Protect against Virtual Machines with Network Access Protection

  • Article

It's up on us again, MMS 2009 and I'm going to try and be there to talk about how you can enable and configure your environment to protect your network with Network Access Protection against virtual machines on virtual private networks that have connectivity to the physical network. The presentation I plan to give will show how to enabled a protected network from virtual environments.

I will show you how to automate a complete solution, enabling you to deploy virtual machines with WDS using SCVMM 2008, Hyper V and SCCM 2007 on a Windows Server 2008 Active Directory Network with Network Access Protection (NAP) enabled. I will show a demo on an automated provisioning process that will allow deployed virtual machines to receive the System Center Configuration Manager client using Active Directory Group Policy and WMI filtering as the discovery method. This allows targeting of virtual machines with specific group policies to allow Windows Software Updates Services (WSUS) & ConfigMgr Software Update Point (SUP) client installation configurations to automate the client installation.  

As we all know virtual machines can be configured with a private internal network adapter which does not allow the virtual machine to connect to the physical network, and wouldn't matter if the virtual machines are unhealthy, or with a externally facing network adapter that is connected to the physical network and if joined to the corporate domain those virtual machines will have access to the physical network and resources the Hyper V host is sitting on. In the event when a administrator deploys his/her virtual machine that is connected to the physical network, this solution can automate discovery of virtual machines and protect your network from virtual machines that may be un-patched or un healthy.

I will show the virtual machines go in quarantine soon after a WDS deployment and how the virtual machine will automatically receive the System Center Configuration Manager client, following the client installation, all required software updates are installed as well which will be followed by a post configuration custom software update developed with System Center Custom Update Publishing Tool. 

This solution addresses the possibility of un-patched virtual machines being deployed to a corporate enterprise network. This solution integrates software updates management, automated client deployment for the Configuration Manager client, WDS for operating system deployments, Active Directory Group Policy as the targeting method, custom software updates with SCUP, and Network Access Protection for systems health validation. This solution also has the potential of reaching 99% client coverage within an enterprise, provided standards and standard configurations are put in place and adhered to.

Getting to 99% coverage on client deployments was not possible until the introduction of System Center Configuration Manager 2007 and its newest feature, WSUS/Software Update Point Client Installation, in my opinion. I wrote a article for this solution, You can find it Here!.

Network Access Protection (NAP) is a new set of operating system components in Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 that provides a platform for system health validated access to private networks. This solution will show how to extend the platform to also validate virtual machines deployed on virtual networks that inter-connect with the physical network. 

The NAP platform provides an integrated way of validating the health state of a network client that is attempting to connect to or communicate on a network and limiting the access of the network client until the health policy requirements have been met. These policy requirements can also be extended to include virtual private networks for network environments that allow administrators to deploy and manage their own virtual machines that will have access to the corporate physical network.

I see the requirements as to validate access to a network based on virtual machines system health, a network infrastructure needs to provide the following areas of functionality:

· Health state validation

· Network access limitation 

· Automatic remediation 

· Ongoing compliance 

· Virtual machine discovery - how is this done? I will have more on this at MMS 2009 in Las Vegas and on my blog soon after.

I'll let you know if and when its official that I'll be there at MMS in 2009...