Unleashing the Power of Ubiquitous Connectivity with IPv6
Bram Veenhof, Microsoft
[email protected]/bramveen
Agenda
• The Connectivity Imperative
• IPv6 Product Report Card
• The power of IPv6 and Windows networking
• IPv6 now, infrastructure later, and Direct Access
The Connectivity Imperative

Seamless Applications Impact

The Future of Business Computing
• Dynamic Datacenter
• Focus on Security, Productivity, and Impact
• Providing a unique "customer experience"

The Future of Personal Computing
• From personal computer to personal computing
• Across multiple PCs and devices
• Blurring of digital workstyle and lifestyle
• Individual in control of their digital world
IPv6 is a Key Building Block
• Continued seamless connectivity demands a new paradigm: Security, Scalability, Flexibility
• IPv6 is required to support the new network and Internet
IPv6 Report Card
• Windows Vista
• Windows Server 2008
• SQL Server 2008
• SQL Server 2005
• Exchange Server 2007 SP1
• Host Integration Server 2007
• BizTalk Server 2006
• Office SharePoint Server 2007
• SMS/SCCM 2007
• MOM/SCOM 2007
• System Center Virtual Machine Manager
• Office 2007
• Active Directory/DNS/DHCPv6
• Groove: coming soon
• ISA Server: coming soon
More Than the Stack…
• All standard Windows Server 2008 components are IPv6 capable
• IPv6 is on by default, and preferred
• Controllable via Group Policy
• All Enterprise-class products currently in production are IPv6 capable
• GUI-based configuration
• Full support for IPsec
Windows Firewall Features
• On by default
• Server Roles plumb firewall rules
• Stateful IP filtering inbound and outbound
• Full support for IPv6/ICMPv6
• Location-aware policy profiles: Domain, Public, Private
• Service Hardening
  • Prevent critical Windows services from being used for malicious activity
  • Enabled by default, and applies to inbound and outbound traffic
IPv6 Deployment at Microsoft
• ISATAP available in all buildings world-wide
• Native v6 connectivity in all development buildings world-wide
• Where do we need native v6? That is where we concentrate upgrades
• Everywhere else gets ISATAP connections
IPv6 Now – Infrastructure Later
• Transition Technologies let enterprises deploy IPv6 before infrastructure supports it
• Phased deployments
• Managed rollout of native IPv6
[Diagram: Native IPv6, ISATAP tunnel (IPv6 in IPv4), Native IPv4; the IPv4 and IPv6 segments are joined by an ISATAP Router]
IPv6 Now – Infrastructure Later
• ISATAP (RFC 4214) works well inside the network
• Single box can enable IPv6 in the enterprise
• Secure tunneling of IPv6 over IPv4
[Diagram: IPv4 Internet; two clients, each behind a Restricted NAT; Teredo Server; Bubble Packets]
• Teredo works well for unmanaged/home users
• Works through a NAT
• Protocol of last resort
• Automatically disables in a managed environment
• Transition Technologies let consumers deploy IPv6 before infrastructure supports it
• Phased deployments
• Transition to managed infrastructure
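As an added example (not part of the deck), a small Python classifier for the tunnel address formats the transition slides rely on: ISATAP (RFC 4214), Teredo (RFC 4380) and, going one step beyond the slides above, the 6to4 relay form (RFC 3056) that the Direct Access slides use later. It recovers the IPv4 endpoints embedded in each address, which is what a defender needs to recognise tunnelled IPv6 in IPv4-only flow or firewall logs; the log lines and helper names are constructed for this example.

```python
import ipaddress

# Well-known prefixes / markers of the three tunnel mechanisms
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056: 2002:WWXX:YYZZ::/48
TEREDO = ipaddress.IPv6Network("2001::/32")        # RFC 4380 service prefix
ISATAP_IID_MARK = 0x00005EFE                        # RFC 4214 interface-id marker (u/l bit masked off)


def classify_tunnel_address(text):
    """Return (kind, details) for a 6to4, Teredo or ISATAP address, else ("native", {})."""
    addr = ipaddress.IPv6Address(text)
    n = int(addr)
    if addr in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ:: -> bits 16..47 carry the host's public IPv4 address
        v4 = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        return "6to4", {"ipv4": str(v4)}
    if addr in TEREDO:
        # 2001:0000:<server v4>:<flags>:<port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF>
        server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return "teredo", {"server": str(server), "flags": hex(flags),
                          "client_port": port, "client_ipv4": str(client)}
    iid = n & 0xFFFFFFFFFFFFFFFF
    # ISATAP: interface id is 0000:5efe:w.x.y.z (0200:5efe when the u bit is set)
    if ((iid >> 32) & 0xFDFFFFFF) == ISATAP_IID_MARK:
        prefix = str(ipaddress.IPv6Address((n >> 64) << 64)) + "/64"
        v4 = ipaddress.IPv4Address(iid & 0xFFFFFFFF)
        return "isatap", {"prefix": prefix, "ipv4": str(v4)}
    return "native", {}


def tunnel_endpoints_in_log(lines):
    """Group the IPv4 tunnel endpoints seen in '<ipv6> <bytes>' log lines by mechanism."""
    seen = {}
    for line in lines:
        kind, details = classify_tunnel_address(line.split()[0])
        if kind != "native":
            seen.setdefault(kind, set()).add(details.get("client_ipv4") or details["ipv4"])
    return seen


SAMPLE_LOG = [  # constructed sample, not real traffic
    "2002:c000:0204::1 1480",                     # 6to4 host at 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2 512",   # Teredo example address from RFC 4380
    "fe80::5efe:c000:207 90",                     # ISATAP link-local for 192.0.2.7
    "2001:db8::1 40",                             # native IPv6, ignored
]
```

Python's ipaddress module also exposes IPv6Address.sixtofour and IPv6Address.teredo for two of these forms; the bit layout is spelled out here so the formats stay visible.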
Direct Access Overview

What is Direct Access?
• Simultaneous corpnet and Internet access: if the user's machine is connected to the Internet, it is connected to the corporate network
• Remote management: the user's machine is maintainable whenever connected to the corporate network over the Internet
• Secure remote connectivity: communication between the user's machine and corporate resources is secure
Ideal Vision
[Diagram: Corpnet with Server Resources; Internet with Websites]
Why are we doing it?
• End-user goals: same experience accessing corporate resources anywhere (Intranet, Internet or any remote location)
• IT-Administrator goals: lower TCO than VPN; better management of remotely connected devices; end-to-end security
• Microsoft goals: reduced need for classic thick edge; improve customer (end-user and IT-admin) experience; be the industry leader in remote access and network security
How does Direct Access work?
The Direct Access Server: the network of the Future
[Diagram: IPv6 Internet; Corpnet containing DNS, the Direct Access Server (DAS) and Server Resources]
What happens at Client
• Client tries to access *.corpnet.com
• Looks in provisioned list for DNS server(s) associated with the corpnet.com suffix
• Connects with DNS server (using IPsec); IPv6 route is through DAS
• Gets target address from DNS server; registers its own address with DNS
• Client tries to connect to target; IPv6 route again through DAS; IPsec is required
What happens at DAS/DNS
• DAS lets through AuthIP packets from client to DNS (IPsec DoS protection)
• After negotiation, DAS lets ESP packets through between client and DNS
• DNS returns target address information to client; DNS registers the client's current address information
• DAS lets through AuthIP packets from client to target; after negotiation, DAS lets ESP packets through between client and target
Configuring for Direct Access
• Client: receives configuration while directly connected to corpnet (provisioning) via Group Policy; NAP used to check configuration and health when remotely connected
• Server: Direct Access wizard to set up Direct Access Server(s); policies controlled via Group Policy
Now to the real world
• Internet not yet IPv6: client behind NAT on IPv4 Internet; client directly on IPv4 Internet; client behind 3rd party firewall (and probably NAT)
• Corpnet not yet IPv6 with IPsec: IPv6 capable, but not all machines have IPsec enabled; IPv4 network, machines are dual-stack (Vista+); IPv4-only machines may be on the network
Client directly on IPv4 Internet
[Diagram: IPv4-only Internet; 6to4 tunnel between client and DAS (6to4 relay)]

Client behind NAT on IPv4 Internet
[Diagram: IPv4-only Internet; Teredo tunnel between client and Teredo Server and DAS (Teredo relay)]

Client behind 3rd party firewall on IPv4 Internet
[Diagram: IPv4-only Internet; IP-TLS tunnel between client and DAS (IP-TLS relay)]
IPv6+IPsec capable resource, on IPv4 network
[Diagram: IPv4-only Corpnet; DAS (to Internet) reaches the Corpnet Resource supporting IPv6+IPsec over an ISATAP tunnel]

IPv6 capable resource, but no encryption
[Diagram: IPv4-only Corpnet; DAS (to Internet) reaches a Dynamic Tunnel Endpoint over an ISATAP tunnel; Corpnet Resource supporting IPv6 with no encryption]

IPv4-Only Resource
[Diagram: IPv4-only Corpnet; DAS (to Internet), DTE, NAT-PT; IPv4-only Corpnet Resource]
Server and Domain Isolation
• Protect managed computers from unmanaged or rogue computers and users
• Protect specific high-value servers and data
• Dynamically segment your Windows environment into more secure and isolated logical networks based on policy
[Diagram: Labs; Unmanaged guests; Server Isolation; Domain Isolation]
Policy-Based Network Access Protection
Network Access Protection: policy-based solution that
• Validates whether computers meet health policies
• Limits access for noncompliant computers
• Automatically remediates noncompliant computers
• Continuously updates compliant computers to maintain health state

Solution Highlights
• Standards-based
• Plug and Play
• Works with most devices
• Supports multiple antivirus solutions
• Has become the standard for Network Access Control
More Information
• IPv6, ISATAP, Teredo: www.microsoft.com/ipv6
• Free e-book on IPv6: http://csna01.libredigital.com/?urws8un4p7

© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.