NAP PWG Discussion August 17 2009 NAP Deployment

  • Slides: 7
NAP / PWG Discussion August 17, 2009



NAP Deployment Overview

[Diagram] Network clients (laptop, desktop PC, Mac, PDA, smartphone, VoIP phone) connect over a media-specific protocol (802.1X switch, 802.1X wireless AP, virtual circuit) to the Network Access Servers. The Network Access Server carries the network packet flow and talks RADIUS to the NAP Server ("NPS"); NPS queries Active Directory over LDAP and SQL over OLEDB/ODBC. Compliant clients reach Corpnet (various computing resources: application, infrastructure and remediation servers, other healthy devices, etc.). Non-compliant clients get no Corpnet connectivity and are confined to the Remediation Network, where only the Remediation Servers are reachable.


NAP Architecture

[Diagram]
• NAP Client: System Health Agents (SHA) - Windows (inbox), SCCM, Forefront, Other; NAP Agent; Enforcement Clients (EC) - 802.1X, IPsec, TSG, VPN, DHCP, Others.
• Enforcement Servers (ES) ("Network Access Servers") - 802.1X switch, HRA, VPN server, DHCP server, ...; the ECs reach them over the various network protocols.
• NAP Server: Network Policy Server (NPS), reached from the ES over the network access control protocol (RADIUS); System Health Validators (SHV) - Windows (inbox), SCCM, Forefront, Other; Health Policy Servers; user/machine authentication against Active Directory.
• Health data exchange between SHA and SHV uses the MS-SOH protocol.
• Health Remediation Servers: configuration/compliance validation, updates, Other; SCCM NAP compliance check states.


SCCM SHA – Health Evaluation

[Flow diagram]
1. Client requesting network access. The SCCM SHA collects the "SCCM Policy Cookie" from the SCCM Agent and packages the cookie in the SCCM SOH; the client requests access (including SCCM SOH with SCCM Policy Cookie).
2. What SCCM policy is assigned to the client? NPS looks up AD and obtains the expected (AD-reported) "SCCM Policy Cookie", then compares the client-submitted "SCCM Policy Cookie" with the AD-reported "SCCM Policy Cookie".
   • MATCH. Therefore: client is compliant; client is provided with FULL network access.
   • DON'T MATCH. Therefore: client is non-compliant; client access may be restricted [Client Non-Compliant: NAP Remediation Network, client access is restricted]; client is asked to remediate non-compliance ("Get Patched").
3. Retrieve patches/software. Client does a scan to determine what's missing and finds its missing patch "X"; "where is the patch/software?" is answered by the SCCM Management Point, and patches/software are retrieved from the SCCM DP.
4. Install patches and/or software. [Client Now Compliant] The client requests access again (including SCCM SOH with the SCCM Policy Cookie) and the comparison in step 2 is repeated.


Windows SHA – Health Evaluation

[Flow diagram]
• WSHA collects "Check States" from Windows Action Center (AV, Patch, Firewall).
• WSHA packages the checks in the WSHA SOH; client requests access (including WSHA SOH with check states).
• WSHA check states MATCH the WSHV-defined check states? Client given FULL ACCESS.
• WSHA checks DO NOT MATCH the WSHV checks? Client given RESTRICTED ACCESS; client remediates and tries again (request access including WSHA SOH with check states).
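The two evaluation flows on the SCCM SHA and Windows SHA slides, modelled end to end as an added Python example; this is not code from the slides or from Microsoft's NAP components. Each SHA packages a Statement of Health (SoH), the matching SHV on NPS compares it with policy and returns a Statement of Health Response (SoHR), NPS combines the verdicts into a full/restricted decision, and a restricted client remediates and retries. The SoH/SoHR layout, attribute names (`firewall`, `antivirus`, `patch`, `policy_cookie`) and policy values are constructed for illustration and do not reproduce the MS-SOH wire encoding.

```python
"""Toy model of NAP health evaluation (added example, not Microsoft's code).

SHA (client) -> SoH -> SHV (on NPS) -> SoHR -> NPS access decision.
Message layout, attribute names and policy values are constructed here.
"""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    FULL = "full"
    RESTRICTED = "restricted"


@dataclass
class SoH:
    sha_id: str      # which SHA produced it: "WSHA" or "SCCM"
    attrs: dict      # reported health state, attribute name -> value


@dataclass
class SoHR:
    sha_id: str
    compliant: bool
    failures: list   # remediation hints handed back to the client


# Constructed policy: the WSHV-defined check states and the SCCM policy
# cookie that AD reports as assigned to this client.
WSHV_REQUIRED = {"firewall": "on", "antivirus": "on_and_current", "patch": "current"}
AD_REPORTED_COOKIE = "sccm-policy-2009-08-17"


# ---- client side: System Health Agents -------------------------------------
def wsha_soh(action_center_state):
    """WSHA: package the Action Center check states (AV, patch, firewall)."""
    return SoH("WSHA", dict(action_center_state))


def sccm_sha_soh(policy_cookie):
    """SCCM SHA: package the policy cookie read from the SCCM Agent."""
    return SoH("SCCM", {"policy_cookie": policy_cookie})


def client_sohs(client):
    """One SoH per installed SHA; a client without an SHA sends nothing for it."""
    sohs = []
    if "action_center" in client:
        sohs.append(wsha_soh(client["action_center"]))
    if "sccm_cookie" in client:
        sohs.append(sccm_sha_soh(client["sccm_cookie"]))
    return sohs


# ---- server side: System Health Validators and NPS -------------------------
def wshv_validate(soh):
    """WSHV: every WSHV-defined check state must match exactly."""
    failures = [f"WSHA {k}: reported {soh.attrs.get(k)!r}, policy requires {v!r}"
                for k, v in WSHV_REQUIRED.items() if soh.attrs.get(k) != v]
    return SoHR("WSHA", not failures, failures)


def sccm_shv_validate(soh, ad_cookie=AD_REPORTED_COOKIE):
    """SCCM SHV: client-submitted cookie must equal the AD-reported cookie."""
    ok = soh.attrs.get("policy_cookie") == ad_cookie
    return SoHR("SCCM", ok, [] if ok else ["SCCM policy cookie mismatch: get patched"])


VALIDATORS = {"WSHA": wshv_validate, "SCCM": sccm_shv_validate}


def nps_decide(sohs, expected=("WSHA", "SCCM")):
    """NPS: FULL only if every expected SHV is satisfied.

    An expected SoH that never arrives (SHA missing or disabled) counts as
    non-compliant, so a client that reports nothing cannot get full access.
    """
    received = {s.sha_id: s for s in sohs}
    failures = []
    for sha_id in expected:
        soh = received.get(sha_id)
        if soh is None:
            failures.append(f"{sha_id}: no SoH received")
            continue
        failures.extend(VALIDATORS[sha_id](soh).failures)
    return (Access.RESTRICTED if failures else Access.FULL), failures


# ---- remediation loop ------------------------------------------------------
def remediate(client, failures):
    """Restricted client fixes what the SoHRs flagged: turn the Action Center
    states back on, install the missing patch so the SCCM Agent hands out
    the current cookie. A missing SHA cannot be fixed this way."""
    fixed = dict(client)
    if any(f.startswith("WSHA") for f in failures):
        fixed["action_center"] = dict(WSHV_REQUIRED)
    if any(f.startswith("SCCM policy cookie") for f in failures):
        fixed["sccm_cookie"] = AD_REPORTED_COOKIE
    return fixed


def connect(client, max_rounds=3):
    """Request access, remediate on RESTRICTED, try again.
    Returns (final access, rounds used, final client state)."""
    for rnd in range(1, max_rounds + 1):
        access, failures = nps_decide(client_sohs(client))
        if access is Access.FULL:
            return access, rnd, client
        client = remediate(client, failures)
    return Access.RESTRICTED, max_rounds, client
```

A client with the firewall off and last month's cookie is restricted on the first request with two failures, remediates, and gets FULL access on the second round; a client with no SCCM SHA at all stays restricted however many times it retries, which is the behaviour you want from the "missing SoH" rule.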

QA


Appendix
