selecting the right network access protection architecture
DESCRIPTION
Selecting the Right Network Access Protection Architecture. Infrastructure Planning and Design Series. What Is IPD?. Guidance that aims to clarify and streamline the planning and design process for Microsoft ® infrastructure technologies IPD…in 50 pages: Defines decision flow - PowerPoint PPT PresentationTRANSCRIPT
Selecting the Right Network Access Protection ArchitectureInfrastructure Planning and Design Series
What Is IPD?Guidance that aims to clarify and streamline the planning and design process for Microsoft® infrastructure technologies
IPD…in 50 pages: Defines decision flow Describes decisions to be made Relates decisions and options for the business Frames additional questions for business understanding Replaces Windows Server System™ Reference Architecture (WSSRA)
Page 2 |
Download the IPD Guides atwww.microsoft.com/ipd
SELECTING THE RIGHT NAP ARCHITECTURE
Getting Started
Page 3 |
Purpose and AgendaPurpose
To assist in the decision-making process regarding which enforcement methods to use in conjunction with Network Access Protection (NAP) to meet business and technical requirements
AgendaDetermine which components to use in a NAP architecture
Page 4 |
What Is NAP?Network Access Protection is a policy-based solution that:
Validates whether computers meet health policiesCan limit access for noncompliant computersAutomatically remediates noncompliant computers Continuously updates compliant computers to maintain health stateOffers administrators a wide range of choice and deployment flexibility to better secure their Windows networks
Page 5 |
NAP Architecture
Why Implement NAP?
Controlled access for guests, vendors, partnersImproved resilience to malware as network health increasesMore robust update infrastructureManaged compliance
Page 7 |
Key Messages for NAP
Page 8 |
The NAP client can be Windows Server® 2008, Windows Vista®, Windows® XP SP3, or third-party (Linux + Macintosh)NAP is built into Windows that you enable via GP/scriptNAP requires a minimum of one Windows Server 2008 machine to get started
NAP Enforcement OptionsEnforcement options CapabilitiesIPsec – implemented at host layer
Restricts client device communication to a limited number of servers until compliance is demonstrated
802.1X – implemented at network layer
Client device’s access is restricted by network infrastructure devices. Client access is restricted until device has demonstrated compliance
VPN – Microsoft VPN VPN server restricts client device’s access by using IP filters until client device has demonstrated compliance
DHCP – implemented at network layer
DHCP client is restricted by providing a 32-bit netmask and removing the default gateway
Page 10 |
Decision Flow
Determine the client connectivityDetermine enforcement layerIf enforcement is at network layer, select enforcement options
Type of network connectivity dictates appropriate enforcement methods. Client devices connect two ways:
Locally—via wired or wirelessRemotely—such as VPN
Page 11 |
Determine Client Connectivity
Determine VPN Platform
Page 12 |
Will the VPN platform be Microsoft or third-party? Microsoft VPN selected:
If IT selects RRAS to provide remote access, VPN server must run Windows Server 2008Low level of complexity and cost to implement
Third-party VPN selected:If IT selects a third-party VPN, IPsec can be used to restrict client device accessHigh level of complexity and medium cost to implement
Enforcement Layer Decision
Page 13 |
Enforce NAP restrictions at each host or enforce on network?
Enforce restrictions at hosts selected:Using IPsec provides robust securityHigh level of complexity and medium cost to implement
Enforce restrictions on network selected:Depending on specific network-based enforcement method, security level less robust than IPsecMedium level of complexity and high cost to implement
NAP Restrictions – Host vs. Network Enforcement
Use the table below to select between:IPsec – host-based802.1X – network-basedDHCP – network-based
Page 14 |
Method Security Level Complexity Cost
IPsec High High Medium
8021.1X High Medium High
DHCP Low Low Low
Additional Considerations for NAP
Determine system compliance requirementsCombining NAP technologiesDependencies
Page 15 |
Summary and Conclusion
NAP flexibility provides choiceNAP is deployment ready
Provide feedback to [email protected]
Page 16 |
Find More Information
Download the full document and other IPD guides:
www.microsoft.com/ipd
Contact the IPD team:[email protected]
Visit the Microsoft Solution Accelerators Web site:www.microsoft.com/technet/SolutionAccelerators
Page 17 |