SVR302 Network Security Infrastructure Services: NAP Overview. Agenda: next-generation Windows Server...
Post on 21-Dec-2015
TRANSCRIPT
SVR302 Network Security Infrastructure Services: NAP Overview
Agenda
Next-generation Windows Server - Longhorn Server
Network Access Protection (NAP) features / architecture overview; demo; Q&A
Next-generation Windows Server: Longhorn
Code name "Longhorn" features:
Server Core, Composable Roles
Solution SKUs, IIS 7.0
Workflow Foundation, WCF ("Indigo")
Federated Identity, Network Access Protection
Terminal Services
SMB 2.0, Storage Management
Transactional FS
Self-Healing NTFS, Hot-Pluggable Subsystems
Dynamic Partitioning
Next-generation Windows Server: Longhorn Server
Windows Server evolution (timeline):
2005: Windows Server 2003 Service Pack 1; Windows Server 2003 x64 Editions; Windows Server Update Services; Windows Server 2003 R2; Windows Storage Server R2; Windows Server "Longhorn" Beta 1
2006: Windows Server 2003 Compute Cluster Edition; Windows Small Business Server 2003 R2; Windows Server "Longhorn" Beta 2
2007: Windows Server "Longhorn"
2009: Windows Server "Longhorn" R2
Network Access Protection (NAP) features / architecture overview
Why NAP (Network Access Protection)?
User environment:
Damage caused by viruses, worms, malware and trojans
Connections from many locations and many kinds of devices over public networks
Inadequate / passive defenses
User needs:
Reduce risk to the business and its services
Meet mandatory legal requirements (Sarbanes-Oxley, HIPAA...)
Integration of heterogeneous architecture environments
Centralized control of management policy
NAP solution overview
Policy validation: determines whether a computer meets the corporate security policy. Computers that meet it are considered "healthy."
Network restriction: restricts network access according to the computer's health state.
Remediation: provides the updates a computer needs to "become healthy." Once it is healthy, the network restriction is lifted.
Changing requirements: a change in corporate security policy or in a computer's health state can dynamically affect the network restriction.
NAP components
IAS Server: Quarantine Server (QS); System Health Validators
Client: System Health Agents; Quarantine Agent (QA); Enforcement Clients (IPsec, 802.1X, DHCP, VPN)
Network Access Device & Health Registration Authority (NAD, HRA)
System Health Servers; Remediation Servers
Flows between them: client health validation; policy and updates; health statements; network access requests; health certificate
Health components:
System Health Agent (SHA) = Declares health (patch state, virus signature, system configuration, etc.).
System Health Validator (SHV) = Certifies declarations made by health agents.
Remediation Server = Installs necessary patches, configurations, applications. Brings client to healthy state.
Enforcement components:
Enforcement Client = Negotiates access with network access device(s).
Health Registration Authority = Issues certificates to clients that pass health checks.
Network Access Device = Provides network access to healthy endpoints.
Platform components:
System Health Server = Defines health requirements for system components on the client.
Quarantine Server (QS) = Restricts client's network access based on what SHV certifies.
Quarantine Agent (QA) = Reports client health status, coordinates between SHA and NAD.
QA/QS = Windows components
NAPNAP 实施选择实施选择
Enforcement Healthy Client Unhealthy Client
DHCP Full IP address given, full access Restricted set of routes
VPN (MS and 3rd Party) Full access Restricted VLAN
802.1X Full access Restricted VLAN
IPsec
Can communicate with any trusted peer
Healthy peers reject connection requests from unhealthy systems
Complements layer 2 protectionWorks with existing servers and infrastructureFlexible isolation
Flexible enforcement options (DHCP / VPN / 802.1X / IPsec)
LAN or remote: DHCP: LAN; VPN: remote; 802.1X: LAN; IPsec: LAN/WAN
Enables application isolation: DHCP: no; VPN: no; 802.1X: no; IPsec: yes
Use of existing servers: DHCP: no; VPN: no; 802.1X: yes; IPsec: yes
Use of existing network infrastructure: DHCP: yes; VPN: yes; 802.1X: no; IPsec: yes
Protects against static configuration: DHCP: no; VPN: yes; 802.1X: yes; IPsec: yes
Protects against rogue gateway: DHCP: no; VPN: no; 802.1X: no; IPsec: yes
Protects against virtual PC: DHCP: no; VPN: no; 802.1X: no; IPsec: yes
NAP flow: unhealthy client, 802.1X scenario
Participants: Client; Network Access Device (DHCP, VPN, SSL app proxy, 802.1x); IAS Policy Server; Health Registration Authority; Remediation Server; System Health Servers; Corporate Network; Restricted Network
Client to NAD: "Can I get on the network? Here is my health."
NAD validates with IAS.
NAD to Client: "No. I'm putting you on a restricted VLAN. Get a health certificate."
Client to HRA: "Can I have a health certificate?"
HRA validates with IAS.
HRA to Client: "No, you need fix up."
Client to Remediation Server: "Can I have updates?" Remediation Server: "Here you go."
Client to HRA: "Can I have a health certificate? I've been updated." HRA: "Here you go."
Client to NAD: "Can I get on the network now? Here is my health certificate."
NAD: "Full access granted." The health certificate is re-used for subsequent access requests.
Ongoing policy updates to IAS Policy Server.
NAP flow: healthy client scenario
Participants: Client; Network Access Device (DHCP, VPN, SSL app proxy, 802.1x); IAS Policy Server; Health Registration Authority; Remediation Servers; System Health Servers; Corporate Network
Client to NAD: "Can I get on the network? Here is my identity."
NAD validates with IAS. Client is healthy.
NAD to Client: "Full access granted."
IPsec NAP features
Uses IPsec to isolate unhealthy clients
Security hardening: a reconfigured client cannot get through, nor can it by using hubs / virtual PC techniques
No infrastructure upgrade: works with today's switches / routers; no need to replace / upgrade DHCP, VPN, etc.
Flexible isolation: healthy systems can connect to isolated systems, but the reverse is refused; the isolation mode is customized through policy
IPsec NAP isolation modes
Zones: Quarantine Zone, Boundary Zone, Protected Zone. The diagram marks one path BLOCKED and the others ALLOWED, following the policy definitions below.
Policy definitions:
Protected Zone: all systems possess a Health Certificate; authentication required to connect into a system
Boundary Zone: all systems possess a Health Certificate; authentication requested but not required to connect into a system
Quarantine Zone: no Health Certificates; no IPsec policies
IPsec NAP scenario: accessing the network
Participants: Client; DHCP; Health Registration Authority; IAS; Remediation Server. Zones: Quarantine Zone, Boundary Zone, Protected Zone.
Client to DHCP: "May I have a DHCP address?" DHCP: "Here you go."
Client to HRA: "May I have a health certificate? Here's my SoH." HRA to IAS: "Client ok?"
IAS: "No. Needs fix-up." HRA to Client: "You don't get a health certificate. Go fix up."
Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
Client asks the HRA again. IAS: "Yes. Issue health certificate." HRA to Client: "Here's your health certificate."
SMS and NAP
1. SMS-managed clients can be kept in a healthy state: mobile clients are updated when they return to the corporate network; connected desktops are kept healthy by routine checks; health statements are based on MSRC bulletins; automatic remediation; rich compliance reporting.
2. SMS and NAP work together to ensure no risk exposure.
3. SMS facilitates NAP architecture planning and deployment: distributed structure; client installation and updates.
SMS and NAP: flow
Participants: Client; Network Access Device (DHCP, VPN); IAS Policy Server with Quarantine Server (QS) and SMS Health Validator; SMS Site Server (Management Point, Distribution Point, SMS Remediation Servers); AD; MS Download Center; Corporate Network; Restricted Network
MS Download Center sends MSRC bulletin.
SMS Site Server: tests and authorizes security update; defines enforcement policy; publishes policy reference; periodically plumbs policy reference to IAS Policy Server; distributes policy and security updates.
Client to NAD: "May I have access? Here's my current health status."
NAD to IAS: "Should this client be granted access based on its health?"
QS to SMS Health Validator: "Can you validate this client? Is it up to date?"
SMS Health Validator: "I can validate this client. It's not up to date. Tell it to update."
IAS to NAD: "Restrict client, request it to update."
NAD to Client: "You are being given restricted access until fix-up."
Client to SMS Remediation Servers: "Requesting updates." Response: "Here are your updates."
Client to NAD: "Requesting access. Here's my new health status with required security updates."
SMS Health Validator: "I can validate client's health. Yes, meets policy."
IAS to NAD: "Grant access." Client is granted access to full intranet.
NAP integration
Client: System Health Agent; Quarantine Agent (QA); 3rd Party VPN / 802.1x Enforcement; DHCP/VPN Quarantine Enforcement
Cisco ACS
MS IAS Policy Server
3rd Party AV, Patch, FW
Active Directory
Network Infrastructure (Cisco or 3rd party, etc.)
Other CS
Health Registration Authority
Benefits
• Multi-layer integration into a defense-in-depth system.
• Fast access for healthy clients.
• Network vendors deliver innovative value.
• Customer choice: protects network access, host access and application access, and integrates flexibly as required.
NAP partners
Networking
Anti-Virus
Endpoint Security
Update/Management
Ecosystem Partners
Microsoft Integration
Systems Integrators
Path to a successful deployment
Phases: Prepare; Plan / Design; Deploy
Activities: architecture preview; develop a plan and budget; define policies and processes; operations architecture; deploy the underlying infrastructure; test; pilot deployment; production deployment
Preparing for NAP is going to take effort and time
Take advantage of the time to prepare your networks for the new model
Deployment preparation tasks:
Health Modeling
Health Policy Zoning
Secure Network Infrastructure Analysis
IAS (RADIUS) Deployment
Zone Enforcement Selection
Exemption Analysis
Rollout Planning and Change Process Control
Success Matrices and Measures
Ensure NAP readiness across your IT organization
NAP deployment preparation
Act now! Test / pilot with Longhorn Beta 2
Start simple: deploy management with DHCP, then upgrade to IPsec
Phase the rollout according to a risk assessment:
Step 1 – Observation mode only
Step 2 – Grant grace period, enforce later
Step 3 – Enforce now
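The three rollout steps above and the zone policy from the IPsec isolation-modes slide, as an added example that is not part of the original deck: a Python sketch of the SHV check on a Statement of Health, the HRA's certificate decision under each step, and the zone rule that lets healthy systems reach quarantined ones but not the reverse. The health requirements and SoH values are constructed samples, and the function names are my own.

```python
# Constructed sample health requirements, as a System Health Server would define them.
POLICY = {"min_patch_level": 12, "max_av_sig_age_days": 7, "firewall_on": True}

# Zone policy definitions from the isolation-modes slide: what a responder in
# each zone requires of the initiator before accepting a connection.
ZONE_AUTH = {"protected": "required", "boundary": "requested", "quarantine": "none"}

def shv_validate(soh):
    """System Health Validator: check a Statement of Health (SoH) against POLICY.
    Returns the list of failed checks; an empty list means the client is healthy."""
    failed = []
    if soh["patch_level"] < POLICY["min_patch_level"]:
        failed.append("patch_level")
    if soh["av_sig_age_days"] > POLICY["max_av_sig_age_days"]:
        failed.append("av_signature")
    if POLICY["firewall_on"] and not soh["firewall_on"]:
        failed.append("firewall")
    return failed

def hra_decide(soh, mode, today, grace_until=None):
    """Health Registration Authority decision for one rollout step.
    mode is "observe" (step 1), "grace" (step 2) or "enforce" (step 3);
    dates are ISO strings (YYYY-MM-DD), which compare correctly as text.
    Returns (issue_health_certificate, failed_checks)."""
    failed = shv_validate(soh)
    if not failed:
        return True, failed                  # healthy: always certified
    if mode == "observe":
        return True, failed                  # step 1: record the failure, never restrict
    if mode == "grace":
        return today <= grace_until, failed  # step 2: restrict only once the grace period ends
    return False, failed                     # step 3: unhealthy clients get no certificate

def ipsec_allows(initiator_has_cert, responder_zone):
    """Would the responder's IPsec policy accept this connection?
    Protected zone: health certificate required. Boundary zone: authentication
    requested but optional, so quarantined clients can still reach servers placed
    there. Quarantine zone: no IPsec policy at all."""
    if ZONE_AUTH[responder_zone] == "required":
        return initiator_has_cert
    return True

if __name__ == "__main__":
    stale = {"patch_level": 10, "av_sig_age_days": 2, "firewall_on": False}
    print(hra_decide(stale, "enforce", "2006-06-01"))  # (False, ['patch_level', 'firewall'])
    print(ipsec_allows(True, "quarantine"), ipsec_allows(False, "protected"))  # True False
```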
Give us feedback
Web site and whitepapers: www.microsoft.com/nap
Information on SDK distribution: [email protected]
Questions or feedback: [email protected]
Network Access Protection components
IAS Policy Server: Quarantine Server (QS); System Health Validators (Microsoft and 3rd Party)
Client: System Health Agents (Microsoft and 3rd Party: AV/Patch/FW/Other); Quarantine Agent (QA); Quarantine Enforcement Client (Microsoft and 3rd Party: DHCP/VPN/1X/IPsec)
Network Access Device (Microsoft and 3rd party DHCP, VPN servers, SSL app proxy, Health Registration Authority)
System Health Servers (Anti-virus, Patch, System Mgt, etc.); Remediation Servers (Anti-virus, Patch, System Mgt, etc.)
Flows: client health validation; policy, health checks, updates; Statements of Health (SoHs); network access requests / responses
SHA: System Health Agent = Declares health (patch state, virus signature, system configuration, etc.)
QEC: Quarantine Enforcement Client = Negotiates access with specific network access devices
NAD: Network Access Device = Facilitates health reporting, enforces network restrictions
SHV: System Health Validator = Certifies declarations made by health agents
QS: Quarantine Server = Restricts client's network access based on what SHV certifies
QA: Quarantine Agent = Reports client health status, coordinates between SHA and Quarantine Enforcement Server (QES), which is on the NAD
SHS: System Health Server = Defines health requirements for system components on the client
RS: Remediation Server = Installs necessary patches, configurations, applications; brings client to healthy state