Transcript Technial overview about Network Access Protection (NAP

Kunal Kodkani
Senior Consultant, Microsoft Consulting Services
Microsoft Corporation
[email protected]
Introduction
NAP Overview
NAP platform architecture
NAP enforcement methods
Demo NAP IPSec enforcement
SDI Overview
Multiple points of attachment: wireless, lan, wan, extranet
Parties with differing rights: employees, vendors, partners
Proliferation of devices: PCs, phones, PDAs, devices
Need to control guest, vendor and partners access
Increased exposure to malware
Evolved security model -- from perimeter control to
everywhere control
Authenticate users and grant access based on role and
compliance to corporate governance standards
Aggressively update out-of-compliance systems
Apply access policy throughout the network
Comprehensive, policy-based authentication and compliance
throughout the network
Intranet
Allows you to control access to your
network using
Policy-based enforcement
Logical network isolation using IP Security
(IPSec)
Wireless security technologies
Microsoft solutions in this area
NAP
SDI
Securing Wireless using Certificate Services
http://www.microsoft.com/downloads/details.aspx?fa
milyid=CDB639B3-010B-47E7-B234A27CDA291DAD&displaylang=en
Introduction
NAP Overview
NAP platform architecture
NAP enforcement methods
Demo NAP IPSec enforcement
SDI Overview
Policy Validation
Determines whether the computers are compliant
with the company’s security policy. Compliant
computers are deemed “healthy
Network Restriction
Restricts network access to
computers
based on their health
Remediation
Provides necessary updates to allow the computer to
“get healthy.” Once healthy, the network restrictions
are removed
Ongoing Compliance
Changes to the company’s security policy or to the
computers’ health may dynamically result in network
restrictions
Platform that enforces compliance with
health requirements for network access or
communication
NAP is not a security solution to keep the
bad guy off your network
Application programming interfaces (APIs)
Allows for integration with third-party vendors
Introduction
NAP Overview
NAP platform architecture
NAP enforcement methods
Demo NAP IPSec enforcement
SDI Overview
How It Works
1 Access requested
2 Authentication Information
including ID and health
status
Policy Servers
1
e.g.., Patch, AV
Microsoft
NPS
2
3
Not policy
compliant
Restricted
Network
3 NPS validates against
health policy
4 If compliant, access
granted
If not compliant, restricted
5 network access and
remediation
DHCP,
VPN
Switch/Router
5
Remediatio
n
Servers
e.g., Patch
Policy
compliant
4
Corporate Network
Network
Access
Requests
Updates
Health policy
Health
Statements
(SHA)
(SHA)
MS SHA, SMS
3rd Parties
Health
Certificate
NAP Agent
(EC)
(DHCP, IPsec,
802.1X, VPN)
(EC)
3rd Party EAP
VPN’s
802.1x Switches
Policy Firewalls
SSL VPN Gateways
Certificate Servers
System Health
Validator
NAP Server
SHV_2
SHV_1
SHV_3
SHV API
NAP Administration Server
NPS Service
NAP EC_A
NAP EC_B
NAP EC_C
SHA_1
SHA_2
SHA_3
SHA API
NAP Agent
NAP EC API
NAP EC_A
NAP EC_B
NAP EC_C
SHA_1
SHA_2
SHV_2
SHV_1
SHV_4
SHA API
SHV API
NAP Agent
NAP Administrative Server
NAP EC API
NAP
EC_A
NAP
EC_B
NPS Service
NAP
ES_B
NAP
ES_A
Introduction
NAP Overview
NAP platform architecture
NAP enforcement methods
Demo NAP IPSec enforcement
SDI Overview
Enforcement
IPsec
802.1X
VPN
DHCP
Healthy Client
Client receives
health certificate,
can communicate
with any trusted
peer
Full access
Full access
Full IP address
given
Unhealthy Client
No health certificate
issued, healthy peers
reject connection
requests from
unhealthy systems
Restricted VLAN
Restricted VLAN
Restricted set of
routes
For noncompliant computers, prevents
communication with compliant computers
Compliant computers obtain a health
certificate as proof of their health
compliance
Health certificate is used for peer
authentication when negotiating IPsecprotected communications
Health certificate carries the client
authentication EKU in the certificate
In the IPsec configuration only NAP health
certificates can be accepted for IPsec
authentication
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
1. Client starts up on the restricted network
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
2. Client creates an HTTPS secure communication channel with the Health
Registration Authority
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
3. Client sends its credentials, a PKCS#10 and its list of SoHs (State of health
to the Health Registration Authority (HRA) through the SSL tunnel.
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
4. HCS forwards the client identity and health status information to the Network
Policy Server (NPS) based on its NPS proxy configuration for validation using
RADIUS Access-Request message.
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Server on Network
the Network Policy
5. NAP Administration
Server passes the SoHs
(Statement of Health) to their System Health Validators (SHV).
6. SHVs evaluate the SoHs and respond with SoH Responses (SoHR).
7. NPS evaluates the SoHRs against policy settings and makes a
limited/unlimited network access decision.
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
8. Network Policy Server sends a RADIUS Access-Accept message that
contains the System SoHR (Statement of Health Response) and the list of
SoHRs to the Health Registration Authority.
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
9. The Health Registration Authority sends the System State of Health
Responses (SoHRs )and the list of SoHRs through the SSL tunnel to the client.
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Health
Certification
Authority
Quarantine Restricted
Network
10 a. If compliant, the Health Registration authority sends the client’s PKCS#10
request to the Health certification authority and finally sends the health
certificate through the SSL tunnel to the client.
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
10 b. The NAP Agent passes the State of Health Responses to the System
Health Agents that are installed on the client.
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
11. System Health Agents perform remediation and pass updated Statement of
Health (SoH) to the NAP Agent..
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
12. Client creates a new HTTPS channel with the Health Registration Authority
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Quarantine Restricted
Network
13. Client sends its credentials, a new PKCS#10 request and its updates list of
State of Health’s (SoHs) to the Health Registration Authority
Remediation
Server
Network
Policy Server
Protected Network
Boundary Network
Health
Registration
Authority
Health
Certification
Authority
Quarantine Restricted
Network
14. Health Registration Authority validates the credentials and the new list of
SoHs with the Network Policy Server and obtains a health certificate for the
client.
Introduction
NAP Overview
NAP platform architecture
NAP enforcement methods
Demo NAP IPSec enforcement
SDI Overview
Requires PKI to be deployed
Only works in a managed environment
(machines must be domain joined)
Certificates are the only supported
credential (compared to IPsec server and
domain isolation)
Requires and additional role to be deployed
on the network (HRA)
Protects you in a virtual environment
Near real/time operation
Unhealthy clients are truly isolated
(credential automatically revoked by the
NAP agent)
Offers authentication AND encryption
(encryption is optional, not required)
Works with any switch, router or AP
Technologies are built into Windows (client
and server platforms)
For noncompliant computers, prevents
unlimited access to a network through an
802.1X-authenticated connection
Restricted Network
System Health
Servers
Remediation
Servers
Here you go.
Can I have
updates?
Ongoing policy updates
to Network Policy Server
May I have access?
Requesting
access.
Here’s
my current
Here’s
my new
healthhealth
status.status.
Client
You are given
restricted access
until fix-up.
Should this client be
restricted based
on its health?
802.1x
Switch
According to policy,
According to policy,
the client is not up to
the client is up to
MS NPS
date. Quarantine
date.
client, request it to
update.
Client
is granted access to full intranet.
Grant access.
Requires compatible hardware
Bootstrapping clients with credentials is
challenging
Dynamic VLAN switching during the boot
process can be problematic
Requires designing multiple VLAN’s based
on health state
Requires Windows supplicant to be used
Industry standard protocol supported by all
switch and AP vendors
Supplicant is built into Windows
Supports password based or certificates as
the credential
Can be deployed in conjunction with DHCP
or IPsec enforcements
Reporting Mode
Allows you to gather information as to what is
on your network
Deferred Enforcement
Introduces NAP to your use population and
allows them to police themselves
Full Enforcement
Non-complaint machines will be quarantined
and auto remediated
Introduction
NAP Overview
NAP platform architecture
NAP enforcement methods
Demo NAP IPSec enforcement
SDI Overview
 Labs
 Unmanaged
guests
 Malicious users
Domain Isolation
Protects trusted systems from untrusted or
malicious computers
IPsec authentication required for all incoming
connections
IPsec used to authenticate remote host
Connection request refused if authentication fails
IPsec ensures data integrity for all connections
And optionally encryption
Works in the network layer
Regardless of the underlying physical layer (hubs,
switches, wireless)
7/7/2015
51
IPsec policy determines computer behavior
Requires authentication for inbound connections
Ensures data integrity
Adds encryption if necessary
Group Policies used to distribute IPsec policy to
hosts
Kerberos (AD) or digital certificates used for
authentication
7/7/2015
52
Active Directory
Domain Controller
Corporate
Network
Trusted File
Server
X
HR Workstation Servers with
Sensitive Data
Unmanaged/Rogue
Computer
Network Printer
Managed
Computer
Managed
Computer
Trusted
Computers
Untrusted
7/7/2015
53
Corporate
Network
Active Directory
Domain Controller
Trusted Resource
Server
X
Developer
Workstation
X
Untrusted
Server Isolation
7/7/2015
Managed
Computer
Managed
Computer
Source Code
Servers
Server
Isolation
Domain
Isolation
Protect specific high-valued hosts and data
54
Adds a layer of authorization on top of the
authentication performed by IPsec
After authentication, Windows evaluates if remote
host has access permissions
Access is granted if AD computer account has Access
to this computer from the network privilege
To configure Server Isolation, remove
Authenticated Users from this privilege
Grant access to Domain Users, and to the
appropriate computer accounts
7/7/2015
55
SDI Introduction
http://technet.microsoft.com/enus/library/cc725770.aspx
Windows Firewall Advanced Security and
IPSec
http://technet.microsoft.com/enus/library/cc732283.aspx
http://technet.microsoft.com/enus/network/bb545879.aspx
Design Guides
Virtual Labs
Step-by-step Guides
Webcasts
Cisco NAC Interoperability Whitepaper
http://download.microsoft.com/download/d/0/8/
d08df717-d752-4fa2-a77aab29f0b29266/NAC-NAP_Whitepaper.pdf
UNET provides:
NAP agent for Linux
NAP agent for Mac OS X
http://unet.co.kr/nap/index.html
Avenda provides
NAP agent for Linux
http://www.avendasys.com/products/technologi
es.php
check out these websites, blogs & more!
Presentations
TechDays: www.techdays.ch
MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx
MSDN Events
MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
MSDN Flash (our by weekly newsletter)
Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx
MSDN Team Blog
RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx
Developer User Groups & Communities
Mobile Devices: http://www.pocketpc.ch/
Microsoft Solutions User Group Switzerland: www.msugs.ch
.NET Managed User Group of Switzerland: www.dotmugs.ch
FoxPro User Group Switzerland: www.fugs.ch
check out these websites, blogs & more!
Presentations
TechDays: www.techdays.ch
TechNet Events
TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
TechNet Flash (our by weekly newsletter)
Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx
Schweizer IT Professional und TechNet Blog
RSS: http://blogs.technet.com/chitpro-de/
IT Professional User Groups & Communities
SwissITPro User Group: www.swissitpro.ch
NT Anwendergruppe Schweiz: www.nt-ag.ch
PASS (Professional Association for SQL Server): www.sqlpass.ch
7. – 8. April 2010
Congress Center Basel
Premium Sponsoring Partners
Classic Sponsoring Partners
Media Partner