Enterprise Network Protection Kunal Kodkani Senior Consultant, Microsoft Consulting Services Microsoft Corporation kunal.kodkani@microsoft.com
Agenda • Introduction • NAP Overview • NAP platform architecture • NAP enforcement methods • Demo NAP IPSec enforcement • SDI Overview
Today’s Network Challenges
Today’s networks are highly connected
• Multiple points of attachment: wireless, LAN, WAN, extranet
• Parties with differing rights: employees, vendors, partners
• Proliferation of devices: PCs, phones, PDAs, devices
High connectivity presents new challenges
• Need to control guest, vendor and partner access
• Increased exposure to malware
• Evolved security model: from perimeter control to everywhere control
Key strategies
• Authenticate users and grant access based on role and compliance with corporate governance standards
• Aggressively update out-of-compliance systems
• Apply access policy throughout the network
Solution
• Comprehensive, policy-based authentication and compliance throughout the network
(Slide diagram: Internet, Boundary Zone, Intranet; populations shown: employees, partners, vendors, customers, remote employees)
Enterprise Network Protection • Allows you to control access to your network using • Policy-based enforcement • Logical network isolation using IP Security (IPSec) • Wireless security technologies • Microsoft solutions in this area • NAP • SDI • Securing Wireless using Certificate Services • http://www.microsoft.com/downloads/details.aspx?familyid=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en
Policy Based Network Access Protection
• Policy Validation: determines whether computers are compliant with the company’s security policy. Compliant computers are deemed “healthy”
• Network Restriction: restricts network access for computers based on their health
• Remediation: provides the necessary updates to allow the computer to “get healthy”. Once healthy, the network restrictions are removed
• Ongoing Compliance: changes to the company’s security policy or to a computer’s health may dynamically result in network restrictions
What is Network Access Protection?
• Platform that enforces compliance with health requirements for network access or communication
• NAP is not a security solution to keep the bad guy off your network: health statements are produced by agents on the client itself, so NAP raises the compliance baseline of cooperative, managed machines rather than stopping a deliberately hostile or already-compromised one
• Application programming interfaces (APIs) allow integration with third-party vendors (health agents, validators and enforcement clients)
Network Access Protection: How It Works
(Slide diagram: client, enforcement point (DHCP, VPN, switch/router), Microsoft NPS, policy servers e.g. patch and AV, remediation servers e.g. patch, restricted network, corporate network)
1. Access requested: the client presents authentication information including its identity and health status
2. NPS validates the health status against health policy (supplied by the policy servers)
3. Policy compliant: access to the corporate network is granted
4. Not policy compliant: the client receives restricted network access only, with reachability to the remediation servers
5. After remediation the client presents its updated health status and is granted access
NAP Components
(Slide diagram; recoverable content)
Client side
• NAP Agent
• System Health Agents (SHA): Microsoft SHA, SMS SHA, third-party SHAs
• Enforcement Clients (EC): DHCP, IPsec, 802.1X, VPN; third-party EAP VPNs
Network side
• NAP Server / enforcement points: 802.1X switches, firewalls, SSL VPN gateways, certificate servers
• NPS Policy Server (RADIUS) hosting the System Health Validators (SHV)
• System Health Servers supplying health policy to NPS
• Remediation Servers supplying updates to clients
Flows shown
• Network access requests and health statements from client to NPS via the enforcement point
• Health certificate issued to a compliant client by the certificate server
• Updates from remediation servers to restricted clients
NAP Server-Side Architecture
(Slide diagram; recoverable content)
• NAP health policy server (NPS): NPS Service (RADIUS), NAP Administration Server, SHV API
• SHV_1, SHV_2, SHV_3 plug into the SHV API; an SHV may consult a Health Requirement Server (Health Requirement Server 1, Health Requirement Server 2)
• Windows-based NAP enforcement point: one enforcement component per access method (labelled EC_A, EC_B, EC_C on the slide; the server-side counterparts of the client ECs, called enforcement servers (ES) on the relationship slide), relaying to NPS over RADIUS
NAP Client-Side Architecture
(Slide diagram; recoverable content)
• NAP Client: NAP Agent, SHA API, NAP EC API
• SHA_1, SHA_2, SHA_3 plug into the SHA API; an SHA may contact a Remediation Server (Remediation Server 1, Remediation Server 2)
• NAP EC_A, NAP EC_B, NAP EC_C plug into the NAP EC API
NAP Client-Server Relationships
(Slide diagram; recoverable content. Legend: NAP Agent, EC API, SHA API, SHV API, NAP Administrative Server and NPS Service are provided by the NAP platform; SHAs, SHVs, remediation and health requirement servers are provided by Microsoft or third parties)
• Each SHA produces a Statement of Health (SoH); the NAP Agent combines them into a System Statement of Health (SSoH) and hands it to the active enforcement client (NAP EC_A, NAP EC_B)
• The EC passes the SSoH to its matching enforcement server (NAP ES_A, NAP ES_B) on the Windows-based NAP enforcement point, which forwards it to the NAP health policy server (NPS) over RADIUS
• The NAP Administrative Server splits the SSoH into SoHs and dispatches each to the matching SHV (SHV_1, SHV_2, SHV_4); SHVs may consult Health Requirement Server 1 / 2
• Each SHV returns an SoH Response; NPS combines them into the System SoH Response, which travels back ES → EC → NAP Agent → SHAs, which remediate using Remediation Server 1 where needed
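The client-side pieces above (NAP Agent service, registered SHAs, enforcement clients and the HRA the IPsec EC talks to) can be inspected and switched on from an elevated prompt. The following is an added example, not part of the deck; it assumes a domain-joined Windows 7 / Server 2008 R2 through Server 2012 R2 host (NAP was removed in Windows Server 2016), uses the standard NAP component IDs noted in the comments, and the HRA URL and group name are placeholders. In production the same settings come from Group Policy (Computer Configuration > Windows Settings > Security Settings > Network Access Protection), which overrides local netsh configuration.

```powershell
# Added example (not from the original deck). Run elevated.
$ErrorActionPreference = 'Stop'

function Get-NapRegisteredComponents {
    # SHAs and enforcement clients register under the NapAgent service key; the
    # subkey name is the component ID. Known IDs: 79744 = Windows Security Health
    # Agent; 79617 = DHCP EC, 79618 = Remote Access (VPN) EC, 79619 = IPsec
    # Relying Party EC, 79621 = TS Gateway EC, 79623 = EAP (802.1X) EC.
    foreach ($kind in 'Shas', 'Qecs') {
        Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NapAgent\$kind" -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = $kind; Id = $_.PSChildName } }
    }
}

function Enable-NapIpsecClient {
    param(
        [string]$HraUrl    = 'https://hra.contoso.com/DomainHRA/hcsrvext.dll',  # placeholder
        [string]$GroupName = 'Corp HRA'                                        # placeholder
    )
    # 1. No SoH is produced unless the NAP Agent service runs.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    # 2. Enable the IPsec Relying Party enforcement client (ID 79619).
    netsh nap client set enforcement ID = 79619 ADMIN = "ENABLE"

    # 3. Tell the client which HRA(s) to contact, and insist on HTTPS so the
    #    SoHs and the PKCS#10 request travel inside the SSL tunnel the slides describe.
    netsh nap client add trustedservergroup group = "$GroupName" requirehttps = "ENABLE"
    netsh nap client add server group = "$GroupName" url = "$HraUrl" processingorder = "1"
}

function Show-NapClientState {
    # Effective configuration and the agent's current view of enforcement/health.
    netsh nap client show configuration
    netsh nap client show state
    # The NAP client writes its SoH/SoHR processing to this operational log;
    # the newest entries show why a health certificate was or was not obtained.
    Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-NapRegisteredComponents | Format-Table -AutoSize
Enable-NapIpsecClient
Show-NapClientState
```

The registry listing is the quickest way to confirm that a third-party SHA actually registered with the agent before blaming policy on the NPS side; if the SHA ID is missing here, NPS never sees an SoH for it and the matching SHV reports the client as non-compliant or, depending on SHV settings, as unknown.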
IPsec enforcement
• For noncompliant computers, prevents communication with compliant computers
• Compliant computers obtain a health certificate as proof of their health compliance
• The health certificate is used for peer authentication when negotiating IPsec-protected communications
• The health certificate carries the System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1), normally alongside Client Authentication; that EKU is what distinguishes it from an ordinary machine certificate
• In the IPsec configuration only NAP health certificates are accepted for IPsec authentication, so an ordinary machine certificate issued by the same PKI does not grant access
IPsec enforcement: sequence
(Slide diagram repeated on each step: Remediation Server, Network Policy Server, Health Registration Authority, Health Certification Authority, Protected Network, Boundary Network, Quarantine / Restricted Network)
1. Client starts up on the restricted network.
2. Client creates an HTTPS secure communication channel with the Health Registration Authority (HRA).
3. Client sends its credentials, a PKCS#10 certificate request and its list of Statements of Health (SoHs) to the HRA through the SSL tunnel.
4. The HRA forwards the client identity and health status information to the Network Policy Server (NPS), according to its NPS proxy configuration, for validation in a RADIUS Access-Request message.
5. The NAP Administration Server on the NPS passes the SoHs to their System Health Validators (SHVs).
6. The SHVs evaluate the SoHs and respond with SoH Responses (SoHRs).
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. NPS sends a RADIUS Access-Accept message containing the System SoH Response (SSoHR) and the list of SoHRs to the HRA.
9. The HRA sends the SSoHR and the list of SoHRs through the SSL tunnel to the client.
10a. If compliant, the HRA sends the client’s PKCS#10 request to the Health Certification Authority and finally sends the health certificate through the SSL tunnel to the client.
10b. The NAP Agent passes the SoHRs to the System Health Agents (SHAs) installed on the client.
11. Where an SoHR reports noncompliance, the SHAs perform remediation and pass an updated SoH to the NAP Agent.
12. Client creates a new HTTPS channel with the HRA.
13. Client sends its credentials, a new PKCS#10 request and its updated list of SoHs to the HRA.
14. The HRA validates the credentials and the new list of SoHs with the NPS and obtains a health certificate for the client.
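Two things a practitioner checks after walking through that sequence: did the client actually end up with a health certificate, and does the IPsec policy on the protected hosts accept only health certificates (step 14 is worthless if any machine certificate from the same CA also passes main mode). The following is an added example, not code from the deck; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later, where NAP is still present up to 2012 R2), an elevated prompt on a domain member, and a health CA whose distinguished name is the placeholder below.

```powershell
# Added example (not from the original deck). Run elevated on a domain member.
$ErrorActionPreference = 'Stop'

$healthEku  = '1.3.6.1.4.1.311.47.1.1'                      # System Health Authentication EKU
$healthCaDn = 'CN=Contoso Health CA, DC=contoso, DC=com'     # placeholder: your HRA's CA

function Get-HealthCertificate {
    # Health certificates are machine-scoped and short-lived: look in the machine
    # store, require the health EKU, and drop anything outside its validity window.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $healthEku) -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    }
}

$cert = Get-HealthCertificate
if (-not $cert) {
    Write-Warning 'No valid health certificate: this host is still on the restricted network.'
    Write-Warning 'Check "netsh nap client show state" and the NAP operational event log.'
} else {
    $cert | Format-List Subject, Issuer, NotAfter, Thumbprint
}

# Main-mode (phase 1) authentication proposal: machine certificate that chains to
# the health CA, and -Health restricts acceptance to NAP health certificates.
# This is the "only NAP health certificates can be accepted" setting on the slide.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $healthCaDn -AuthorityType Root -Health
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'NAP health certificate' -Proposal $proposal

# Require authentication inbound, request it outbound: a protected host talks to
# anyone that proves health, and can still reach boundary/remediation servers
# that have no certificate, while an unhealthy peer cannot initiate to it.
New-NetIPsecRule -DisplayName 'NAP IPsec enforcement (require inbound)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Profile Domain -Enabled True

# Verify what the rule will actually accept.
Get-NetIPsecRule -DisplayName 'NAP IPsec enforcement (require inbound)' |
    Get-NetIPsecPhase1AuthSet | Select-Object -ExpandProperty Proposal |
    Format-List AuthenticationMethod, Authority, Health
```

Without -Health the proposal accepts any machine certificate chaining to the named CA, which silently turns IPsec enforcement back into plain certificate-based domain isolation. Encryption is optional in NAP IPsec enforcement, as the pros slide notes; if you want confidentiality as well as authentication, attach a quick-mode crypto set with an ESP encryption algorithm to the same rule.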
NAP IPsec demo
IPsec Enforcement - Cons
• Requires a PKI to be deployed
• Only works in a managed environment (machines must be domain joined)
• Certificates are the only supported credential (plain IPsec server and domain isolation can also use Kerberos)
• Requires an additional role to be deployed on the network (the Health Registration Authority, HRA)
IPsec Enforcement - Pros
• Protects you in a virtual environment (isolation is enforced end to end by the hosts, not by the network fabric)
• Near real-time operation
• Unhealthy clients are truly isolated (the health certificate is removed by the NAP Agent as soon as the client becomes unhealthy, and it is short-lived anyway)
• Offers authentication AND encryption (encryption is optional, not required)
• Works with any switch, router or AP
• Technologies are built into Windows (client and server platforms)
802.1X enforcement • For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection
Network Layer Protection with NAP
(Slide diagram: Client, 802.1X switch, Microsoft NPS, System Health Servers, Remediation Servers, Restricted Network; the exchange shown:)
• System Health Servers → NPS: ongoing policy updates to the Network Policy Server
• Client → switch: “May I have access? Here’s my current health status.”
• Switch → NPS: “Should this client be restricted based on its health?”
• NPS → switch: “According to policy, the client is not up to date. Quarantine client, request it to update.”
• Switch → client: “You are given restricted access until fix-up.”
• Client → Remediation Servers: “Can I have updates?” / “Here you go.”
• Client → switch: “Requesting access. Here’s my new health status.”
• NPS → switch: “According to policy, the client is up to date. Grant access.”
• Client is granted access to the full intranet
802.1x Enforcement - Cons
• Requires compatible hardware
• Bootstrapping clients with credentials is challenging
• Dynamic VLAN switching during the boot process can be problematic
• Requires designing multiple VLANs based on health state
• Requires the Windows supplicant to be used
802.1x Enforcement - Pros • Industry standard protocol supported by all switch and AP vendors • Supplicant is built into Windows • Supports password based or certificates as the credential • Can be deployed in conjunction with DHCP or IPsec enforcements
Taking a phased approach to deployment
• Reporting Mode: allows you to gather information about what is on your network; nothing is restricted
• Deferred Enforcement: introduces NAP to your user population and allows them to police themselves before restrictions take effect
• Full Enforcement: non-compliant machines are quarantined and auto-remediated
Domain Isolation Overview
• Protects trusted systems from untrusted or malicious computers
• Untrusted examples: labs, unmanaged guests, malicious users
IPsec: The Foundation of Isolation • IPsec authentication required for all incoming connections • IPsec used to authenticate remote host • Connection request refused if authentication fails • IPsec ensures data integrity for all connections • And optionally encryption • Works in the network layer • Regardless of the underlying physical layer (hubs, switches, wireless)
How Does Domain Isolation Work? • IPsec policy determines computer behavior • Requires authentication for inbound connections • Ensures data integrity • Adds encryption if necessary • Group Policies used to distribute IPsec policy to hosts • Kerberos (AD) or digital certificates used for authentication
How Domain Isolation Works
(Slide diagram: Active Directory domain controller, corporate network; trusted computers (HR workstation, managed computers, trusted file server, servers with sensitive data) accept each other; an unmanaged/rogue computer and a network printer are untrusted and are refused (X))
Server Isolation Overview
(Slide diagram: the same domain isolation ring, plus a smaller server isolation ring around source code servers and a trusted resource server; only the developer workstation and designated managed computers are admitted, other managed computers and untrusted hosts are refused (X))
• Protect specific high-value hosts and data
How Does Server Isolation Work?
• Adds a layer of authorization on top of the authentication performed by IPsec
• After authentication, Windows evaluates whether the remote host has access permission
• Access is granted if the AD computer account holds the “Access this computer from the network” user right on the server
• To configure Server Isolation, remove Authenticated Users from this right
• Grant the right to Domain Users and to the appropriate computer accounts (or a group containing them)
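The two domain/server isolation slides above describe one procedure: authenticate peers with IPsec (Kerberos machine credentials), then authorize the authenticated computer account through the “Access this computer from the network” right. The following is an added example, not the deck’s own material; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later), an elevated prompt on the server being isolated, and that CONTOSO\HR-Workstations (a group of computer accounts) and the domain controller addresses are placeholders. In production the same settings belong in a GPO linked to the isolated servers’ OU rather than being applied by hand.

```powershell
# Added example (not from the original deck). Run elevated on the isolated server.
$ErrorActionPreference = 'Stop'

# --- A. Domain isolation layer: Kerberos machine authentication, required inbound.
$kerb   = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Domain isolation (machine Kerberos)' -Proposal $kerb
New-NetIPsecRule -DisplayName 'Domain isolation: require inbound authentication' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Profile Domain -Enabled True

# Exempt the infrastructure a peer needs *before* it can authenticate (Kerberos
# KDC, DNS); without this the policy deadlocks. More specific rules win, so the
# address-scoped exemption takes precedence over the generic rule above.
$infra = @('10.0.0.10', '10.0.0.11')   # placeholder DC/DNS addresses
New-NetIPsecRule -DisplayName 'Domain isolation: exempt DCs and DNS' `
    -InboundSecurity None -OutboundSecurity None -RemoteAddress $infra -Profile Domain -Enabled True

# --- B. Server isolation layer: authorization via SeNetworkLogonRight.
function Set-NetworkLogonRight {
    param([string[]]$Principals)
    # Resolve names to SIDs so the template does not depend on name resolution
    # at configure time; secedit expects "*SID" entries.
    $sids = $Principals | ForEach-Object {
        '*' + (New-Object System.Security.Principal.NTAccount($_)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
    }
    $inf = Join-Path $env:TEMP 'server-isolation.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = $($sids -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode
    # Replacing the whole list is what removes Authenticated Users.
    secedit /configure /db (Join-Path $env:TEMP 'server-isolation.sdb') /cfg $inf /areas USER_RIGHTS /quiet
}

function Get-NetworkLogonRight {
    # Export the effective policy and return the SeNetworkLogonRight line for verification.
    $out = Join-Path $env:TEMP 'server-isolation-export.inf'
    secedit /export /cfg $out /areas USER_RIGHTS /quiet | Out-Null
    (Get-Content $out) | Where-Object { $_ -like 'SeNetworkLogonRight*' }
}

# People who may use the server, plus the *computers* that may connect to it.
# With machine Kerberos the computer account (CONTOSO\HOST$) is the principal
# checked for this right, so a domain user on an unmanaged PC is refused.
Set-NetworkLogonRight -Principals @(
    'BUILTIN\Administrators',
    'CONTOSO\Domain Users',
    'CONTOSO\HR-Workstations'   # placeholder group of computer accounts
)
Get-NetworkLogonRight
```

Keep an administrative path in mind before applying this: a management workstation whose computer account is not in the granted group loses remote access to the server the moment secedit runs, and the same is true of backup and monitoring hosts. Test the exported line from Get-NetworkLogonRight on one server before pushing the template through Group Policy.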
SDI Links • SDI Introduction • http://technet.microsoft.com/en-us/library/cc725770.aspx • Windows Firewall Advanced Security and IPSec • http://technet.microsoft.com/en-us/library/cc732283.aspx
NAP Links • http://technet.microsoft.com/en-us/network/bb545879.aspx • Design Guides • Virtual Labs • Step-by-step Guides • Webcasts
NAP Support for Cisco NAC, Linux and Mac OS X • Cisco NAC Interoperability Whitepaper • http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf • UNET provides: • NAP agent for Linux • NAP agent for Mac OS X • http://unet.co.kr/nap/index.html • Avenda provides • NAP agent for Linux • http://www.avendasys.com/products/technologies.php
Your MSDN resources: check out these websites, blogs & more!
Presentations
• TechDays: www.techdays.ch
• MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
• MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx
MSDN Events
• MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
• Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
MSDN Flash (our bi-weekly newsletter)
• Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx
MSDN Team Blog
• RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx
Developer User Groups & Communities
• Mobile Devices: http://www.pocketpc.ch/
• Microsoft Solutions User Group Switzerland: www.msugs.ch
• .NET Managed User Group of Switzerland: www.dotmugs.ch
• FoxPro User Group Switzerland: www.fugs.ch
Your TechNet resources: check out these websites, blogs & more!
Presentations
• TechDays: www.techdays.ch
TechNet Events
• TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
• Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
TechNet Flash (our bi-weekly newsletter)
• Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx
Schweizer IT Professional und TechNet Blog
• RSS: http://blogs.technet.com/chitpro-de/
IT Professional User Groups & Communities
• SwissITPro User Group: www.swissitpro.ch
• NT Anwendergruppe Schweiz: www.nt-ag.ch
• PASS (Professional Association for SQL Server): www.sqlpass.ch