NAC Introduction and Microsoft NAP


       Jan De Clercq
       Jan.DeClercq@hp.com

Objectives
• Understand the concept of Network Access Control
• Understand the architecture of Microsoft’s NAP
• Understand the implementation options for MS NAP
Agenda
✓ What is Network Access Control?
• NAP Detailed Architecture
• NAP Enforcement
• Summary
The Network Boundary
•   Traditional thought:
    − The organization's network is considered a “safe” zone
    − Devices attached to the internal network and behind the
      firewall are within the organization's network
•   Are the devices attached to the network safe?
    − Hackers, malicious users/code writers, and unsuspecting
      users have discredited the myth that the “internal”
      network is safe
    − Malicious kits in many forms take advantage of networked
      systems
       • Rootkits and viruses (Melissa, Love Bug, Code Red, Slammer)
    − Entry into the organization's network comes in many forms
Controlling Access to the Network
•   Points of network access include:
    − VPN and Dial-up ports
    − Wired and Wireless switch ports
    − DMZ systems with specific access to internal systems
    − Internet-exposed applications (e.g. reverse proxy)
•   Control methodologies include:
    − Credential, certificate, and MAC based authentication
    − Access control lists based on IP and port definitions
    − Intrusion Detection/Prevention Systems based on
      malicious pattern matching
The Boundary is Not the Edge
•   As soon as a system touches a foreign network its
    state must be considered unknown
     − Systems in the perimeter network
     − Systems in the extranet
     − Systems on other “unrestricted” networks
     − Mobile systems
     − Non-corporate systems
       • Consultants/guests plugging in
       • Employees using personal systems


    The edge of the network is the end-point system
Network Access Control
Open Standards and Reference Architectures
•   Internet Engineering Task Force Network Endpoint Assessment (IETF NEA or NEA)
    − See RFC 5209
    − Focused on client-server protocols
•   Trusted Computing Group Trusted Network Connect (TCG TNC or TNC)
    − Some components published
    − Focused on providing an architecture and set of
      protocols to enhance vendor interoperability

TNC Architecture*

  Layer                       | Access Requester                  | Policy Enforcement Point  | Policy Decision Point
  Integrity Measurement Layer | Integrity Measurement Collectors  |                           | Integrity Measurement Verifiers
  Integrity Evaluation Layer  | TNC Client                        |                           | TNC Server
  Network Access Layer        | Network Access Requestor          | Policy Enforcement Point  | Network Access Authority

* HP is a founding member of the TCG and an active participant in the TNC
Network Access Control
Major Industry Players
•   Cisco Network Admission Control (CNAC)
    − First major player to market
    − Proprietary implementation based on Cisco devices
    − Co-developed interoperability with Microsoft
•   Microsoft Network Access Protection (MSNAP, MNAP, or NAP)
    − Semi-proprietary implementation based on WS2008
    − Working with the TCG to provide wider interoperability
    − Adopting/Creating TNC protocols where it makes sense
•   Many other vendor specific solutions
    − Extreme Networks, Juniper Networks, Mirage Networks,
      Symantec, FreeNAC
Microsoft NAP
Architecture Components
•   NAP Client
    − System Health Agents to collect health information
    − Enforcement Clients request network access
•   NAP Server Platform
    − System Health Validators evaluate information from the SHAs
    − Policy Server determines client health and access
•   NAP Enforcement Points
    − Pass health information and statements
    − Enforce decision made by Policy Servers
Microsoft NAP
Architecture

  Layer                       | Access Requester (Microsoft NAP Client) | Policy Enforcement Point  | Policy Decision Point (Microsoft NPA Services)
  Integrity Measurement Layer | NAP System Health Agents                |                           | NAP System Health Validators
  Integrity Evaluation Layer  | NAP Agent                               |                           | NAP Administration Server
  Network Access Layer        | NAP Enforcement Clients                 | NAP Enforcement Servers   | NAP Health Policy Server
NAP Components
NAC Architecture/Terminology

  Role | IETF Network Endpoint Assessment | TCG Trusted Network Connect | Cisco Network Access Control | Microsoft Network Access Protection | Component Functions

  Access Requester (Posture Client): requests access to a protected network
    | Posture Collectors | Integrity Measurement Collectors | (no entry) | System Health Agents (Microsoft NAP Client) | Collects [health] posture information
    | Posture Broker Client | TNC Client | Cisco Trust Agent | NAP Agent | Triggers data collection and delivery
    | Posture Transport Clients | Network Access Requestor | (no entry) | NAP Enforcement Clients | Delivers posture information to NAC server

  Policy Enforcement Point
    | (no entry) | Policy Enforcement Point | Cisco Network Access Devices | NAP Enforcement Servers | Enforces full, limited or no access to a protected network

  Policy Decision Point (Posture Server): authenticates client and grants or denies access to a protected network
    | Posture Validators | Integrity Measurement Verifiers | Vendor Policy Servers | System Health Validators (Microsoft NPAS) | Validates [health] posture information
    | Posture Broker Server | TNC Server | (no entry) | NAP Administration Server | Point of configuration/integration for validators and policy servers
    | Posture Transport Servers | Network Access Authority | Cisco ACS | NAP Health Policy Server | Evaluates [health] posture information and grants or denies access
W2K3 Quarantine Control
[Diagram: zones Restricted | Boundary | Secure. VPN Client -> W2K3 RRAS or ISA 2004/2006 Server -> IAS (optional) and Active Directory]
1.   Client attempts VPN connection
2.   VPN Server validates credentials with Active Directory
3.   VPN Server validates the user's right to “dial-in”
4.   If credentials and permissions are successfully validated, VPN Server allows a quarantined connection
     If credentials and permissions are not successfully validated, the connection is dropped
5.   After a successful connection, the server waits for a response from the administrator-provided script
6.   Client accesses and runs the administrator-provided script
7.   Client reports script results to the server
8.   Based on the script results, the server either maintains the quarantine or allows full access
W2K3 / ISA Quarantine Control
•   W2K3 Quarantine
    − Connection Manager (CMAK)
    − Administrator provided script
    − RRAS or IAS (RADIUS) policies
    − IP Filters
•   ISA 2004/2006 Quarantine
    − Similar to the above
    − Leverages ISA “Quarantined VPN Clients network”
•   Both employ one time script driven checks

       This is not NAP…

  Feature                                    | NAQC | NAP
  Can deploy with VPN (RRAS)                 | Yes  | Yes
  Can deploy with IPSec and HRA              | No   | Yes
  Can deploy with 802.1X wired and wireless  | No   | Yes
  Can deploy with TS Gateway                 | No   | Yes
  Can deploy with DHCP                       | No   | Yes
  Ongoing monitoring of end-points           | No   | Yes
  Integrated automatic remediation           | No   | Yes
  Driven by administrator provided script    | Yes  | No
NAP VPN Enforcement
[Diagram: zones Restricted | Boundary | Secure. NAP Client -> WS2008 VPN + NPS -> NAP NPS and Active Directory]
1.   Client attempts VPN connection
2.   VPN Server validates credentials with Active Directory
3.   VPN Server validates the user's right to “dial-in”
4.   If credentials and permissions are successfully validated, VPN Server allows a quarantined connection
     If credentials and permissions are not successfully validated, the connection is dropped
5.   After a successful connection, the server requests the System Statement of Health from the client
6.   Client evaluates monitored components and provides the System Statement of Health
7.   Server evaluates the System Statement of Health against defined policies
8.   If the client is determined to be healthy, full access is granted
     If the client is determined to be unhealthy, the client is given limited access to remediation servers and
     provided with remediation instructions
9.   If the state of a monitored component changes at any time during the connection, steps 6
     through 8 are immediately repeated
Agenda
✓ What is Network Access Control?
✓ NAP Detailed Architecture
• NAP Enforcement
• Summary
NAP Client
•   NAP Agent
    − Coordinates and exchanges info between SHA and EC
    − Continuous monitoring for ongoing policy enforcement
    − Available on Win7, WS2008, Vista, XP SP3
•   NAP Enforcement Client (EC)
    − One for each connection mechanism
      • IPSec, DHCP, VPN, RD Gateway (TS Gateway), 802.1X
      • Handles access requests based on connection type
    − Counterpart to NAP Enforcement Server
•   NAP System Health Agent (SHA)
    − Component that reports on one or more aspects of health
      • Built-in Windows Security Health Validator SHA
    − Counterpart to NAP System Health Validator
NAP Client
Vista vs. XP
•   NAP Client Configuration
    − GUI for Vista, Win7 only
    − Action Center integration in Win7
    − Use NETSH or GPO for Vista, Win7 and XP
•   802.1X enforcement
    − Extensible Authentication Protocol service used for Vista,
      Win7
    − Wired Autoconfig service used for Vista, Win7
    − Wireless EAP over LAN (EAPOL) EC used for XP
    − Wireless Zero Configuration service used for XP
•   Remote Desktop Gateway (formerly TS Gateway)
    − EC only available on Vista, Win7
•   Spyware state detection
    − Windows Defender integration in Vista, Win7
NAP Client Configuration – napclcfg.msc
NAP Server-side
•   NAP Enforcement Server (ES)
    − Exists for each connection type
      • IPSec, DHCP, VPN, RD Gateway, 802.1X devices
      • Enforces access capabilities specified by the NPS
•   NPS Service (RADIUS – formerly IAS)
    − Receives information from the ES, authenticates user
      identity and extracts system health info
    − Evaluates validated health state for policy conformance
•   NAP Administration Server
    − Coordinates and exchanges info between SHV and NPS
•   NAP System Health Validator (SHV)
    − Validates health state provided by SHA
Windows SHV: config
NAP Administration Interface – Server
Statements about Health
•   Statement of Health (SoH)
    − Defines the state of the
      monitored component
    − Created by SHA and passed to NAP Agent
•   System Statement of Health (SSoH)
    − Complete set of SoHs from all SHAs
    − Packaged by Agent and sent by EC through ES to NPS
•   Statement of Health Response (SoHR)
    − Healthy/Unhealthy Response based on SoH claim
•   System Statement of Health Response (SSoHR)
    − Complete set of SoHRs from all SHVs
    − Packaged by Administration Server for evaluation by NPS
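As an added illustration (not code from the deck or from Microsoft), a Python model of the SoH/SSoH/SoHR/SSoHR round trip and the full-or-restricted decision it feeds, including the re-evaluation from step 9 of the VPN flow; the policy keys, SHA/SHV names and remediation strings are constructed samples, and treating an SoH without a matching SHV as unhealthy is an assumption of the model.

```python
"""Model of the Statement-of-Health exchange: SHA -> SoH, NAP Agent -> SSoH,
SHV -> SoHR, Administration Server -> SSoHR, NPS -> full or restricted access.
Illustrative code, not NAP's wire format; policy keys are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class SoH:
    sha_id: str                  # names the SHA and therefore its SHV
    claims: Dict[str, object]    # state of the monitored component(s)

@dataclass
class SoHR:
    sha_id: str
    healthy: bool
    remediation: List[str] = field(default_factory=list)

# Requirements modelled on the built-in Windows Security Health Validator
# categories (firewall, antivirus, automatic updates). Constructed sample.
WINDOWS_SHV_POLICY: Dict[str, object] = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "antivirus_up_to_date": True,
    "automatic_updates_enabled": True,
}
VALIDATORS = {"WindowsSecurityHealthValidator": WINDOWS_SHV_POLICY}

def collect_ssoh(sohs: List[SoH]) -> List[SoH]:
    """NAP Agent: the SSoH is the complete set of SoHs, one per SHA."""
    ids = [s.sha_id for s in sohs]
    if len(ids) != len(set(ids)):
        raise ValueError("each SHA contributes exactly one SoH")
    return list(sohs)

def validate_soh(soh: SoH, policy: Dict[str, object]) -> SoHR:
    """SHV: compare one SoH with its policy. A claim that is missing or does
    not match fails, and every failure becomes one remediation instruction."""
    failed = [k for k, want in policy.items() if soh.claims.get(k) != want]
    return SoHR(soh.sha_id, healthy=not failed,
                remediation=[f"set {k} to {policy[k]}" for k in failed])

def evaluate_ssoh(ssoh: List[SoH], validators: Dict[str, dict]) -> List[SoHR]:
    """Administration Server: hand each SoH to the SHV with the same id and
    package the responses into the SSoHR. Assumption of this model: an SoH
    with no matching SHV is reported unhealthy rather than ignored."""
    ssohr = []
    for soh in ssoh:
        policy = validators.get(soh.sha_id)
        if policy is None:
            ssohr.append(SoHR(soh.sha_id, False, [f"no SHV for {soh.sha_id}"]))
        else:
            ssohr.append(validate_soh(soh, policy))
    return ssohr

def nps_decision(ssohr: List[SoHR]) -> Tuple[str, List[str]]:
    """NPS: full access only when every SoHR is healthy; otherwise restricted
    access to the remediation servers plus the merged remediation list."""
    healthy = all(r.healthy for r in ssohr)
    fixes = [step for r in ssohr for step in r.remediation]
    return ("full" if healthy else "restricted", fixes)

def connection_cycle(sohs: List[SoH]) -> Tuple[str, List[str]]:
    """Steps 5 to 8 of the VPN enforcement flow; step 9 is this function run
    again whenever a monitored component changes state."""
    return nps_decision(evaluate_ssoh(collect_ssoh(sohs), VALIDATORS))

if __name__ == "__main__":
    claims = {"firewall_enabled": False, "antivirus_enabled": True,
              "antivirus_up_to_date": False, "automatic_updates_enabled": True}
    print(connection_cycle([SoH("WindowsSecurityHealthValidator", claims)]))
    claims["firewall_enabled"] = claims["antivirus_up_to_date"] = True
    print(connection_cycle([SoH("WindowsSecurityHealthValidator", claims)]))
```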
Agenda
✓ What is Network Access Control?
✓ NAP Detailed Architecture
✓ NAP Enforcement
• Summary
NAP Enforcement Methodologies
Current Methods:
•   DHCP
•   IPSec
•   VPN
•   802.1X
•   RD Gateway (TS Gateway)
NAP with DHCP Enforcement
[Diagram: zones Restricted | Boundary (Remediation Server) | Secure]
  NAP Client: SHA creates SoH and passes it to the Agent; Agent collects SoHs, creates the SSoH and passes it to the EC; SoHR and SSoHR travel back the same path
  EC to Enforcement Server: requests DHCP address and provides SoH
  Enforcement Server: WS2008 DHCP and NPS
  Policy: Administration Server and SHVs (NPS)
NAP with DHCP Enforcement
What you need to know/remember
•   Easy implementation
    − Assumes WS2008 DHCP server
    − Assumes WS2008 Health Policy server (NPS)
    − Client requires:
      • DHCP enabled
      • NAP Agent enabled
      • DHCP Quarantine EC enabled
•   Easily circumvented
    − Manual configuration of TCP/IP stack
    − Useful when absolute compliance is not mandatory
    − Useful for reporting even without quarantine
NAP with IPSec Enforcement
[Diagram: zones Restricted | Boundary (Remediation Server) | Secure]
  NAP Client: SHA creates SoH and passes it to the Agent; Agent collects SoHs, creates the SSoH and passes it to the EC; SoHR and SSoHR travel back the same path
  EC to Enforcement Server: passes Auth, SSoH, and Health Certificate request via HTTP/HTTPS
  Enforcement Server: IPSec Health Registration Authority (NPS), backed by a Certificate Authority
  Policy: Administration Server and SHVs (NPS)
NAP with IPSec Enforcement
What you need to know/remember
•   Implementation requires:
    − PKI
    − WS2008 Health Policy server (NPS)
    − WS2008 HRA server (NPS)
    − Client:
       •   NAP Agent enabled
       •   IPSec Relying Party EC enabled
       •   HRAs defined as Trusted Servers
       •   Firewall policies defined
•   Benefits
    − Tamper-resistant enforcement
    − No infrastructure upgrade needed
    − Flexible limitations on network access
    − Optional end-to-end encryption
NAP with IPSec Enforcement
HRA Locations
NAP with VPN Enforcement
[Diagram: zones Restricted | Boundary (Remediation Server) | Secure]
  NAP Client: SHA creates SoH and passes it to the Agent; Agent collects SoHs, creates the SSoH and passes it to the EC; SoHR and SSoHR travel back the same path
  EC to Enforcement Server: initiates VPN connection; EAP-Request/Identity message; EAP-Response/Identity message including username and password
  Enforcement Server: WS2008 NPS (RRAS/VPN)
  Policy: Administration Server and SHVs (NPS)
NAP with VPN Enforcement
What you need to know/remember
•   Easy implementation
    − Assumes WS2008 VPN server
    − Assumes WS2008 Health Policy server (NPS)
    − Requires certificate for NPS (PEAP communications)
    − Client requires:
      • NAP Agent enabled
      • Remote Access Quarantine EC enabled
      • EAP EC enabled
•   More complex client-side configuration
    − VPN connection configuration requires PEAP
      • Mitigate with CMAK
NAP with 802.1X Enforcement
[Diagram: zones Restricted | Boundary (Remediation Server) | Secure]
  NAP Client: SHA creates SoH and passes it to the Agent; Agent collects SoHs, creates the SSoH and passes it to the EC; SoHR and SSoHR travel back the same path
  EC to Enforcement Point: initiates 802.1X authentication using the EAPOL protocol; EAP-Request/Identity message; EAP-Response/Identity message including username and password
  Enforcement Point: 802.1X capable network device
  Policy: Administration Server and SHVs (NPS)
NAP Decision Flow
NAP with 802.1X Enforcement
What you need to know/remember
•   Complex Implementation
    − Requires 802.1X network access device
      • Proper RADIUS configuration
      • Proper VLAN definitions
      • Configuration may vary based on manufacturer and device
    − Assumes WS2008 Health Policy server (NPS)
    − Requires certificate for NPS (PEAP communications)
    − Client requires:
      • NAP Agent enabled
      • EAP EC enabled
Agenda
✓ What is Network Access Control?
✓ NAP Detailed Architecture
✓ NAP Control Mechanisms and Scenarios
✓ Summary
Summary
•   NAC complements other security technologies
•   NAP is nice for Windows-centric environments
    − Linux, Mac support available from 3rd parties
•   NAC is gaining momentum
    − One form or another is being implemented today
Questions ?

Posted: 11/4/2011; language: English; 39 pages