MS NAP - Security Day
Uploaded by vncson; category: Technology
Transcript of MS NAP - Security Day
Windows Server 2008 – Network Access Protection (NAP)
Presented by Vu Nguyen Cao Son, EPG Technical Specialist
[email protected] | www.CaoSonBlog.com
Agenda
- Why Security
- Introducing Network Access Protection
- Using NAP with DHCP
- Using NAP with VPN/IPsec/802.1x
- Q&A
Why Security !!!??? – Wrong Way
- Media
- Personal favor
- I think “it is important and essential to my system”
- My company has a “fund” for security
Why Security !!!??? – Right Way
- Business Continuity
- Risk-based model
- Defense in Depth
- Security Control with ISO 27001
(Diagram labels: Risk Level, ROI)
Risk-based Decision Making
- Business and IT Teams: “Best Control Solution”
- Information Security: “Prioritize Risks”
- Business Owners: “What’s Important”
1. Assess Risks
2. Define Security Requirements
3. Determine Acceptable Risk
4. Design & Build Security Solutions
5. Operate & Support Security Solutions
6. Measure Security Solutions
Demo: Examining Connection Trace Logs
- Examine Event Logs
- Examine Connection Logs
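The demo above walks through NPS event and connection logs by hand. As an added example (not part of the presentation, and not NPS's real log format), the script below triages a small set of constructed NAP access records to answer the question an administrator actually has after a demo like this: which clients were quarantined and later passed health validation, and which are still stuck in the restricted network. The event numbers used are the NPS Security-log event IDs on Windows Server 2008 (6272 access granted, 6273 access denied, 6276 client quarantined, 6278 full access granted because the host met the health policy); the key=value line layout, host names and policy names are constructed for the example.

```python
"""Triage of constructed NAP/NPS access records (added example, not from the slides)."""
import re
from collections import defaultdict

# Constructed sample records in a simplified key=value layout; this is NOT
# real NPS output, only the event IDs are the real NPS Security-log IDs.
SAMPLE_LOG = """\
2008-06-12 08:01:10 EventID=6276 Client=PC-SALES-07 User=CORP\\alice Policy=NAP-DHCP-Compliant Reason=SoH-noncompliant SHV=WSHV
2008-06-12 08:03:42 EventID=6278 Client=PC-SALES-07 User=CORP\\alice Policy=NAP-DHCP-Compliant Reason=SoH-compliant SHV=WSHV
2008-06-12 08:05:00 EventID=6272 Client=PC-HR-02 User=CORP\\bob Policy=NAP-DHCP-Compliant Reason=SoH-compliant SHV=WSHV
2008-06-12 08:07:19 EventID=6276 Client=PC-LAB-11 User=CORP\\carol Policy=NAP-DHCP-Compliant Reason=SoH-noncompliant SHV=WSHV
2008-06-12 08:30:19 EventID=6276 Client=PC-LAB-11 User=CORP\\carol Policy=NAP-DHCP-Compliant Reason=SoH-noncompliant SHV=WSHV
2008-06-12 08:31:00 EventID=6273 Client=PC-UNKNOWN User=CORP\\guest Policy=NAP-DHCP-Compliant Reason=auth-failed SHV=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<event>\d+) Client=(?P<client>\S+) "
    r"User=(?P<user>\S+) Policy=(?P<policy>\S+) Reason=(?P<reason>\S+) SHV=(?P<shv>\S+)$"
)

GRANTED = {6272, 6278}      # access granted / full access because host is healthy
QUARANTINED = {6276}        # client placed in the restricted network
DENIED = {6273}             # access denied (authentication or policy failure)


def parse_log(text):
    """Parse the constructed records into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["event"] = int(rec["event"])
        records.append(rec)
    return records


def triage(records):
    """Count outcomes and classify quarantined clients by their latest event.

    A client that was quarantined and whose last event is a grant was
    remediated; one whose last event is still a quarantine is stuck.
    """
    per_client = defaultdict(list)
    for rec in records:
        per_client[rec["client"]].append(rec)

    summary = {"granted": 0, "quarantined": 0, "denied": 0,
               "remediated": [], "stuck_in_remediation": []}
    for client, events in per_client.items():
        events.sort(key=lambda r: r["ts"])
        for r in events:
            if r["event"] in GRANTED:
                summary["granted"] += 1
            elif r["event"] in QUARANTINED:
                summary["quarantined"] += 1
            elif r["event"] in DENIED:
                summary["denied"] += 1
        was_quarantined = any(r["event"] in QUARANTINED for r in events)
        last = events[-1]["event"]
        if was_quarantined and last in GRANTED:
            summary["remediated"].append(client)
        elif was_quarantined and last in QUARANTINED:
            summary["stuck_in_remediation"].append(client)
    summary["remediated"].sort()
    summary["stuck_in_remediation"].sort()
    return summary


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The "stuck in remediation" list is the useful output: a client that keeps generating 6276 events without a later 6272/6278 either cannot reach the remediation servers or has an SHA/SHV mismatch, and that is where the connection trace logs from the demo come in.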
Defense in Depth with Microsoft Products

Network Access Protection Benefits
Enhanced Security
- All communications are authenticated, authorized & healthy
- Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
- Policy-based access that IT Pros can set and control
Increased Business Value
- Preserves user productivity
- Extends existing investments in Microsoft and 3rd party infrastructure
- Broad industry partnership
(Diagram labels: Risk Level – Health and Policy Validation, Defense at Multiple Layers; ROI – Healthy Endpoints Connect, Leverage Existing Investments)
Introducing Network Access Protection
Network Access Protection Solution
- Policy Validation
- Network Restriction
- Remediation
- Ongoing Compliance
Defense-in-depth layers:
- Policies, Procedures, and Awareness
- Data
- Application
- Host
- Internal Network
- Perimeter
NAP Architecture Overview
Client side:
- Client
- Quarantine Agent (QA)
- System Health Agent (SHA) – MS and 3rd parties
- Enforcement Client (EC) – DHCP, IPsec, 802.1X, VPN
Server side:
- Network Policy Server
- Quarantine Server (QS)
- System Health Validator
- System Health Servers
- Remediation Servers
- Network Access Devices and Servers
Flows shown in the diagram: Health policy, Updates, Health Statements, Network Access Requests, Health Certificate. Network Access Requests are marked either Policy Compliant or Not Compliant.
How NAP Works
Diagram components: Corporate Network, Restricted Network, Windows Client (QA, SHA, EC), Network Enforcement Endpoint, NPS (QS, SHV), Active Directory, Remediation Servers, Health Statements
Why Microsoft NAP
- Software-based solution, free with Windows Server 2008
- Integrated into the client operating system (XP SP3, Vista)
- Integrated with core systems (SCCM, FCS, WSUS)
- Integration with 3rd party security products (Cisco, Juniper, Symantec, McAfee)
- NAP + Domain & Server Isolation = Enforcement Sec
- Multiple types of enforcement
Using NAP with DHCP
NAP with DHCP
Components: NPS Server, Client, DHCP Server, VPN Server, IEEE 802.1X Devices, Remediation Servers
Exchange shown in the diagram:
1. Client: “I need to lease an IP address”
2. DHCP Server / NPS: “You are not within the Health Policy requirements”
3. The client requests and receives updates (from the Remediation Servers)
4. Client: “Requesting access. Here’s my new health status.”
5. DHCP Server / NPS: “Access granted. Here is your new IP address”
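The five callouts above are the whole DHCP enforcement loop. As an added example (my own model, not code from the presentation or from Microsoft), the script below plays both sides of that exchange: the client's SHA submits a Statement of Health, the SHV on NPS checks it against a health policy, and the DHCP server hands out either a restricted lease or a full one. The restricted lease follows the shape DHCP NAP enforcement uses for non-compliant clients (a 255.255.255.255 subnet mask, no default gateway, and host routes only to the remediation servers), so the client can reach remediation but nothing else. The health-policy values, addresses and host names are constructed; the message strings are the slide's callouts.

```python
"""Model of the NAP DHCP enforcement exchange (added example, not from the slides)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed health policy: what the System Health Validator (SHV) requires.
HEALTH_POLICY = {"firewall_on": True, "antivirus_on": True, "min_av_signature": 2008061200}
# Constructed addresses for the remediation servers and the client's subnet.
REMEDIATION_SERVERS = ["10.0.0.50", "10.0.0.51"]
FULL_MASK, FULL_GATEWAY = "255.255.255.0", "10.0.1.1"


@dataclass
class StatementOfHealth:
    """What the System Health Agent (SHA) on the client reports."""
    host: str
    firewall_on: bool
    antivirus_on: bool
    av_signature: int


@dataclass
class Lease:
    address: str
    subnet_mask: str
    default_gateway: Optional[str]
    static_routes: List[str]
    restricted: bool


def shv_validate(soh: StatementOfHealth, policy=HEALTH_POLICY) -> List[str]:
    """SHV on NPS: return the unmet requirements (empty list = policy compliant)."""
    failures = []
    if policy["firewall_on"] and not soh.firewall_on:
        failures.append("firewall off")
    if policy["antivirus_on"] and not soh.antivirus_on:
        failures.append("antivirus off")
    if soh.av_signature < policy["min_av_signature"]:
        failures.append("antivirus signatures out of date")
    return failures


def dhcp_issue_lease(address: str, compliant: bool) -> Lease:
    """DHCP server: full lease for compliant clients, restricted lease otherwise."""
    if compliant:
        return Lease(address, FULL_MASK, FULL_GATEWAY, [], restricted=False)
    # Host-only mask, no router, host routes only to the remediation servers.
    routes = [f"{server}/32" for server in REMEDIATION_SERVERS]
    return Lease(address, "255.255.255.255", None, routes, restricted=True)


def sha_remediate(soh: StatementOfHealth) -> StatementOfHealth:
    """Client: after pulling updates from the remediation servers, report new health."""
    new_sig = max(soh.av_signature, HEALTH_POLICY["min_av_signature"])
    return StatementOfHealth(soh.host, True, True, new_sig)


def nap_dhcp_exchange(soh: StatementOfHealth, address: str = "10.0.1.20",
                      remediate: bool = True) -> Tuple[List[Tuple[str, str]], Lease]:
    """Run the exchange from the slide; return the transcript and the final lease."""
    transcript: List[Tuple[str, str]] = []
    lease = dhcp_issue_lease(address, compliant=False)
    for attempt in range(2):                       # initial request, then one retry after remediation
        transcript.append(("Client", "I need to lease an IP address" if attempt == 0
                           else "Requesting access. Here's my new health status."))
        failures = shv_validate(soh)
        if not failures:
            lease = dhcp_issue_lease(address, compliant=True)
            transcript.append(("DHCP/NPS", "Access granted. Here is your new IP address"))
            break
        lease = dhcp_issue_lease(address, compliant=False)
        transcript.append(("DHCP/NPS", "You are not within the Health Policy requirements: "
                           + ", ".join(failures)))
        if not remediate:
            break                                   # client stays in the restricted network
        soh = sha_remediate(soh)
        transcript.append(("Client", "Requested and received updates from "
                           + ", ".join(REMEDIATION_SERVERS)))
    return transcript, lease


if __name__ == "__main__":
    stale = StatementOfHealth("PC-SALES-07", firewall_on=False, antivirus_on=True, av_signature=2008050100)
    for speaker, msg in nap_dhcp_exchange(stale)[0]:
        print(f"{speaker}: {msg}")
```

Running it with the constructed non-compliant client prints the five callouts in order and ends with a full lease; calling `nap_dhcp_exchange(stale, remediate=False)` shows what the client is left with if it never reaches the remediation servers, which is the state the connection-log demo earlier in the deck helps you diagnose.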
Demonstration Environment
Demo: Configuring NAP for DHCP
Using NAP with VPN/IPsec/802.1x
NAP with VPN and RRAS
Components: NPS Server, Client, VPN Server, Remediation Servers
Message flows shown: RADIUS messages (VPN Server to NPS), PEAP messages (Client to NPS)
IPsec-based Communication
- Secure network
- Boundary network
- Restricted network
Traffic classes shown: IPsec Authenticated, Unauthenticated
Using NAP with 802.1x Devices
- Most wireless security for the enterprise with NAP
- Interoperation with many 802.1x switches
Components: Network Policy Server (Authentication Server), 802.1x Access Points, 802.1x Switch, Wireless Clients, Active Directory, Health Requirement Server, Certificate Authority (Optional)
Q&A and Thank You
www.CaoSonBlog.com