100 likes | 116 Views
This article explores the evolution of network access protection technologies and discusses the requirements and preferences of CSOs in terms of network security. It covers topics such as industry trends, consolidation of functionality, mobility, trust boundaries, and more.
E N D
Customer Insight: CSO's Perspective – What Edge? Microsoft Research EdgeNet, June 2006 Mark Ashida General Manager Windows Enterprise Networking
The Evolution of Our Thinking • Industry Trends • Consolidation of functionality vs. appliances • Mobility driving more devices, roaming users, policies • Trust boundaries are vague - hard to define & control • Network Access Protection (NAP) • Defined initial requirements with customers • Early & consistent review with Microsoft IT dept • Refined functionality with feedback from pilot programs • Technology Adoption Program (TAP), Vista Beta Customers
Internet Restricted Zone New PC Logical CorpNet ProvisioningServers Internet DHCP, DNS, AAA X Employee, Partner, Guest PC IPSec Security Seamless Network Gateways Non-domain joined, Non-IPSec Devices What Edge? • VLAN’s, IPsec, internal firewalls, NAC appliances • Jericho Forum • Logical L3+ vs. L2
Thinking Evolution • Network Access Protection Abstraction Health State Network Infrastructure Policy store RADIUS Quarantine Agent Enforcement 802.1x, IPsec
Thinking Evolution • Network Access Protection Abstraction Health State Policy store RADIUS Quarantine Agent Enforcement 802.1x, IPsec Control Plane Enforcement/ Network Assets Network Infrastructure
Enforcement/ Network Assets Network Infrastructure Thinking Evolution Single Dashboard Reporting MOM MOM Pak MOM Pak MOM Pak Health State UI Diag Policy store RADIUS Quarantine Agent Enforcement 802.1x, IPsec Control Plane
Thinking Evolution NAP Configuration Help Desk Security Provisioning Performance Network State Database (in MOM) Policy store RADIUS DHCP Clients WINS VM/TPM DNS Network Infrastructure
What CSO’s want. • Want it soon – they want PAC not NAC • Fined grained admission per resource based upon • Fined grained based upon rich information such as: • Identity (permanent and temporary) • Machine state (health) • Application • Entry point • Time of day, etc. • Interoperability with current infrastructure/desktops • Multi-vendor solution • Federated trust would be nice • Manageability
What CSO’s don’t want • Don’t make it uneconomical for us to deploy • Help desk • Management • Multiple solutions • Don’t break Provisioning/Logon/SSO • Is 802.1x the right enforcement method? • Practical deployment issues – beaconing, provisioning, multimac on single port, VM’s,
Unashamed Vista/LHS Plug • Network Diagnostics – why can’t you connect and repair • NAP Agent – why you can’t connect/Help desk • MOM Desktop NAP Agent – events/alarms from desktop, expanding to all networking elements on desktop (QoS, etc.) • IPsec – giving you virtual logical groups anywhere in the world (240k desktops at MS) with much reduced deployment costs • Adaptive NEW IP Stack – much better throughput, up to 80+Mbs on a 100Mbs port vs. 20 previously • IP Offload – 10Ge announced now • IPv6 – on by default