May 30th – 31st, 2007, Chateau Laurier, Ottawa
Securing Your Network – End to End Connectivity
Pat Fetty, Senior Program Manager, Windows Customer Advisory Team, Microsoft Corporation
Initial Customer Pain
Virus entering the enterprise by:
- Employees returning from trips
- Consultants/guests plugging in
- Employees VPN-ing in
Attacking vulnerable machines in the network
Year   Virus      WW Financial Impact (USD)
1999   Melissa    1.10 Billion
2000   Love Bug   8.75 Billion
2001   Code Red   2.75 Billion
2002   Klez       750 Million
2003   Slammer    1.25 Billion
Causing loss of productivity and financial loss.
Source: Virus Attack Costs are Rising – Again. Computer Economics, Inc., Sept 2003.
IT Administrators looking for tools to:
Objective                   NAP   How
Comply to Health Policy     Yes   Check machine state before allowing access
Remediate Vulnerabilities   Yes   In conjunction with SMS/WUS and 3rd parties
Detect/Manage               Yes   In conjunction with SMS/MOM and 3rd parties
The 4 Pillars of NAP
Policy Validation: Determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy."
Network Restriction: Restricts network access to computers based on their health.
Automatic Remediation: Provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
Ongoing Compliance: Changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
Network Access Protection Walk-through
Components in the diagram: Client; Network Access Device (DHCP, VPN); NPS Policy Server; System Health Servers; Remediation Servers; Corporate Network; Restricted Network.
1. Client to Network Access Device: "May I have access? Here's my current health status."
2. Network Access Device to NPS Policy Server: "Should this client be restricted based on its health?"
3. System Health Servers to NPS Policy Server: ongoing policy updates.
4. NPS Policy Server: "According to policy, the client is not up to date. Quarantine client, request it to update."
5. Network Access Device to Client: "You are given restricted access until fix-up."
6. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
7. Client to Network Access Device: "Requesting access. Here's my new health status."
8. NPS Policy Server: "According to policy, the client is up to date. Grant access."
9. Client is granted access to full intranet.
NAP - Enforcement Options
Enforcement                      Healthy Client                            Unhealthy Client
DHCP                             Full IP address given, full access        Restricted set of routes
VPN (Microsoft and 3rd Party)    Full access                               Restricted VLAN
802.1X                           Full access                               Restricted VLAN
IPsec                            Can communicate with any trusted peer     Healthy peers reject connection requests from unhealthy systems
IPsec enforcement:
- Complements layer 2 protection
- Works with existing servers and infrastructure
- Flexible isolation
Threat Matrix
Columns: Threat; Examples; Affected security objectives (Confidentiality, Data integrity, System integrity, Availability); Mitigation Solution (IPsec, 802.1x, DHCP). Each "Yes" marks an affected security objective; each √ marks a mitigating solution.
Threat                      Affected security objectives   Mitigation Solution
Eavesdropping               Yes                            √
Denial of Service           Yes                            √
Man in the Middle           Yes Yes Yes                    √
Replay                      Yes Yes                        √
Spoofing                    Yes Yes Yes Yes                √
Back door                   Yes Yes                        √ √ √
Rogue Client                                               √ √
Spyware                     Yes                            √ √ √
Virus (simple)              Yes                            √ √ √
Movement between networks   Yes Yes Yes Yes                √
Worms                       Yes                            √ √ √
IPSec-based NAP Features
Isolation of unhealthy clients using IPSec
Secure enforcement
- Can not be bypassed by reconfiguring client
- Or by use of hubs / virtual PC technology
No infrastructure upgrade
- Works with today's switches and routers
- No need to replace/upgrade DHCP, VPN, etc.
Flexible isolation
- Healthy systems can connect to quarantined systems but not vice versa
- Isolation model defined by policy
802.1X and IPsec = Customer Choice
- NAP supports both
- Integrated defense in depth at multiple layers
- Fast network access for healthy clients
- Network agnostic but network vendors able to innovate and provide value
- Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate
IPSec-based NAP Isolation
Diagram: Quarantine Zone, Boundary Zone and Protected Zone, with the connections between them marked ALLOWED or BLOCKED.
Policy Definitions
Protected Zone: All systems possess a Health Certificate. Authentication required to connect into a system.
Boundary Zone: All systems possess a Health Certificate. Authentication requested but not required to connect into a system.
Quarantine Zone: No Health Certificates. No IPSec policies.
IPSec-based NAP Walk-through: Accessing the network
Components in the diagram: Client; Health Registration Authority (HRA); NPS; Remediation Server; Quarantine Zone, Boundary Zone, Protected Zone.
1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client ok?"
3. NPS to HRA: "No. Needs fix-up."
4. HRA to Client: "You don't get a health certificate. Go fix up."
5. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
6. NPS to HRA, on the re-check: "Yes. Issue health certificate."
7. HRA to Client: "Here's your health certificate."
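The two walk-throughs and the zone policy definitions, modelled as an added Python example; this is not code from the deck or from Microsoft's NAP implementation, and the policy values, SoH fields and function names are constructed for illustration:

```python
from dataclasses import dataclass

# Health policy as a System Health Server would publish it to NPS (constructed values).
POLICY = {"min_patch_level": 5, "min_av_signature": 20070501, "firewall_on": True}


@dataclass
class Client:
    name: str
    soh: dict                   # Statement of Health: what the client's SHAs declare
    health_cert: bool = False   # health certificate issued by the HRA
    zone: str = "quarantine"    # quarantine | boundary | protected


def shv_validate(soh: dict, policy: dict = POLICY) -> list:
    """System Health Validator: certify the SoH; returns failed checks (empty = healthy)."""
    failures = []
    if soh.get("patch_level", 0) < policy["min_patch_level"]:
        failures.append("patch_level")
    if soh.get("av_signature", 0) < policy["min_av_signature"]:
        failures.append("av_signature")
    if policy["firewall_on"] and not soh.get("firewall_on", False):
        failures.append("firewall_on")
    return failures


def hra_request_certificate(client: Client, zone_if_healthy: str = "protected") -> list:
    """HRA asks NPS/SHV 'client ok?'; issues a certificate on pass, else 'go fix up'.
    Re-running this after a policy change models the Ongoing Compliance pillar."""
    failures = shv_validate(client.soh)
    client.health_cert = not failures
    client.zone = zone_if_healthy if client.health_cert else "quarantine"
    return failures


def remediate(client: Client) -> None:
    """Remediation Server: bring the SoH up to the current policy minimums (constructed)."""
    client.soh.update(patch_level=POLICY["min_patch_level"],
                      av_signature=POLICY["min_av_signature"], firewall_on=True)


def ipsec_accepts(src: Client, dst: Client) -> bool:
    """Zone rule on the receiving side, per the deck's policy definitions:
    protected  = authentication with a health certificate required
    boundary   = authentication requested but not required
    quarantine = no IPsec policy, so any peer is accepted
    Hence healthy systems can reach quarantined ones, but not vice versa."""
    if dst.zone == "protected":
        return src.health_cert
    return True
```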
Network Access Protection Solution Take-Aways
NAP means network health and trusted communications
- Windows platform pieces with health and enforcement plug-ins
- Integrated defense in depth at multiple layers
Customer choice – flexible, selectable enforcement
- Protect network access, host access, application access in any combination as needed where appropriate
Broad industry support
- Extensible platform architecture – network vendors able to innovate and provide value
- Standards-based approach means you can deploy a multi-vendor, end-to-end solution
- Full ecosystem of partners (50+) means your third-party investments will be preserved
Deployment preparation tasks:
- Health Modeling
- Exemption Analysis
- Health Policy Zoning
- NPS (RADIUS) Deployment
- Zone Enforcement Selection
- Rollout Planning and Change Process Control
NAP is coming in Server 2008. Why should I start work now?
Network Access Protection Timeline
- Server 2008 Beta 3 – May 2007: NPS Enhancements; XPSP2 Beta NAP Client Available
- Server 2008 RTM – 2H 2007: General availability
Resources & Contacts
Web site and whitepapers: www.microsoft.com/nap
Information on SDK distribution: [email protected]
Questions or feedback: [email protected]
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Appendix
Network Access Protection Components
Diagram: Client (Quarantine Agent (QA); SHA1, SHA2; QEC1, QEC2); Network Access Device & Health Registration Authority; NPS Policy Server (Quarantine Server (QS); SHV1, SHV2); System Health Servers; Remediation Servers. Labelled flows: Health Statements and Network Access Requests from the Client, Health policy Updates to the NPS Policy Server, and the Health Certificate issued to the Client.
Health Components
- System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
- System Health Validators (SHV) = Certify declarations made by health agents.
- Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.
Enforcement Components
- Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs.
- Health Registration Authority = Issues certificates to clients that pass health checks.
- Quarantine Server (QS) = Restricts client's network access based on what SHV certifies.
- Quarantine Agent (QA) = Reports client health status, coordinates between SHA and NAD.
- Network Access Devices = Provide network access to healthy endpoints.
Platform Components
- System Health Servers = Define health requirements for system components on the client.
- QA/QS = Windows components