
Selecting the Right Network Access Protection Architecture

Date post: 23-Feb-2016
Upload: dayo
Transcript
Page 1: Selecting the Right Network Access Protection Architecture

Selecting the Right Network Access Protection Architecture
Infrastructure Planning and Design Series

Page 2: Selecting the Right Network Access Protection Architecture

What Is IPD?

Guidance that aims to clarify and streamline the planning and design process for Microsoft® infrastructure technologies

IPD…in 50 pages:
- Defines decision flow
- Describes decisions to be made
- Relates decisions and options for the business
- Frames additional questions for business understanding
- Replaces Windows Server System™ Reference Architecture (WSSRA)

Download the IPD Guides at www.microsoft.com/ipd

Page 3: Selecting the Right Network Access Protection Architecture

SELECTING THE RIGHT NAP ARCHITECTURE

Getting Started


Page 4: Selecting the Right Network Access Protection Architecture

Purpose and Agenda

Purpose

To assist in the decision-making process regarding which enforcement methods to use in conjunction with Network Access Protection (NAP) to meet business and technical requirements

Agenda

Determine which components to use in a NAP architecture

Page 5: Selecting the Right Network Access Protection Architecture

What Is NAP?

Network Access Protection is a policy-based solution that:
- Validates whether computers meet health policies
- Can limit access for noncompliant computers
- Automatically remediates noncompliant computers
- Continuously updates compliant computers to maintain health state
- Offers administrators a wide range of choice and deployment flexibility to better secure their Windows networks

Page 6: Selecting the Right Network Access Protection Architecture

NAP Architecture

Page 7: Selecting the Right Network Access Protection Architecture

Why Implement NAP?

- Controlled access for guests, vendors, partners
- Improved resilience to malware as network health increases
- More robust update infrastructure
- Managed compliance

Page 8: Selecting the Right Network Access Protection Architecture

Key Messages for NAP

- The NAP client can be Windows Server® 2008, Windows Vista®, Windows® XP SP3, or third-party (Linux + Macintosh)
- NAP is built into Windows and is enabled via GP/script
- NAP requires a minimum of one Windows Server 2008 machine to get started

Page 9: Selecting the Right Network Access Protection Architecture

NAP Enforcement Options

Enforcement option | Capabilities
IPsec – implemented at host layer | Restricts client device communication to a limited number of servers until compliance is demonstrated
802.1X – implemented at network layer | Client device’s access is restricted by network infrastructure devices. Client access is restricted until device has demonstrated compliance
VPN – Microsoft VPN | VPN server restricts client device’s access by using IP filters until client device has demonstrated compliance
DHCP – implemented at network layer | DHCP client is restricted by providing a 32-bit netmask and removing the default gateway
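
The effect of the DHCP restriction described above can be modeled as a routing-table lookup. This is an added example, not part of the original presentation: it builds the routes a client derives from a lease and shows which destinations remain reachable. All addresses are constructed sample data, and the optional host route to a remediation server is an assumption of this example that the slides do not describe.

```python
import ipaddress


def routes_from_lease(address, netmask, gateway=None, host_routes=()):
    """Return the IPv4 routes a client derives from a DHCP lease.

    host_routes is an assumption of this example: (destination, next_hop)
    pairs for individual servers a restricted client may still reach.
    """
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    routes = [(iface.network, "on-link")]
    if gateway is not None:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), gateway))
    for destination, hop in host_routes:
        routes.append((ipaddress.ip_network(f"{destination}/32"), hop))
    return routes


def next_hop(routes, destination):
    """Longest-prefix match; None means the client has no route at all.

    The model only selects a route; it does not resolve the next hop itself.
    """
    dst = ipaddress.ip_address(destination)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)[1]


def reachable(routes, destinations):
    """Destinations for which the routing table yields any route."""
    return [d for d in destinations if next_hop(routes, d) is not None]


# Constructed sample data (documentation address ranges).
PEER, FILE_SERVER, REMEDIATION = "192.0.2.77", "198.51.100.20", "198.51.100.10"
TARGETS = [PEER, FILE_SERVER, REMEDIATION]

# Compliant client: normal /24 lease with a default gateway.
COMPLIANT = routes_from_lease("192.0.2.50", "255.255.255.0", gateway="192.0.2.1")
# Restricted client: 32-bit netmask and no default gateway.
RESTRICTED = routes_from_lease("192.0.2.50", "255.255.255.255")
# Restricted client that also receives one host route (assumed, see lead-in).
RESTRICTED_PLUS = routes_from_lease(
    "192.0.2.50", "255.255.255.255", host_routes=[(REMEDIATION, "192.0.2.1")]
)

if __name__ == "__main__":
    for name, table in [("compliant", COMPLIANT), ("restricted", RESTRICTED),
                        ("restricted+host route", RESTRICTED_PLUS)]:
        print(f"{name}: {reachable(table, TARGETS)}")
```
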

Page 10: Selecting the Right Network Access Protection Architecture

Decision Flow

- Determine the client connectivity
- Determine enforcement layer
- If enforcement is at network layer, select enforcement options

Page 11: Selecting the Right Network Access Protection Architecture

Determine Client Connectivity

Type of network connectivity dictates appropriate enforcement methods. Client devices connect two ways:
- Locally—via wired or wireless
- Remotely—such as VPN

Page 12: Selecting the Right Network Access Protection Architecture

Determine VPN Platform

Will the VPN platform be Microsoft or third-party?

Microsoft VPN selected:
- If IT selects RRAS to provide remote access, VPN server must run Windows Server 2008
- Low level of complexity and cost to implement

Third-party VPN selected:
- If IT selects a third-party VPN, IPsec can be used to restrict client device access
- High level of complexity and medium cost to implement

Page 13: Selecting the Right Network Access Protection Architecture

Enforcement Layer Decision

Enforce NAP restrictions at each host or enforce on network?

Enforce restrictions at hosts selected:
- Using IPsec provides robust security
- High level of complexity and medium cost to implement

Enforce restrictions on network selected:
- Depending on specific network-based enforcement method, security level less robust than IPsec
- Medium level of complexity and high cost to implement

Page 14: Selecting the Right Network Access Protection Architecture

NAP Restrictions – Host vs. Network Enforcement

Use the table below to select between:
- IPsec – host-based
- 802.1X – network-based
- DHCP – network-based

Method | Security Level | Complexity | Cost
IPsec | High | High | Medium
802.1X | High | Medium | High
DHCP | Low | Low | Low

Page 15: Selecting the Right Network Access Protection Architecture

Additional Considerations for NAP

- Determine system compliance requirements
- Combining NAP technologies
- Dependencies

Page 16: Selecting the Right Network Access Protection Architecture

Summary and Conclusion

- NAP flexibility provides choice
- NAP is deployment ready

Provide feedback to [email protected]

Page 17: Selecting the Right Network Access Protection Architecture

Find More Information

Download the full document and other IPD guides: www.microsoft.com/ipd

Contact the IPD team: [email protected]

Visit the Microsoft Solution Accelerators Web site: www.microsoft.com/technet/SolutionAccelerators