MS NAP - Security Day

Page 1: MS NAP - Security Day

Windows Server 2008 – Network Access Protection (NAP)

Presented by Vu Nguyen Cao Son, EPG Technical Specialist
[email protected]
www.CaoSonBlog.com

Page 2

Agenda

Why Security
Introducing Network Access Protection
Using NAP with DHCP
Using NAP with VPN/IPsec/802.1x
Q&A

Page 3

Why Security !!!??? – Wrong Way

Media
Personal favor
I think "it is important and essential to my system"
My company has "funds" for security

Page 4

Why Security !!!??? – Right Way

Business continuity
Risk-based model
Defense in depth
Security control with ISO 27001
Risk level
ROI

Page 5

Risk-based Decision Making

Business and IT Teams: "Best Control Solution"
Information Security: "Prioritize Risks"
Business Owners: "What's Important"

The cycle:
Assess Risks
Define Security Requirements
Determine Acceptable Risk
Design & Build Security Solutions
Operate & Support Security Solutions
Measure Security Solutions

Page 6

Demonstration: Defense in Depth with Microsoft Products

Examining Connection Trace Logs
Examine Event Logs
Examine Connection Logs

Page 7: MS NAP - Security Day

Enhanced SecurityAll communications are authenticated, authorized & healthyDefense-in-depth on your terms with DHCP, VPN, IPsec, 802.1XPolicy-based access that IT Pros can set and control

Increased Business Value

Preserves user productivity Extends existing investments in Microsoft and 3rd party infrastructure Broad industry partnership

Network Access Protection BenefitsNetwork Access Protection Benefits

Risk Risk LevelLevel

Health and Policy

Validation

Defense at

Multiple Layers

ROIROI

Healthy Endpoints Connect

Leverage Existing

Investments

Page 8

Agenda

Why Security
Introducing Network Access Protection
Using NAP with DHCP
Using NAP with VPN/IPsec/802.1x
Q&A

Page 9

Network Access Protection Solution

Policy Validation
Network Restriction
Remediation
Ongoing Compliance

Defense-in-depth layers: Policies, Procedures, and Awareness; Data; Application; Host; Internal Network; Perimeter

Page 10

NAP Architecture Overview

Client
System Health Agent (SHA) – MS and 3rd parties
Quarantine Agent (QA)
Enforcement Client (EC) (DHCP, IPsec, 802.1X, VPN)

Network Access Devices and Servers

Network Policy Server
Quarantine Server (QS)
System Health Validator

System Health Servers
Remediation Servers

Flows: Network Access Requests; Health Statements; Health Policy; Updates; Health Certificate

Page 11

How NAP Works

Windows Client (QA, SHA, EC)
Network Enforcement Endpoint
NPS (QS, SHV)
Active Directory
Remediation Servers

Network Access Requests and Health Statements
Not Compliant: Restricted Network
Policy Compliant: Corporate Network

Page 12

Why Microsoft NAP

Software-based solution, free with Windows Server 2008.
Integrated into the client operating system (XP SP3, Vista)
Integrated with core systems (SCCM, FCS, WSUS)
Integration with 3rd party security products (Cisco, Juniper, Symantec, McAfee)
NAP + Domain & Server Isolation = Enforcement Sec
Multiple types of enforcement

Page 13

Agenda

Why Security
Introducing Network Access Protection
Using NAP with DHCP
Using NAP with VPN/IPsec/802.1x
Q&A

Page 14

NAP with DHCP

Components: Client; DHCP Server; NPS Server; VPN Server; IEEE 802.1X Devices; Remediation Servers

Client: I need to lease an IP address
NPS: You are not within the Health Policy requirements
The client requests and receives updates (from the Remediation Servers)
Client: Requesting access. Here's my new health status.
DHCP Server: Access granted. Here is your new IP address
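The "How NAP Works" slide and the "NAP with DHCP" slide describe the same cycle: the client's health agents report a statement of health, the validator on the NPS checks it against the health policy, a noncompliant client is confined to a restricted network that reaches only the remediation servers, and after remediation the client re-requests access and is granted a normal lease. The following Python model, added here to illustrate that cycle and not code from the presentation or from Microsoft, walks through it end to end. The class names (StatementOfHealth, HealthPolicy, Lease, Decision), the four health checks, and the addresses are assumptions chosen for the example.

```python
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import List, Optional, Tuple

# Added illustration of NAP health evaluation and DHCP enforcement.
# Not code from the presentation; the types below are hypothetical
# simplifications of the real SoH, SHV and DHCP lease objects.


class Access(Enum):
    FULL = "full"              # lease on the corporate network
    RESTRICTED = "restricted"  # lease that reaches remediation servers only


@dataclass
class StatementOfHealth:
    """Health state the System Health Agents (SHA) report via the Quarantine Agent (QA)."""
    firewall_on: bool
    antivirus_on: bool
    antivirus_current: bool
    auto_update_on: bool


@dataclass
class HealthPolicy:
    """Requirements the System Health Validator (SHV) on the NPS evaluates."""
    require_firewall: bool = True
    require_antivirus: bool = True
    require_antivirus_current: bool = True
    require_auto_update: bool = True


# (policy attribute, SoH attribute, failure text returned to the client)
REQUIREMENTS: List[Tuple[str, str, str]] = [
    ("require_firewall", "firewall_on", "firewall disabled"),
    ("require_antivirus", "antivirus_on", "antivirus disabled"),
    ("require_antivirus_current", "antivirus_current", "antivirus signatures out of date"),
    ("require_auto_update", "auto_update_on", "automatic updates disabled"),
]

# Constructed sample addresses for the lab; not from the presentation.
CORP_GATEWAY = "10.0.0.1"
REMEDIATION_SERVERS = ["10.0.0.50", "10.0.0.51"]


@dataclass
class Lease:
    address: str
    netmask: str
    gateway: Optional[str]
    static_routes: List[str] = field(default_factory=list)


@dataclass
class Decision:
    access: Access
    failures: List[str]
    lease: Lease


def validate(soh: StatementOfHealth, policy: HealthPolicy) -> List[str]:
    """SHV step: return the unmet requirements (an empty list means compliant)."""
    return [msg for pol_attr, soh_attr, msg in REQUIREMENTS
            if getattr(policy, pol_attr) and not getattr(soh, soh_attr)]


def dhcp_enforce(soh: StatementOfHealth, policy: HealthPolicy, address: str) -> Decision:
    """Enforcement step: the DHCP server hands out a lease that matches the NPS verdict."""
    failures = validate(soh, policy)
    if not failures:
        return Decision(Access.FULL, [], Lease(address, "255.255.255.0", CORP_GATEWAY))
    # Noncompliant clients get a host-only mask, no default gateway, and host
    # routes to the remediation servers only, so nothing else is reachable.
    routes = [f"{srv}/32" for srv in REMEDIATION_SERVERS]
    return Decision(Access.RESTRICTED, failures, Lease(address, "255.255.255.255", None, routes))


def remediate(soh: StatementOfHealth, failures: List[str]) -> StatementOfHealth:
    """Remediation step: the QA/SHAs fix what the restricted lease lets them reach."""
    fixed = replace(soh)  # copy, so the caller's original statement is untouched
    for _, soh_attr, msg in REQUIREMENTS:
        if msg in failures:
            setattr(fixed, soh_attr, True)
    return fixed


def access_flow(soh: StatementOfHealth, policy: HealthPolicy,
                address: str = "10.0.0.77") -> Tuple[List[str], Decision]:
    """Run the exchange from the 'NAP with DHCP' slide; return the transcript and final verdict."""
    log = ["client: I need to lease an IP address; here is my health statement"]
    decision = dhcp_enforce(soh, policy, address)
    if decision.access is Access.RESTRICTED:
        log.append("nps: you are not within the health policy requirements: "
                   + ", ".join(decision.failures))
        log.append(f"dhcp: restricted lease {decision.lease.address}/32, "
                   f"routes to {', '.join(decision.lease.static_routes)}")
        soh = remediate(soh, decision.failures)
        log.append("client: updates received; requesting access with my new health status")
        decision = dhcp_enforce(soh, policy, address)
    log.append(f"dhcp: access {decision.access.value}, lease {decision.lease.address} "
               f"mask {decision.lease.netmask} gateway {decision.lease.gateway}")
    return log, decision


if __name__ == "__main__":
    stale = StatementOfHealth(firewall_on=False, antivirus_on=True,
                              antivirus_current=False, auto_update_on=True)
    for line in access_flow(stale, HealthPolicy())[0]:
        print(line)
```

The restricted lease is modelled on what NAP DHCP enforcement actually issues: an address with a 255.255.255.255 mask, no default gateway, and classless static routes to the remediation servers, so the quarantined host can fetch updates but reach nothing else. Because this control lives entirely in the DHCP-supplied configuration, it only governs hosts that take their addressing from the DHCP server, which is why Microsoft documents DHCP as the weakest of the four enforcement methods; IPsec or 802.1X enforcement, covered on the following slides, is the stronger choice where the infrastructure supports it.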

Page 15

Demonstration Environment

Page 16

Demonstration: Configuring NAP for DHCP

Page 17

Agenda

Why Security
Introducing Network Access Protection
Using NAP with DHCP
Using NAP with VPN/IPsec/802.1x
Q&A

Page 18

NAP with VPN and RRAS

Components: Client; VPN Server; NPS Server; Remediation Servers
PEAP Messages (Client to VPN Server)
RADIUS Messages (VPN Server to NPS Server)

Page 19

IPsec-based Communication

Secure network (IPsec Authenticated)
Boundary network
Restricted network (Unauthenticated)

Page 20: MS NAP - Security Day

Most Wireless Security for Enterprise with NAPMost Wireless Security for Enterprise with NAPInteroperation with many 802.1x SwitchInteroperation with many 802.1x Switch

Network Policy ServerNetwork Policy ServerAuthentication ServerAuthentication Server

802.1x Access Points802.1x Access Points

802.1x Switch802.1x SwitchWireless ClientsWireless Clients

Active DirectoryActive Directory

Health Requirement Health Requirement ServerServer

Certificate Authority Certificate Authority (Optional)(Optional)

Using NAP with 802.1x DeviceUsing NAP with 802.1x Device

Page 21

Q&A and Thank You
www.CaoSonBlog.com