Post on 18-Dec-2015
Providing 802.1X Enforcement For Network Access Protection
Mudit Goel, Development Manager, Windows Enterprise Networking, Microsoft Corporation
Goals
Overview: Network Access Protection (NAP) architecture and extensibility
Demonstrate 802.1x NAP
Target audience: Hardware vendors (e.g. 1x hardware); connectivity software (1x supplicant, EAP methods)

What Is In It For You?
Add value to your hardware-based products or solutions
Demonstrated interoperability with NAP
Easy configuration of 1x hardware for NAP
Unique value that you can add to your device
Easier to develop EAP-related software: EAP extensibility model
Client: supplicants and methods
Server: methods
More satisfied customers
[Diagram: Internet and Intranet separated by a Perimeter; Remote Employees, Customers and Business Partners reach a Remote Access Gateway, a Web Server and an Extranet Server; Infrastructure Servers sit on the intranet]
Life In A Highly-Connected World
Interconnected networks
Distributed data
Mobile workers
Business extranets
Remote access
Web services
Wireless
Mobile smart devices

Problem
Very little isolation in network
Customers control very small percent of endpoints
De-perimeterization of devices happening now
Customers have little or no way of enforcing or even validating security policy compliance
Need for security at multiple layers
Network Access Protection (NAP) Solution Overview
Policy Validation: Are computers "healthy", i.e. compliant with the company's security policy?
Network Restriction: Restrict network access based on their health
Remediation: Provides necessary updates to become healthy; once healthy, the network restrictions are removed
Ongoing Compliance: Changes in computers' health may dynamically result in network restrictions
Network Access Protection Walk-Through
Participants: Client, 802.1x Switch / AP, Microsoft Network Policy Server (NPS), System health servers, Remediation servers; Corporate Network and Restricted Network
[Diagram callouts, in sequence:]
Client to switch: "May I have access? Here's my current health status"
Switch to NPS: "Should this client be restricted based on its health?"
System health servers to NPS: "Ongoing policy updates to NPS Policy Server"
NPS: "According to policy, the client is not up to date. Quarantine client, request it to update"
Switch to client: "You are given restricted access until fix-up"
Client to remediation servers: "Can I have updates?" Remediation servers: "Here you go"
Client to switch: "Requesting access. Here's my new health status"
NPS: "According to policy, the client is up to date. Grant access"
Client is granted access to full intranet
[NAP architecture diagram: on the Client, the System Health Agent (SHA) (MS and 3rd parties), the NAP Agent (QA) and the Enforcement Client (EC) (DHCP, IPSec, 802.1X, VPN); the client sends Health Statements and Network Access Requests to Network Access Devices and Servers, which consult the Microsoft Network Policy Server (NPS) running the NAP Server (QS); System Health Servers supply Health policy, Remediation Servers supply Updates, and the client receives a Health Certificate]
NAP Architecture Overview
Client: SHA – health agents check client state; QA – coordinates SHA/EC; EC – method of enforcement
Remediation server: serves up patches, AV signatures, etc.
Network access devices and server: access points, switches, VPN servers, HRA
Network Policy Server: QS – coordinates SHV; SHV – validates client health (System Health Validators from MS and 3rd parties)
System health server: provides client compliance policies
Extending NAP
Published APIs:
SHA API
QEC API
SHV API
EAP Host Supplicant
EAP Host Method (Peer and Authenticator)
802.1x client extensibility
Licensed Protocols: SoH / SoHR, RADIUS extensions, EAP TLVs, Health Certificate Enrollment Protocol
[Diagram: the NAP architecture above with the EAP stack expanded. On the Client: NAP Agent (QA), System Health Agent (SHA) (Microsoft and 3rd parties), EapHost with PEAP and 3rd party EAP methods, the 802.1x supplicant and 3rd party EAP supplicants, EapQEC and 3rd party QEC. On the Microsoft Network Policy Server: NAP Server (QS), System Health Validator (SHV) (Microsoft and 3rd parties), EapHost with PEAP and 3rd party EAP methods. Health policy, Updates, Health Statements, Network Access Requests and Health Certificate flow between System Health Servers, Remediation Servers, Network Access Devices and Servers, and the client]
RADIUS Attributes For NAP
Microsoft-Quarantine-State: machine access should be Full Access, Quarantined, or Probation until a certain time
Microsoft-Quarantine-Grace-Time: specified date and time for probation
Microsoft-IPv4-Remediation-Servers: collection of IPv4 addresses of fixup servers
Microsoft-IPv6-Remediation-Servers: collection of IPv6 addresses of fixup servers
Microsoft-Attribute-Not-Quarantine-Capable: machine requesting access is not participating in NAP
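As an added illustration (not part of the presentation) of how the walk-through and these attributes fit together: a constructed Python model in which an SHV validates a Statement of Health, the QS maps the result to the Microsoft-Quarantine-* attributes the NAS enforces, and a later check applies the grace time for ongoing compliance. HealthPolicy, StatementOfHealth, the check names, the clock value and the remediation addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed model of the flow on the slides: SHVs validate a client's Statement
# of Health (SoH), and the quarantine server (QS) on NPS answers with the
# Microsoft-Quarantine-* RADIUS attributes that the switch/AP enforces.
# Attribute names are from the slides; the checks and values are illustrative.
FULL_ACCESS, QUARANTINED, PROBATION = "Full Access", "Quarantined", "Probation"
REMEDIATION = ["192.0.2.10", "192.0.2.11"]   # hypothetical fix-up server addresses
NOW = datetime(2006, 5, 23, 9, 0, tzinfo=timezone.utc)  # constructed clock value

@dataclass
class HealthPolicy:                          # what a system health server would supply
    require_firewall: bool = True
    max_av_age_days: int = 7                 # older AV signatures are a "soft" failure
    grace: timedelta = timedelta(hours=24)   # probation window for soft failures

@dataclass
class StatementOfHealth:                     # what the SHA reports through the QA
    firewall_on: bool
    av_signature_age_days: int
    nap_capable: bool = True                 # False: client runs no NAP agent

def validate(soh, policy):                   # SHV step: checks this SoH fails
    failures = []
    if policy.require_firewall and not soh.firewall_on:
        failures.append("firewall-off")
    if soh.av_signature_age_days > policy.max_av_age_days:
        failures.append("av-signatures-stale")
    return failures                          # empty list means "healthy"

def decide(soh, policy, now):                # QS step: attributes returned to the NAS
    if not soh.nap_capable:
        return {"Microsoft-Attribute-Not-Quarantine-Capable": True}
    failures = validate(soh, policy)
    if not failures:
        return {"Microsoft-Quarantine-State": FULL_ACCESS}
    attrs = {"Microsoft-IPv4-Remediation-Servers": REMEDIATION}
    if failures == ["av-signatures-stale"]:  # only a soft failure: probation
        attrs["Microsoft-Quarantine-State"] = PROBATION
        attrs["Microsoft-Quarantine-Grace-Time"] = now + policy.grace
    else:                                    # hard failure: restricted VLAN now
        attrs["Microsoft-Quarantine-State"] = QUARANTINED
    return attrs

def effective_state(attrs, now):
    """Ongoing compliance: probation becomes quarantine once grace time has passed."""
    state = attrs.get("Microsoft-Quarantine-State")
    if state == PROBATION and now > attrs["Microsoft-Quarantine-Grace-Time"]:
        return QUARANTINED
    return state
```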
EAP Extensibility
Supplicant API: 3rd party EAP supplicants can plug in (e.g. 802.x, IKEv2, VPN); supplicants can become NAP aware by using EapHost
Method API: enables 3rd party methods to plug in (e.g. EAP-TTLS, EAP-SIM, EAP-FAST)
[Diagram: the Client and the 802.1x AP / Controller exchange 802.1x (EAP); the AP / Controller and the Microsoft Network Policy Server exchange RADIUS (EAP). Client side: NAP Agent (QA), System Health Agent (SHA) (Microsoft and 3rd parties), EapHost with PEAP and 3rd party EAP methods, the 802.1x supplicant and 3rd party EAP supplicants, EapQEC and 3rd party QEC. Server side: Quarantine Server (QS), System Health Validator, EapHost with PEAP and 3rd party EAP methods]
Network Access Protection Demo
Chandra Nakula, Test Lead, Windows Enterprise Networking

Demo Setup
NPS Server (Radius)
Vista Client
DHCP Server
HP Pro-curve Switch

802.1x Wired NAP
[Diagram: Client – EAP / PEAP – Switch – Radius – NPS Server (Radius); the switch places the client in either the Restricted VLAN or the Full Access VLAN]
Call To Action: NAS Devices (1x APs / Controllers)
Ensure that your device works with NAP. Value: device is NAP capable and hence more attractive to customers
Use the NAP related RADIUS attributes to make your configuration for NAP easier. Value: customers would find it easier to configure your device from NPS for NAP
Extend NAP to deliver value to the customer: on the client, switch, or end to end

Call To Action: NICs, EAP Supplicants, EAP methods
Test NAP interoperability with your hardware
Extend NAP to deliver value to the customer (adopt EAPHost and NAP)
Write EAP methods to EapHost
Leverage NAP in hardware, supplicants and EAP methods
Use EAPHost extensibility to build your supplicants
Work with us to address 802.x challenges: Multi-MAC, heterogeneous environments, bootstrapping, timing issues
Additional Resources
Web Resources
NAP: http://www.microsoft.com/NAP
EAP: http://www.microsoft.com/EAP
Information on NAP SDK distribution
WDK – actual working sample EAP methods and supplicant
MSDN – EH documentation and API references
E-mails (questions or feedback)
NAP: napsdk @ microsoft.com, asknap @ microsoft.com
EAP: eapqa @ microsoft.com

Q&A
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.