their System Health Validators (SHVs).

6. SHVs evaluate the SoHs and respond with SoH Responses (SoHRs).

7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.

8. NPS sends a RADIUS Access-Accept message that contains the System SoHR (SSoHR) and the list of SoHRs to the HRA.

9. The HRA sends the SSoHR and the list of SoHRs through the SSL tunnel to the client.

10a. If compliant, the HRA sends the client’s PKCS#10 request to the Health Certification Authority and finally sends the health certificate through the SSL tunnel to the client.

10b. If not compliant, the NAP Agent passes the SoHRs to the System Health Agents installed on the client.

11. System Health Agents perform remediation and pass updated SoHs to the NAP Agent.

12. Client creates a new HTTPS channel with the HRA.

13. Client sends its credentials, a new PKCS#10 request and its updated list of SoHs to the HRA.

14. The HRA validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client.
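The exchange in steps 1-14, as an added example that is not code from the presentation or from Microsoft's NAP platform: a Python model of the client NAP Agent, the HRA, an NPS with one SHV, and the health CA, followed by the IPsec peer check that accepts only health certificates. Everything concrete is constructed: the `WSHA` attribute names and thresholds, the `CN=Contoso Health CA` issuer, the 4-hour certificate lifetime and the client's starting state; the System Health Authentication EKU value is my assumption from public Microsoft documentation, not something the slides state. The `mode` argument also covers the reporting/deferred/full rollout stages the deck describes later.

```python
"""NAP IPsec enforcement round trip (client, HRA, NPS, health CA), modelled end to end."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, present in every health certificate
HEALTH_EKU = "1.3.6.1.4.1.311.47.1.1"   # System Health Authentication EKU (value assumed, not from the slides)
HEALTH_CA = "CN=Contoso Health CA"       # constructed issuer name for the health certification authority
CERT_LIFETIME = timedelta(hours=4)       # assumed short lifetime, so a stale certificate stops working by itself

SoH = Dict[str, object]                  # one SHA's statement of health: attribute -> observed value
Fix = Tuple[str, object]                 # remediation instruction: attribute -> required value
SoHR = Tuple[bool, List[Fix]]            # an SHV's verdict on one SoH

# ---- NPS side: one SHV per SHA encodes the health policy ---------------------------
def windows_security_shv(soh: SoH) -> SoHR:
    """Stands in for the Windows Security Health Validator: firewall on, AV on and current."""
    fixes: List[Fix] = []
    if not soh.get("firewall_enabled"):
        fixes.append(("firewall_enabled", True))
    if not soh.get("antivirus_enabled"):
        fixes.append(("antivirus_enabled", True))
    if soh.get("av_signature_age_days", 999) > 7:
        fixes.append(("av_signature_age_days", 0))
    return (not fixes, fixes)

SHVS: Dict[str, Callable[[SoH], SoHR]] = {"WSHA": windows_security_shv}

def nps_evaluate(sohs: Dict[str, SoH], mode: str = "full") -> Tuple[bool, Dict[str, SoHR]]:
    """Steps 5-7: hand each SoH to its SHV, collect the SoHRs, decide limited/unlimited access.
    `mode` models the phased rollout: reporting and deferred never restrict, full does."""
    sohrs = {sha: SHVS[sha](soh) for sha, soh in sohs.items() if sha in SHVS}
    compliant = all(ok for ok, _ in sohrs.values())
    return compliant or mode in ("reporting", "deferred"), sohrs

# ---- HRA and health certification authority -----------------------------------------
@dataclass
class HealthCertificate:
    subject: str
    issuer: str
    ekus: List[str]
    not_after: datetime

def health_ca_sign(subject: str, now: datetime) -> HealthCertificate:
    """Step 10a: the CA signs the PKCS#10 the HRA forwarded; both EKUs go into the certificate."""
    return HealthCertificate(subject, HEALTH_CA, [CLIENT_AUTH_EKU, HEALTH_EKU], now + CERT_LIFETIME)

def hra_request(subject: str, sohs: Dict[str, SoH], now: datetime,
                mode: str = "full") -> Tuple[Optional[HealthCertificate], Dict[str, SoHR]]:
    """Steps 4-10: the HRA proxies identity and SoHs to NPS (RADIUS on the wire) and
    returns a certificate only when NPS grants unlimited access."""
    grant, sohrs = nps_evaluate(sohs, mode)
    return (health_ca_sign(subject, now) if grant else None), sohrs

# ---- client side: NAP Agent with its SHAs --------------------------------------------
@dataclass
class NapClient:
    name: str
    state: Dict[str, SoH]                    # each SHA's current view of the machine
    cert: Optional[HealthCertificate] = None

    def request_access(self, now: datetime, mode: str = "full") -> Dict[str, SoHR]:
        """Steps 2-3 and 12-13: new HTTPS channel to the HRA with credentials, PKCS#10 and SoHs."""
        self.cert, sohrs = hra_request(f"CN={self.name}", self.state, now, mode)
        return sohrs

    def remediate(self, sohrs: Dict[str, SoHR]) -> int:
        """Steps 10b-11: the NAP Agent hands each SHA its SoHR and the SHA applies the fixes."""
        applied = 0
        for sha, (_ok, fixes) in sohrs.items():
            for attribute, required in fixes:
                self.state[sha][attribute] = required
                applied += 1
        return applied

def ipsec_accept_peer(cert: Optional[HealthCertificate], now: datetime) -> bool:
    """IPsec rule on the protected network: accept only unexpired health-CA certificates with both EKUs."""
    return (cert is not None and cert.issuer == HEALTH_CA
            and CLIENT_AUTH_EKU in cert.ekus and HEALTH_EKU in cert.ekus
            and now < cert.not_after)

def run_round_trip(now: datetime = datetime(2009, 9, 1, 9, 0)) -> Tuple[bool, int, bool, bool]:
    """Constructed scenario: firewall off and stale AV signatures, then remediation and retry.
    Returns (accepted before fix, fixes applied, accepted after fix, accepted after expiry)."""
    client = NapClient("PC1", {"WSHA": {"firewall_enabled": False, "antivirus_enabled": True,
                                        "av_signature_age_days": 12}})
    sohrs = client.request_access(now)                       # steps 1-10b: restricted, no certificate
    before = ipsec_accept_peer(client.cert, now)
    applied = client.remediate(sohrs)                        # step 11
    later = now + timedelta(minutes=5)
    client.request_access(later)                             # steps 12-14: new SoHs, new PKCS#10
    after = ipsec_accept_peer(client.cert, later)
    expired = ipsec_accept_peer(client.cert, later + CERT_LIFETIME)
    return before, applied, after, expired

if __name__ == "__main__":
    print(run_round_trip())   # (False, 2, True, False)
```

The round trip returns (False, 2, True, False): no IPsec peer acceptance before remediation, two fixes applied, acceptance on the second request, and rejection once the short-lived certificate lapses. The last case is what the later "unhealthy clients are truly isolated" slide relies on: isolation does not depend on the enforcement point remembering anything, only on the client being unable to renew, and the peer check also shows why the IPsec rule must pin the health CA and both EKUs rather than accept any client-authentication certificate from the enterprise PKI.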



Demo: NAP IPsec enforcement



IPsec Enforcement - Cons

  • Requires PKI to be deployed

  • Only works in a managed environment (machines must be domain joined)

  • Certificates are the only supported credential (compared to IPsec server and domain isolation)

  • Requires an additional role to be deployed on the network (HRA)


IPsec Enforcement - Pros

  • Protects you in a virtualized environment

  • Near real-time operation

  • Unhealthy clients are truly isolated (credential automatically revoked by the NAP agent)

  • Offers authentication AND encryption (encryption is optional, not required)

  • Works with any switch, router or AP

  • Technologies are built into Windows (client and server platforms)



802.1X enforcement

  • For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection


Network Layer Protection with NAP

(Diagram: Client, 802.1x Switch, MS NPS, System Health Servers, Remediation Servers and the Restricted Network; the System Health Servers push ongoing policy updates to the Network Policy Server.)

  • Client, via the 802.1x switch, to NPS: “May I have access? Here’s my current health status.”

  • NPS to System Health Servers: “Should this client be restricted based on its health?”

  • System Health Servers: “According to policy, the client is not up to date. Quarantine client, request it to update.”

  • NPS to client: “You are given restricted access until fix-up.”

  • Client to Remediation Servers: “Can I have updates?” Remediation Servers: “Here you go.”

  • Client to NPS: “Requesting access. Here’s my new health status.”

  • System Health Servers: “According to policy, the client is up to date. Grant access.”

  • Client is granted access to the full intranet.


802.1x Enforcement - Cons

  • Requires compatible hardware

  • Bootstrapping clients with credentials is challenging

  • Dynamic VLAN switching during the boot process can be problematic

  • Requires designing multiple VLANs based on health state

  • Requires the Windows supplicant to be used


802.1x Enforcement - Pros

  • Industry-standard protocol supported by all switch and AP vendors

  • Supplicant is built into Windows

  • Supports passwords or certificates as the credential

  • Can be deployed in conjunction with DHCP or IPsec enforcement


Taking a phased approach to deployment

  • Reporting Mode

    • Allows you to gather information about what is on your network

  • Deferred Enforcement

    • Introduces NAP to your user population and allows them to police themselves

  • Full Enforcement

    • Non-compliant machines will be quarantined and auto-remediated



Domain Isolation Overview

Domain Isolation protects trusted systems from untrusted or malicious computers, for example:

  • Labs

  • Unmanaged guests

  • Malicious users



IPsec: The Foundation of Isolation

  • IPsec authentication required for all incoming connections

    • IPsec used to authenticate remote host

    • Connection request refused if authentication fails

  • IPsec ensures data integrity for all connections

    • And optionally encryption

  • Works in the network layer

    • Regardless of the underlying physical layer (hubs, switches, wireless)



How Does Domain Isolation Work?

  • IPsec policy determines computer behavior

    • Requires authentication for inbound connections

    • Ensures data integrity

    • Adds encryption if necessary

  • Group Policies used to distribute IPsec policy to hosts

  • Kerberos (AD) or digital certificates used for authentication


How Domain Isolation Works

(Diagram: on the corporate network, the Active Directory domain controller, servers with sensitive data, a trusted file server, an HR workstation and other managed computers form the set of trusted computers; an unmanaged/rogue computer and a network printer are untrusted, and the rogue computer’s connection attempt to the trusted computers is refused (X).)


Server Isolation Overview

(Diagram: within the domain-isolated corporate network, the source code servers form a server isolation group that the developer workstation may reach; two other connection attempts, including the one from the untrusted computer, are refused (X). The trusted resource server and the Active Directory domain controller remain reachable by managed computers.)

Server Isolation protects specific high-valued hosts and data


How Does Server Isolation Work?

  • Adds a layer of authorization on top of the authentication performed by IPsec

    • After authentication, Windows evaluates whether the remote host has access permissions

    • Access is granted if the AD computer account holds the “Access this computer from the network” user right

  • To configure Server Isolation, remove Authenticated Users from this user right

  • Grant it to Domain Users and to the appropriate computer accounts
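The two layers above, IPsec authentication driven by policy and authorization by the network logon right, as an added Python example that is not from the presentation. Hosts, groups and policies are constructed to match the two diagrams (managed computers, a rogue laptop, a printer, a file server, a source code server restricted to developer workstations); the model keeps only what the slides describe, so it ignores per-user checks and IKE negotiation detail, and treats the "request" policy as the boundary behaviour of falling back to clear text.

```python
"""Domain isolation and server isolation, modelled as a decision on each connection attempt."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

AUTHENTICATED_USERS = "Authenticated Users"   # default holder of the network logon right

@dataclass(frozen=True)
class Host:
    name: str
    domain_member: bool                       # can present Kerberos (or domain certificate) credentials
    inbound: str = "none"                     # IPsec policy for connections to this host: require | request | none
    outbound: str = "none"                    # IPsec policy for connections from it: request | none
    groups: FrozenSet[str] = frozenset()      # groups the computer account belongs to
    # holders of "Access this computer from the network"; server isolation narrows this set
    network_logon: FrozenSet[str] = frozenset({AUTHENTICATED_USERS})

def connect(src: Host, dst: Host) -> str:
    """Outcome of src connecting to dst: 'ipsec', 'cleartext', or the layer that refused it."""
    if dst.inbound == "none":
        return "cleartext"                                # dst is outside isolation (printer, lab box)
    can_negotiate = src.domain_member and src.outbound == "request"
    if dst.inbound == "request" and not can_negotiate:
        return "cleartext"                                # boundary host falls back to clear text
    if not can_negotiate:
        return "refused: authentication"                 # domain isolation: no credentials, no session
    # server isolation: authenticated; now does the computer account hold the logon right?
    principals = src.groups | {AUTHENTICATED_USERS, src.name}
    return "ipsec" if dst.network_logon & principals else "refused: authorization"

def scenario() -> Dict[str, str]:
    """Constructed hosts matching the two diagrams above; names are illustrative only."""
    printer = Host("printer", domain_member=False)
    rogue = Host("rogue-laptop", domain_member=False)
    managed = Host("managed-pc", True, "require", "request", frozenset({"Domain Computers"}))
    hr_ws = Host("hr-ws", True, "require", "request", frozenset({"Domain Computers"}))
    dev_ws = Host("dev-ws", True, "require", "request",
                  frozenset({"Domain Computers", "Developer Workstations"}))
    file_server = Host("file-server", True, "require", "request", frozenset({"Domain Computers"}))
    # Authenticated Users removed; Domain Users covers the user side, the group the computers
    source_server = Host("source-server", True, "require", "request", frozenset({"Domain Computers"}),
                         network_logon=frozenset({"Domain Users", "Developer Workstations"}))
    return {
        "managed-pc -> file-server": connect(managed, file_server),     # domain isolation, allowed
        "rogue-laptop -> file-server": connect(rogue, file_server),     # cannot authenticate
        "managed-pc -> printer": connect(managed, printer),             # request-out falls back
        "printer -> managed-pc": connect(printer, managed),             # untrusted inbound refused
        "dev-ws -> source-server": connect(dev_ws, source_server),      # in the allowed group
        "hr-ws -> source-server": connect(hr_ws, source_server),        # authenticated, not authorized
    }

if __name__ == "__main__":
    for path, result in scenario().items():
        print(f"{path}: {result}")
```

The "hr-ws -> source-server" row is the one server isolation adds: the HR workstation authenticates fine under domain isolation, and is still refused because its computer account is in none of the groups left holding the logon right. The "managed-pc -> printer" row is the price of "request out": managed hosts keep talking to unmanaged devices in clear text, so anything that must never be reached without IPsec has to be a "require in" host, not a client policy.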



SDI Links

  • SDI Introduction

    • http://technet.microsoft.com/en-us/library/cc725770.aspx

  • Windows Firewall Advanced Security and IPSec

    • http://technet.microsoft.com/en-us/library/cc732283.aspx



NAP Links

  • http://technet.microsoft.com/en-us/network/bb545879.aspx

    • Design Guides

    • Virtual Labs

    • Step-by-step Guides

    • Webcasts



NAP Support for Cisco NAC, Linux and Mac OS X

  • Cisco NAC Interoperability Whitepaper

    • http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf

  • UNET provides:

    • NAP agent for Linux

    • NAP agent for Mac OS X

    • http://unet.co.kr/nap/index.html

  • Avenda provides

    • NAP agent for Linux

    • http://www.avendasys.com/products/technologies.php


Your MSDN resources: check out these websites, blogs & more!

Presentations

  • TechDays: www.techdays.ch

  • MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx

  • MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx

MSDN Events

  • MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx

  • Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

MSDN Flash (our bi-weekly newsletter)

  • Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx

MSDN Team Blog

  • RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx

Developer User Groups & Communities

  • Mobile Devices: http://www.pocketpc.ch/

  • Microsoft Solutions User Group Switzerland: www.msugs.ch

  • .NET Managed User Group of Switzerland: www.dotmugs.ch

  • FoxPro User Group Switzerland: www.fugs.ch


Your TechNet resources: check out these websites, blogs & more!

Presentations

  • TechDays: www.techdays.ch

TechNet Events

  • TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx

  • Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

TechNet Flash (our bi-weekly newsletter)

  • Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx

Swiss IT Professional and TechNet Blog

  • RSS: http://blogs.technet.com/chitpro-de/

IT Professional User Groups & Communities

  • SwissITPro User Group: www.swissitpro.ch

  • NT Anwendergruppe Schweiz: www.nt-ag.ch

  • PASS (Professional Association for SQL Server): www.sqlpass.ch


Save the date for tech·days next year!

7-8 April 2010, Congress Center Basel

