Jeff.Sigman@microsoft.com Senior Program Manager


Presentation Transcript


    2. Jeff.Sigman@microsoft.com Senior Program Manager

    3. The {case} for NAP
        - Yesterday’s network access control
            - Single function products primarily at the perimeter
        - Gets expanded by NAP
            - Authentication throughout the network
                - Based on identity
                - Based on group and role
                - Across perimeter, internal network, host
            - Governance and risk management
                - Central policy defines ‘healthy’
                - Compliance reported, tracked
                - Compliance used for authorization
        - Resulting in Policy Based Access Control
            - Controlled access for guests, vendors, partners
            - Improved resilience to malware as network health increases
            - More robust update infrastructure
            - Managed compliance

    4. Internal Network Protection with NAP {restricting physical access to authorized and compliant systems}

    5. Perimeter Protection with NAP {protection for roaming machines}

    6. Host Protection with NAP {protecting endpoints on the corporate network and while roaming}

    7. NAP {architecture}

    8. NAP {progress}

    9. NAP {standards and interoperability}

    10. NAP {demo}

    12. Avenda Systems {extending NAP}
        - Linux NAP Agent
            - CentOS 5 & above
            - Fedora 6 & above
            - Red Hat Enterprise Linux 4 & 5
            - SUSE Enterprise Desktop distributions
        - Windows Universal SHA/SHV
            - Windows Vista
            - Windows XP SP3
            - Windows 2008 Server
        - eTIPS Policy Management System

    13. Avenda Systems {comprehensive health}
        - Linux NAP Agent
            - 802.1X Enforcement (Wired/Wireless)
            - Service
            - Firewall
            - Anti-Virus
        - Windows Universal SHA/SHV
            - Service
            - Firewall
            - Anti-Virus & Anti-Malware
            - REGISTRY!

    14. NAP {demo}

    15. Napera {network health made easy}

    16. Napera {easy to deploy, easy to expand}

    17. Napera {reporting}

    18. NAP {demo}

    19. NAP {deployments}

    20. {deploying} NAP

    21. Ball State University {NAP hero Alex Chalmers}
        - State-assisted doctoral institution in Muncie, Indiana
        - Human Capital
            - 20,000 students, 6,000 residential
            - 2,800 faculty and staff
        - Technical Capital
            - 10 Gbps multinode network core
            - 1 Gbps building distribution typical
            - 1,100 wireless access points
            - 20,000 network endpoints
                - Majority Windows XP SP2 or higher
                - 15-20% Mac OS, Linux, other
                - Printers, network storage, VoIP devices, PDAs, media players, game consoles

    22. Ball State University {adventures in admission control}
        - Fall 2004
            - Wireless use started dramatically expanding
            - Inline, authentication-only appliances become a bottleneck
            - Opportunity to shift to a quarantine and remediation system
        - Spring 2005
            - Started Cisco Clean Access deployment project
            - Three phase deployment plan
                - Phase I: Replace existing wireless authentication devices
                - Phase II: Extend authentication to wired networks
                - Phase III: Introduce health assessment, network quarantine, and remediation
        - Late 2005
            - Deployment Phase I completed

    23. Ball State University {adventures in admission control}
        - Fall 2006
            - Wired authentication pilot started
        - November 2006
            - Windows Vista released
        - April 2007
            - Support for Vista in Clean Access 4.1 Agent
        - August 2007
            - Clean Access project suspended
            - Wired authentication pilot rolled back

    24. Ball State University {clean access postmortem}
        - Technical Complexity
            - Inline, server-based appliance
            - Needs to know client MAC address
            - All authentication/quarantine traffic routes through Clean Access Server
            - ActiveX/Java control in web authentication
            - Requires additional components to encrypt wireless traffic
        - Health Assessment
            - Available only for Windows platforms
            - Requires deployment of Clean Access Agent
        - Compatibility
        - Support Responsiveness
        - Solution Cost

    25. Ball State University {NAP design considerations}
        - NAP/NPS as a Platform
            - Allows for solving problems that were not in the product design specification
            - Provides the ability to do cross platform health assessment via third party extensions
        - Inline Appliances Not Needed
        - Standards Compliance
            - TNC
            - 802.1X
            - WPA
        - User Experience
        - Solution Cost

    26. Ball State University {designing our NAP deployment}
        - Separate residential network from business network
            - Business network solution based on 802.1X NAP for both wired and wireless
            - Residential network solution still being determined
        - Solution infrastructure based on five Network Policy Servers
            - 2 RADIUS proxy
            - 3 RADIUS policy
            - Geographically distributed across campus
        - Centralized data logging using SQL Server 2005 Service Broker
        - Currently deploying only Windows SHA/SHV
            - Will extend SHA/SHV for 3rd party OSs

    27. Ball State University {designing our NAP deployment}

    28. Ball State University {deployment challenges / solutions}
        - Cross platform health assessment and remediation
        - Non-NAP or non-802.1X capable devices
        - Residence hall deployments
        - Centralized logging and reporting
        - Centralized policy configuration and management
        - Non-domain joined system configuration

    29. NAP {key takeaways}
        - NAP is standards based and broadly adopted
            - Based on standards: 802.1x, EAP, IPsec, X.509, IF-TNCCS-SOH
            - Supports all network and endpoint security vendors
            - Interoperates with Cisco NAC and TNC
        - NAP flexibility provides choice
            - Targeted protection for your specific environment
            - “Rip and replace” NOT required -- fits existing infrastructure
        - NAP is deployment ready
            - In production today at MS and TAP, customer feedback positive
            - On track for general release with Windows Server 2008
        - Microsoft offers a complete solution
            - ForeFront, SystemCenter, Windows Update integration

    30. NAP {resources}
        - Microsoft
            - Web: Microsoft.com/NAP
            - Blog: Blogs.Technet.com/NAP
            - TechNet: Technet.Microsoft.com/en-us/network/bb545879.aspx
        - Avenda
            - Web: AvendaSys.com/Products/NAP/
            - Email: AskNAP@AvendaSys.com
        - Napera
            - Web: Napera.com
            - Blog: Napera.com/blog
            - Email: Info@Napera.com
