SVR302: Network Security Infrastructure Services, NAP Overview

Agenda
- The next-generation Windows Server: Longhorn Server
- Network Access Protection (NAP): functional and architectural overview
- Demonstration
- Questions and discussion

The next-generation Windows Server: Longhorn Server

Feature highlights of Windows Server code name "Longhorn":
- Server Core
- Composable Roles
- Solution SKUs
- Self-Healing NTFS
- Hot-Pluggable Subsystems
- Dynamic Partitioning
- IIS 7.0
- Workflow Foundation
- WCF ("Indigo")
- Federated Identity
- Network Access Protection
- Terminal Services
- SMB 2.0
- Storage Management
- Transactional FS

Windows Server evolution (timeline slide, 2005 to 2009, milestones in chronological order): Windows Server 2003 Service Pack 1, Windows Server 2003 x64 Editions, Windows Server Update Services, Windows Server "Longhorn" Beta 1, Windows Server 2003 R2, Windows Storage Server R2, Windows Server "Longhorn" Beta 2, Windows Small Business Server 2003 R2, Windows Server 2003 Compute Cluster Edition, Windows Server "Longhorn" (2007), Windows Server "Longhorn" R2 (2009).

Network Access Protection (NAP): functional and architectural overview

Why NAP (Network Access Protection)?

The user environment:
- Damage caused by viruses, worms, malware and trojans
- Connections from many locations and many device types over public networks
- Insufficient and reactive defenses

User needs:
- Reduce business and service risk
- Satisfy mandatory legal requirements (Sarbanes-Oxley, HIPAA, ...)
- Integration with heterogeneous architectures
- Centrally controlled management policy

NAP solution overview
- Policy validation: determines whether a computer satisfies corporate security policy. Computers that do are considered "healthy".
- Network restriction: limits network access according to the computer's health state.
- Remediation: provides the updates the computer needs to "become healthy". Once it is healthy, the network restriction is lifted.
- Changing requirements: a change in corporate security policy or in a computer's health state acts dynamically on the network restriction.

NAP components (grouped on the slide as enforcement components, platform components and health components; Windows components are marked):
- Quarantine Agent (QA): reports client health status; coordinates between the SHA and the NAD.
- Enforcement Client: negotiates access with the network access device(s).
- System Health Agent (SHA): declares health (patch state, virus signature, system configuration, etc.).
- Quarantine Server (QS): restricts the client's network access based on what the SHV certifies.
- Network Access Device (NAD): provides network access to healthy endpoints.
- System Health Validator (SHV): certifies declarations made by health agents.
- Health Registration Authority (HRA): issues certificates to clients that pass health checks.
- System Health Server: defines health requirements for system components on the client.
- Remediation Server: installs necessary patches, configurations and applications; brings the client to a healthy state.

NAP architecture diagram (slide residue): System Health Servers and Remediation Servers supply policy and updates; on the client, the System Health Agents and the Quarantine Agent (QA) produce client health statements, which the Enforcement Clients (IPsec, 802.1X, DHCP, VPN) send as network access requests to the Network Access Device and Health Registration Authority; the Quarantine Server (QS) passes them to the IAS Server and its System Health Validators for client health validation, and the HRA issues the Health Certificate.

NAP enforcement choices

| Enforcement | Healthy client | Unhealthy client |
|---|---|---|
| DHCP | Full IP address given, full access | Restricted set of routes |
| VPN (MS and 3rd party) | Full access | Restricted VLAN |
| 802.1X | Full access | Restricted VLAN |
| IPsec | Can communicate with healthy peers | Healthy peers reject connections from unhealthy systems |

IPsec enforcement complements layer 2 protection, works with existing servers and infrastructure, and gives flexible isolation.

Flexible enforcement options (table reconstructed from the slide):

| | DHCP | VPN | 802.1X | IPsec |
|---|---|---|---|---|
| LAN or remote | LAN | Remote | LAN | LAN/WAN |
| Enables application isolation | No | No | No | Yes |
| Use of existing servers | No | No | Yes | Yes |
| Use of existing network | Yes | Yes | No | Yes |
| Protects against static | No | Yes | Yes | Yes |
| Protects against rogue | No | No | No | Yes |
| Protects against virtual PC | No | No | No | Yes |

NAP flow: unhealthy client, 802.1X scenario (corporate network and restricted network)
1. Client to Network Access Device (DHCP, VPN, SSL app proxy, 802.1x): "Can I get on the network? Here is my health."
2. NAD (validating with the IAS Policy Server): "No. I'm putting you on a restricted VLAN. Get a health certificate."
3. Client to Health Registration Authority: "Can I have a health certificate? Here is my health."
4. HRA (validating with IAS): "No, you need fix-up."
5. Client to Remediation Server: "Can I have updates?" Remediation Server: "Here you go."
6. Client to HRA: "I've been updated. Can I have a health certificate?" HRA: "Here you go."
7. Client to NAD: "Can I get on the network now? Here is my health certificate." NAD: "Full access granted."
The health certificate is re-used for subsequent access requests. The System Health Servers send ongoing policy updates to the IAS Policy Server.

NAP flow: healthy client scenario
1. Client to Network Access Device (DHCP, VPN, SSL app proxy, 802.1x): "Can I get on the network? Here is my identity."
2. The NAD validates with the IAS Policy Server; the client is healthy.
3. Full access granted.

IPsec NAP features
- Uses IPsec to isolate unhealthy clients.
- Security hardening: a reconfigured client cannot get through, nor can one using hubs or virtual PC techniques.
- No infrastructure upgrade: works in today's switch/router environment; no need to replace or upgrade DHCP, VPN, etc.
- Flexible isolation: healthy systems can connect to isolated systems, but the reverse is refused. The isolation mode is tailored through policy.

IPsec NAP isolation mode: policy definitions
- Protected Zone: health authentication is required to connect into a system (all systems).
- Boundary Zone: health authentication is requested but not required to connect into a system (all systems).
- Quarantine Zone: no health, no IPsec.
Connections: Boundary Zone to Protected Zone ALLOWED; Boundary Zone to Quarantine Zone ALLOWED; Quarantine Zone to Boundary Zone ALLOWED; Quarantine Zone to Protected Zone BLOCKED.

IPsec NAP scenario (Quarantine Zone, Boundary Zone, Protected Zone)
1. Client to DHCP: "May I have a DHCP address?" DHCP: "Here you go."
2. Client to HRA: "May I have a health certificate? Here's my SoH."
3. HRA to IAS: "Client ok?" IAS: "No. Needs fix-up."
4. HRA to client: "You don't get a health certificate. Go fix up."
5. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
6. Client to HRA again: "May I have a health certificate? Here's my SoH." HRA to IAS: "Client ok?" IAS: "Yes. Issue health certificate." HRA: "Here's your health certificate."
7. The client is now accessing the network.

SMS and NAP
1. SMS-managed clients can be kept in a healthy state:
   - Mobile clients are updated when they return to the corporate network.
   - Connected desktops are kept healthy through routine checks.
   - Health statements are based on MSRC bulletins.
   - Automatic remediation.
   - Rich compliance-policy reporting.
2. SMS and NAP working together ensure no exposure to risk.
3. SMS facilitates NAP architecture planning and deployment: distributed structure; client installation and updates.

SMS with NAP: message flow (corporate network and restricted network)
- The MS Download Center sends an MSRC bulletin to the SMS Site Server.
- The SMS Site Server tests and authorizes the security update, distributes policy and security updates, defines the enforcement policy and publishes the policy reference.
- The Management Point periodically plumbs the policy reference to the IAS Policy Server.
- Client to Distribution Point: "Requesting updates." Distribution Point: "Here are your updates."
- Client to Network Access Device (DHCP, VPN): "May I have access? Here's my current health status."
- NAD to IAS Policy Server (with AD): "Should this client be granted access based on its health?"
- IAS to SMS Health Validator: "Can you validate this client?" SMS Health Validator: "I can validate this client. It's not up to date." IAS: "Restrict access. Tell it to update." To the client: "You are being given restricted access until fix-up."
- Client: "Requesting access. Here's my new health status with required security updates."
- SMS Health Validator: "Is it up to date? Yes, it meets policy." IAS: "Grant access." The client is granted access to the full intranet; the Quarantine Server (QS) applies the decision.

NAP integration: benefits
- Multi-layer integration into a defense-in-depth architecture.
- Fast access for healthy clients.
- Network vendors add innovative value.
- Customer choice: protect network access, host access and application access, and integrate flexibly as needed.
Integration diagram: Client (System Health Agent, Quarantine Agent (QA), 3rd-party VPN/802.1x enforcement, DHCP/VPN quarantine enforcement, other); Cisco ACS; network infrastructure (Cisco or 3rd party, etc.); Active Directory; MS IAS Policy Server; 3rd-party AV, patch and firewall; Health Registration Authority.

NAP partners: Microsoft Integration Ecosystem Partners in networking, anti-virus, endpoint security, update/management, and systems integrators.

Path to a successful deployment
- Architecture preview: develop a plan and budget.
- Preparation: plan and design the operations architecture; define policies and processes.
- Deployment: deploy the underlying infrastructure.
- Testing: pilot deployment.
- Production deployment.

Preparing for NAP deployment
Preparing for NAP is going to take effort and time. Take advantage of the time to prepare your networks for the new model.
Deployment preparation tasks:
- Health Modeling
- Health Policy Zoning
- Secure Network Infrastructure Analysis
- IAS (RADIUS) Deployment
- Zone Enforcement Selection
- Exemption Analysis
- Rollout Planning and Change Process Control
- Success Matrices and Measures
Ensure NAP readiness across your IT organization.

Act now!
- Test and pilot deployment on Longhorn Beta 2.
- Start simple: deploy and manage with DHCP, then upgrade to IPsec.
- Implement in phases according to risk assessment:
  Step 1: observation mode only
  Step 2: grant a grace period, enforce later
  Step 3: enforce now

Give us feedback
- Web site and whitepapers: www.microsoft.com/nap
- Information on SDK distribution: [email protected]
- Questions or feedback: [email protected]

Network Access Protection components (appendix)
System Health Servers and Remediation Servers (anti-virus, patch, system management, etc.) provide policy, health checks and updates. On the client, the System Health Agents (Microsoft and 3rd party: AV/Patch/FW/Other) produce Statements of Health (SoHs); the Quarantine Agent (QA) and the Quarantine Enforcement Client (Microsoft and 3rd party: DHCP/VPN/1X/IPsec) carry them in network access requests and responses to the Network Access Device (Microsoft and 3rd-party DHCP and VPN servers, SSL app proxy, Health Registration Authority) and its Quarantine Server (QS), which hands them to the IAS Policy Server and its System Health Validators for client health validation.

Glossary:
- SHA, System Health Agent: declares health (patch state, virus signature, system configuration, etc.)
- SHV, System Health Validator: certifies declarations made by health agents
- QEC, Quarantine Enforcement Client: negotiates access with specific network access devices
- NAD, Network Access Device: facilitates health reporting, enforces network restrictions
- QA, Quarantine Agent: reports client health status, coordinates between the SHA and the Quarantine Enforcement Server (QES), which is on the NAD
- QS, Quarantine Server: restricts the client's network access based on what the SHV certifies
- SHS, System Health Server: defines health requirements for system components on the client
- RS, Remediation Server: installs necessary patches, configurations, applications; brings the client to a healthy state
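As an added illustration (not code from the deck or from Microsoft), the following toy model walks the NAP decision loop and the IPsec zone matrix described above: an SHA-style Statement of Health is checked by an SHV against a System Health Server policy, an unhealthy client is restricted per enforcement method, remediated, and then re-admitted with a re-usable health certificate. The policy values, client fields and function names are constructed for the example.

```python
from dataclasses import dataclass
POLICY = {"av_signature": 20060501, "patch_level": 7}  # constructed SHS policy

# IPsec isolation zones from the deck: which zone may initiate a connection to which.
ZONE_RULES = {"protected": {"protected", "boundary", "quarantine"},
              "boundary": {"protected", "boundary", "quarantine"},
              "quarantine": {"boundary", "quarantine"}}  # quarantine -> protected is BLOCKED

def may_connect(src: str, dst: str) -> bool:
    return dst in ZONE_RULES[src]
# What an unhealthy client is left with under each enforcement method.
RESTRICTED = {"DHCP": "restricted routes", "VPN": "restricted VLAN",
              "802.1X": "restricted VLAN", "IPsec": "quarantine zone"}

@dataclass
class Client:
    av_signature: int
    patch_level: int
    health_cert: bool = False  # set once the HRA issues a health certificate

def shv_validate(client: Client) -> list:
    """SHV: which policy requirements the client's SoH fails (empty = healthy)."""
    soh = {k: getattr(client, k) for k in POLICY}  # SoH as reported by the SHAs
    return [k for k, minimum in POLICY.items() if soh[k] < minimum]

def remediate(client: Client, failures: list) -> None:
    """Remediation server: bring only the flagged items up to policy."""
    for k in failures:
        setattr(client, k, POLICY[k])

def access_request(client: Client, method: str) -> str:
    """NAD/HRA decision for one request; a held certificate short-circuits it."""
    if client.health_cert:
        return "full access (certificate re-used)"
    failures = shv_validate(client)
    if failures:
        return RESTRICTED[method] + ": fix " + ", ".join(failures)
    client.health_cert = True  # HRA issues the certificate
    return "full access (certificate issued)"

def nap_session(client: Client, method: str) -> list:
    """Unhealthy-client flow: request, get restricted, remediate, re-request."""
    log = [access_request(client, method)]
    failures = shv_validate(client)
    if failures:
        remediate(client, failures)
        log.append(access_request(client, method))
    log.append(access_request(client, method))  # a later request re-uses the cert
    return log
```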