Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.

Similar presentations


Presentation on theme: "Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology."— Presentation transcript:

1 Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology Specialist Microsoft Thailand

2 Agenda Security is a problem of IT industry Security Onion A Little History of NAP & NAC NACNAP Available Products in Thai Market

3 Security Onion

4 A Little History (NAP & NAC) Remember TACACS+? (Cisco) Remember PPTP? (Microsoft) Remember L2TP? (Microsoft + Cisco) What we do together: Information Sharing (NAP & NAC) Interoperability between two architectures Driving industry standards

5 Network Admission Control Guest Speaker: Khun Teerapol Tuanpusa Cisco Systems Thailand NAC Presentation NAC Presentation

6 Network Access Protection

7 Our Security Strategy Isolation and Resiliency A platform more resilient to security threats Advanced Updating Streamline the security update process Authentication, Authorization and Access Control Enable secure business scenarios Engineering Excellence Raise the bar of software security Guidance, Tools and Response Accelerate adoption of best practices

8 Windows Trustworthy Network Vision Secure transparent network Network topology is not a trust topology All communications are safe and secure IPsec Policy Windows Firewall Mako Anti-Malware Anti-Virus Windows Update XP SP2 SMS How do you ENFORCE the health of the client?

9 Core Functionality The Network Access Protection system provides three distinct functionalities: 1. Network Policy Validation – is your system healthy? 2. Network Isolation – if you’re not healthy, you’re out! 3. Network Policy Compliance - if you’re not healthy, we’ll help you get there.

10 Classic VPN Quarantine (WS03) InternetCorpnet ClientRRASIAS Quarantine Issues Reskit tool – We put it into SP1! Spoofable – not secure Hard to implement – manual scripting Implementation - Windows Server 2003 VPN Only Remote Access Solution Only No 3 rd party VPN support Solution: New Quarantine Platform for ALL connection states

11 How does it look today?

12

13

14 Quarantine Architecture Policy Server Enforcers: VPN Quarantine Coordination What’s my health Status? RADIUS/VPN Policy Validation State of Health API Management Reporting = SW by Network Quarantine = SW by Policy Groups Policy Server Policy Server Policy Server Policy Server Policy Client Quarantine Coordination ? Can I have access? ? SoH Please I don’t have an SoH XQuarantined I need Help! Policy? Reports Current Policy Updates Health State Updated! SoH All Clear Is this Valid? Valid  Access Granted Network Access Point

15 What is Quarantine Platform? From Home Returning Laptops Consultants Guests Unhealthy Desktops Health Checkup IT checks “health” of client - patch level, AV, other scriptable checks Network Access Control Access/No Access using R2: DHCP, VPN Longhorn: IPSec Health Maintenance Quarantined clients are given access to fix-up services Can’t protect against malicious users

16 Components Policy Coordination Client Policy Client (i.e. Anti-virus) Enforcement Technologies (DHCP, VPN) RADIUS Server Policy Servers (Anti-virus; Patch/System Management, etc.) Update Servers (Anti-virus; Patch/System Management, etc.) Client RADIUS Client RADIUS Server Policy Coordination Server DHCP or VPN Client DHCP or VPN Server Policy Server (i.e. Anti-virus) Policy Client (i.e. Patch) Update Server (i.e. Anti-virus) Update Server (i.e. Patch) Hardware Software Policy Compliance Technologies Policy Validation Technologies Network Communications & Isolation Technologies Policy Server (i.e. Patch)

17 Infrastructure Updates What is going to be touched? Company Network DHCP Servers Isolation Network RADIUS Server VPN/Dial-up Servers Policy Servers (Anti-virus; Patch/System Management, etc.) = Requires server upgrade or deployment Local access machines Remote access machines Update Servers (Anti-virus; Patch/System Management, etc.) * DHCP and VPN are referred to as Enforcement Servers. Enforcement technology can be IPsec.

18 Roadmap

19 Network Access Protection Key Take-Aways Focused on Network Health Not just “quarantine” but on returning clients to a healthy state VPN Quarantine available today on Windows Server 2003 Version2 (DHCP/VPN) shipping in R2 Version3 (IPsec) shipping in Longhorn Extensible Architecture Extendable to 3 rd party ISV Scripting allows additional “custom” checks Selectable Network Enforcement DHCP, VPN, IPsec Standard network methods Rich Ecosystem of NAP aware applications

20 Can’t wait for Longhorn?

21 Try these products Software Update Services (SUS) m/sus/default.mspx m/sus/default.mspx MS Baseline Security Analyzer (MBSA) s/mbsahome.mspx s/mbsahome.mspx ISA Server Windows Server 2003’s CMAK default.mspx default.mspx

22 Network Access Protection Info External Website: External Questions and Feedback Security Guidance Center Tools External Website: External Questions and Feedback Security Guidance Center Tools

23 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.


Download ppt "Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology."

Similar presentations


Ads by Google