2. Jeff.Sigman@microsoft.com
Senior Program Manager
3. The {case} for NAP
Yesterday’s network access control
Single function products primarily at the perimeter
Gets expanded by NAP
Authentication throughout the network
Based on identity
Based on group and role
Across perimeter, internal network, host
Governance and risk management
Central policy defines ‘healthy’
Compliance reported, tracked
Compliance used for authorization
Resulting in Policy Based Access Control
Controlled access for guests, vendors, partners
Improved resilience to malware as network health increases
More robust update infrastructure
Managed compliance
4. Internal Network Protection with NAP{restricting physical access to authorized and compliant systems}
5. Perimeter Protection with NAP{protection for roaming machines}
6. Host Protection with NAP{protecting endpoints on the corporate network and while roaming}
7. NAP {architecture}
8. NAP {progress}
9. NAP {standards and interoperability}
10. NAP {demo}
12. Avenda Systems {extending NAP}
Linux NAP Agent
CentOS 5 & above
Fedora 6 & above
Red Hat Enterprise Linux 4 & 5
SUSE Enterprise Desktop distributions
Windows Universal SHA/SHV
Windows Vista
Windows XP SP3
Windows 2008 Server
eTIPS Policy Management System
13. Avenda Systems {comprehensive health}
Linux NAP Agent
802.1X Enforcement (Wired/Wireless)
Service
Firewall
Anti-Virus
Windows Universal SHA/SHV
Service
Firewall
Anti-Virus & Anti-Malware
Registry
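The NAP idea on slide 3 (a central policy defines "healthy", compliance is checked and then used for authorization) and the Avenda health checks above (service, firewall, anti-virus, registry) can be illustrated with a small added model. This is constructed example code, not Microsoft's statement-of-health format or any vendor's SHV; the policy values, service names used as examples and the registry key are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of a NAP-style health evaluation: a central policy defines
# "healthy", one client statement of health (SoH) is checked against it, and the
# result yields the access decision plus a remediation list for quarantined clients.

@dataclass
class HealthPolicy:
    required_services: set          # services that must be running
    max_signature_age_days: int     # anti-virus signatures must be fresher than this
    required_registry: dict         # registry value -> expected data

@dataclass
class HealthResult:
    compliant: bool
    access: str                     # "full" or "restricted" (quarantine network)
    remediation: list = field(default_factory=list)

def evaluate_soh(policy: HealthPolicy, soh: dict) -> HealthResult:
    """Return the access decision and remediation steps for one client SoH."""
    fixes = []
    if not soh.get("firewall_enabled", False):
        fixes.append("enable host firewall")
    if not soh.get("antivirus_enabled", False):
        fixes.append("enable anti-virus")
    elif soh.get("av_signature_age_days", 10**6) > policy.max_signature_age_days:
        fixes.append("update anti-virus signatures")
    running = set(soh.get("running_services", []))
    for svc in sorted(policy.required_services - running):
        fixes.append(f"start service {svc}")
    reg = soh.get("registry", {})
    for key, expected in policy.required_registry.items():
        if reg.get(key) != expected:
            fixes.append(f"set registry value {key} to {expected!r}")
    # Non-compliant clients get restricted access until every fix is applied.
    return HealthResult(not fixes, "full" if not fixes else "restricted", fixes)

# Constructed sample policy (placeholder registry key) and two constructed SoHs.
REG_KEY = r"HKLM\SOFTWARE\Example\NAP\Hardened"
POLICY = HealthPolicy({"wuauserv", "MpsSvc"}, 3, {REG_KEY: 1})
HEALTHY_SOH = {"firewall_enabled": True, "antivirus_enabled": True,
               "av_signature_age_days": 1, "registry": {REG_KEY: 1},
               "running_services": ["wuauserv", "MpsSvc", "Spooler"]}
STALE_SOH = {"firewall_enabled": True, "antivirus_enabled": True,
             "av_signature_age_days": 9, "registry": {},
             "running_services": ["MpsSvc"]}

if __name__ == "__main__":
    for name, soh in (("healthy", HEALTHY_SOH), ("stale", STALE_SOH)):
        r = evaluate_soh(POLICY, soh)
        print(name, r.access, r.remediation)
```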
14. NAP {demo}
15. Napera {network health made easy}
16. Napera {easy to deploy, easy to expand}
17. Napera {reporting}
18. NAP {demo}
19. NAP {deployments}
20. {deploying} NAP
21. Ball State University {NAP hero Alex Chalmers}
State-assisted doctoral institution in Muncie, Indiana
Human Capital
20,000 students, 6,000 residential
2,800 faculty and staff
Technical Capital
10 Gbps multinode network core
1 Gbps building distribution typical
1,100 wireless access points
20,000 network endpoints
Majority Windows XP SP2 or higher
15-20% Mac OS, Linux, other
Printers, network storage, VoIP devices, PDAs, media players, game consoles
22. Ball State University {adventures in admission control}
Fall 2004
Wireless use started dramatically expanding
Inline, authentication-only appliances become a bottleneck
Opportunity to shift to a quarantine and remediation system
Spring 2005
Started Cisco Clean Access deployment project
Three phase deployment plan
Phase I: Replace existing wireless authentication devices
Phase II: Extend authentication to wired networks
Phase III: Introduce health assessment, network quarantine, and remediation
Late 2005
Deployment Phase I completed
23. Ball State University {adventures in admission control}
Fall 2006
Wired authentication pilot started
November 2006
Windows Vista released
April 2007
Support for Vista in Clean Access 4.1 Agent
August 2007
Clean Access project suspended
Wired authentication pilot rolled back
24. Ball State University {clean access postmortem}
Technical Complexity
Inline, server-based appliance
Needs to know client MAC address
All authentication/quarantine traffic routes through Clean Access Server
ActiveX/Java control in web authentication
Requires additional components to encrypt wireless traffic
Health Assessment
Available only for Windows platforms
Requires deployment of Clean Access Agent
Compatibility Support Responsiveness
Solution Cost
25. Ball State University {NAP design considerations}
NAP/NPS as a Platform
Allows for solving problems that were not in the product design specification
Provides the ability to do cross platform health assessment via third party extensions
Inline Appliances Not Needed
Standards Compliance
TNC
802.1X
WPA
User Experience
Solution Cost
26. Ball State University {designing our NAP deployment}
Separate residential network from business network
Business network solution based on 802.1X NAP for both wired and wireless
Residential network solution still being determined
Solution infrastructure based on five Network Policy Servers
2 RADIUS proxy
3 RADIUS policy
Geographically distributed across campus
Centralized data logging using SQL Server 2005 Service Broker
Currently deploying only Windows SHA/SHV
Will extend SHA/SHV for 3rd party OSs
27. Ball State University {designing our NAP deployment}
28. Ball State University {deployment challenges / solutions}
Cross platform health assessment and remediation
Non-NAP or non-802.1X capable devices
Residence hall deployments
Centralized logging and reporting
Centralized policy configuration and management
Non-domain joined system configuration
29. NAP {key takeaways}
NAP is standards based and broadly adopted
Based on standards: 802.1x, EAP, IPsec, X.509, IF-TNCCS-SOH
Supports all network and endpoint security vendors
Interoperates with Cisco NAC and TNC
NAP flexibility provides choice
Targeted protection for your specific environment
“Rip and replace” NOT required -- fits existing infrastructure
NAP is deployment ready
In production today at MS and TAP, customer feedback positive
On track for general release with Windows Server 2008
Microsoft offers a complete solution
ForeFront, SystemCenter, Windows Update integration
30. NAP {resources}
Microsoft
Web: Microsoft.com/NAP
Blog: Blogs.Technet.com/NAP
TechNet: Technet.Microsoft.com/en-us/network/bb545879.aspx
Avenda
Web: AvendaSys.com/Products/NAP/
Email: AskNAP@AvendaSys.com
Napera
Web: Napera.com
Blog: Napera.com/blog
Email: Info@Napera.com