170 likes | 322 Views
Selecting the Right Network Access Protection Architecture. Infrastructure Planning and Design Series. What Is IPD?. Guidance that aims to clarify and streamline the planning and design process for Microsoft ® infrastructure technologies IPD…in 50 pages: Defines decision flow
E N D
Selecting the Right Network Access Protection Architecture Infrastructure Planning and Design Series
What Is IPD? Guidance that aims to clarify and streamline the planning and design process for Microsoft® infrastructure technologies IPD…in 50 pages: • Defines decision flow • Describes decisions to be made • Relates decisions and options for the business • Frames additional questions for business understanding • Replaces Windows Server System™ Reference Architecture (WSSRA) Download the IPD Guides at www.microsoft.com/ipd
Getting Started Selecting the Right nAP Architecture
Purpose and Agenda • Purpose • To assist in the decision-making process regarding which enforcement methods to use in conjunction with Network Access Protection (NAP) to meet business and technical requirements • Agenda • Determine which components to use in a NAP architecture
What Is NAP? • Network Access Protection is a policy-based solution that: • Validates whether computers meet health policies • Can limit access for noncompliant computers • Automatically remediates noncompliant computers • Continuously updates compliant computers to maintain health state • Offers administrators a wide range of choice and deployment flexibility to better secure their Windows networks
Why Implement NAP? • Controlled access for guests, vendors, partners • Improved resilience to malware as network health increases • More robust update infrastructure • Managed compliance
Key Messages for NAP • The NAP client can be Windows Server® 2008, Windows Vista®, Windows® XP SP3, or third-party (Linux + Macintosh) • NAP is built into Windows that you enable via GP/script • NAP requires a minimum of one Windows Server 2008 machine to get started
Decision Flow • Determine the client connectivity • Determine enforcement layer • If enforcement is at network layer, select enforcement options
Determine Client Connectivity • Type of network connectivity dictates appropriate enforcement methods. Client devices connect two ways: • Locally—via wired or wireless • Remotely—such as VPN
Determine VPN Platform • Will the VPN platform be Microsoft or third-party? • Microsoft VPN selected: • If IT selects RRAS to provide remote access, VPN server must run Windows Server 2008 • Low level of complexity and cost to implement • Third-party VPN selected: • If IT selects a third-party VPN, IPsec can be used to restrict client device access • High level of complexity and medium cost to implement
Enforcement Layer Decision • Enforce NAP restrictions at each host or enforce on network? • Enforce restrictions at hosts selected: • Using IPsec provides robust security • High level of complexity and medium cost to implement • Enforce restrictions on network selected: • Depending on specific network-based enforcement method, security level less robust than IPsec • Medium level of complexity and highcost to implement
NAP Restrictions – Host vs. Network Enforcement • Use the table below to select between: • IPsec – host-based • 802.1X – network-based • DHCP – network-based
Additional Considerations for NAP • Determine system compliance requirements • Combining NAP technologies • Dependencies
Summary and Conclusion • NAP flexibility provides choice • NAP is deployment ready Provide feedback to satfdbk@microsoft.com
Find More Information • Download the full document and other IPD guides: • www.microsoft.com/ipd • Contact the IPD team: • satfdbk@microsoft.com • Visit the Microsoft Solution Accelerators Web site: • www.microsoft.com/technet/SolutionAccelerators