Getting Ready for Network
Access Protection
Jeff Alexander
Technology Advisor
Microsoft
Agenda
Network Access Protection in context
Network Access Protection architecture
How Network Access Protection works
Network Access Protection solution summary
Integrating the Edge
Policy, not topology, defines the edge
The Four Pillars of Network Access Protection
Policy Validation
Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy.”
Network Restriction
Restricts network access to computers based on their health
Remediation
Provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed
Ongoing Compliance
Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions
Network Access Protection Components
Enforcement Components
Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPsec QECs.
Quarantine Server (QS) = Restricts client’s network access based on what SHV certifies.
Network Access Devices = Provide network access to healthy endpoints.
Health Components
System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
System Health Validators (SHV) = Certify declarations made by health agents.
System Health Servers = Define health requirements for system components on the client.
Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.
Platform Components
Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC.
Health Registration Authority = Issues certificates to clients that pass health checks.
[Diagram: the Client (SHA 1, SHA 2, Quarantine Agent (QA), QEC 1, QEC 2) sends Health Statements and Network Access Requests to the Network Access Device & Health Registration Authority and receives a Health Certificate in return. The Network Policy Server (SHV 1, SHV 2, Quarantine Server (QS)) evaluates the statements against the Health policy held by the System Health Servers; the Remediation Servers deliver Updates to the client.]
Network Access Protection Partners
Microsoft Integration
Ecosystem Partners
Networking
Anti-Virus
Endpoint Security
Update/Management
Systems Integrators
IPsec-based NAP Walk-through
Zones shown: Quarantine Zone, Boundary Zone, Protected Zone. Participants: Client, HRA, Policy Server, Remediation Server, Exchange Host.
Client to HRA: “May I have a health certificate? Here’s my SoH.”
HRA to Policy Server: “Client ok?”
Policy Server to HRA: “No. Needs fix-up.”
HRA to Client: “You don’t get a health certificate. Go fix up.”
Client to Remediation Server: “I need updates.”
Remediation Server to Client: “Here you go.”
Client to HRA, after remediation: “May I have a health certificate? Here’s my SoH.”
Policy Server to HRA: “Yes. Issue health certificate.”
HRA to Client: “Here’s your health certificate.”
Accessing the network: with its health certificate the client can now reach the Exchange Host.
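A model of the exchange above, as an added example and not code from the deck or from Microsoft’s NAP implementation: the SoH carries the SHA declarations, one SHV check per declaration compares it with the health policy, the HRA hands out a certificate only when every check passes, and a refused client receives the fix-ups the remediation server must apply. Policy values, declaration names and the sample client state are assumptions.

```python
# Constructed model of the NAP health-certificate exchange (not Microsoft code).
# Roles: SHA declarations in the SoH, SHV checks at the policy server,
# certificate issuance at the HRA, fix-ups at the remediation server.

# Health policy (assumed values): what each SHV certifies as "healthy".
POLICY = {
    "patch_level": 12,          # minimum installed patch baseline
    "av_signature": 20060301,   # minimum anti-virus signature date
    "firewall_enabled": True,   # personal firewall must be on
}

# One SHV per declaration: (check(declared, required) -> bool, fix-up name)
SHVS = {
    "patch_level": (lambda v, req: v is not None and v >= req, "install patches"),
    "av_signature": (lambda v, req: v is not None and v >= req, "update AV signatures"),
    "firewall_enabled": (lambda v, req: v is req, "enable firewall"),
}

def validate_soh(soh):
    """Policy server role: list the fix-ups needed; an empty list means healthy."""
    return [fixup for item, (check, fixup) in SHVS.items()
            if not check(soh.get(item), POLICY[item])]

def request_certificate(client, soh, policy_rev):
    """HRA role: returns (certificate, fix-ups); certificate is None while unhealthy."""
    fixups = validate_soh(soh)
    if fixups:
        return None, fixups              # "You don't get a health certificate. Go fix up."
    return {"client": client, "policy_rev": policy_rev}, []

def remediate(soh, fixups):
    """Remediation server role: bring each failed item up to policy."""
    fixed = dict(soh)
    for item, (_, fixup) in SHVS.items():
        if fixup in fixups:
            fixed[item] = POLICY[item]
    return fixed

def walk_through(client, soh, policy_rev="1.2.5"):
    """Whole exchange: request, fix up if refused, then request again."""
    cert, fixups = request_certificate(client, soh, policy_rev)
    if cert is None:
        soh = remediate(soh, fixups)
        cert, fixups = request_certificate(client, soh, policy_rev)
    return cert, fixups

# Constructed client state: patched, but stale AV signatures and firewall off.
SAMPLE_SOH = {"patch_level": 12, "av_signature": 20051201, "firewall_enabled": False}
```

A missing declaration (an SHA the client does not run) fails its SHV check rather than passing by default, which is the behaviour a policy server should have for an unknown component.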
Network Access Protection
NAP - Enforcement Options
Enforcement                   | Healthy Client                        | Unhealthy Client
DHCP                          | Full IP address given, full access    | Restricted set of routes
VPN (Microsoft and 3rd Party) | Full access                           | Restricted VLAN
802.1X                        | Full access                           | Restricted VLAN
IPsec                         | Can communicate with any trusted peer | Healthy peers reject connection requests from unhealthy systems
Complements layer 2 protection
Works with existing servers and infrastructure
Flexible isolation
802.1X and IPsec = Customer Choice
NAP supports both
Each has advantages and weaknesses
Integrated defense in depth at multiple layers
Fast network access for healthy clients
Standard 802.1X authentication; extensions to PEAP and 802.1X not required
Network agnostic but network vendors able to innovate and provide value
Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate
Deploy in combination according to needs, risks, existing infrastructure and upgrade schedule
NAP is coming in Longhorn. Why should I start work now?
Customers can take advantage of the time they have to prepare their networks for the new model
Deployment preparation tasks:
Health Modeling
Exemption Analysis
Health Policy Zoning
Secure Network Infrastructure Analysis
IAS (RADIUS) Deployment
Zone Enforcement Selection
Rollout Planning and Change Process Control
Success Matrices and Measures
Health Modeling
What do I consider healthy for my network?
Do I have a written and approved health policy?
More than a technical discussion – different areas and divisions will have different policies.
What are the corporate basics? What are the niche policies?
Basics: Anti-virus, Patch Control, Personal Firewall, etc.
Niche: Specialized OS Config, Application Sets, PKI allotments, etc.
Allot the time and resource to assess your corporate risk areas
Health control should be a top-down mandate for the enterprise
Allot the time to work with divisions and their architects
Exemption Analysis
Who gets a “pass”?
Basic exemptions will be supplied by default (OS level and type)
Exemptions need to be manageable
Work up an exemption documentation process – eventually you will want to know where the holes are!
Mitigation plans for the exemptions
Can we isolate them through other means?
IP Segmentation
VLAN Control
Extranet/Guest Access
Secure Network Infrastructure Analysis
Enforcement First – Health Second
NAP cannot protect the network from malicious users and systems
NAP is designed as the health overlay to the network security systems
NAP is dependent on its enforcement mechanisms
IPsec, VPN, 802.1x and DHCP need to be designed and deployed as security solutions in their own right prior to overlaying health control.
Zone Enforcement Selection
Wired/Wireless LAN Zones
IPsec, 802.1x and DHCP are the choices for enforcement
Make a planning matrix for managed vs. unmanaged clients and wired vs. wireless clients
Apply the appropriate enforcement solutions
Zone   | Enforcement Method | Policy Rev | Wired/Wireless | Managed
Zone A | IPsec              | 1.2.5      | Wired          | 100%
Zone B | 802.1x             | 2.5.7      | Both           | 100%
Zone C | DHCP               | 1.2.5      | Both           | 65%
Maintaining the Operations Successfully
Ongoing cycle, centred on: assess and track risk related to vulnerability
1. Vulnerability identified
2. If risk is high or critical, update policy and notify clients
3. Develop scanning criteria to detect security compliance
4. Scan the network for compliance to security policy
5. Enforce compliance after grace period
6. Measure and report results of compliance monitoring
Success Matrices and Metrics
Security/health is an ongoing process
The only way to improve incident response is to have success factors and metrics to analyze
Be sure to analyze core security/health operations and track your ability to mitigate ongoing health
How long does it take to “seal off” various policy zones?
Do we need to adjust policy or remediation control in a given zone?
What are the goals and measures that you want to attain for each health zone and the company as a whole?
NAP is the way you can proactively mitigate your security/health stance
The technology is DEPENDENT on your processes
Solution Take-Aways
Policy driven access control
Windows platform pieces with health and enforcement plug-ins
Integrated defense in depth at multiple layers
Customer choice – flexible, selectable enforcement
Protect network access, host access, application access in any combination as needed where appropriate
Based on customer need, risk assessment, existing infrastructure, upgrade cycle
Broad industry support
Extensible platform architecture – network vendors able to innovate and provide value
Standards-based approach means a multi-vendor, end-to-end solution
Full ecosystem of partners (50+) means customer investments will be preserved
Resources & Contacts
Web site and whitepapers:
www.microsoft.com/nap
Information on SDK distribution:
napsdk@microsoft.com
Questions or feedback:
asknap@microsoft.com
Resources
Technical Chats and Webcasts
http://www.microsoft.com/communities/chats/default.mspx
http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification
http://www.microsoft.com/learning/default.mspx
MSDN & TechNet
http://microsoft.com/msdn
http://microsoft.com/technet
Virtual Labs
http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites
http://www.microsoft.com/communities/default.mspx
User Groups
http://www.microsoft.com/communities/usergroups/default.mspx
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not
be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.