May 30th – 31st, 2007, Chateau Laurier, Ottawa. Securing Your Network – End to End Connectivity. Pat Fetty, Senior Program Manager, Windows Customer Advisory

Page 1: May 30th – 31st, 2007, Chateau Laurier, Ottawa

Page 2: Securing Your Network – End to End Connectivity

Pat Fetty, Senior Program Manager, Windows Customer Advisory Team, Microsoft Corporation

Page 3: Initial Customer Pain

Virus entering the enterprise by:
• Employees returning from trips
• Consultants/guests plugging in
• Employees VPN-ing in
• Attacking vulnerable machines in the network

Causing loss of productivity and financial loss:

Year   Virus      WW Financial Impact (USD)
1999   Melissa    1.10 Billion
2000   Love Bug   8.75 Billion
2001   Code Red   2.75 Billion
2002   Klez       750 Million
2003   Slammer    1.25 Billion

Source: Virus Attack Costs are Rising – Again. Computer Economics, Inc., Sept 2003.

IT Administrators looking for tools to:

Objective                  NAP   How
Comply with Health Policy  Yes   Check machine state before allowing access
Remediate Vulnerabilities  Yes   In conjunction with SMS/WUS and 3rd parties
Detect/Manage              Yes   In conjunction with SMS/MOM and 3rd parties

Page 4: The 4 Pillars of NAP

• Policy Validation: Determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy."
• Network Restriction: Restricts network access to computers based on their health.
• Automatic Remediation: Provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
• Ongoing Compliance: Changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

Page 5: Network Access Protection Walk-through

Participants: Client; Network Access Device (DHCP, VPN); NPS Policy Server; Remediation Servers; System Health Servers. Networks shown: Restricted Network, Corporate Network.

• Client → Network Access Device: "May I have access? Here's my current health status."
• Network Access Device → NPS Policy Server: "Should this client be restricted based on its health?"
• System Health Servers → NPS Policy Server: ongoing policy updates.
• NPS Policy Server: "According to policy, the client is not up to date. Quarantine client, request it to update."
• Network Access Device → Client: "You are given restricted access until fix-up." (Restricted Network)
• Client → Remediation Servers: "Can I have updates?" Remediation Servers → Client: "Here you go."
• Client → Network Access Device: "Requesting access. Here's my new health status."
• NPS Policy Server: "According to policy, the client is up to date. Grant access."
• Client is granted access to full intranet. (Corporate Network)
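The exchange on this slide, modelled as an added example (not code from the presentation or from Microsoft's NAP implementation): a health policy, a client statement of health, the validator and NPS decision, a remediation step that fixes only what was flagged, and the re-request. The policy fields, SoH fields and function names are assumptions chosen for illustration.

```python
# Added example, not code from the presentation: a small model of the NAP
# walk-through on this slide. Policy fields, SoH fields and names are assumptions.
from dataclasses import dataclass

# Health policy as held by the NPS policy server (constructed values).
HEALTH_POLICY = {"min_patch_level": 7, "min_av_signature": 20070525, "firewall_required": True}

@dataclass
class StatementOfHealth:
    """What the client's health agents declare about the machine."""
    patch_level: int
    av_signature: int
    firewall_on: bool

def validate(soh, policy=HEALTH_POLICY):
    """Health validator: return the names of the checks that failed (empty = healthy)."""
    failures = []
    if soh.patch_level < policy["min_patch_level"]:
        failures.append("patch_level")
    if soh.av_signature < policy["min_av_signature"]:
        failures.append("av_signature")
    if policy["firewall_required"] and not soh.firewall_on:
        failures.append("firewall")
    return failures

def decide_access(soh, policy=HEALTH_POLICY):
    """NPS decision: ('full', []) for a healthy client, else ('restricted', what to fix)."""
    failures = validate(soh, policy)
    return ("full" if not failures else "restricted", failures)

def remediate(soh, failures, policy=HEALTH_POLICY):
    """Remediation server: bring only the flagged items up to policy."""
    if "patch_level" in failures:
        soh.patch_level = policy["min_patch_level"]
    if "av_signature" in failures:
        soh.av_signature = policy["min_av_signature"]
    if "firewall" in failures:
        soh.firewall_on = True
    return soh

def nap_walkthrough(soh, policy=HEALTH_POLICY, max_rounds=2):
    """Request access, get restricted, fix up, re-request; return the decisions seen."""
    decisions = []
    for _ in range(max_rounds):
        access, failures = decide_access(soh, policy)
        decisions.append(access)
        if access == "full":
            break
        remediate(soh, failures, policy)  # happens while on the restricted network
    return decisions
```

Re-running decide_access with a stricter policy on an already-admitted client shows the "ongoing compliance" pillar: the same machine becomes restricted again without any change on its side.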

Page 6: NAP – Enforcement Options

Enforcement                      Healthy Client                        Unhealthy Client
DHCP                             Full IP address given, full access    Restricted set of routes
VPN (Microsoft and 3rd Party)    Full access                           Restricted VLAN
802.1X                           Full access                           Restricted VLAN
IPsec                            Can communicate with any trusted peer Healthy peers reject connection requests from unhealthy systems

• Complements layer 2 protection
• Works with existing servers and infrastructure
• Flexible isolation

Page 7: Threat Matrix

Columns: Threat (examples); Affected security objectives (Confidentiality, Data integrity, System integrity, Availability); Mitigation solution (IPsec, 802.1x, DHCP).

Rows, with the marks as they appear on the slide ("Yes" = an objective is affected, "√" = a mitigation applies; the column positions were not preserved in the text):

Eavesdropping              Yes                  √
Denial of Service          Yes                  √
Man in the Middle          Yes Yes Yes          √
Replay                     Yes Yes              √
Spoofing                   Yes Yes Yes Yes      √
Back door                  Yes Yes              √ √ √
Rogue Client                                    √ √
Spyware                    Yes                  √ √ √
Virus (simple)             Yes                  √ √ √
Movement between networks  Yes Yes Yes Yes      √
Worms                      Yes                  √ √ √

Page 8: IPSec-based NAP Features

• Isolation of unhealthy clients using IPSec
• Secure enforcement
  – Cannot be bypassed by reconfiguring the client
  – Or by use of hubs / virtual PC technology
• No infrastructure upgrade
  – Works with today's switches and routers
  – No need to replace/upgrade DHCP, VPN, etc.
• Flexible isolation
  – Healthy systems can connect to quarantined systems but not vice versa
  – Isolation model defined by policy

Page 9: 802.1X and IPsec = Customer Choice

• NAP supports both
• Integrated defense in depth at multiple layers
• Fast network access for healthy clients
• Network agnostic, but network vendors able to innovate and provide value
• Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate

Page 10: IPSec-based NAP Isolation

Diagram: Quarantine Zone, Boundary Zone and Protected Zone, with the connections between zones marked ALLOWED (three) or BLOCKED (one).

Policy Definitions:
• Protected Zone: All systems possess a Health Certificate. Authentication required to connect into a system.
• Boundary Zone: All systems possess a Health Certificate. Authentication requested but not required to connect into a system.
• Quarantine Zone: No Health Certificates. No IPSec policies.

Page 11: IPSec-based NAP Walk-through

Participants: Client; Health Registration Authority (HRA); NPS; Remediation Server. Zones shown: Quarantine Zone, Boundary Zone, Protected Zone.

• Accessing the network: X (blocked)
• Client → HRA: "May I have a health certificate? Here's my SoH."
• HRA → NPS: "Client ok?"
• NPS → HRA: "No. Needs fix-up."
• HRA → Client: "You don't get a health certificate. Go fix up."
• Client → Remediation Server: "I need updates." Remediation Server → Client: "Here you go."
• NPS → HRA: "Yes. Issue health certificate."
• HRA → Client: "Here's your health certificate."
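The zone policy definitions on the previous slide and the certificate step in this walk-through, as an added example that is not part of the presentation or of Microsoft's implementation: the HRA issues a short-lived health certificate only on a clean validator verdict, and a connection into a zone is accepted or refused according to that zone's authentication rule. Host names, the certificate lifetime and all function names are assumptions.

```python
# Added example, not code from the presentation: a model of the IPsec-based NAP
# zones and the health-certificate step on the two slides above. Host names,
# certificate lifetime and function names are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Host:
    name: str
    zone: str                              # "quarantine", "boundary" or "protected"
    cert_expires: Optional[date] = None    # health certificate expiry; None = no certificate

def hra_issue(host, shv_failures, today, lifetime_days=1):
    """Health Registration Authority: issue a short-lived health certificate only
    when the validator reported no failures; otherwise the host gets none."""
    if shv_failures:
        return False
    host.cert_expires = today + timedelta(days=lifetime_days)
    return True

def has_valid_cert(host, today):
    return host.cert_expires is not None and today <= host.cert_expires

def can_connect(initiator, target, today):
    """Apply the zone policy definitions to a connection INTO `target`."""
    if target.zone == "quarantine":   # no IPsec policy: anything may connect in
        return True
    if target.zone == "boundary":     # authentication requested but not required
        return True
    # protected zone: the initiator must authenticate with a valid health certificate
    return has_valid_cert(initiator, today)

def reachability(hosts, today):
    """(initiator, target) -> allowed, for every ordered pair of distinct hosts."""
    return {(a.name, b.name): can_connect(a, b, today)
            for a in hosts for b in hosts if a is not b}
```

The short certificate lifetime is what makes "ongoing compliance" work in this model: a host whose certificate has lapsed is treated exactly like one that never had one.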

Page 13: Network Access Protection Solution Take-Aways

• NAP means network health and trusted communications
  – Windows platform pieces with health and enforcement plug-ins
  – Integrated defense in depth at multiple layers
• Customer choice – flexible, selectable enforcement
  – Protect network access, host access, application access in any combination as needed where appropriate
• Broad industry support
  – Extensible platform architecture – network vendors able to innovate and provide value
  – Standards-based approach means you can deploy a multi-vendor, end-to-end solution
  – Full ecosystem of partners (50+) means your third-party investments will be preserved

Page 14: NAP is coming in Server 2008. Why should I start work now?

Deployment preparation tasks:
• Health Modeling
• Exemption Analysis
• Health Policy Zoning
• NPS (RADIUS) Deployment
• Zone Enforcement Selection
• Rollout Planning and Change Process Control

Page 15: Network Access Protection Timeline

• Server 2008 Beta 3 – May 2007
  – NPS Enhancements
  – XPSP2 Beta NAP Client Available
• Server 2008 RTM – 2H 2007
  – General availability

Page 16: Resources & Contacts

Web site and whitepapers: www.microsoft.com/nap
Information on SDK distribution: [email protected]
Questions or feedback: [email protected]

Page 17:

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Page 18: Appendix

Page 19: Network Access Protection Components

Diagram elements: Client (Quarantine Agent (QA); SHA1, SHA2; QEC1, QEC2); Network Access Device & Health Registration Authority; NPS Policy Server (Quarantine Server (QS); SHV1, SHV2); System Health Servers; Remediation Servers. Labelled flows: Health policy updates, Health Statements, Network Access Requests, Health Certificate.

Health Components:
• System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
• System Health Validators (SHV) = Certify declarations made by health agents.
• System Health Servers = Define health requirements for system components on the client.
• Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.

Enforcement Components:
• Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs.
• Network Access Devices = Provide network access to healthy endpoints.
• Health Registration Authority = Issues certificates to clients that pass health checks.

Platform Components:
• Quarantine Agent (QA) = Reports client health status, coordinates between SHA and NAD.
• Quarantine Server (QS) = Restricts client's network access based on what SHV certifies.
• QA/QS = Windows components.