A Little History (NAP & NAC)
- Remember TACACS+? (Cisco)
- Remember PPTP? (Microsoft)
- Remember L2TP? (Microsoft + Cisco)
What we do together:
- Information sharing (NAP & NAC)
- Interoperability between the two architectures
- Driving industry standards
Network Admission Control
Guest Speaker: Khun Teerapol Tuanpusa, Cisco Systems Thailand
NAC Presentation
Our Security Strategy
- Isolation and Resiliency: a platform more resilient to security threats
- Advanced Updating: streamline the security update process
- Authentication, Authorization and Access Control: enable secure business scenarios
- Engineering Excellence: raise the bar of software security
- Guidance, Tools and Response: accelerate adoption of best practices
Windows Trustworthy Network Vision
- Secure transparent network
- Network topology is not a trust topology
- All communications are safe and secure
(Diagram of the building blocks: IPsec Policy, Windows Firewall, Mako Anti-Malware, Anti-Virus, Windows Update, XP SP2, SMS)
How do you ENFORCE the health of the client?
Core Functionality
The Network Access Protection system provides three distinct functionalities:
1. Network Policy Validation – is your system healthy?
2. Network Isolation – if you’re not healthy, you’re out!
3. Network Policy Compliance – if you’re not healthy, we’ll help you get there.
Classic VPN Quarantine (WS03)
(Diagram: Internet and Corpnet; Client connects through RRAS, which consults IAS)
Quarantine Issues
- Reskit tool – we put it into SP1!
- Spoofable – not secure
- Hard to implement – manual scripting
- Implementation: Windows Server 2003 VPN only
- Remote access solution only
- No 3rd party VPN support
Solution: a new Quarantine Platform for ALL connection states
Quarantine Architecture
(Diagram: on the client, a Policy Client and Quarantine Coordination; a Network Access Point with Enforcers (VPN, RADIUS/VPN) and Quarantine Coordination; Policy Servers providing Policy Validation, a State of Health API, and Management/Reporting. Legend: SW by Network Quarantine; SW by Policy Groups)
Message flow:
1. Client → Network Access Point: "Can I have access?"
2. Network Access Point → Client: "SoH please"
3. Client: "I don’t have an SoH" → Quarantined. Client: "I need help!"
4. Policy Client → Policy Server: "What’s my health status?" / "Policy?" → Policy Server returns the current policy and updates → "Health State Updated!"
5. Client → Network Access Point: SoH. Network Access Point → Policy Server: "Is this valid?" → "Valid" → "Access Granted" ("All Clear")
Policy Servers also produce reports.
What is Quarantine Platform?
Who gets checked: machines coming from home, returning laptops, consultants, guests, unhealthy desktops
- Health Checkup: IT checks the "health" of the client – patch level, AV, other scriptable checks
- Network Access Control: Access/No Access using R2: DHCP, VPN; Longhorn: IPsec
- Health Maintenance: quarantined clients are given access to fix-up services
- Can’t protect against malicious users
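The validate, isolate and remediate cycle from the Core Functionality slide and the message flow above, as an added simulation (not Microsoft's NAP code). The policy values, check names and fix-up server names are constructed for the example; the SoH is modelled as self-reported by the client agent, which is why the platform cannot protect against a malicious user.

```python
from dataclasses import dataclass
# Policy held by the policy server and fix-up servers in the isolation network (constructed values).
POLICY = {"min_patch_level": 3, "av_enabled": True}
FIXUP_SERVERS = {"patch.example.invalid", "av-update.example.invalid"}

@dataclass
class StatementOfHealth:   # what the policy client on the machine reports about itself
    patch_level: int
    av_enabled: bool

def validate_soh(soh, policy=POLICY):
    """Policy validation: return the failed checks; an empty list means healthy."""
    if soh is None:                      # "I don't have an SoH"
        return ["no_soh"]
    failures = []
    if soh.patch_level < policy["min_patch_level"]:
        failures.append("patch_level")
    if policy["av_enabled"] and not soh.av_enabled:
        failures.append("av_enabled")
    return failures

def enforce(soh):
    """Network isolation: the DHCP/VPN enforcement server grants full access or
    confines the client to the fix-up servers until its SoH validates."""
    failures = validate_soh(soh)
    if failures:
        return {"access": "quarantine", "reachable": set(FIXUP_SERVERS), "fix": failures}
    return {"access": "full", "reachable": {"*"}, "fix": []}

def remediate(soh, failures):
    """Policy compliance: the quarantined client uses the fix-up services to clear each check."""
    if soh is None:                      # install the agent, then fix whatever it finds
        soh = StatementOfHealth(0, False)
        failures = validate_soh(soh)
    if "patch_level" in failures:
        soh.patch_level = POLICY["min_patch_level"]
    if "av_enabled" in failures:
        soh.av_enabled = True
    return soh

def admission_flow(soh, max_rounds=3):
    """Validate -> isolate -> remediate -> revalidate; returns the access decisions made."""
    decisions = []
    for _ in range(max_rounds):
        decision = enforce(soh)
        decisions.append(decision["access"])
        if decision["access"] == "full":
            break
        soh = remediate(soh, decision["fix"])
    return decisions
```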
Components
(Diagram: on the client, a Policy Coordination Client, Policy Clients (e.g. Anti-virus, Patch) and a DHCP or VPN Client; on the network, a DHCP or VPN Server acting as RADIUS Client, and a RADIUS Server; on the server side, a Policy Coordination Server, Policy Servers (e.g. Anti-virus, Patch) and Update Servers (e.g. Anti-virus, Patch). Legend: Hardware / Software; Policy Compliance Technologies; Policy Validation Technologies; Network Communications & Isolation Technologies)
- Policy Coordination Client
- Policy Client (e.g. Anti-virus)
- Enforcement Technologies (DHCP, VPN)
- RADIUS Server
- Policy Servers (Anti-virus; Patch/System Management, etc.)
- Update Servers (Anti-virus; Patch/System Management, etc.)
Infrastructure Updates – what is going to be touched?
(Diagram: Company Network with local access machines, an Isolation Network, and remote access machines; marked items require a server upgrade or deployment)
- DHCP Servers
- VPN/Dial-up Servers
- RADIUS Server
- Policy Servers (Anti-virus; Patch/System Management, etc.)
- Update Servers (Anti-virus; Patch/System Management, etc.)
* DHCP and VPN are referred to as Enforcement Servers. The enforcement technology can also be IPsec.
Network Access Protection Key Take-Aways
- Focused on Network Health: not just "quarantine" but returning clients to a healthy state
- VPN Quarantine available today on Windows Server 2003; Version 2 (DHCP/VPN) shipping in R2; Version 3 (IPsec) shipping in Longhorn
- Extensible Architecture: extendable to 3rd party ISVs; scripting allows additional "custom" checks
- Selectable Network Enforcement: DHCP, VPN, IPsec – standard network methods
- Rich ecosystem of NAP-aware applications