Corporate Network Setup Diagram by mar10407

Kunal Kodkani
Senior Consultant, Microsoft Consulting Services
Microsoft Corporation
kunal.kodkani@microsoft.com
Introduction
NAP Overview
NAP platform architecture
NAP enforcement methods
Demo NAP IPSec enforcement
SDI Overview
- Multiple points of attachment: wireless, LAN, WAN, extranet
- Parties with differing rights: employees, vendors, partners
- Proliferation of devices: PCs, phones, PDAs, devices

- Need to control guest, vendor and partner access
- Increased exposure to malware
- Evolved security model: from perimeter control to everywhere control



Authenticate users and grant access based on role and
compliance to corporate governance standards
Aggressively update out-of-compliance systems
Apply access policy throughout the network



Comprehensive, policy-based authentication and compliance throughout the network
Allows you to control access to your network using
  - Policy-based enforcement
  - Logical network isolation using IP Security (IPsec)
  - Wireless security technologies
Microsoft solutions in this area
  - NAP
  - SDI
  - Securing Wireless using Certificate Services
    http://www.microsoft.com/downloads/details.aspx?familyid=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en
Policy Validation
  Determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy".
Network Restriction
  Restricts network access to computers based on their health.
Remediation
  Provides necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
Ongoing Compliance
  Changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

Platform that enforces compliance with health requirements for network access or communication
NAP is not a security solution to keep the bad guy off your network
Application programming interfaces (APIs)
  Allow for integration with third-party vendors
How It Works

[Figure: NAP client with NAP Agent, System Health Agents (SHA: MS SHA, SMS, 3rd parties) and Enforcement Clients (EC: DHCP, IPsec, 802.1X, VPN, 3rd-party EAP VPNs); network access device (DHCP, VPN, switch/router); Microsoft NPS with System Health Validators; policy servers (e.g. patch, AV); remediation servers (e.g. patch); restricted network and corporate network. Message flows shown: health statements, network access requests, health certificate, health policy, updates.]

1. Access requested.
2. Authentication information, including ID and health status, is sent to NPS.
3. NPS validates against health policy.
4. If compliant, access granted.
5. If not compliant, restricted network access and remediation.

[Figure: NAP platform architecture. Client side: SHA_1, SHA_2, SHA_3 -> SHA API -> NAP Agent -> NAP EC API -> NAP EC_A, EC_B, EC_C. Server side: NAP ES_A, ES_B -> NPS Service -> NAP Administration Server -> SHV API -> SHV_1, SHV_2, SHV_3, SHV_4. Server-side enforcement points shown: 802.1X switches, policy firewalls, SSL VPN gateways, certificate servers, NAP server.]
Enforcement   Healthy Client                                    Unhealthy Client
IPsec         Client receives health certificate, can           No health certificate issued; healthy peers
              communicate with any trusted peer                 reject connection requests from unhealthy systems
802.1X        Full access                                       Restricted VLAN
VPN           Full access                                       Restricted VLAN
DHCP          Full IP address given                             Restricted set of routes
For noncompliant computers, prevents communication with compliant computers
Compliant computers obtain a health certificate as proof of their health compliance
  - Health certificate is used for peer authentication when negotiating IPsec-protected communications
  - Health certificate carries the client authentication EKU in the certificate
  - In the IPsec configuration only NAP health certificates can be accepted for IPsec authentication
[Figure, repeated for each step below: client on the Quarantine Restricted Network; Health Registration Authority in the Boundary Network, with the Health Certification Authority beside it; Remediation Server and Network Policy Server in the Protected Network.]

1. Client starts up on the restricted network.
2. Client creates an HTTPS secure communication channel with the Health Registration Authority.
3. Client sends its credentials, a PKCS#10 request and its list of SoHs (Statements of Health) to the Health Registration Authority (HRA) through the SSL tunnel.
4. HCS forwards the client identity and health status information to the Network Policy Server (NPS), based on its NPS proxy configuration, for validation using a RADIUS Access-Request message.
5. The NAP Administration Server on the Network Policy Server passes the SoHs (Statements of Health) to their System Health Validators (SHVs).
6. SHVs evaluate the SoHs and respond with SoH Responses (SoHRs).
7. NPS evaluates the SoHRs against policy settings and makes a limited/unlimited network access decision.
8. Network Policy Server sends a RADIUS Access-Accept message that contains the System SoHR (Statement of Health Response) and the list of SoHRs to the Health Registration Authority.
9. The Health Registration Authority sends the System Statement of Health Response (SoHR) and the list of SoHRs through the SSL tunnel to the client.
10a. If compliant, the Health Registration Authority sends the client's PKCS#10 request to the Health Certification Authority and finally sends the health certificate through the SSL tunnel to the client.
10b. The NAP Agent passes the Statement of Health Responses to the System Health Agents that are installed on the client.
11. System Health Agents perform remediation and pass an updated Statement of Health (SoH) to the NAP Agent.
12. Client creates a new HTTPS channel with the Health Registration Authority.
13. Client sends its credentials, a new PKCS#10 request and its updated list of Statements of Health (SoHs) to the Health Registration Authority.
14. Health Registration Authority validates the credentials and the new list of SoHs with the Network Policy Server and obtains a health certificate for the client.
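The fourteen steps above are easier to reason about as a running exchange. The following is an added example, not code from the presentation or from Microsoft's NAP implementation: it simulates the SHA -> HRA -> NPS -> SHV round trip, the limited/unlimited decision, health-certificate issuance, the remediation retry (steps 10b-14), and the IPsec rule that healthy peers accept only a health certificate from the trusted Health Certification Authority. The component names (firewall, antivirus, patch), the policy thresholds, the EKU labels and the client states are all constructed for the example; it also covers two failure modes the steps do not spell out, a SoH with no matching SHV and a required SHA that never reports.

```python
"""NAP IPsec-enforcement exchange, simulated end to end (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SoH:
    component: str   # which SHA produced it (constructed: firewall, antivirus, patch)
    state: dict      # the health facts that SHA reports about itself


@dataclass(frozen=True)
class SoHR:
    component: str
    compliant: bool
    remediation: str  # what the SHA must fix; empty when compliant


@dataclass(frozen=True)
class HealthCertificate:
    subject: str
    issuer: str
    eku: frozenset    # extended key usages; a health cert carries client authentication


# Constructed NPS health policy: one System Health Validator per component.
def shv_firewall(soh):
    ok = soh.state.get("enabled") is True
    return SoHR("firewall", ok, "" if ok else "enable host firewall")


def shv_antivirus(soh):
    ok = soh.state.get("signature_age_days", 999) <= 7
    return SoHR("antivirus", ok, "" if ok else "update AV signatures")


def shv_patch(soh):
    ok = not soh.state.get("missing_critical", ["unknown"])
    return SoHR("patch", ok, "" if ok else "install critical updates")


SHVS = {"firewall": shv_firewall, "antivirus": shv_antivirus, "patch": shv_patch}


def nps_evaluate(sohs):
    """Steps 5-7: dispatch each SoH to its SHV, then decide on the SoHRs.
    A SoH with no registered SHV, or a required SHA that did not report,
    cannot be validated and therefore counts as noncompliant."""
    sohrs = []
    for soh in sohs:
        shv = SHVS.get(soh.component)
        sohrs.append(shv(soh) if shv else SoHR(soh.component, False, "no validator registered"))
    for missing in SHVS.keys() - {s.component for s in sohs}:
        sohrs.append(SoHR(missing, False, f"{missing} SHA did not report"))
    access = "unlimited" if all(r.compliant for r in sohrs) else "limited"
    return access, sohrs


class HealthCertificationAuthority:
    """Issues health certificates only on the HRA's request (step 10a)."""
    HEALTH_EKU = "system-health"   # constructed label standing in for the NAP health EKU

    def __init__(self, name="HCA"):
        self.name, self.issued = name, []

    def issue(self, subject):
        cert = HealthCertificate(subject, self.name, frozenset({"client-auth", self.HEALTH_EKU}))
        self.issued.append(cert)
        return cert


def hra_request(client_id, sohs, hca):
    """Steps 3-10a: the HRA validates with NPS and, only when NPS grants
    unlimited access, obtains a health certificate for the client."""
    access, sohrs = nps_evaluate(sohs)
    cert = hca.issue(client_id) if access == "unlimited" else None
    return access, sohrs, cert


# Constructed remediation actions, one per installed SHA.
FIXES = {"firewall": ("enabled", True),
         "antivirus": ("signature_age_days", 0),
         "patch": ("missing_critical", [])}


def remediate(state, sohrs):
    """Steps 10b-11: each installed SHA fixes what its SoHR flagged.
    An SHA that is not installed cannot remediate itself, so a missing
    component stays missing."""
    new = {c: dict(s) for c, s in state.items()}
    for r in sohrs:
        fix = FIXES.get(r.component)
        if r.compliant or r.component not in new or fix is None:
            continue
        new[r.component][fix[0]] = fix[1]
    return new


def client_enroll(client_id, state, hca, max_rounds=3):
    """Steps 1-14 from the client's side: request, remediate on limited
    access, retry. Returns (rounds_used, certificate_or_None)."""
    for rnd in range(1, max_rounds + 1):
        sohs = [SoH(c, s) for c, s in state.items()]
        access, sohrs, cert = hra_request(client_id, sohs, hca)
        if cert is not None:
            return rnd, cert
        state = remediate(state, sohrs)
    return max_rounds, None


def peer_accepts(cert, trusted_issuer="HCA"):
    """IPsec enforcement rule: a healthy peer accepts a connection only when
    the presented certificate is a health certificate from the trusted HCA."""
    return (cert is not None and cert.issuer == trusted_issuer
            and {"client-auth", HealthCertificationAuthority.HEALTH_EKU} <= cert.eku)
```

A client that starts with its firewall off, stale signatures and a missing update gets limited access on the first round, remediates, and receives its certificate on the second; a client that lacks one of the required SHAs never passes, because there is nothing on it to remediate. Note that every SoH is self-reported by the client's own agents, which is the reason the deck says NAP is not a security solution to keep the bad guy off your network.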
- Requires PKI to be deployed
- Only works in a managed environment (machines must be domain joined)
- Certificates are the only supported credential (compared to IPsec server and domain isolation)
- Requires an additional role to be deployed on the network (HRA)

- Protects you in a virtual environment
- Near real-time operation
- Unhealthy clients are truly isolated (credential automatically revoked by the NAP agent)
- Offers authentication AND encryption (encryption is optional, not required)
- Works with any switch, router or AP
- Technologies are built into Windows (client and server platforms)
For noncompliant computers, prevents unlimited access to a network through an 802.1X-authenticated connection

[Figure: 802.1X enforcement exchange between the Client, the 802.1x Switch, MS NPS, the Remediation Servers and the System Health Servers (which send ongoing policy updates to the Network Policy Server). The client requests access and presents its current health status; NPS asks "Should this client be restricted based on its health?"; if, according to policy, the client is not up to date, it is quarantined on the Restricted Network with restricted access until fix-up and told to update; it asks the remediation servers for updates, presents its new health status, and, once it is up to date according to policy, is granted access to the full intranet.]
- Requires compatible hardware
- Bootstrapping clients with credentials is challenging
- Dynamic VLAN switching during the boot process can be problematic
- Requires designing multiple VLANs based on health state
- Requires Windows supplicant to be used

- Industry standard protocol supported by all switch and AP vendors
- Supplicant is built into Windows
- Supports password based or certificates as the credential
- Can be deployed in conjunction with DHCP or IPsec enforcements

Reporting Mode
  Allows you to gather information as to what is on your network
Deferred Enforcement
  Introduces NAP to your user population and allows them to police themselves
Full Enforcement
  Non-compliant machines will be quarantined and auto-remediated
[Figure: Domain Isolation separates trusted systems from labs, unmanaged guests and malicious users.]

Domain Isolation: protects trusted systems from untrusted or malicious computers
  - IPsec authentication required for all incoming connections
    - IPsec used to authenticate remote host
    - Connection request refused if authentication fails
  - IPsec ensures data integrity for all connections
    - And optionally encryption
  - Works in the network layer
    - Regardless of the underlying physical layer (hubs, switches, wireless)

2/4/2011                                       51

  - IPsec policy determines computer behavior
    - Requires authentication for inbound connections
    - Ensures data integrity
    - Adds encryption if necessary
  - Group Policies used to distribute IPsec policy to hosts
  - Kerberos (AD) or digital certificates used for authentication
[Figure: Domain Isolation. Corporate Network containing the Active Directory Domain Controller, a Trusted File Server, an HR Workstation, Servers with Sensitive Data, Managed Computers, Trusted Computers and a Network Printer; an Unmanaged/Rogue Computer (untrusted) is blocked (X) from the managed hosts.]

[Figure: Server Isolation. Inside the domain-isolated Corporate Network (Active Directory Domain Controller, Trusted Resource Server, Managed Computers), Source Code Servers form a server-isolation group reachable from the Developer Workstation; an Untrusted computer is blocked (X) at the domain-isolation boundary and a second X marks the server-isolation boundary around the Source Code Servers.]
Server Isolation: protect specific high-valued hosts and data
  - Adds a layer of authorization on top of the authentication performed by IPsec
    - After authentication, Windows evaluates if the remote host has access permissions
    - Access is granted if the AD computer account has the "Access this computer from the network" privilege
  - To configure Server Isolation, remove Authenticated Users from this privilege
  - Grant access to Domain Users, and to the appropriate computer accounts
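The authorization rule above is a user-right assignment, so it can be audited from a security-template export. The following is an added example (not from the presentation): it parses the [Privilege Rights] section of the INF that `secedit /export /cfg <file>` produces and applies the slide's rule to SeNetworkLogonRight, the internal name of "Access this computer from the network". Authenticated Users is the well-known SID S-1-5-11 and Domain Users is the domain SID with RID 513; the domain SID, the computer-account RID and the INF text itself are constructed for the example, and the set of approved holders is an input you supply.

```python
"""Audit SeNetworkLogonRight on a server-isolation host (added example)."""

AUTHENTICATED_USERS = "S-1-5-11"   # well-known SID
DOMAIN_USERS_RID = "513"           # RID of Domain Users in every AD domain

# Constructed secedit export: domain SID and account RIDs are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege_name: [sid, ...]} from the [Privilege Rights] section.
    secedit prefixes each SID with '*'; names resolved to SIDs are stripped of it."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
    return rights


def is_domain_users(sid):
    return sid.startswith("S-1-5-21-") and sid.endswith("-" + DOMAIN_USERS_RID)


def assess_server_isolation(inf_text, approved_sids):
    """Apply the slide's rule: Authenticated Users must be gone from the right,
    Domain Users must hold it, and every other holder must be an approved
    computer account (or a group you deliberately keep). Returns (ok, findings)."""
    holders = parse_privilege_rights(inf_text).get("SeNetworkLogonRight", [])
    findings = []
    if AUTHENTICATED_USERS in holders:
        findings.append("Authenticated Users still holds SeNetworkLogonRight")
    if not any(is_domain_users(s) for s in holders):
        findings.append("Domain Users not granted SeNetworkLogonRight")
    for sid in holders:
        if sid == AUTHENTICATED_USERS or is_domain_users(sid):
            continue
        if sid not in approved_sids:
            findings.append(f"unexpected holder of SeNetworkLogonRight: {sid}")
    return not findings, findings
```

Run it against a real export by reading the file into `inf_text` and passing the SIDs of the computer accounts you granted; an empty findings list means the server matches the configuration the slide describes, and the first finding is the one to look for on a host where the default was never changed.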
SDI Introduction
  http://technet.microsoft.com/en-us/library/cc725770.aspx
Windows Firewall Advanced Security and IPsec
  http://technet.microsoft.com/en-us/library/cc732283.aspx
http://technet.microsoft.com/en-us/network/bb545879.aspx
  - Design Guides
  - Virtual Labs
  - Step-by-step Guides
  - Webcasts
Cisco NAC Interoperability Whitepaper
  http://download.microsoft.com/download/d/0/8/d08df717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper.pdf
UNET provides:
  - NAP agent for Linux
  - NAP agent for Mac OS X
  http://unet.co.kr/nap/index.html
Avenda provides:
  - NAP agent for Linux
  http://www.avendasys.com/products/technologies.php
Check out these websites, blogs & more!
Presentations
  - TechDays: www.techdays.ch
  - MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx
  - MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx
MSDN Events
  - MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx
  - Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
MSDN Flash (our bi-weekly newsletter)
  - Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx
MSDN Team Blog
  - RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx
Developer User Groups & Communities
  - Mobile Devices: http://www.pocketpc.ch/
  - Microsoft Solutions User Group Switzerland: www.msugs.ch
  - .NET Managed User Group of Switzerland: www.dotmugs.ch
  - FoxPro User Group Switzerland: www.fugs.ch

Check out these websites, blogs & more!
Presentations
  - TechDays: www.techdays.ch
TechNet Events
  - TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx
  - Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin
TechNet Flash (our bi-weekly newsletter)
  - Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx
Schweizer IT Professional und TechNet Blog
  - RSS: http://blogs.technet.com/chitpro-de/
IT Professional User Groups & Communities
  - SwissITPro User Group: www.swissitpro.ch
  - NT Anwendergruppe Schweiz: www.nt-ag.ch
  - PASS (Professional Association for SQL Server): www.sqlpass.ch
7. – 8. April 2010
Congress Center Basel
Premium Sponsoring Partners



Classic Sponsoring Partners




Media Partner