Windows Server 2008 Network Access Protection. Richard Chiu



Network Access Protection Solution Overview
Policy Validation: determines whether computers are compliant with the company's security policy. Compliant computers are deemed healthy.
Network Restriction: restricts network access to computers based on their health.
Remediation: provides the necessary updates to allow the computer to become healthy. Once healthy, the network restrictions are removed.
Ongoing Compliance: changes to the company's security policy or to a computer's health may dynamically result in network restrictions.

What is Network Access Protection (NAP)?
Additional protection from malware threats and other client configuration inconsistencies. It's all about defence in depth: NAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained, and isolated if deemed unhealthy. It provides centralized definition, integration, and enforcement of system health requirements to help prevent exposure to malware on a private network.
NAP is designed to be a client health checker. It is not the best solution for: blocking unauthorized users; controlling rogue machines; controlling software distribution.

Why Use Network Access Protection? (Diagram: a healthy computer is admitted to the private network; an unhealthy computer is kept out.)

Why Use Network Access Protection?
We do not trust users to install all patches and updates as required, and we need to verify that systems comply with policy. Do the systems have: current antivirus software? current antispyware? current corporate-approved patches? a host-based stateful firewall enabled? What other configuration settings are required for adherence to the organization's security policies?

Network Access Protection
A policy-based solution that: validates whether computers meet health policies; limits access for noncompliant computers; automatically remediates noncompliant computers; continuously updates compliant computers to maintain their health state.

NAP Platform Architecture (Diagram: Internet, perimeter network and intranet. Entry points are a VPN server, IEEE 802.1X devices, a DHCP server and a Health Registration Authority; all consult the NAP Health Policy Server, backed by Active Directory. A NAP client with limited access is placed on the restricted network, which contains the remediation servers.)

Network Access Protection Components
Health components:
  System Health Agents (SHA) = Declare health (patch status, virus signature, system configuration, etc.).
  System Health Validators (SHV) = Certify the declarations made by health agents.
  System Health Servers = Define health requirements for system components on the client.
  Remediation Servers = Install necessary patches, configurations and applications; bring clients to a healthy state.
Enforcement platform:
  Quarantine Agent (QA) = Client component; reports client health status and coordinates between the SHAs and the QECs.
  Quarantine Enforcement Clients (QEC) = Negotiate access with the network access device(s); one QEC per enforcement method (DHCP, VPN, 802.1X, IPsec).
  Network Access Devices = Provide network access to healthy endpoints.
  Quarantine Server (QS) = Restricts the client's network access based on what the SHV certifies.
  Health Registration Authority = Issues health certificates to clients that pass health checks.
(Diagram: on the client, SHA 1 and SHA 2 report to the Quarantine Agent, which drives QEC 1 and QEC 2. Health statements, health certificates and network access requests flow to the Network Access Device and Health Registration Authority, which forward them to the Network Policy Server holding SHV 1, SHV 2 and the Quarantine Server. System Health Servers supply health policy to NPS; remediation servers supply updates to the client.)

Network Access Protection Walk-through
1. The client requests access and provides its current health status to the Network Access Device (DHCP, VPN).
2. The Network Access Device asks the Network Policy Server: should this client be restricted based on its health?
3. NPS evaluates the health status against policy, which the System Health Servers keep updated.
   According to policy, the client is not up to date: NPS replies "Quarantine the client, request it to update." The client is given restricted access until fixed up; it needs updates and downloads them from the remediation servers on the restricted network.
   According to policy, the client is up to date: NPS replies "Grant access." The client is granted access to the full intranet.
4. The client sends its new health status after remediation and the evaluation repeats.

What Are System Health Validators?
System Health Validators are the server-side counterparts of system health agents. Each SHA on the client has a corresponding SHV in NPS. SHVs allow NPS to verify the statement of health made by the corresponding SHA on the client. SHVs hold the configuration settings required on client computers. The Windows Security Health Validator corresponds to the Windows Security Health Agent on client computers.

NAP Client (Screenshots: client status when non-compliant with no auto-remediation; client status when compliant or auto-remediated.)

NAP - Enforcement Options

Enforcement              Healthy client                           Unhealthy client
DHCP                     Full IP address given, full access       Restricted set of routes
VPN (MS and 3rd party)   Full access                              Restricted VLAN
802.1X                   Full access                              Restricted VLAN
IPsec                    Can communicate with any trusted peer    Healthy peers reject connection requests from unhealthy systems

IPsec enforcement complements layer 2 protection, works with existing servers and infrastructure, and gives flexible isolation.

IPsec-based NAP Isolation Model
Policy definitions:
  Protected Zone: all systems possess a health certificate; authentication is required to connect into a system.
  Boundary Zone: all systems possess a health certificate; authentication is requested but not required to connect into a system.
  Quarantine Zone: no health certificates; no IPsec policies.
Traffic between zones: Protected to Boundary ALLOWED; Boundary to Protected ALLOWED; Quarantine to Boundary ALLOWED; Quarantine to Protected BLOCKED.

Network Policy Options
Allow full network access.
Allow full network access for a limited time: enforcement is deferred until a later date.
Limited network access: access is restricted to the remediation servers.
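The following is an added example, not code from the presentation or from Microsoft's NAP implementation. It simulates the health check the walk-through and the SHV slide describe and the three network policy options above: the Windows SHA declares a Statement of Health, the matching SHV on NPS compares it with the required settings, NPS maps the result to an access decision (full, full with deferred enforcement, or limited), and an auto-remediated client re-submits its new health status. The field names, the sample SoH values and the dates are constructed for the example.

```python
"""Simulated NAP health evaluation: SHA declares health, SHV certifies it,
NPS network policy turns the result into an access decision.
Added example; not Microsoft's NAP code."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional

SAMPLE_TODAY = date(2009, 6, 1)        # constructed evaluation date
SAMPLE_DEFER_UNTIL = date(2009, 7, 1)  # constructed "enforce from" date


class Access(Enum):
    FULL = "full network access"
    FULL_DEFERRED = "full network access (enforcement deferred)"
    LIMITED = "limited access: remediation servers only"


@dataclass
class WindowsSoH:
    """Statement of Health as the Windows SHA reports it (field names are ours)."""
    firewall_on: bool
    antivirus_on: bool
    antivirus_current: bool
    antispyware_on: bool
    antispyware_current: bool
    auto_update_on: bool


@dataclass
class WindowsSHVPolicy:
    """Required settings held by the Windows Security Health Validator on NPS."""
    require_firewall: bool = True
    require_antivirus: bool = True
    require_antivirus_current: bool = True
    require_antispyware: bool = True
    require_antispyware_current: bool = True
    require_auto_update: bool = True


@dataclass
class SoHResponse:
    """SoHR returned to the client: compliant flag plus what to fix."""
    compliant: bool
    failures: List[str] = field(default_factory=list)


def validate(soh: WindowsSoH, shv: WindowsSHVPolicy) -> SoHResponse:
    """SHV side: each declared setting is checked against the required one."""
    checks = [
        (shv.require_firewall, soh.firewall_on, "firewall"),
        (shv.require_antivirus, soh.antivirus_on, "antivirus"),
        (shv.require_antivirus_current, soh.antivirus_current, "antivirus_current"),
        (shv.require_antispyware, soh.antispyware_on, "antispyware"),
        (shv.require_antispyware_current, soh.antispyware_current, "antispyware_current"),
        (shv.require_auto_update, soh.auto_update_on, "auto_update"),
    ]
    failures = [name for required, ok, name in checks if required and not ok]
    return SoHResponse(compliant=not failures, failures=failures)


@dataclass
class NetworkPolicy:
    """The NPS network policy options from the slide."""
    enforce_from: Optional[date] = None   # None: enforce now; a date: deferred until then
    auto_remediate: bool = True


def decide(sohr: SoHResponse, policy: NetworkPolicy, today: date) -> Access:
    if sohr.compliant:
        return Access.FULL
    if policy.enforce_from is not None and today < policy.enforce_from:
        return Access.FULL_DEFERRED       # "allow full network access for limited time"
    return Access.LIMITED                 # routes / VLAN / IPsec confine it to remediation


def remediate(soh: WindowsSoH, sohr: SoHResponse) -> WindowsSoH:
    """Client side: apply the fixes named in the SoHR (stands in for pulling
    updates from the remediation servers) and build a fresh SoH."""
    setting_for = {
        "firewall": "firewall_on", "antivirus": "antivirus_on",
        "antivirus_current": "antivirus_current", "antispyware": "antispyware_on",
        "antispyware_current": "antispyware_current", "auto_update": "auto_update_on",
    }
    fixed = WindowsSoH(**vars(soh))
    for name in sohr.failures:
        setattr(fixed, setting_for[name], True)
    return fixed


def walkthrough(soh: WindowsSoH, shv: WindowsSHVPolicy,
                policy: NetworkPolicy, today: date) -> List[Access]:
    """One cycle of the walk-through: validate, restrict, remediate, re-validate."""
    decisions = []
    sohr = validate(soh, shv)
    decisions.append(decide(sohr, policy, today))
    if not sohr.compliant and policy.auto_remediate:
        soh = remediate(soh, sohr)
        sohr = validate(soh, shv)          # client re-sends its new health status
        decisions.append(decide(sohr, policy, today))
    return decisions


if __name__ == "__main__":
    stale = WindowsSoH(True, True, False, True, True, False)   # constructed: old AV sigs, no WU
    print(validate(stale, WindowsSHVPolicy()))
    print(walkthrough(stale, WindowsSHVPolicy(), NetworkPolicy(), SAMPLE_TODAY))
```

With auto-remediation on, the stale client is first placed in limited access and then, after it re-submits a compliant SoH, granted full access; with enforcement deferred, the same client keeps full access until the enforce-from date, which is the reporting-only phase most deployments start with.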

System Health Agent Options
Windows SHA: antivirus settings, antispyware settings, firewall settings, Windows Update settings.
System Center Configuration Manager 2007 (SCCM) SHA: patch management.
Forefront Client Security (FCS) SHA.
Third-party SHAs, including Avenda, Nortel and UNET.

Certification Authority
Issues health certificates for NAP-compliant machines via the HRA proxy. These are regular X.509 certificates with a very short lifetime and the System Health Authentication OID in the certificate.
Certification Authority requirements:
  Enterprise or standalone subordinate CA under a trusted root CA.
  Windows Server 2003 or later (needs to support Microsoft client certificate enrollment).
  Dedicated health-certificate-issuing CAs are recommended: no revocation is typically required because of the short certificate lifetime, and the high volume of certificates issued could impact other services that also rely on the CA.
Notes:
  Exemption certificates also require the CA, whichever enforcement model is used.
  Beware the default CA install behavior when NAP roles are added to the server's configuration and a CA does not already exist.
  Keep the CA close to the HRA in distributed or large deployments.
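The following is an added example, not code from the presentation or from Microsoft's HRA or IPsec implementation. It models the IPsec isolation zones from the slide above together with the health certificate rules on this slide: the HRA issues a short-lived certificate carrying the System Health Authentication EKU only to a client the SHVs certified, and an IPsec peer decides whether to accept a connection from its zone's policy and the initiator's certificate. The peer deliberately performs no revocation lookup, which is the design choice the slide describes. The EKU OID value and the four-hour lifetime are assumptions (the slide says only "very short"); check them against your CA template. Host names and times are constructed.

```python
"""Simulated IPsec NAP isolation: does a peer accept a connection, given the
peer's zone and the health certificate the initiator presents?
Added example; not Microsoft's HRA, NAP or IPsec code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Assumed OID for the System Health Authentication EKU; verify in your CA template.
SYSTEM_HEALTH_AUTH_OID = "1.3.6.1.4.1.311.47.1.1"
HEALTH_CERT_LIFETIME = timedelta(hours=4)       # assumption; slide says only "very short"
SAMPLE_NOW = datetime(2009, 6, 1, 9, 0)         # constructed clock


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    ekus: Tuple[str, ...]
    issuer_trusted: bool = True   # chains to the trusted root above the health CA


@dataclass
class Host:
    name: str
    zone: str                     # "protected", "boundary" or "quarantine"
    health_cert: Optional[Certificate] = None


def issue_health_cert(hra_now: datetime, subject: str,
                      passed_health_check: bool) -> Optional[Certificate]:
    """HRA: issue a short-lived X.509 health cert only if the SHVs certified the client."""
    if not passed_health_check:
        return None
    return Certificate(subject, hra_now, hra_now + HEALTH_CERT_LIFETIME,
                       (SYSTEM_HEALTH_AUTH_OID,))


def is_valid_health_cert(cert: Optional[Certificate], now: datetime) -> bool:
    """Peer-side check. No CRL/OCSP lookup: the lifetime is short enough that
    a host which fails its next health check simply stops being renewed."""
    return (cert is not None
            and cert.issuer_trusted
            and cert.not_before <= now <= cert.not_after
            and SYSTEM_HEALTH_AUTH_OID in cert.ekus)


def peer_accepts(responder: Host, initiator: Host, now: datetime) -> bool:
    """Does `responder` accept an inbound connection from `initiator`?"""
    if responder.zone == "quarantine":
        return True                               # no IPsec policy at all
    authenticated = is_valid_health_cert(initiator.health_cert, now)
    if responder.zone == "protected":
        return authenticated                      # authentication required
    if responder.zone == "boundary":
        return True                               # requested but not required
    raise ValueError(f"unknown zone {responder.zone!r}")


def zone_matrix(now: datetime) -> Dict[Tuple[str, str], bool]:
    """Reachability (initiator zone, responder zone) -> allowed, with fresh certs."""
    fresh = issue_health_cert(now, "client", True)
    hosts = {
        "protected": Host("fileserver", "protected", fresh),
        "boundary": Host("printserver", "boundary", fresh),
        "quarantine": Host("guestpc", "quarantine", None),
    }
    return {(i, r): peer_accepts(hosts[r], hosts[i], now)
            for i in hosts for r in hosts if i != r}


if __name__ == "__main__":
    for (src, dst), ok in sorted(zone_matrix(SAMPLE_NOW).items()):
        print(f"{src:>10} -> {dst:<10} {'ALLOWED' if ok else 'BLOCKED'}")
```

The matrix reproduces the slide: quarantine hosts reach the boundary zone but are blocked from the protected zone, while certificated hosts move freely between boundary and protected. Running the same check a few hours later shows the ongoing-compliance property: a host whose certificate lapsed because it failed renewal is rejected by protected peers without any revocation infrastructure.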

Remediation Servers
Any service that needs to be available to clients for remediation to happen; which ones depend on the SHAs the organization uses. Remediation servers must be reachable from unhealthy clients. Publish remediation servers externally to the Internet. Use a separate IP subnet for the remediation servers. Require an additional (non-health) client certificate to secure access to the remediation subnet.
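The following is an added example, not code from the presentation. It makes the "remediation servers must be reachable from unhealthy clients" requirement concrete for DHCP enforcement, where the unhealthy client (the "restricted set of routes" case in the enforcement table) gets a lease with a host mask, no default router, and classless static host routes only toward the remediation servers. The audit function lists any server an SHA needs that the restricted lease cannot route to, which is the check to run whenever a remediation server moves or a new SHA is rolled out. Addresses are constructed and the lease dictionary layout is ours. Caveat a practitioner should keep in mind: the restriction only holds for a client that honours the lease; a machine with a manually configured static address is not restricted by DHCP enforcement at all, which is why the slides pair it with 802.1X or IPsec for stronger isolation.

```python
"""Restricted DHCP lease for an unhealthy NAP client and a reachability audit
for its remediation servers. Added example; field names are ours."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample values.
REMEDIATION_SERVERS = ["10.0.9.10", "10.0.9.11"]   # e.g. WSUS and AV signature server
ROUTER = "10.0.1.1"


def restricted_lease(client_ip: str, remediation_servers: List[str], router: str) -> Dict:
    """Lease a NAP-enabled DHCP server hands to a client that failed the health check."""
    return {
        "address": client_ip,
        "mask": "255.255.255.255",                       # nothing is on-link
        "router": None,                                  # no default gateway
        "static_routes": [(f"{s}/32", router) for s in remediation_servers],
    }


def full_lease(client_ip: str, router: str) -> Dict:
    """Lease for a healthy client on the same LAN."""
    return {"address": client_ip, "mask": "255.255.0.0", "router": router, "static_routes": []}


def can_reach(lease: Dict, dst: str) -> bool:
    """Does the client's resulting routing table give it a path to dst?"""
    dst_ip = ip_address(dst)
    if dst_ip == ip_address(lease["address"]):
        return True
    on_link = ip_network(f"{lease['address']}/{lease['mask']}", strict=False)
    if dst_ip in on_link:
        return True                                      # directly connected
    if any(dst_ip in ip_network(net) for net, _gw in lease["static_routes"]):
        return True                                      # classless static route
    return lease["router"] is not None                   # default route, if any


def unreachable_remediation(lease: Dict, required: List[str]) -> List[str]:
    """Servers the SHAs need for fix-up that this lease cannot route to."""
    return [s for s in required if not can_reach(lease, s)]


if __name__ == "__main__":
    lease = restricted_lease("10.0.1.50", REMEDIATION_SERVERS, ROUTER)
    for dst in ["10.0.9.10", "10.0.1.51", "10.0.5.20"]:
        print(dst, "reachable" if can_reach(lease, dst) else "blocked")
    print("missing:", unreachable_remediation(lease, REMEDIATION_SERVERS + ["10.0.9.12"]))
```

Note that with the /32 mask even a neighbour on the same LAN segment is off-link for the restricted client, so it cannot spread to peers while it updates; only the listed remediation hosts are routable.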

Preparing for Network Access Protection
Preparing for NAP is going to take effort and time. Take advantage of that time to prepare your networks for the new health compliance and enforcement model, and ensure NAP readiness across your IT organization.
Deployment preparation tasks: health modeling; health policy zoning; secure network infrastructure analysis; IAS (RADIUS) deployment; zone enforcement selection; exemption analysis; rollout planning and change process control; success matrices and measures.

Deploy the Underlying Infrastructure
Design and deploy a complete RADIUS solution. (Diagram: remote access via RAS/VPN/firewall, dial-up/ADSL and wireless APs, and corporate LAN access via wireless APs and switches, all authenticate over RADIUS to IAS/RADIUS servers and an IAS/RADIUS proxy backed by Active Directory.)

SCCM Network Access Protection

What s Next?

Protect Everywhere, Access Anywhere Identity-centric Scale across physical, virtual, and cloud environments

Effectively Managing Identity & Access: services, edge, server applications, information protection, client and server OS.

NAP with Forefront Client

Forefront Client Security Health Validator
The Forefront Client Security Health Validator is the antivirus and antispyware component of the system health agent/validator pair.

NAP architecture with Forefront Client Security SHA/SHV

Business Ready Security: help securely enable business. Identity; highly secure and interoperable platform. From: block, cost, siloed. To: enable, value, seamless.

Identity and Security Division at Microsoft

DirectAccess (Diagram: a DirectAccess client on Windows 7 tunnels over the Internet, using IPv4 UDP, HTTPS, etc., to a DirectAccess server on Windows Server 2008 R2 acting as the IPsec gateway; traffic is encrypted with IPsec ESP, and IPsec hardware offload is supported.)

Simplify the Security Experience; Manage Compliance

2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.