
Providing 802.1X Enforcement For Network Access Protection



  1. Providing 802.1X Enforcement For Network Access Protection
     Mudit Goel, Development Manager, Windows Enterprise Networking, Microsoft Corporation

  2. Goals
     Overview
     • Network Access Protection (NAP) – architecture and extensibility
     • Demonstrate 802.1x NAP
     Target audience
     • Hardware Vendors (e.g.: 1x hardware)
     • Connectivity software (1x supplicant, EAP methods)

  3. What Is In It For You?
     • Add value to your hardware based products or solutions
       • Demonstrated interoperability with NAP
       • Easy configuration of 1x hardware for NAP
       • Unique value that you can add to your device
     • Easier to develop EAP related software
       • EAP extensibility model
       • Client: Supplicants and Methods
       • Server: Methods
     • More satisfied customers

  4. Life In A Highly-Connected World
     [Diagram: Internet, Perimeter and Intranet zones with Customers, Web Server, Infrastructure Servers, Extranet Server, Business Partners, Remote Access Gateway and Remote Employees]
     Interconnected networks: distributed data, mobile workers, business extranets, remote access, web services, wireless, mobile smart devices

  5. Problem
     • Very little isolation in network
     • Customers control very small percent of endpoints
     • De-perimeterization of devices happening now
     • Customers have little or no way of enforcing or even validating security policy compliance
     • Need for security at multiple layers

  6. Network Access Protection (NAP) Solution Overview
     • Policy Validation
       • Are computers “healthy” – compliant with company’s security policy
     • Network Restriction
       • Restrict network access based on their health
     • Remediation
       • Provides necessary updates to become healthy
       • Once healthy, the network restrictions are removed
     • Ongoing Compliance
       • Changes in computers’ health may dynamically result in network restrictions

  7. Network Access Protection Walk-Through
     [Diagram: Client, 802.1x Switch / AP, Microsoft network policy server (NPS), System health servers and Remediation servers; the Corporate Network and a Restricted Network]
     • System health servers → NPS: ongoing policy updates to NPS
     • Client → Switch / AP: “May I have access? Here’s my current health status”
     • Switch / AP → NPS: “Should this client be restricted based on its health?”
     • NPS → Switch / AP: “According to policy, the client is not up to date. Quarantine client, request it to update”
     • Switch / AP → Client: “You are given restricted access until fix-up”
     • Client → Remediation servers: “Can I have updates?” – Remediation servers → Client: “Here you go”
     • Client → Switch / AP: “Requesting access. Here’s my new health status”
     • NPS → Switch / AP: “According to policy, the client is up to date. Grant access”
     • Client is granted access to full intranet

  8. NAP Architecture Overview
     [Diagram: Client (System Health Agent (SHA) – MS and 3rd Parties; NAP Agent (QA); Enforcement Client (EC) – DHCP, IPSec, 802.1X, VPN) sends Network Access Requests and Health Statements through Network Access Devices and Servers to the Microsoft Network Policy Server (NPS) (NAP Server (QS); System Health Validator (SHV) – MS and 3rd Parties); System Health Servers supply Health policy to the NPS; Remediation Servers supply Updates to the client; a Health Certificate is issued to the client]
     • Client
       • SHA – health agents check client state
       • QA – coordinates SHA/EC
       • EC – method of enforcement
     • Remediation server
       • Serves up patches, AV signatures, etc.
     • Network access devices and server
       • Access points, switches, VPN servers, HRA
     • Network Policy Server
       • QS – coordinates SHV
       • SHV – validates client health
     • System health server
       • Provides client compliance policies

  9. Extending NAP
     [Diagram: the slide 8 architecture with the extension points marked – 3rd Party QEC and EapQEC beside the NAP Agent (QA); 3rd party EAP methods and PEAP inside EapHost on both the client and the Microsoft Network Policy Server; an 802.1x supplicant and 3rd party EAP supplicants on the client; Health policy from System Health Servers, Updates from Remediation Servers, Health Certificate, Network Access Requests and Health Statements via Network Access Devices and Servers]
     • Published APIs
       • SHA API
       • QEC API
       • SHV API
       • EAP Host Supplicant
       • EAP Host Method (Peer and Authenticator)
       • 802.1x client extensibility
     • Licensed Protocols
       • SoH / SoHR
       • RADIUS extensions
       • EAP TLVs
       • Health Certificate Enrollment Protocol

  10. RADIUS Attributes For NAP
     • Microsoft-Quarantine-State
       • Machine access should be
         • Full Access
         • Quarantined
         • Probation until a certain time
     • Microsoft-Quarantine-Grace-Time
       • Specified date and time for probation
     • Microsoft-IPv4-Remediation-Servers
       • Collection of IPv4 addresses of fixup servers
     • Microsoft-IPv6-Remediation-Servers
       • Collection of IPv6 addresses of fixup servers
     • Microsoft-Attribute-Not-Quarantine-Capable
       • Machine requesting access is not participating in NAP

  11. EAP Extensibility
     [Diagram: Client – 802.1x (EAP) – 802.1x AP / Controller – RADIUS (EAP) – Microsoft Network Policy Server. Client side: System Health Agent (SHA) (Microsoft and 3rd Parties), NAP Agent (QA), 3rd Party QEC, EapQEC, EapHost with PEAP and 3rd Party EAP Methods, 802.1x supplicant and 3rd Party EAP Supplicants. Server side: System Health Validator, Quarantine Server (QS), EapHost with PEAP and 3rd Party EAP Methods]
     • Supplicant API
       • 3rd party EAP supplicants can plug-in e.g. 802.x, IKEv2, VPN
       • Supplicants can become NAP aware by using EapHost
     • Method API
       • Enables 3rd party methods to plug-in e.g. EAP-TTLS, EAP-SIM, EAP-FAST

  12. Network Access Protection Demo
     Chandra Nakula, Test Lead, Windows Enterprise Networking

  13. Demo Setup
     [Diagram: Vista Client – HP Pro-curve Switch – NPS Server (Radius); DHCP Server]

  14. 802.1x Wired NAP
     [Diagram: Client – EAP – Switch – Radius (PEAP) – NPS Server (Radius); depending on the NPS answer the switch places the client in the Full Access VLAN or the Restricted VLAN]
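Added example, not from the deck and not Microsoft's implementation: a small Python model of the slide 7 walk-through that uses the RADIUS attribute names of slide 10 and the two-VLAN switch of slide 14. The health checks, the SoH dictionary layout, the remediation server addresses, the VLAN ids and the treatment of clients that send no SoH are all constructed assumptions.

```python
"""Toy 802.1X NAP flow: the SHV checks a Statement of Health (SoH), the NPS
answers with the NAP RADIUS attributes of slide 10, the switch picks a VLAN."""
from datetime import datetime, timedelta

# Constructed policy and network values; the real SoH format, policy schema
# and VLAN ids are not part of the slides.
POLICY = {"firewall_on": True, "av_max_age_days": 7, "patches_current": True}
REMEDIATION_SERVERS = ["192.0.2.10", "192.0.2.11"]  # constructed (TEST-NET-1)
FULL_ACCESS_VLAN, RESTRICTED_VLAN = 100, 999
NON_NAP_CLIENT_STATE = "Quarantined"  # assumed policy for clients without NAP

def validate_health(soh):
    """SHV: compare the SoH dict with POLICY; an empty list means healthy."""
    checks = [("firewall off", POLICY["firewall_on"] and not soh["firewall_on"]),
              ("AV signatures stale", soh["av_age_days"] > POLICY["av_max_age_days"]),
              ("patches missing", POLICY["patches_current"] and not soh["patches_current"])]
    return [name for name, failed in checks if failed]

def nps_decision(soh, now, probation_days=0):
    """QS: turn the SHV verdict into RADIUS attributes for the switch/AP.
    soh=None models a client that sent no SoH (not participating in NAP)."""
    if soh is None:
        return {"Microsoft-Attribute-Not-Quarantine-Capable": True,
                "Microsoft-Quarantine-State": NON_NAP_CLIENT_STATE}
    failures = validate_health(soh)
    if not failures:
        return {"Microsoft-Quarantine-State": "Full Access"}
    attrs = {"Microsoft-Quarantine-State": "Quarantined", "failures": failures,  # SoHR detail
             "Microsoft-IPv4-Remediation-Servers": REMEDIATION_SERVERS}
    if probation_days:  # probation: full access until the grace time expires
        attrs["Microsoft-Quarantine-State"] = "Probation"
        grace = now + timedelta(days=probation_days)
        attrs["Microsoft-Quarantine-Grace-Time"] = grace.isoformat()
    return attrs

def switch_assign_vlan(attrs, now):
    """802.1X switch/AP: map the quarantine state to the demo's two VLANs."""
    state = attrs["Microsoft-Quarantine-State"]
    if state == "Probation":
        grace = datetime.fromisoformat(attrs["Microsoft-Quarantine-Grace-Time"])
        state = "Full Access" if now < grace else "Quarantined"
    return FULL_ACCESS_VLAN if state == "Full Access" else RESTRICTED_VLAN

def walkthrough(soh, now):
    """Slide 7 sequence: request, quarantine, fix-up, re-request. Returns the
    VLAN the client landed on after each access request."""
    path = [switch_assign_vlan(nps_decision(soh, now), now)]
    if path[0] == RESTRICTED_VLAN and soh is not None:  # remediate, then retry
        healthy = {**soh, "firewall_on": True, "av_age_days": 0, "patches_current": True}
        path.append(switch_assign_vlan(nps_decision(healthy, now), now))
    return path
```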

  15. Call To Action: NAS Devices (1x APs / Controllers)
     • Ensure that your device works with NAP
       • Value: Device is NAP capable and hence more attractive to customers
     • Use the NAP related RADIUS attributes to make your configuration for NAP easier
       • Value: Customers would find it easier to configure your device from NPS for NAP
     • Extend NAP to deliver value to the customer
       • On the client, switch, or end to end

  16. Call To Action: NICs, EAP Supplicants, EAP methods
     • Test NAP interoperability with your hardware
     • Extend NAP to deliver value to the customer (Adopt EAPHost and NAP)
       • Write EAP methods to EAPHost
       • Leverage NAP in hardware, supplicants and EAP methods
       • Use EAPHost extensibility to build your supplicants
     • Work with us to address 802.x challenges
       • Multi-MAC
       • Heterogeneous environments
       • Bootstrapping
       • Timing issues

  17. Additional Resources
     • Web Resources
       • NAP: http://www.microsoft.com/NAP
       • EAP: http://www.microsoft.com/EAP
     • Additional Resources
       • Information on NAP SDK distribution
       • WDK – actual working sample EAP Methods and Supplicant
       • MSDN – EH Documentation and API references
     • E-mails – questions or feedback
       • NAP: napsdk@microsoft.com, asknap@microsoft.com
       • EAP: eapqa@microsoft.com

  18. Q&A

  19. © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
