
May 30th – 31st, 2007, Chateau Laurier, Ottawa. Securing Your Network – End to End Connectivity. Pat Fetty, Senior Program Manager, Windows Customer Advisory Team.

Presentation transcript:

1 May 30th – 31st, 2007, Chateau Laurier, Ottawa

2 Securing Your Network – End to End Connectivity
Pat Fetty, Senior Program Manager, Windows Customer Advisory Team, Microsoft Corporation

3 Initial Customer Pain
Viruses entering the enterprise by:
- Employees returning from trips
- Consultants/guests plugging in
- Employees VPN-ing in
- Attacking vulnerable machines in the network
Causing loss of productivity and financial loss:

Year   Virus      Worldwide financial impact (USD)
1999   Melissa    1.10 billion
2000   Love Bug   8.75 billion
2001   Code Red   2.75 billion
2002   Klez       750 million
2003   Slammer    1.25 billion
Source: "Virus Attack Costs are Rising – Again." Computer Economics, Inc., Sept 2003.

IT administrators looking for tools to:

Objective                   NAP   How
Comply to health policy     Yes   Check machine state before allowing access
Remediate vulnerabilities   Yes   In conjunction with SMS/WUS and 3rd parties
Detect/manage               Yes   In conjunction with SMS/MOM and 3rd parties

4 The 4 Pillars of NAP
- Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy."
- Network Restriction: restricts network access to computers based on their health.
- Automatic Remediation: provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
- Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

5 Network Access Protection Walk-through
Participants: Client, Network Access Device (DHCP, VPN), NPS Policy Server, System Health Servers, Remediation Servers; Corporate Network and Restricted Network.
- Client to Network Access Device: "May I have access? Here's my current health status."
- Network Access Device to NPS Policy Server: "Should this client be restricted based on its health?"
- System Health Servers send ongoing policy updates to the NPS Policy Server.
- NPS Policy Server: "According to policy, the client is not up to date. Quarantine client, request it to update."
- Network Access Device to Client: "You are given restricted access until fix-up."
- Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
- Client: "Requesting access. Here's my new health status."
- NPS Policy Server: "According to policy, the client is up to date. Grant access."
- Client is granted access to full intranet.

6 NAP – Enforcement Options

Enforcement                       Healthy client                          Unhealthy client
DHCP                              Full IP address given, full access      Restricted set of routes
VPN (Microsoft and 3rd party)     Full access                             Restricted VLAN
802.1X                            Full access                             Restricted VLAN
IPsec                             Can communicate with any trusted peer   Healthy peers reject connection requests from unhealthy systems

- Complements layer 2 protection
- Works with existing servers and infrastructure
- Flexible isolation

7 Threat Matrix

8 IPsec-based NAP Features
- Isolation of unhealthy clients using IPsec
- Secure enforcement: cannot be bypassed by reconfiguring the client, or by use of hubs / virtual PC technology
- No infrastructure upgrade: works with today's switches and routers; no need to replace/upgrade DHCP, VPN, etc.
- Flexible isolation: healthy systems can connect to quarantined systems but not vice versa; isolation model defined by policy

9 802.1X and IPsec = Customer Choice
- NAP supports both
- Integrated defense in depth at multiple layers
- Fast network access for healthy clients
- Network agnostic, but network vendors are able to innovate and provide value
- Customer choice: ability to protect network access, host access, application access in any combination, as needed, where appropriate

10 IPsec-based NAP Isolation
Diagram: Quarantine Zone, Boundary Zone and Protected Zone, with connections between zones marked ALLOWED or BLOCKED.
Policy definitions:
- Protected Zone: all systems possess a Health Certificate; authentication required to connect into a system
- Boundary Zone: all systems possess a Health Certificate; authentication requested but not required to connect into a system
- Quarantine Zone: no Health Certificates; no IPsec policies

11 IPsec-based NAP Walk-through: Accessing the network
Participants: Client, Health Registration Authority (HRA), NPS, Remediation Server; Quarantine Zone, Boundary Zone, Protected Zone.
- Client to HRA: "May I have a health certificate? Here's my SoH."
- HRA to NPS: "Client ok?"
- NPS: "No. Needs fix-up."
- HRA to Client: "You don't get a health certificate. Go fix up." (access to the protected zone is blocked)
- Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
- Client to HRA (again): "May I have a health certificate? Here's my SoH."
- NPS: "Yes. Issue health certificate."
- HRA to Client: "Here's your health certificate."
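The flow on slides 10 and 11 can be modelled end to end: SHAs supply a Statement of Health, an SHV checks it against policy, the HRA issues a health certificate only when the check passes, and the IPsec zone policy decides which connections a peer accepts. This is an added illustrative simulation, not code from the presentation or from Windows NAP; the policy values, check names and the `Client` class are constructed for the example.

```python
from dataclasses import dataclass

# Constructed health policy an SHV enforces: minimum patch level,
# maximum antivirus signature age, and host firewall required.
POLICY = {"patch_level": 3, "max_signature_age_days": 7, "firewall": True}

# Zone policy from slide 10: does a target in this zone REQUIRE IPsec
# authentication (i.e. a health certificate) from the initiator?
ZONE_REQUIRES_AUTH = {"protected": True, "boundary": False, "quarantine": False}

@dataclass
class Client:
    name: str
    soh: dict                 # Statement of Health declared by the client's SHAs
    health_cert: bool = False # set by the HRA after a passing SHV check

def shv_validate(soh: dict) -> list[str]:
    """System Health Validator: return the failed checks (empty list = healthy)."""
    failures = []
    if soh.get("patch_level", 0) < POLICY["patch_level"]:
        failures.append("patches out of date")
    if soh.get("signature_age_days", 999) > POLICY["max_signature_age_days"]:
        failures.append("virus signatures stale")
    if not soh.get("firewall", False):
        failures.append("firewall disabled")
    return failures

def hra_request_certificate(client: Client) -> str:
    """HRA asks NPS (the SHV) whether the client is ok and issues a cert only if so."""
    failures = shv_validate(client.soh)
    client.health_cert = not failures
    if failures:
        return "restricted: fix up " + ", ".join(failures)
    return "health certificate issued"

def remediate(client: Client) -> None:
    """Remediation server brings the client's declared state up to policy."""
    client.soh.update(patch_level=POLICY["patch_level"],
                      signature_age_days=0, firewall=True)

def connection_allowed(initiator: Client, target_zone: str) -> bool:
    """Protected-zone peers reject peers without a health certificate; boundary and
    quarantine peers accept them. A certified (healthy) peer can reach any zone."""
    return initiator.health_cert or not ZONE_REQUIRES_AUTH[target_zone]

def walkthrough(client: Client) -> list[str]:
    """Slide 11 sequence: request cert, remediate if refused, request again."""
    steps = [hra_request_certificate(client)]
    if not client.health_cert:
        remediate(client)
        steps.append(hra_request_certificate(client))
    return steps
```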

12

13 Network Access Protection Solution Take-Aways
- NAP means network health and trusted communications
- Windows platform pieces with health and enforcement plug-ins
- Integrated defense in depth at multiple layers
- Customer choice – flexible, selectable enforcement: protect network access, host access, application access in any combination, as needed, where appropriate
- Broad industry support
- Extensible platform architecture – network vendors able to innovate and provide value
- Standards-based approach means you can deploy a multi-vendor, end-to-end solution
- Full ecosystem of partners (50+) means your third-party investments will be preserved

14 NAP is coming in Server 2008. Why should I start work now?
Deployment preparation tasks:
- Health Modeling
- Exemption Analysis
- Health Policy Zoning
- NPS (RADIUS) Deployment
- Zone Enforcement Selection
- Rollout Planning and Change Process Control

15 Network Access Protection Timeline
- Server 2008 Beta 3 – May 2007: NPS enhancements; XP SP2 beta NAP client available
- Server 2008 RTM – 2H 2007: general availability

16 Resources & Contacts
- Web site and whitepapers: www.microsoft.com/nap
- Information on SDK distribution: napsdk@microsoft.com
- Questions or feedback: asknap@microsoft.com

17 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

18 Appendix

19 Network Access Protection Components
Diagram: Client (System Health Agents SHA1, SHA2; Quarantine Agent (QA); Quarantine Enforcement Clients QEC1, QEC2) sends Health Statements and Network Access Requests to the Network Access Device & Health Registration Authority, which returns a Health Certificate; the NPS Policy Server (Quarantine Server (QS); System Health Validators SHV1, SHV2) receives Health policy from the System Health Servers; Remediation Servers supply Updates to the client.

Health Components:
- System Health Agents (SHA) = declare health (patch state, virus signature, system configuration, etc.).
- System Health Validators (SHV) = certify declarations made by health agents.
- Remediation Servers = install necessary patches, configurations, applications; bring clients to a healthy state.

Enforcement Components:
- Quarantine Enforcement Clients (QEC) = negotiate access with network access device(s); DHCP, VPN, 1X, IPsec QECs.
- Network Access Devices = provide network access to healthy endpoints.
- Health Registration Authority = issues certificates to clients that pass health checks.
- Quarantine Server (QS) = restricts client's network access based on what the SHV certifies.

Platform Components:
- System Health Servers = define health requirements for system components on the client.
- Quarantine Agent (QA) = reports client health status, coordinates between SHA and NAD.
- QA/QS = Windows components.

