Getting Ready for Network Access Protection
Jeff Alexander, Technology Advisor, Microsoft

Agenda
- Network Access Protection in context
- Network Access Protection architecture
- How Network Access Protection works
- Network Access Protection solution summary

Integrating the Edge
Policy, not topology, defines the edge.

The Four Pillars of Network Access Protection
- Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy".
- Network Restriction: restricts network access to computers based on their health.
- Remediation: provides the necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
- Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

Network Access Protection Components
The slide groups the components as enforcement components, health components and platform components:
- System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
- Quarantine Agent (QA) = Reports client health status; coordinates between SHA and QEC.
- Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 802.1X and IPsec QECs.
- System Health Validators (SHV) = Certify declarations made by health agents.
- Quarantine Server (QS) = Restricts the client's network access based on what the SHV certifies.
- Network Access Devices = Provide network access to healthy endpoints.
- System Health Servers = Define health requirements for system components on the client.
- Health Registration Authority = Issues certificates to clients that pass health checks.
- Remediation Servers = Install necessary patches, configurations, applications; bring clients to a healthy state.
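The component roles listed above, exercised as a toy Python model (an added example, not code from the deck or from Microsoft's NAP implementation); it also covers the IPsec walk-through and the enforcement-options table that the following slides describe. The health-policy values, the three SHA/SHV pairs and the sample Statement of Health (SoH) are constructed for illustration, and the real SoH message format is not reproduced.

```python
from collections import namedtuple

# Health requirements defined by the System Health Servers (constructed values).
HEALTH_POLICY = {"min_av_signature": 2000, "min_patch_level": 12, "firewall_on": True}
# Access for a healthy vs. an unhealthy client, per the deck's enforcement table.
ENFORCEMENT = {
    "DHCP":   ("full IP address, full access", "restricted set of routes"),
    "VPN":    ("full access", "restricted VLAN"),
    "802.1X": ("full access", "restricted VLAN"),
    "IPsec":  ("health certificate; can reach any trusted peer",
               "no certificate; healthy peers reject connection requests"),
}
# Constructed Statement of Health (SoH): what the client's SHAs declare.
SAMPLE_SOH = {"av_signature": 1850, "patch_level": 12, "firewall_on": False}

# compliant: bool; remediation: list of (setting, required value) pairs
Verdict = namedtuple("Verdict", "compliant remediation")

# System Health Validators: each certifies one SHA declaration or names the fix.
def shv_antivirus(soh, pol):
    if soh["av_signature"] < pol["min_av_signature"]:
        return ("av_signature", pol["min_av_signature"])
def shv_patch(soh, pol):
    if soh["patch_level"] < pol["min_patch_level"]:
        return ("patch_level", pol["min_patch_level"])
def shv_firewall(soh, pol):
    if pol["firewall_on"] and not soh["firewall_on"]:
        return ("firewall_on", True)
SHVS = (shv_antivirus, shv_patch, shv_firewall)

def quarantine_server(soh, pol=HEALTH_POLICY):
    """Network Policy Server: run every SHV over the SoH; healthy iff nothing to fix."""
    fixes = [fix for fix in (shv(soh, pol) for shv in SHVS) if fix]
    return Verdict(compliant=not fixes, remediation=fixes)

def enforce(method, verdict):
    """Quarantine Server: map the verdict onto the chosen enforcement method."""
    healthy, unhealthy = ENFORCEMENT[method]
    return healthy if verdict.compliant else unhealthy

def remediate(soh, verdict):
    """Remediation Server: apply exactly the settings the SHVs flagged."""
    return {**soh, **dict(verdict.remediation)}

def walkthrough(method, soh):
    """Client asks the HRA for a certificate; if refused, fix up and ask again."""
    verdict = quarantine_server(soh)
    outcomes = [enforce(method, verdict)]
    if not verdict.compliant:
        outcomes.append(enforce(method, quarantine_server(remediate(soh, verdict))))
    return outcomes
```

`walkthrough("IPsec", SAMPLE_SOH)` returns the restricted outcome first and the healthy outcome after remediation, mirroring the two passes through the HRA in the walk-through slide.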
Network Access Protection Architecture
[Architecture diagram: the Client hosts SHA 1, SHA 2, the Quarantine Agent (QA), QEC 1 and QEC 2. Health Statements and Network Access Requests flow from the client to the Network Access Device & Health Registration Authority, which returns a Health Certificate. The Network Policy Server hosts SHV 1, SHV 2 and the Quarantine Server (QS). System Health Servers supply the health policy; Remediation Servers supply updates to the client.]

Network Access Protection Partners
Microsoft integration ecosystem partners: Networking, Anti-Virus, Endpoint Security, Update/Management, Systems Integrators.

IPsec-based NAP Walk-through
Zones: Quarantine Zone, Boundary Zone, Protected Zone.
1. Client -> HRA: "May I have a health certificate? Here's my SoH."
2. HRA -> Policy Server: "Client ok?"
3. Policy Server -> HRA: "No. Needs fix-up."
4. HRA -> Client: "You don't get a health certificate. Go fix up."
5. Client -> Remediation Server: "I need updates."
6. Remediation Server -> Client: "Here you go."
7. Client -> HRA (repeating the request): "May I have a health certificate? Here's my SoH."
8. HRA -> Policy Server: "Client ok?"
9. Policy Server -> HRA: "Yes. Issue health certificate."
10. HRA -> Client: "Here's your health certificate."
11. Client -> Exchange Host: accessing the network.

NAP Enforcement Options
Enforcement                    Healthy client                           Unhealthy client
DHCP                           Full IP address given, full access       Restricted set of routes
VPN (Microsoft and 3rd party)  Full access                              Restricted VLAN
802.1X                         Full access                              Restricted VLAN
IPsec                          Can communicate with any trusted peer    Healthy peers reject connection requests from unhealthy systems

IPsec enforcement:
- Complements layer 2 protection
- Works with existing servers and infrastructure
- Flexible isolation

802.1X and IPsec = Customer Choice
- NAP supports both; each has advantages and weaknesses
- Integrated defense in depth at multiple layers
- Fast network access for healthy clients
- Standard 802.1X authentication; extensions to PEAP and 802.1X not required
- Network agnostic, but network vendors are able to innovate and provide value
- Customer choice: ability to protect network access, host access and application access in any combination, as needed, where appropriate
- Deploy in combination according to needs, risks, existing infrastructure and upgrade schedule

NAP is coming in Longhorn. Why should I start work now?
Customers can take advantage of the time they have to prepare their networks for the new model.

Deployment preparation tasks:
- Health Modeling
- Exemption Analysis
- Health Policy Zoning
- Secure Network Infrastructure Analysis
- IAS (RADIUS) Deployment
- Zone Enforcement Selection
- Rollout Planning and Change Process Control
- Success Matrices and Measures

Health Modeling
- What do I consider healthy for my network? Do I have a written and approved health policy?
- More than a technical discussion: different areas and divisions will have different policies.
- What are the corporate basics? What are the niche policies?
  - Basics: anti-virus, patch control, personal firewall, etc.
  - Niche: specialized OS configuration, application sets, PKI allotments, etc.
- Allot the time and resources to assess your corporate risk areas.
- Health control should be a top-down mandate for the enterprise.
- Allot the time to work with divisions and their architects.

Exemption Analysis
- Who gets a "pass"?
- Basic exemptions will be supplied by default (OS level and type).
- Exemptions need to be manageable.
- Work up an exemption documentation process; eventually you will want to know where the holes are!
- Mitigation plans for the exemptions: can we isolate them through other means? IP segmentation, VLAN control, extranet/guest access.

Secure Network Infrastructure Analysis
- Enforcement first, health second.
- NAP cannot protect the network from malicious users and systems.
- NAP is designed as the health overlay to the network security systems.
- NAP is dependent on its enforcement mechanisms: IPsec, VPN, 802.1X and DHCP need to be designed and deployed as security solutions in their own right prior to overlaying health control.

Zone Enforcement Selection
- Wired/wireless LAN zones: IPsec, 802.1X and DHCP are the choices for enforcement.
- Make a planning matrix for managed vs. unmanaged clients and wired vs. wireless clients, and apply the appropriate enforcement solutions.

Zone    Enforcement Method   Policy Rev   Wired/Wireless   Managed
Zone A  IPsec                1.2.5        Wired            100%
Zone B  802.1X               2.5.7        Both             100%
Zone C  DHCP                 1.2.5        Both             65%

Maintaining the Operations Successfully
Vulnerability identified, then the cycle:
1. Assess and track risk related to the vulnerability
2. If risk is high or critical, update policy and notify clients
3. Develop scanning criteria to detect security compliance
4. Scan the network for compliance to security policy
5. Enforce compliance after grace period
6. Measure and report results of compliance monitoring

Success Matrices and Metrics
- Security/health is an ongoing process.
- The only way to improve incident response is to have success factors and metrics to analyze.
- Be sure to analyze core security/health operations and track your ability to mitigate ongoing health issues.
- How long does it take to "seal off" various policy zones?
- Do we need to adjust policy or remediation control in a given zone?
- What are the goals and measures that you want to attain for each health zone and for the company as a whole?
- NAP is the way you can proactively mitigate your security/health stance.
- The technology is DEPENDENT on your processes.

Solution Take-Aways
- Policy-driven access control
  - Windows platform pieces with health and enforcement plug-ins
  - Integrated defense in depth at multiple layers
- Customer choice: flexible, selectable enforcement
  - Protect network access, host access and application access in any combination, as needed, where appropriate
  - Based on customer need, risk assessment, existing infrastructure and upgrade cycle
- Broad industry support
  - Extensible platform architecture: network vendors able to innovate and provide value
  - Standards-based approach means a multi-vendor, end-to-end solution
  - Full ecosystem of partners (50+) means customer investments will be preserved

Resources & Contacts
- Web site and whitepapers: www.microsoft.com/nap
- Information on SDK distribution: napsdk@microsoft.com
- Questions or feedback: asknap@microsoft.com

Resources
- Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
- Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
- MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
- Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
- Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
- Technical Community Sites: http://www.microsoft.com/communities/default.mspx
- User Groups: http://www.microsoft.com/communities/usergroups/default.mspx

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.