Customer Insight: CSO's Perspective – What Edge?
Microsoft Research EdgeNet, June 2006
Mark Ashida, General Manager, Windows Enterprise Networking
The Evolution of Our Thinking
• Industry Trends
  • Consolidation of functionality vs. appliances
  • Mobility driving more devices, roaming users, policies
  • Trust boundaries are vague - hard to define & control
• Network Access Protection (NAP)
  • Defined initial requirements with customers
  • Early & consistent review with Microsoft IT dept
  • Refined functionality with feedback from pilot programs
  • Technology Adoption Program (TAP), Vista Beta Customers
What Edge?
• VLAN’s, IPsec, internal firewalls, NAC appliances
• Jericho Forum
• Logical L3+ vs. L2
Diagram labels: Internet, Logical CorpNet, Restricted Zone (non-domain joined, non-IPsec devices), Seamless Network Gateways, Provisioning Servers, New PC, Employee / Partner / Guest PC, IPsec Security, DHCP, DNS, AAA
Thinking Evolution
• Network Access Protection Abstraction
Diagram labels: Health State, Quarantine Agent, Enforcement (802.1x, IPsec), Network Infrastructure, RADIUS, Policy store
Thinking Evolution
• Network Access Protection Abstraction
Diagram labels: Health State, Quarantine Agent, Enforcement (802.1x, IPsec), Network Infrastructure, RADIUS, Policy store; grouped as Assets, Control Plane, Enforcement/Network
Thinking Evolution
Diagram labels: Health State, Quarantine Agent, Enforcement (802.1x, IPsec), RADIUS, Policy store, Control Plane, MOM Pak (for each element), UI Diag, MOM, Network Infrastructure, Assets, Enforcement/Network, Reporting, Single Dashboard
Thinking Evolution
Diagram labels: Clients, Network Infrastructure, RADIUS, Policy store, Network State Database (in MOM), NAP Configuration, Help Desk, Security, Performance, Provisioning, DHCP, WINS, DNS, VM/TPM
What CSO’s want
• Want it soon – they want PAC not NAC
• Fine grained admission per resource based upon rich information such as:
  • Identity (permanent and temporary)
  • Machine state (health)
  • Application
  • Entry point
  • Time of day, etc.
• Interoperability with current infrastructure/desktops
• Multi-vendor solution
• Federated trust would be nice
• Manageability
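As an added illustration (not from the deck, and not Microsoft's NAP implementation), a toy Python policy evaluator that makes the per-resource admission decision from the attributes listed above, quarantining unhealthy clients into a restricted zone rather than refusing them; the identity labels, health attribute names and the sample payroll policy are constructed.

```python
"""Toy model of the per-resource admission decision sketched in the deck:
a policy store is consulted per resource using identity, machine health,
application, entry point and time of day. Names and sample data are
constructed for illustration; this is not Microsoft's NAP implementation."""
from dataclasses import dataclass
from datetime import time

@dataclass
class Request:
    identity: str        # e.g. "employee", "guest" (constructed labels)
    health: dict         # statement of health reported by the client agent
    application: str
    entry_point: str     # e.g. "wired-8021x", "vpn", "wireless"
    at: time

@dataclass
class ResourcePolicy:
    identities: set
    applications: set
    entry_points: set
    required_health: dict                   # attribute -> required value
    window: tuple = (time(0, 0), time(23, 59))

def health_gaps(health, required):
    """Health attributes whose reported state does not meet policy."""
    return sorted(k for k, v in required.items() if health.get(k) != v)

def admit(req, policy):
    """Return (decision, reason): FULL, RESTRICTED (quarantine) or DENY."""
    if req.identity not in policy.identities:
        return "DENY", "identity not permitted for this resource"
    if req.application not in policy.applications:
        return "DENY", "application not permitted for this resource"
    if req.entry_point not in policy.entry_points:
        return "DENY", "entry point not permitted for this resource"
    start, end = policy.window
    if not start <= req.at <= end:
        return "DENY", "outside permitted hours"
    gaps = health_gaps(req.health, policy.required_health)
    if gaps:
        # Unhealthy clients are quarantined rather than refused: the
        # restricted zone exposes only the remediation/provisioning servers.
        return "RESTRICTED", "remediation needed: " + ", ".join(gaps)
    return "FULL", "all checks passed"

# Constructed sample policy: payroll is employees-only, business hours, no wireless.
PAYROLL = ResourcePolicy({"employee"}, {"payroll-web"}, {"wired-8021x", "vpn"},
                         {"firewall_on": True, "av_signatures_current": True},
                         (time(7, 0), time(19, 0)))
HEALTHY = {"firewall_on": True, "av_signatures_current": True}
STALE_AV = {"firewall_on": True, "av_signatures_current": False}
```

Calling `admit(Request("employee", STALE_AV, "payroll-web", "vpn", time(9, 0)), PAYROLL)` returns a RESTRICTED decision naming the stale attribute, which is the information the help desk and remediation flow on the later slides would consume.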
What CSO’s don’t want
• Don’t make it uneconomical for us to deploy
  • Help desk
  • Management
  • Multiple solutions
• Don’t break Provisioning/Logon/SSO
• Is 802.1x the right enforcement method?
• Practical deployment issues – beaconing, provisioning, multimac on single port, VM’s,
Unashamed Vista/LHS Plug
• Network Diagnostics – why can’t you connect, and repair
• NAP Agent – why you can’t connect / Help desk
• MOM Desktop NAP Agent – events/alarms from desktop, expanding to all networking elements on desktop (QoS, etc.)
• IPsec – giving you virtual logical groups anywhere in the world (240k desktops at MS) with much reduced deployment costs
• Adaptive NEW IP Stack – much better throughput, up to 80+Mbs on a 100Mbs port vs. 20 previously
• IP Offload – 10Ge announced now
• IPv6 – on by default