Transcript of Selecting the Right Network Access Protection Architecture: Infrastructure Planning and Design
What Is Infrastructure Planning and Design?
Guidance that aims to clarify and streamline the planning and design process for Microsoft® infrastructure technologies
IPD…in 50 pages:
Defines decision flow
Describes decisions to be made
Relates decisions and options for the business
Frames additional questions for business understanding
Replaces Windows Server System™ Reference Architecture (WSSRA)
Purpose and Agenda
Purpose: To assist in the decision-making process regarding which enforcement methods to use in conjunction with Network Access Protection (NAP) to meet business and technical requirements
Agenda: Determine which components to use in a NAP architecture
What Is NAP?
Network Access Protection is a policy-based solution that:
Validates whether computers meet health policies
Can limit access for noncompliant computers
Automatically remediates noncompliant computers
Continuously updates compliant computers to maintain health state
Offers administrators a wide range of choice and deployment flexibility to better secure their Windows networks
Why Implement NAP?
Controlled access for guests, vendors, partners
Improved resilience to malware as network health increases
More robust update infrastructure
Managed compliance
Key Messages for NAP
The NAP client can be Windows Server® 2008, Windows Vista®, Windows® XP SP3, or third-party (Linux + Macintosh)
NAP is built into Windows and is enabled via Group Policy or script
NAP requires a minimum of one Windows Server 2008 machine to get started
NAP Enforcement Options
Enforcement option: Capabilities
IPsec – implemented at host layer: Restricts client device communication to a limited number of servers until compliance is demonstrated
802.1X – implemented at network layer: Client device’s access is restricted by network infrastructure devices until the device has demonstrated compliance
VPN – Microsoft VPN: VPN server restricts client device’s access by using IP filters until client device has demonstrated compliance
DHCP – implemented at network layer: DHCP client is restricted by providing a 32-bit netmask and removing the default gateway
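The DHCP option above is the one enforcement method whose mechanism the deck states outright: the restricted lease carries a 32-bit netmask and no default gateway, so the client has no on-link peers and no default route. The following Python model, added here as an illustration and not taken from the IPD guide or from Microsoft's NAP implementation, shows what that does to a client's forwarding decision. The host routes to a remediation server stand in for the static routes a restricted NAP lease supplies so the client can still fetch updates; those routes, the addresses and the subnet values are constructed for the example.

```python
"""Model of the DHCP enforcement restriction (added example, not from the IPD guide).

A restricted lease with a /32 netmask and no default gateway leaves the client
able to reach only the destinations it holds explicit host routes for.
All addresses and routes below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class Lease:
    """The parts of a DHCPv4 lease that decide where a client can send packets."""
    address: str
    netmask: str
    default_gateway: Optional[str] = None
    # prefix -> next hop; stands in for the static routes a restricted NAP
    # lease hands out so the client can still reach remediation servers
    static_routes: Dict[str, str] = field(default_factory=dict)


def compliant_lease(address: str) -> Lease:
    """Normal lease: a /24 on-link subnet plus a default route (constructed values)."""
    return Lease(address, "255.255.255.0", default_gateway="10.0.0.1")


def restricted_lease(address: str, remediation_servers: Iterable[str]) -> Lease:
    """NAP-style restricted lease: /32 mask, no gateway, host routes only."""
    routes = {f"{srv}/32": srv for srv in remediation_servers}
    return Lease(address, "255.255.255.255", default_gateway=None, static_routes=routes)


def next_hop(lease: Lease, destination: str) -> Optional[str]:
    """Return how the client would forward to `destination`, or None if it cannot.

    The order mirrors a simple routing decision: on-link subnet first, then the
    most specific static route, then the default gateway if one exists.
    """
    dst = ipaddress.ip_address(destination)
    iface = ipaddress.ip_interface(f"{lease.address}/{lease.netmask}")
    if dst in iface.network:
        return "on-link"
    best = None  # (network, gateway) of the longest matching static route
    for prefix, gateway in lease.static_routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is not None:
        return f"via {best[1]}"
    if lease.default_gateway is not None:
        return f"via {lease.default_gateway}"
    return None


def reachability(lease: Lease, candidates: List[str]) -> Dict[str, Optional[str]]:
    """Map each candidate destination to its next hop (None = unreachable)."""
    return {dst: next_hop(lease, dst) for dst in candidates}


if __name__ == "__main__":
    REMEDIATION = ["10.0.5.10"]  # constructed remediation server address
    TARGETS = ["10.0.0.40", "10.0.5.10", "203.0.113.7"]
    for name, lease in (("compliant", compliant_lease("10.0.0.25")),
                        ("restricted", restricted_lease("10.0.0.25", REMEDIATION))):
        print(name, reachability(lease, TARGETS))
```

Running it shows the compliant lease reaching a subnet neighbour on-link and an Internet address through the gateway, while the restricted lease reaches only the remediation server. The model also makes the limit of the method visible: the restriction exists only in the lease, so a host configured with a static address never receives it, which is why DHCP enforcement rates Low on the security column of the comparison table later in the deck.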
Decision Flow
Determine the client connectivity
Determine enforcement layer
If enforcement is at network layer, select enforcement options
Type of network connectivity dictates appropriate enforcement methods. Client devices connect two ways:
Locally—via wired or wireless
Remotely—such as VPN
Determine Client Connectivity
Determine VPN Platform
Will the VPN platform be Microsoft or third-party?
Microsoft VPN selected:
If IT selects RRAS to provide remote access, the VPN server must run Windows Server 2008
Low level of complexity and cost to implement
Third-party VPN selected:
If IT selects a third-party VPN, IPsec can be used to restrict client device access
High level of complexity and medium cost to implement
Enforcement Layer Decision
Enforce NAP restrictions at each host or enforce on network?
Enforce restrictions at hosts selected:
Using IPsec provides robust security
High level of complexity and medium cost to implement
Enforce restrictions on network selected:
Depending on specific network-based enforcement method, security level is less robust than IPsec
Medium level of complexity and high cost to implement
NAP Restrictions – Host vs. Network Enforcement
Use the table below to select between:
IPsec – host-based
802.1X – network-based
DHCP – network-based

Method   Security Level   Complexity   Cost
IPsec    High             High         Medium
802.1X   High             Medium       High
DHCP     Low              Low          Low
Additional Considerations for NAP
Determine system compliance requirements
Combining NAP technologies
Dependencies
Summary and Conclusion
NAP flexibility provides choice
NAP is deployment ready
Provide feedback to [email protected]
Find More Information
Download the full document and other IPD guides:
http://www.microsoft.com/ipd
Contact the IPD team: [email protected]
The Microsoft Solution Accelerators Web site: http://www.microsoft.com/technet/SolutionAccelerators