Windows Server 2008 Network Access Protection Richard Chiu
Network Access Protection Solution Overview. Policy Validation: determines whether computers are compliant with the company's security policy; compliant computers are deemed healthy. Network Restriction: restricts network access to computers based on their health. Remediation: provides the necessary updates to allow the computer to become healthy; once healthy, the network restrictions are removed. Ongoing Compliance: changes to the company's security policy or to a computer's health may dynamically result in network restrictions.
What is Network Access Protection (NAP)? Additional protection from malware threats and other client configuration inconsistencies. It's all about defense in depth! NAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained and isolated if deemed unhealthy. It provides centralized definition, integration, and enforcement of system health requirements to help prevent exposure to malware on a private network. NAP is designed to be a client health checker; it is not the best solution for blocking unauthorized users, rogue machine control, or software distribution control.
Why Use Network Access Protection? (Diagram: a healthy computer and an unhealthy computer on the private network.)
Why Use Network Access Protection? We do not trust users to install all patches and updates as required, and we need to verify that systems comply with policies. Do the systems have current anti-virus software? Current anti-spyware? Current corporate-approved patches? A host-based stateful firewall enabled? What other configuration settings are required for adherence to the organization's security policies?
Network Access Protection: a policy-based solution that validates whether computers meet health policies, limits access for noncompliant computers, automatically remediates noncompliant computers, and continuously updates compliant computers to maintain their health state. (Diagram: intranet.)
NAP Platform Architecture (diagram): VPN Server, Active Directory, IEEE 802.1X Devices, Internet, Perimeter Network, DHCP Server, Health Registration Authority, Intranet, NAP Health Policy Server, Restricted Network with Remediation Servers, and a NAP Client with limited access.
Network Access Protection Components. Enforcement platform and health components:
Quarantine Agent (QA) = Reports client health; coordinates between the SHAs and the NAD.
System Health Agents (SHA) = Declare health (patch status, virus signature, configuration, etc.).
Quarantine Enforcement Clients (QEC) = Negotiate access state with the network access device(s); DHCP, VPN, 802.1X, IPsec QECs.
Quarantine Server (QS) = Restricts the client's network access based on what the SHV certifies.
System Health Validators (SHV) = Certify declarations made by the health agents.
Network Access Devices = Provide network access to healthy endpoints.
System Health Servers = Define health requirements for system components on the client.
Health Registration Authority = Issues health certificates to clients that pass health checks.
Remediation Servers = Install necessary patches, configurations, applications; bring clients to a healthy state.
(Diagram: the client runs SHA 1, SHA 2, the Quarantine Agent and QEC 1, QEC 2; it receives updates from the Remediation Servers, sends health statements and network access requests to the Network Access Device and Health Registration Authority, and receives a health certificate; the Network Policy Server holds SHV 1, SHV 2 and the Quarantine Server, and gets health policy from the System Health Servers.)
Network Access Protection Walk-through (diagram: Restricted Network with Remediation Servers; Corporate Network with System Health Servers, which push ongoing policy updates to the Network Policy Server).
1. The client requests access and provides its current health status.
2. The Network Access Device (DHCP, VPN) asks the Network Policy Server: should this client be restricted based on its health?
3. According to policy, the client is not up to date: quarantine the client and request it to update. The client is given restricted access until fix-up.
4. The client needs updates and downloads them from the Remediation Servers.
5. The client requests access again based on its new health status.
6. According to policy, the client is now up to date: grant access. The client is granted access to the full intranet.
What Are System Health Validators? System Health Validators are the server software counterparts to system health agents. Each SHA on the client has a corresponding SHV in NPS. SHVs allow NPS to verify the statement of health made by the corresponding SHA on the client. SHVs contain the required configuration settings for client computers. The Windows Security SHV corresponds to the Microsoft SHA on client computers.
NAP Client (screenshots): non-compliant with no auto-remediation; compliant / auto-remediated.
NAP - Enforcement Options (enforcement method: healthy client / unhealthy client).
DHCP: full IP address given, full access / restricted set of routes.
VPN (MS and 3rd party): full access / restricted VLAN.
802.1X: full access / restricted VLAN.
IPsec: can communicate with any trusted peer / healthy peers reject connection requests from unhealthy systems.
IPsec enforcement complements layer 2 protection, works with existing servers and infrastructure, and gives flexible isolation.
IPsec-based NAP Isolation Model. Policy definitions by zone: Protected Zone: all systems possess a Health Certificate; authentication is required to connect into a system. Boundary Zone: all systems possess a Health Certificate; authentication is requested but not required to connect into a system. Quarantine Zone: no Health Certificates, no IPsec policies. (Diagram: connections between the Protected Zone and the Boundary Zone are ALLOWED, connections from the Quarantine Zone into the Boundary Zone are ALLOWED, and connections from the Quarantine Zone into the Protected Zone are BLOCKED.)
Network Policy Options: allow full network access; allow full network access for a limited time (enforcement is deferred until a later date); limited network access (access is restricted to the remediation servers).
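The walk-through, the SHA/SHV pairing, the enforcement options and the three network policy options above, as one added model in Python. This is a constructed illustration, not Microsoft's NAP code: the health settings, policy names and enforcement strings are assumptions taken from the slides.

```python
from dataclasses import dataclass, replace
from datetime import date

# Settings the Windows SHV checks against the Windows SHA (assumed policy values).
REQUIRED = {"antivirus_current": True, "antispyware_current": True,
            "firewall_enabled": True, "updates_current": True}

# Enforcement outcome per method for (healthy, unhealthy) clients, as on the deck.
ENFORCEMENT = {
    "DHCP":   ("full IP address, full access", "restricted set of routes"),
    "VPN":    ("full access", "restricted VLAN"),
    "802.1X": ("full access", "restricted VLAN"),
    "IPsec":  ("can talk to any trusted peer", "healthy peers reject connections"),
}

@dataclass(frozen=True)
class StatementOfHealth:
    """What the client's SHA declares (constructed sample values)."""
    antivirus_current: bool = True
    antispyware_current: bool = True
    firewall_enabled: bool = True
    updates_current: bool = True

def validate(soh):
    """SHV role: return the settings that do not meet the health policy."""
    return [name for name, want in REQUIRED.items() if getattr(soh, name) != want]

def decide(soh, policy, today, enforcement_date=None):
    """NPS role: map the SHV result onto one of the deck's network policy options.
    policy is 'enforce' (limited access for noncompliant clients) or 'deferred'
    (full access until enforcement_date, then limited access)."""
    failures = validate(soh)
    if not failures:
        return "full", failures
    if policy == "deferred" and enforcement_date and today < enforcement_date:
        return "full-limited-time", failures
    return "limited", failures  # only the remediation servers are reachable

def enforce(method, access):
    """NAD/QEC role: the network-level effect of the NPS decision for one method."""
    healthy, unhealthy = ENFORCEMENT[method]
    return healthy if access in ("full", "full-limited-time") else unhealthy

def remediate(soh, failures):
    """Remediation servers fix each failed setting; the SHA then re-reports."""
    return replace(soh, **{name: REQUIRED[name] for name in failures})

def walkthrough(soh, method="DHCP", policy="enforce", today=date(2009, 6, 1)):
    """Run the deck's walk-through: request, decide, remediate, re-evaluate."""
    access, failures = decide(soh, policy, today)
    steps = [f"{method}: {enforce(method, access)}"]
    if access == "limited":
        soh = remediate(soh, failures)
        access, failures = decide(soh, policy, today)
        steps.append(f"{method} after remediation: {enforce(method, access)}")
    return access, steps
```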
System Health Agent Options. Windows SHA: antivirus settings, antispyware settings, firewall settings, Windows Update settings. System Center Configuration Manager 2007 (SCCM) SHA: patch management. Forefront Client Security (FCS) SHA. 3rd party SHAs, including Avenda, Nortel, UNET.
Certification Authority. Issues health certs for NAP-compliant machines via the HRA proxy. These are regular X.509 certificates with a very short lifetime and the System Health Authentication OID in the certificate. Certificate Authority requirements: an enterprise or standalone subordinate CA under a trusted Root CA; Windows Server 2003 or later (needs to support MS client certificate enrollment); it is recommended that dedicated health certificate-issuing CAs are deployed; no revocation is typically required due to the short certificate lifetime; the high volume of certificates issued could impact other services also relying on the CA. Notes: the No Enforcement model needs a CA for exemption certificates; beware the default CA install behavior when NAP roles are added to the server's configuration and a CA does not already exist; try to keep the CA close to the HRA in distributed/large deployments.
Remediation Servers: any service that needs to be available to clients for remediation to happen; which ones depend on what SHAs are being used by the organization. Remediation servers need to be reachable from unhealthy clients. Publish remediation servers externally to the Internet, use a separate IP subnet for remediation servers, and require an additional (non-health) client certificate to secure access to the remediation subnet.
Preparing for Network Access Protection. Preparing for NAP is going to take effort and time; take advantage of that time to prepare your networks for the new health compliance and enforcement model and ensure NAP readiness across your IT organization. Deployment preparation tasks: health modeling; health policy zoning; secure network infrastructure analysis; IAS (RADIUS) deployment; zone enforcement selection; exemption analysis; rollout planning and change process control; success matrices and measures.
Deploy the Underlying Infrastructure: design and deploy a complete RADIUS solution. (Diagram: remote access via RAS/VPN/Firewall and dial-up/ADSL, LAN access via wireless AP/switch, all authenticating with RADIUS to an IAS/RADIUS server or IAS/RADIUS proxy backed by Active Directory on the corporate network.)
SCCM Network Access Protection
What's Next?
Protect Everywhere, Access Anywhere: identity-centric; scale across physical, virtual, and cloud environments.
Effectively Managing Identity & Access: services, edge, server applications, information protection, client and server OS.
NAP with Forefront Client
Forefront Client Security Health Validator. The Forefront Client Security Health Validator is the antivirus and antispyware component of the system health agents.
NAP architecture with Forefront Client Security SHA/SHV
Business Ready Security: help securely enable business; identity; highly secure and interoperable platform. From block to enable, from cost to value, from siloed to seamless.
Identity and Security Division at Microsoft
DirectAccess: the DirectAccess Client (Windows 7) connects across the Internet through a tunnel over IPv4 (UDP, HTTPS, etc.) to the DirectAccess Server (Server 2008 R2), which acts as the IPsec gateway; traffic is encrypted with IPsec ESP; IPsec hardware offload is supported.
Simplify the Security Experience; Manage Compliance
2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.