
Security hardening IV

Security hardening IV. NAP and quarantines. Jiří Hýzler, MCT, MVP, OKsystem s.r.o., 22/05/08. What the seminar is about: today we look at the Network Access Protection (NAP) technology introduced in Windows Server 2008: NAP architecture and components.





Presentation Transcript


  1. Security hardening IV: NAP and quarantines. Jiří Hýzler, MCT, MVP, OKsystem s.r.o., 22/05/08

  2. What this seminar covers
     • Today we look at the Network Access Protection (NAP) technology introduced in Windows Server 2008:
     • NAP architecture and components
     • How NAP works with address assignment from a DHCP server, with VPN connections, on computers that use IPsec communication, and for IEEE 802.1X authenticated connections
     • Demo of NAP EC (Enforcement Client) enforcement and NPS configuration
     • A reminder of VPN Network Access Quarantine Control
     • What is new / removed in RRAS in Windows Server 2008
     • Discussion

  3. Why use Network Access Protection? [Diagram: a healthy computer and an unhealthy computer connecting to the private network]

  4. Scenario 1: Your employees' laptops [Diagram: NAP]

  5. Scenario 2: Workstations on the local network [Diagram: Network Policy Server]

  6. Scenario 3: Laptops of visitors, customers, ... [Diagram: Network Policy Server]

  7. Scenario 4: Unmanaged home computers

  8. NAP components

  9. Communication in NAP

  10. Network Protection Services components
     • Network Policy Server (NPS)
     • Network Access Protection (NAP) Policy Server
     • IEEE 802.11 Wireless
     • IEEE 802.3 Wired
     • RADIUS Server
     • RADIUS Proxy
     • Routing and Remote Access
     • Remote Access Service
     • Routing
     • Health Registration Authority (HRA)

  11. NAP Architecture [Diagram: System Health Servers and Remediation Servers; on the client, the System Health Agent (SHA, MS and 3rd parties), Quarantine Agent (QA) and Enforcement Client (EC) (DHCP, IPsec, 802.1X, VPN); the Quarantine Server (QS) on network access devices and servers; the System Health Validator and health policy on the MS Network Policy Server; flows: updates, health policy, network access requests, client health statements, health certificate]

  12. Network Layer Protection with NAP [Diagram: Client, 802.1X switch, MS NPS, System Health Servers, Remediation Servers, Restricted Network]. Exchange shown on the slide:
     • System Health Servers: ongoing policy updates to Network Policy Server
     • Client: "May I have access? Here's my current health status."
     • Switch to NPS: "Should this client be restricted based on its health?"
     • NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
     • Switch to client: "You are given restricted access until fix-up."
     • Client to Remediation Servers: "Can I have updates?" / "Here you go."
     • Client: "Requesting access. Here's my new health status."
     • NPS: "According to policy, the client is up to date. Grant access."
     • Client is granted access to full intranet.

  13. NAP – Enforcement Options

     Enforcement   Healthy Client                          Unhealthy Client
     DHCP          Full IP address given, full access      Restricted set of routes
     VPN           Full access                             Restricted VLAN
     802.1X        Full access                             Restricted VLAN
     IPsec         Can communicate with any trusted peer   Healthy peers reject connection requests from unhealthy systems

     • Complements layer 2 protection
     • Works with existing servers and infrastructure
     • Offers flexible isolation

  14. Host Layer Protection with NAP [Diagram: Client, HRA, NPS, Remediation Server; network zones: No Policy, Authentication Optional, Authentication Required]. Exchange shown on the slide:
     • Client to HRA: "May I have a health certificate? Here's my SoH."
     • HRA to NPS: "Client ok?"
     • NPS: "Yes. Issue health certificate." or "No. Needs fix-up."
     • HRA to client (unhealthy): "You don't get a health certificate. Go fix up."
     • Client to Remediation Server: "I need updates." / "Here you go."
     • HRA to client (healthy): "Here's your health certificate." Client is accessing the network.

  15. IPsec enforcement [Diagram: Secure network (IPsec authenticated), Boundary network, Restricted network (unauthenticated)]

  16. NAP with DHCP [Diagram: Client, IEEE 802.1X devices, DHCP Server, NPS Server, VPN Server, Remediation Servers]. Exchange shown on the slide:
     • Client to DHCP Server: "I need to lease an IP address."
     • DHCP Server to NPS Server: "Requesting access. Here's my new health status."
     • NPS Server: "You are not within the Health Policy requirements."
     • The client requests and receives updates from the Remediation Servers.
     • "Access granted. Here is your new IP address."
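The flow on slides 12, 13 and 16 as an added simulation, not code from the presentation or from Microsoft: a constructed health policy stands in for the NPS System Health Validator, the client's Statement of Health is evaluated, and the enforcement point returns full access or the restricted outcome from the slide-13 table (for DHCP, host routes to constructed remediation server addresses), then re-evaluates after fix-up.

```python
from dataclasses import dataclass

# Constructed health policy modelled on an NPS System Health Validator (SHV):
# each item is a check the client's Statement of Health (SoH) must satisfy.
REQUIRED_HEALTH = {"firewall_on": True, "antivirus_on": True, "signatures_current": True}

# Constructed remediation servers reachable from the restricted network.
REMEDIATION_SERVERS = ["10.0.9.10", "10.0.9.11"]

# Outcome per enforcement method (healthy, unhealthy), taken from the slide-13 table.
ENFORCEMENT = {
    "DHCP":   ("full IP address, full access", "restricted set of routes"),
    "VPN":    ("full access", "restricted VLAN"),
    "802.1X": ("full access", "restricted VLAN"),
    "IPsec":  ("can communicate with any trusted peer", "healthy peers reject connection"),
}

@dataclass
class StatementOfHealth:
    """What the System Health Agent (SHA) on the client reports."""
    firewall_on: bool
    antivirus_on: bool
    signatures_current: bool

def validate_soh(soh: StatementOfHealth) -> list:
    """SHV on the NPS: return the policy items the client fails (empty list = healthy)."""
    return [item for item, want in REQUIRED_HEALTH.items() if getattr(soh, item) != want]

def enforce(method: str, soh: StatementOfHealth) -> dict:
    """Enforcement point decision: full access, or restricted access pointing at remediation."""
    failures = validate_soh(soh)
    healthy, unhealthy = ENFORCEMENT[method]
    if not failures:
        return {"access": "full", "outcome": healthy, "failures": []}
    result = {"access": "restricted", "outcome": unhealthy, "failures": failures}
    if method == "DHCP":  # restricted routes: only host routes to the remediation servers
        result["routes"] = [f"{ip}/32" for ip in REMEDIATION_SERVERS]
    return result

def remediate(soh: StatementOfHealth, failures: list) -> StatementOfHealth:
    """Simulated fix-up: the client applies what the remediation servers provide."""
    for item in failures:
        setattr(soh, item, REQUIRED_HEALTH[item])
    return soh

def nap_session(method: str, soh: StatementOfHealth) -> list:
    """Run the slide-12/16 exchange; return the sequence of access decisions."""
    decisions = [enforce(method, soh)]
    if decisions[0]["access"] == "restricted":
        remediate(soh, decisions[0]["failures"])   # client updates while quarantined
        decisions.append(enforce(method, soh))      # client re-submits its new SoH
    return [d["access"] for d in decisions]
```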

  17. DHCP NAP enforcement DEMO

  18. NAP with RRAS (VPN) [Diagram: Client, VPN Server, NPS Server, Remediation Servers; RADIUS messages and PEAP messages]

  19. VPN NAP enforcement DEMO

  20. VPN Quarantine Control - a reminder. VPN Quarantine Control:
     • Allows VPN client computers to be inspected before they are allowed to access the corporate network
     • Uses client-side scripts to analyse the security configuration of the remote client; during this time the client is placed in the VPN Quarantine network, which may have limited access to corporate resources
     • Once the security configuration is verified, the VPN client connected to the VPN server is moved from the VPN Quarantine network to the VPN Clients network

  21. How does VPN Quarantine Control work? [Diagram: VPN Quarantine Clients Network and VPN Clients Network; VPN Server with the quarantine remote access policy; quarantine script and RQC.exe on the client; Web Server, Domain Controller, DNS Server and File Server on the internal network]

  22. What is new in RRAS in Windows Server 2008
     • NAP enforcement for VPN
     • remote access policy is now configured through Network Policy Server (NPS)
     • Secure Socket Tunneling Protocol (SSTP)
       • supported on Windows Server 2008 and Windows Vista SP1 (not in XP SP3!)
       • passes through NAT (TCP 443); the port can be changed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters\
       • set ListenerPort to the required value (more in http://support.microsoft.com/kb/947032)
     • changes in cryptographic algorithms
       • PPTP
         • only the 128-bit RC4 encryption algorithm is supported
         • support for 40- and 56-bit RC4 has been removed, but can be added back (not recommended) by changing a registry key
       • L2TP/IPsec
         • support for DES with MD5 has been removed, but can be added back (not recommended) by changing a registry key
         • IKE Main Mode supports:
           • newly AES 256, AES 192 and AES 128; 3DES is retained
           • Secure Hash Algorithm 1 (SHA1) integrity check algorithm
           • newly Diffie-Hellman (DH) groups 19 and 20 for Main Mode negotiation
         • IKE Quick Mode supports:
           • newly AES 256, AES 192 and AES 128; 3DES is retained
           • Secure Hash Algorithm 1 (SHA1) integrity check algorithm

  23. What has been removed in Windows Server 2008
     • Bandwidth Allocation Protocol (BAP). Removed from Windows Vista. Disabled in Windows Server 2008.
     • X.25.
     • Serial Line Interface Protocol (SLIP). SLIP-based connections are automatically upgraded to PPP-based connections.
     • Asynchronous Transfer Mode (ATM).
     • IP over IEEE 1394.
     • NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.
     • Services for Macintosh.
     • Open Shortest Path First (OSPF) routing protocol component

  24. Links
     • Network Access Protection: http://www.microsoft.com/windowsserver2008/en/us/nap-product-home.aspx
     • Introduction to Network Access Protection: http://www.microsoft.com/technet/network/nap/napoverview.mspx
     • Network Access Protection Platform Architecture: http://www.microsoft.com/technet/network/nap/naparch.mspx
     • Network Access Protection Policies in Windows Server 2008: http://go.microsoft.com/fwlink/?LinkId=57932
     • Internet Protocol Security Enforcement in the Network Access Protection Platform: http://www.microsoft.com/technet/network/nap/napipsec.mspx
     • Support Webcast: Introduction to Network Access Protection: http://support.microsoft.com/kb/921070
     • Network Access Protection: Frequently Asked Questions: http://www.microsoft.com/technet/network/nap/napfaq.mspx
     • Network Access Protection: TechNet Forums: http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=576&SiteID=17
     • Step-by-Step Guide: Demonstrate NAP IPsec Enforcement in a Test Lab: http://www.microsoft.com/downloads/details.aspx?FamilyID=298ff956-1e6c-4d97-a3ed-7e7ffc4bed32&displaylang=en
     • Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab: http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en

  25. Links
     • Step-by-Step Guide: Demonstrate NAP VPN Enforcement in a Test Lab: http://www.microsoft.com/downloads/details.aspx?FamilyID=729bba00-55ad-4199-b441-378cc3d900a7&displaylang=en
     • Step-by-Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab: http://www.microsoft.com/downloads/details.aspx?FamilyID=ac38e5bb-18ce-40cb-8e59-188f7a198897&displaylang=en
     • TechNet Virtual Lab: Network Access Protection with IPSec Enforcement: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032345136&EventCategory=3&culture=en-US&CountryCode=US
     • Improving Network Compliance with Windows Server 2008 Network Access Protection: http://www.microsoft.com/technet/security/learning/networkcompliance.mspx

  26. Discussion • Questions?
