Next-Generation Windows Server: "Longhorn"
Windows Server "Longhorn" headline features: Self-Healing NTFS, Hot-Pluggable Subsystems, Dynamic Partitioning, Server Core, Composable Roles, Solution SKUs, IIS 7.0, Workflow Foundation, WCF ("Indigo"), Federated Identity, Network Access Protection, Terminal Services, SMB 2.0, Storage Management, Transactional File System
Windows Server evolution (roadmap timeline)
• 2005: Windows Server 2003 Service Pack 1, Windows Server 2003 x64 Editions, Windows Server Update Services, Windows Server "Longhorn" Beta 1
• 2006: Windows Server 2003 R2, Windows Storage Server R2, Windows Small Business Server 2003 R2, Windows Server 2003 Compute Cluster Edition, Windows Server "Longhorn" Beta 2
• 2007: Windows Server "Longhorn"
• 2009: Windows Server "Longhorn" R2
NAP components
Platform components (Windows components: QA/QS):
• Quarantine Agent (QA) = Reports client health status; coordinates between the SHA and the NAD.
• System Health Agent (SHA) = Declares health (patch state, virus signature, system configuration, etc.).
• Quarantine Server (QS) = Restricts the client's network access based on what the SHV certifies.
• System Health Validator (SHV) = Certifies the declarations made by health agents.
Enforcement components:
• Enforcement Client = Negotiates access with the network access device(s).
• Network Access Device (NAD) = Provides network access to healthy endpoints.
Health components:
• Health Registration Authority (HRA) = Issues certificates to clients that pass health checks.
• System Health Server = Defines health requirements for system components on the client.
• Remediation Server = Installs necessary patches, configurations and applications; brings the client to a healthy state.
Diagram: the Client (System Health Agents, Quarantine Agent, Enforcement Clients for IPsec, 802.1X, DHCP and VPN) sends Client Health Statements and Network Access Requests to the Network Access Device and Health Registration Authority (Quarantine Server). These validate client health with the IAS Server (System Health Validators), which receives policy from the System Health Servers; the HRA issues a Health Certificate, and the Remediation Servers supply updates.
NAP enforcement options
• DHCP: healthy client is given a full IP address and full access; unhealthy client gets a restricted set of routes.
• VPN (Microsoft and 3rd party): healthy client gets full access; unhealthy client gets restricted access.
• 802.1X: healthy client gets full access; unhealthy client is placed on a restricted VLAN.
• IPsec: healthy client can communicate with any trusted peer; healthy peers reject connection requests from unhealthy systems. Complements layer 2 protection, works with existing servers and infrastructure, and gives flexible isolation.
Flexible enforcement options
The slide compares the four enforcement methods (DHCP, VPN, 802.1X, IPsec) and whether each applies on the LAN, remotely, or both (LAN/WAN), against these criteria:
• Enables application isolation
• Use of existing servers
• Use of existing network infrastructure
• Protects against static configuration
• Protects against rogue gateway
• Protects against virtual PC
NAP process: unhealthy client, 802.1X scenario
Participants: Client; Network Access Device (DHCP, VPN, SSL app proxy, 802.1X); Health Registration Authority (HRA); IAS Policy Server; Remediation Server; System Health Servers. The corporate network and the restricted network are separate.
1. Client to HRA: "Can I have a health certificate? Here is my health."
2. HRA validates with IAS. IAS: "No, you need fix-up."
3. Client to NAD: "Can I get on the network?" NAD validates with IAS.
4. NAD: "No. I'm putting you on a restricted VLAN."
5. Client to Remediation Server: "Can I have updates?" Remediation Server: "Here you go."
6. Client to HRA: "I've been updated. Can I have a health certificate?" HRA: "Here you go."
7. Client to NAD: "Can I get on the network now? Here is my health certificate."
8. NAD: "Full access granted."
The health certificate is re-used for subsequent access requests. The System Health Servers push ongoing policy updates to the IAS Policy Server.
NAP process: healthy client scenario
1. Client to Network Access Device (DHCP, VPN, SSL app proxy, 802.1X): "Can I get on the network? Here is my identity."
2. NAD validates with the IAS Policy Server. IAS: "Client is healthy."
3. NAD: "Full access granted."
The Health Registration Authority, Remediation Servers and System Health Servers are not involved in this path.
IPsec NAP isolation model: policy definitions
• Protected Zone: all systems possess a Health Certificate; authentication is required to connect into a system.
• Boundary Zone: all systems possess a Health Certificate; authentication is requested but not required to connect into a system.
• Quarantine Zone: no Health Certificates; no IPsec policies.
Connections: Quarantine Zone to Boundary Zone ALLOWED; Boundary Zone to Protected Zone ALLOWED; Quarantine Zone to Protected Zone BLOCKED.
IPsec NAP scenario
Participants: Client (in the Quarantine Zone); DHCP server; Health Registration Authority; IAS; Remediation Server; Protected Zone.
1. Client to DHCP: "May I have a DHCP address?" DHCP: "Here you go."
2. Client to HRA: "May I have a health certificate? Here's my SoH."
3. HRA to IAS: "Client ok?" IAS: "No. Needs fix-up."
4. HRA to Client: "You don't get a health certificate. Go fix up." Access to the network is blocked.
5. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
6. Client to HRA: "May I have a health certificate? Here's my SoH." IAS: "Yes. Issue health certificate."
7. HRA: "Here's your health certificate." The client can now access the network.
SMS and NAP
Participants: MS Download Center; SMS Site Server; SMS Management Point; SMS Distribution Point (Remediation Servers); IAS Policy Server; Network Access Device (DHCP, VPN); Client. The corporate network and the restricted network are separate.
1. MS Download Center sends an MSRC bulletin to the SMS Site Server.
2. The SMS Site Server periodically plumbs a policy reference to the IAS Policy Server.
3. Client to NAD: "May I have access? Here's my current health status."
4. NAD to IAS: "Should this client be granted access based on its health?"
5. IAS to SMS Management Point: "Can you validate this client's health? Is it up to date?"
6. SMS Management Point: "I can validate this client. It's not. Tell it to update."
7. IAS to NAD: "Restrict access." NAD to Client: "You are being given restricted access until fix-up."
8. Client to SMS Distribution Point: "Requesting updates." Distribution Point: "Here are your updates."
9. Client to NAD: "Requesting access. Here's my new health status with the required security updates."
10. IAS to SMS Management Point: "Can you validate this client's health?" SMS Management Point: "Yes, up to date. Meets policy."
11. IAS to NAD: "Grant access." The client is granted access to the full intranet.
NAP integration benefits
• Multi-layered integration into a defense-in-depth architecture.
• Fast access for healthy clients.
• Network vendors can provide innovative value.
• Customer choice: protects network access, host access and application access, with flexible integration according to need.
Diagram: the Client (System Health Agent, Quarantine Agent, 3rd-party VPN / 802.1X enforcement, DHCP/VPN quarantine enforcement, other) connects through the network infrastructure (Cisco or 3rd party, e.g. Cisco ACS) to the MS IAS Policy Server, Active Directory, the Health Registration Authority and 3rd-party AV, patch and firewall systems.
NAP partners
Microsoft integration ecosystem partners: Networking, Anti-Virus, Endpoint Security, Update/Management, Systems Integrators.
NAP deployment preparation
Preparing for NAP is going to take effort and time. Take advantage of the time to prepare your networks for the new model.
Deployment preparation tasks:
• Health modeling
• Health policy zoning
• Secure network infrastructure analysis
• IAS (RADIUS) deployment
• Zone enforcement selection
• Exemption analysis
• Rollout planning and change process control
• Success matrices and measures
Ensure NAP readiness across your IT organization.
Act now!
• Test / pilot deployment with Longhorn Beta 2.
• Start simple: deploy with DHCP, then manage and upgrade to IPsec.
• Phase the rollout according to risk assessment:
  Step 1: Observation mode only
  Step 2: Grant a grace period, enforce later
  Step 3: Enforce now
• Give us feedback.
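To make the SHA/SHV/IAS roles from the scenario slides and the three rollout modes above concrete, here is an added simulation (not code from the deck or from the NAP SDK). The policy fields, thresholds and the "observe"/"grace"/"enforce" mode names are constructed for this example.

```python
from dataclasses import dataclass

# Health policy as a System Health Server would define it. Field names and
# thresholds are constructed for this example, not the NAP SDK's own schema.
POLICY = {"min_patch_level": 5, "min_av_signature": 20060301, "firewall_on": True}


@dataclass
class StatementOfHealth:
    """What a System Health Agent (SHA) declares about the client."""
    client: str
    patch_level: int
    av_signature: int
    firewall_on: bool


def validate(soh, policy=POLICY):
    """System Health Validator (SHV): failed requirements, empty list if healthy."""
    failures = []
    if soh.patch_level < policy["min_patch_level"]:
        failures.append("patch")
    if soh.av_signature < policy["min_av_signature"]:
        failures.append("av_signature")
    if policy["firewall_on"] and not soh.firewall_on:
        failures.append("firewall")
    return failures


def enforce(soh, mode, day=0, grace_days=14, policy=POLICY):
    """IAS policy decision for the three rollout steps; returns (access, failures)."""
    failures = validate(soh, policy)
    if not failures:
        return "full", []                        # healthy: full access
    if mode == "observe":                        # Step 1: report only
        return "full", failures
    if mode == "grace" and day < grace_days:     # Step 2: enforce after the grace period
        return "full", failures
    return "restricted", failures                # Step 3: restricted network until fix-up


def remediate(soh, policy=POLICY):
    """Remediation server: bring the client up to the policy requirements."""
    return StatementOfHealth(
        soh.client,
        max(soh.patch_level, policy["min_patch_level"]),
        max(soh.av_signature, policy["min_av_signature"]),
        soh.firewall_on or policy["firewall_on"],
    )
```

The unhealthy-client flow on the earlier slides is enforce, then remediate, then enforce again with the updated statement of health.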
Web site and whitepapers: www.microsoft.com/nap
Information on SDK distribution: napsdk@microsoft.com
Questions or feedback: asknap@microsoft.com
Network Access Protection components (reference slide)
Diagram: the Client runs System Health Agents (Microsoft and 3rd party: AV/Patch/FW/other), the Quarantine Agent (QA) and the Quarantine Enforcement Client (Microsoft and 3rd party: DHCP/VPN/802.1X/IPsec). The client sends Statements of Health (SoHs) and Network Access Requests to the Network Access Device (Microsoft and 3rd-party DHCP and VPN servers, SSL app proxy, Health Registration Authority), which hosts the Quarantine Server (QS). The IAS Policy Server runs the System Health Validators (Microsoft and 3rd party) and performs client health validation. The System Health Servers supply policy and health checks; the Remediation Servers (anti-virus, patch, system management, etc.) supply updates.
• SHA, System Health Agent = Declares health (patch state, virus signature, system configuration, etc.).
• SHV, System Health Validator = Certifies the declarations made by health agents.
• QEC, Quarantine Enforcement Client = Negotiates access with specific network access devices.
• NAD, Network Access Device = Facilitates health reporting and enforces network restrictions.
• QA, Quarantine Agent = Reports client health status; coordinates between the SHA and the Quarantine Enforcement Server (QES), which is on the NAD.
• QS, Quarantine Server = Restricts the client's network access based on what the SHV certifies.
• SHS, System Health Server = Defines health requirements for system components on the client.
• RS, Remediation Server = Installs necessary patches, configurations and applications; brings the client to a healthy state.