
Enterprise Network Protection

Enterprise Network Protection. Kunal Kodkani Senior Consultant, Microsoft Consulting Services Microsoft Corporation kunal.kodkani@microsoft.com. Agenda. Introduction NAP Overview NAP platform architecture NAP enforcement methods Demo NAP IPSec enforcement SDI Overview.


Presentation Transcript


  1. Enterprise Network Protection Kunal Kodkani Senior Consultant, Microsoft Consulting Services Microsoft Corporation kunal.kodkani@microsoft.com

  2. Agenda • Introduction • NAP Overview • NAP platform architecture • NAP enforcement methods • Demo NAP IPSec enforcement • SDI Overview

  3. Today’s Network Challenges
  Today’s networks are highly connected
  • Multiple points of attachment: wireless, LAN, WAN, extranet
  • Parties with differing rights: employees, vendors, partners
  • Proliferation of devices: PCs, phones, PDAs, devices
  High connectivity presents new challenges
  • Need to control guest, vendor and partner access
  • Increased exposure to malware
  • Evolved security model: from perimeter control to everywhere control
  Key strategies
  • Authenticate users and grant access based on role and compliance to corporate governance standards
  • Aggressively update out-of-compliance systems
  • Apply access policy throughout the network
  Solution: comprehensive, policy-based authentication and compliance throughout the network
  [Diagram: Internet, Boundary Zone and Intranet, with Employees, Partners, Vendors, Customers and Remote Employees attaching at different points]

  4. Enterprise Network Protection • Allows you to control access to your network using • Policy-based enforcement • Logical network isolation using IP Security (IPSec) • Wireless security technologies • Microsoft solutions in this area • NAP • SDI • Securing Wireless using Certificate Services • http://www.microsoft.com/downloads/details.aspx?familyid=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en

  5. Agenda • Introduction • NAP Overview • NAP platform architecture • NAP enforcement methods • Demo NAP IPSec enforcement • SDI Overview

  6. Policy Based Network Access Protection
  • Policy Validation: determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy”
  • Network Restriction: restricts network access to computers based on their health
  • Remediation: provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed
  • Ongoing Compliance: changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions

  7. What is Network Access Protection? • Platform that enforces compliance with health requirements for network access or communication • NAP is not a security solution to keep the bad guy off your network • Application programming interfaces (APIs) • Allows for integration with third-party vendors

  8. Agenda • Introduction • NAP Overview • NAP platform architecture • NAP enforcement methods • Demo NAP IPSec enforcement • SDI Overview

  9. Network Access Protection: How It Works
  • Access requested; authentication information including ID and health status is sent
  • NPS validates against health policy (policy servers, e.g. patch, AV)
  • If compliant, access granted to the corporate network
  • If not compliant, restricted network access and remediation (remediation servers, e.g. patch)
  [Diagram: client connects through DHCP, VPN or switch/router to Microsoft NPS; a non-compliant client lands on the Restricted Network with the Remediation Servers, a compliant client on the Corporate Network]

  10. NAP Components
  [Diagram: the Client (NAP Agent; System Health Agents from Microsoft, SMS and third parties; enforcement clients for DHCP, IPsec, 802.1X and VPN) sends network access requests and health statements to the NAP Server (enforcement points: 802.1X switches, firewalls, SSL VPN gateways, certificate servers, third-party EAP VPNs), which consults the NPS Policy Server (RADIUS) and its System Health Validators; System Health Servers supply health policy, Remediation Servers supply updates, and a compliant client receives a health certificate]

  11. NAP Server-Side Architecture
  [Diagram: Health Requirement Servers 1 and 2 behind SHV_1, SHV_2 and SHV_3, which plug into the NAP Administration Server on the NAP health policy server (NPS) through the SHV API; the NPS Service exchanges RADIUS with a Windows-based NAP enforcement point hosting NAP EC_A, NAP EC_B and NAP EC_C]

  12. NAP Client-Side Architecture
  [Diagram: on the NAP Client, SHA_1, SHA_2 and SHA_3 (talking to Remediation Servers 1 and 2) plug into the NAP Agent through the SHA API; the NAP Agent drives NAP EC_A, NAP EC_B and NAP EC_C through the NAP EC API]

  13. NAP Client-Server Relationships
  [Diagram: SoHs from SHA_1 and SHA_2 and the SSoH from the NAP Agent travel through the NAP EC API and NAP EC_A/EC_B to NAP ES_A/ES_B on the Windows-based NAP enforcement point, then over RADIUS to the NPS Service; the NAP Administration Server on the NAP health policy server (NPS) hands them to SHV_1, SHV_2 and SHV_4 through the SHV API, backed by Health Requirement Servers 1 and 2, with Remediation Server 1 on the client side. The legend separates components provided by the NAP platform from those provided by Microsoft or third parties]

  14. Agenda • Introduction • NAP Overview • NAP platform architecture • NAP enforcement methods • Demo NAP IPSec enforcement • SDI Overview

  15. Multiple Enforcement Options

  16. IPsec enforcement
  • For noncompliant computers, prevents communication with compliant computers
  • Compliant computers obtain a health certificate as proof of their health compliance
  • Health certificate is used for peer authentication when negotiating IPsec-protected communications
  • Health certificate carries the client authentication EKU in the certificate
  • In the IPsec configuration only NAP health certificates can be accepted for IPsec authentication

  17. IPsec enforcement walkthrough (slides 17 to 29)
  [Diagram on each slide: Remediation Server, Network Policy Server, Health Registration Authority and Health Certification Authority on the Protected Network and Boundary Network; the client sits in Quarantine on the Restricted Network]
  1. Client starts up on the restricted network.
  2. Client creates an HTTPS secure communication channel with the Health Registration Authority (HRA).
  3. Client sends its credentials, a PKCS#10 request and its list of SoHs (Statements of Health) to the HRA through the SSL tunnel.
  4. The HCS (HRA) forwards the client identity and health status information to the Network Policy Server (NPS), based on its NPS proxy configuration, for validation using a RADIUS Access-Request message.
  5. The NAP Administration Server on the Network Policy Server passes the SoHs to their System Health Validators (SHVs).
  6. SHVs evaluate the SoHs and respond with SoH Responses (SoHRs).
  7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
  8. Network Policy Server sends a RADIUS Access-Accept message that contains the System SoHR (System Statement of Health Response) and the list of SoHRs to the HRA.
  9. The HRA sends the System SoHR and the list of SoHRs through the SSL tunnel to the client.
  10 a. If compliant, the HRA sends the client’s PKCS#10 request to the Health Certification Authority and finally sends the health certificate through the SSL tunnel to the client.
  10 b. The NAP Agent passes the SoHRs to the System Health Agents that are installed on the client.
  11. System Health Agents perform remediation and pass an updated Statement of Health (SoH) to the NAP Agent.
  12. Client creates a new HTTPS channel with the HRA.
  13. Client sends its credentials, a new PKCS#10 request and its updated list of SoHs to the HRA.
  14. The HRA validates the credentials and the new list of SoHs with the Network Policy Server and obtains a health certificate for the client.
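The SoH/SoHR round trip of steps 3 to 14 as a small Python model, added here for this page (it is not Microsoft or NAP platform code): the SHA, SHV, HRA and NPS roles follow the slides, while the claim names, the policy thresholds, the remediation outcomes and the simulated health certificate are constructed. The real components carry these messages over HTTPS and RADIUS, and the HRA obtains a real certificate from the Health Certification Authority.

```python
from dataclasses import dataclass
@dataclass
class SoH:           # Statement of Health produced by one System Health Agent (SHA)
    sha: str
    claims: dict
@dataclass
class SoHR:          # Statement of Health Response produced by the matching SHV
    sha: str
    compliant: bool
    remediation: str = ""

# Constructed SHVs: each checks one SHA's claims against a constructed policy value.
def firewall_shv(soh):
    ok = soh.claims.get("enabled") is True
    return SoHR("firewall", ok, "" if ok else "enable host firewall")

def antivirus_shv(soh):
    ok = soh.claims.get("signature_age_days", 999) <= 3    # policy: signatures at most 3 days old
    return SoHR("antivirus", ok, "" if ok else "update AV signatures")

SHVS = {"firewall": firewall_shv, "antivirus": antivirus_shv}

def nps_evaluate(sohs):
    """Steps 5-7: each SoH goes to its SHV; access is unlimited only if every SoHR is compliant."""
    sohrs = [SHVS[s.sha](s) for s in sohs]
    return all(r.compliant for r in sohrs), sohrs

def hra_request(credentials_ok, pkcs10, sohs):
    """Steps 3-10a: HRA forwards identity and SoHs to NPS; a simulated cert only on unlimited access."""
    if not credentials_ok:
        return {"certificate": None, "sohrs": []}
    unlimited, sohrs = nps_evaluate(sohs)
    cert = {"subject": pkcs10["subject"], "eku": "Client Authentication, NAP health"} if unlimited else None
    return {"certificate": cert, "sohrs": sohrs}

FIXES = {"firewall": {"enabled": True}, "antivirus": {"signature_age_days": 0}}  # what remediation achieves

def remediate(sohs, sohrs):
    """Steps 10b-11: SHAs act on non-compliant SoHRs and emit updated SoHs."""
    return [SoH(s.sha, {**s.claims, **FIXES[s.sha]}) if not r.compliant else s
            for s, r in zip(sohs, sohrs)]

def client_cycle(initial_sohs):
    """First HRA request; if restricted, remediate and retry once (steps 12-14). Returns (cert or None, rounds)."""
    csr = {"subject": "CN=client01"}                      # stands in for the PKCS#10 request
    first = hra_request(True, csr, initial_sohs)
    if first["certificate"]:
        return first["certificate"], 1
    second = hra_request(True, csr, remediate(initial_sohs, first["sohrs"]))
    return second["certificate"], 2
```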

  30. Agenda • Introduction • NAP Overview • NAP platform architecture • NAP enforcement methods • Demo NAP IPSec enforcement • SDI Overview

  31. NAP IPsec demo

  32. IPsec Enforcement - Cons
  • Requires PKI to be deployed
  • Only works in a managed environment (machines must be domain joined)
  • Certificates are the only supported credential (compared to IPsec server and domain isolation)
  • Requires an additional role to be deployed on the network (HRA)

  33. IPsec Enforcement - Pros
  • Protects you in a virtual environment
  • Near real-time operation
  • Unhealthy clients are truly isolated (credential automatically revoked by the NAP agent)
  • Offers authentication AND encryption (encryption is optional, not required)
  • Works with any switch, router or AP
  • Technologies are built into Windows (client and server platforms)

  34. 802.1X enforcement • For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection

  35. Network Layer Protection with NAP
  [Diagram: Client, 802.1x Switch, MS NPS, System Health Servers, Remediation Servers and Restricted Network]
  System Health Servers: ongoing policy updates to Network Policy Server
  Client: “May I have access? Here’s my current health status.”
  Switch to NPS: “Should this client be restricted based on its health?”
  NPS: “According to policy, the client is not up to date. Quarantine client, request it to update.”
  Switch to client: “You are given restricted access until fix-up.”
  Client to Remediation Servers: “Can I have updates?” Remediation Servers: “Here you go.”
  Client: “Requesting access. Here’s my new health status.”
  NPS: “According to policy, the client is up to date. Grant access.”
  Client is granted access to full intranet.

  36. 802.1x Enforcement - Cons
  • Requires compatible hardware
  • Bootstrapping clients with credentials is challenging
  • Dynamic VLAN switching during the boot process can be problematic
  • Requires designing multiple VLANs based on health state
  • Requires Windows supplicant to be used

  37. 802.1x Enforcement - Pros • Industry standard protocol supported by all switch and AP vendors • Supplicant is built into Windows • Supports password based or certificates as the credential • Can be deployed in conjunction with DHCP or IPsec enforcements

  38. Taking a phased approach to deployment
  • Reporting Mode: allows you to gather information as to what is on your network
  • Deferred Enforcement: introduces NAP to your user population and allows them to police themselves
  • Full Enforcement: non-compliant machines will be quarantined and auto-remediated

  39. Agenda • Introduction • NAP Overview • NAP platform architecture • NAP enforcement methods • Demo NAP IPSec enforcement • SDI Overview

  40. Domain Isolation Overview
  Domain Isolation protects trusted systems from untrusted or malicious computers
  • Labs
  • Unmanaged guests
  • Malicious users

  41. IPsec: The Foundation of Isolation • IPsec authentication required for all incoming connections • IPsec used to authenticate remote host • Connection request refused if authentication fails • IPsec ensures data integrity for all connections • And optionally encryption • Works in the network layer • Regardless of the underlying physical layer (hubs, switches, wireless)

  42. How Does Domain Isolation Work? • IPsec policy determines computer behavior • Requires authentication for inbound connections • Ensures data integrity • Adds encryption if necessary • Group Policies used to distribute IPsec policy to hosts • Kerberos (AD) or digital certificates used for authentication

  43. How Domain Isolation Works
  [Diagram: on the Corporate Network, the Active Directory Domain Controller, Trusted File Server, Servers with Sensitive Data, HR Workstation and Managed Computers form the Trusted Computers; an Unmanaged/Rogue Computer and a Network Printer are Untrusted and are blocked (X) from the trusted computers]

  44. Server Isolation Overview
  Protect specific high-valued hosts and data
  [Diagram: Domain Isolation spans the Corporate Network (Active Directory Domain Controller, Managed Computers, Developer Workstation); inside it, Server Isolation wraps the Source Code Servers and Trusted Resource Server, with two blocked (X) paths, one from the Untrusted computer and one from inside the domain]

  45. How Does Server Isolation Work?
  • Adds a layer of authorization on top of the authentication performed by IPsec
  • After authentication, Windows evaluates whether the remote host has access permissions
  • Access is granted if the AD computer account holds the “Access this computer from the network” user right
  • To configure Server Isolation, remove Authenticated Users from this right
  • Grant access to Domain Users and to the appropriate computer accounts
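A defender’s check for the slide 45 prerequisite, added here as an example (not Microsoft’s code): it parses the [Privilege Rights] section that `secedit /export /cfg <file>` writes and reports whether Authenticated Users, or the broader Everyone group, still holds SeNetworkLogonRight, the “Access this computer from the network” right. The sample export and the SID-to-name table are constructed for the example; a real export is written as UTF-16, which audit_file assumes.

```python
import configparser

# Well-known SIDs as they appear in a secedit export (each prefixed with '*').
KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
}
# Groups that defeat Server Isolation; Everyone is a superset of Authenticated Users.
TOO_BROAD = {"Everyone", "Authenticated Users"}

# Constructed sample of the relevant part of 'secedit /export /cfg' output.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_right(export_text, right):
    """Return the principals granted `right`, with well-known SIDs resolved to names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep the case of the right names
    cp.read_string(export_text)
    raw = cp.get("Privilege Rights", right, fallback="")
    sids = [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]
    return [KNOWN_SIDS.get(s, s) for s in sids]

def server_isolation_ready(export_text):
    """True when no overly broad group holds the right, so only the explicitly listed
    users and computer accounts pass the authorization step that follows IPsec authentication."""
    principals = parse_right(export_text, "SeNetworkLogonRight")
    offenders = [p for p in principals if p in TOO_BROAD]
    return not offenders, principals

def audit_file(path):
    """Run the check on a real export file (secedit writes it as UTF-16)."""
    with open(path, encoding="utf-16") as fh:
        return server_isolation_ready(fh.read())
```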

  46. SDI Links • SDI Introduction • http://technet.microsoft.com/en-us/library/cc725770.aspx • Windows Firewall Advanced Security and IPSec • http://technet.microsoft.com/en-us/library/cc732283.aspx

  47. NAP Links • http://technet.microsoft.com/en-us/network/bb545879.aspx • Design Guides • Virtual Labs • Step-by-step Guides • Webcasts

  48. NAP Support for Cisco NAC, Linux and Mac OS X • Cisco NAC Interoperability Whitepaper • http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf • UNET provides: • NAP agent for Linux • NAP agent for Mac OS X • http://unet.co.kr/nap/index.html • Avenda provides • NAP agent for Linux • http://www.avendasys.com/products/technologies.php

  49. Your MSDN resources: check out these websites, blogs & more!
  Presentations
  • TechDays: www.techdays.ch
  • MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
  • MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx
  MSDN Events
  • MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
  • Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
  MSDN Flash (our bi-weekly newsletter)
  • Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx
  MSDN Team Blog
  • RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx
  Developer User Groups & Communities
  • Mobile Devices: http://www.pocketpc.ch/
  • Microsoft Solutions User Group Switzerland: www.msugs.ch
  • .NET Managed User Group of Switzerland: www.dotmugs.ch
  • FoxPro User Group Switzerland: www.fugs.ch

  50. Your TechNet resources: check out these websites, blogs & more!
  Presentations
  • TechDays: www.techdays.ch
  TechNet Events
  • TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
  • Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
  TechNet Flash (our bi-weekly newsletter)
  • Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx
  Schweizer IT Professional und TechNet Blog
  • RSS: http://blogs.technet.com/chitpro-de/
  IT Professional User Groups & Communities
  • SwissITPro User Group: www.swissitpro.ch
  • NT Anwendergruppe Schweiz: www.nt-ag.ch
  • PASS (Professional Association for SQL Server): www.sqlpass.ch
