Windows Server
Download
Report
Transcript Windows Server
SVR302
网络安全基础架构服务NAP概览
课程内容安排
下一代Windows服务器-Longhorn Server
网络接入保护NAP功能/结构概述
演示
问题交流
下一代Windows服务器Longhorn
下一代Windows服务器Longhorn Server
Server Core
Composable Roles
Solution SKUs
Self-Healing NTFS
Hot-Pluggable Subsystems
Dynamic Partitioning
IIS 7.0
Workflow Foundation
WCF (“Indigo”)
Code Name “Longhorn”
Federated Identity
Network Access Protection
Terminal Services
SMB 2.0
Storage Management
Transactional FS
Windows Server 演变
2009
2007
Windows Server “Longhorn” R2
Windows Server “Longhorn”
2006
2005
Windows Server 2003 Compute Cluster Edition
Windows Small Business Server 2003 R2
Windows Server “Longhorn” Beta 2
Windows Storage Server R2
Windows Server 2003 R2
Windows Server “Longhorn” Beta 1
Windows Server Update Services
Windows Server 2003 x64 Editions
Windows Server 2003 Service Pack 1
网络接入保护NAP功能/结构概述
为什么需要NAP-Network Access Protection?
用户环境
病毒、蠕虫、恶意软件、木马带来的危害
来自多区域、多设备通过公共网络的连接
不充分/被动的防御
用户需求
降低业务与服务的风险
满足强制的法律要求(Sarbanes-Oxley, HIPPA...)
异构体系架构环境的集成
控制集中的管理策略
NAP解决方案概览
策略确认
鉴别计算机是否满足公司的安全策略。满足的电脑被认为是
“健康的。”
网络限制
根据计算机的健康状态限制对网络的访问。
实施补救
提供必要的更新使计算机能够 “实现健康。” 一旦恢复健康,
网络限制被解除。
变化的要求
公司安全策略的变更或者计算机的健康状态可以动态的作用在
网络限制上。
NAP构成
Enforcement
Components
Platform
Health Components
Components
Enforcement
Quarantine
Agent
Client
(QA)
= (SHA)
Negotiates
= Reports
access
client health
with network
status,state,
access
coordinates
device(s).
between SHA
and NAD.
System
Health
Agent
= Declares
(patch
virus
signature,
system
configuration,
etc.).
Network
Quarantine
Access
Server
Device
(QS) == Provides
Restricts network
client’s network
access to
access
healthy
based
endpoints.
on what SHV certifies.
System Health Validator (SHV) = Certifies declarations made by health agents.
= Windows
components
QA/QSRegistration
Health
Authority
= Issues certificates to clients that pass health checks.
System Health Server = Defines health requirements for system components on the client.
Remediation Server = Installs necessary patches, configurations, applications.
Brings client to healthy state.
System Health Servers
Remediation Servers
Client health validation
Policy and updates
Client
Health
Statements
System Health Agents
Quarantine Agent (QA)
NAD
Network
Access
Requests
IAS Server
System
Health Validators
Health
Certificate
HRA
Quarantine Server (QS)
Enforcement Clients
IPsec, 802.1X, DHCP, VPN
Network Access Device &
Health Registration Authority
NAP实施选择
Enforcement
Healthy Client
DHCP
VPN (MS and 3rd
802.1X
Full IP address given, full Restricted set of routes
Full access
Restricted VLAN
Full access
Restricted VLAN
Can communicate with
Healthy peers reject
peer
from unhealthy systems
Complements layer 2 protection
Works with existing servers and infrastructure
Flexible isolation
IPsec
Unhealthy Client
灵活的强制选项
DHCP
VPN
802.1X
IPsec
LAN or Remote
LAN
Remote
LAN
Enables application isolation
Use of existing servers
Use of existing network
Protects against static
Protects against rogue
Protects against virtual PC
No
No
Yes
No
No
No
No
No
Yes
Yes
No
No
No
Yes
No
Yes
No
No
LAN/
WAN
Yes
Yes
Yes
Yes
Yes
Yes
NAP流程
非健康状态客户端 – 802.1X 场景
Corporate Network
Restricted Network
Client
No. I’m putting you on
aI get
restricted
VLAN.
Get Network Access Device
Can
I get
onon
thethe
network
now?
Can
network?
(DHCP, VPN, SSL app proxy
certificate.
Here
isamy
health
certificate.
Here
ishealth
my
health.
802.1x)
Can I have a health
certificate? I’ve
No, you need fix up.
been updated.
Here you go.
Can I have
updates?
IAS
Policy Server
NAD validates with IAS.
HRA validates with IAS.
Health
Registration Authority
Here you go.
Full access granted.
Health certificate is re-used
For subsequent access requests.
Ongoing policy updates
to IAS Policy Server
Remediation
Server
System Health
Servers
NAP流程
健康客户端场景
Corporate Network
Client
Can I get on the network?
Here is my identity.
Network Access Device
(DHCP, VPN, SSL app proxy
802.1x)
IAS
Policy Server
Validates with IAS.
Client is healthy.
Health Registration
Authority
Full access granted.
Remediation
Servers
System Health
Servers
IPsec NAP 功能特点
使用IPsec隔离非健康客户端
安全强化
重新配置的客户端不能通过
或者通过使用hubs / virtual PC 技术
非基础架构升级
工作在今天的交换机/路由器环境
不需要替换/升级 DHCP, VPN, etc.
灵活的隔离
健康的系统能够连接到被隔离的系统,相反则拒绝访问
隔离模式通过策略定制
IPsec NAP 隔离模式
Policy Definitions
Protected
Zone
Quarantine
Zone
All systems
Health
Authentication
required to
into a system
Boundary
Zone
ALLOWED
ALLOWED
Boundary
Zone
All systems
Health
Authentication
requested but
required to
into a system
Quarantine
Zone
No Health
No IPsec
ALLOWED
BLOCKED
Protected
Zone
IPsec NAP 场景
Quarantine
Zone
Boundary
Zone
Protected
Zone
May I have a DHCP
address?
May I have a health
certificate?
Here’s
Here
you my
go. SoH.
Client
DHCP
Client ok?
Yes.
No.
Health
Here’s
your
You
don’t
gethealth
a health
Issue health
fix-up.
Registration Needs
certificate. Go fix up.
certificate.
certificate.
I need updates. Authority
Accessing the network
Here you go.
IAS
Remediation
Server
SMS 与 NAP
1.
SMS 管理的客户端能够保证健康状态
移动客户端返回公司网络时得到更新
连接的桌面机通过例行检查保证健康状态
健康声明基于MSRC公告板
自动的补救
丰富的满足策略报表
2.
3.
SMS-NAP 协同工作保证没有风险暴露
SMS 促进 NAP 架构计划与部署
分布式的结构
客户端安装与更新
SMS 与 NAP
Corporate Network
Tests and authorizes
security update.
Distributes
policy and
security
updates.
Defines enforcement
Sends MSRC bulletin.
Restricted Network
policy.
MS
Download
Center
SMS Site Server
SMS Remediation
Servers
Publishes policy
reference.
Management Point
Here are your updates.
Distribution Point
Requesting updates.
Client
Periodically plumbs policy
reference to IAS Policy
Server.
IAS
Policy Server
Requesting
May access.
I have access?
Here’s
my new
Here’s
health
mystatus
current
with
required
health
security
status.
updates.
You are being given
restricted access until
fix-up.
AD
Should this client be granted
access based on it’s health?
Network
Access
Device
(DHCP,
VPN)
SMS Health Validator
I can validate
Restrict
I can
Can
client,
validate
Grant
you
request
validate
access.
this
client.
this
client’s
health.
it toIt’s
update.
not up to date.
Tell
client?
Yes, meetsit to
Is it up policy.
toupdate.
date?
Client is granted access to full intranet.
Quarantine Server (QS)
NAP集成
好处
•
•
•
•
深入防御体系的多层次集成.
为健康客户端提供快速访问.
网络厂商提供创新的价值.
客户选择 – 能够保护网络访问、主机访问、应用访问,并且按照相应的需要
灵活的集成。
Client
Cisco
ACS
System Health Agent
Quarantine Agent (QA)
3rd Party
VPN / 802.1x
Enforcement
DHCP/VPN
Quarantine
Enforcement
Other
CS
Network Infrastructure
(Cisco or 3rd party, etc.)
Active
Directory
MS IAS
Policy Server
3rd Party
AV, Patch, FW
Health Registration Authority
NAP合作伙伴
Microsoft Integration
Ecosystem Partners
Networking
Anti-Virus
Endpoint Security
Update/Management
Systems Integrators
成功的部署途径
架构预览
开发
一个
计划
与预
算
准备
计划
/设
计运
维架
构
定义
策略
与流
程
部署
部署底层架构
测试
试点
部署
正
式
部
署
NAP部署准备
Preparing for NAP is going to take effort and time
Take advantage of the time to prepare your networks for
the new model
Deployment preparation tasks:
Health Modeling
Health Policy Zoning
Secure Network Infrastructure Analysis
IAS (RADIUS) Deployment
Zone Enforcement Selection
Exemption Analysis
Rollout Planning and Change Process Control
Success Matrices and Measures
Ensure NAP readiness across your IT organization
立刻行动!
测试/试点部署-Longhorn Beta 2
从简单开始
使用DHCP部署管理/升级到IPsec
根据风险评估分阶段实施
Step 1 – Observation mode only
Step 2 – Grant grace period, enforce later
Step 3 – Enforce now
给我们反馈
Web site and whitepapers:
www.microsoft.com/nap
Information on SDK distribution: [email protected]
Questions or feedback:
[email protected]
Network Access Protection Components
System Health Servers
Remediation Servers
(Anti-virus, Patch, System Mgt, etc.)
(Anti-virus, Patch, System Mgt, etc.)
Client health validation
Policy, health checks, updates
Client
System Health Agents
Microsoft and 3rd Party
(AV/Patch/FW/Other)
Statements
of Health
(SoHs)
Network
Access
Requests /
Responses
IAS
Policy Server
System Health Validators
Quarantine Agent (QA)
Quarantine Enforcement Client
3rd
Microsoft and
Party
DHCP/VPN/1X/IPsec
Microsoft and 3rd Party
Network Access Device
(Microsoft and 3rd party DHCP, VPN Servers,
SSL app proxy, Health Registration Authority)
Quarantine Server (QS)
SHA
System Health Agent = Declares health (patch state, virus signature, system configuration, etc.)
SHV
System Health Validator = Certifies declarations made by health agents
QEC
Quarantine Enforcement Client = Negotiates access with specific network access devices
NAD
Network Access Device = Facilitates health reporting, enforces network restrictions
QA
Quarantine Agent = Reports client health status, coordinates between SHA and Quarantine Enforcement
Server (QES), which is on the NAD
QS
Quarantine Server = Restricts client’s network access based on what SHV certifies
SHS
System Health Server = Defines health requirements for system components on the client
RS
Remediation Server = Installs necessary patches, configurations, applications; brings client to healthy state