TRANSCRIPT
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1
Trusted Network Connect: Open Standards for NAC
Trusted Network Connect (TNC)
• Open Architecture for Network Access Control
– Strong security through trusted computing
• Open Standards for Network Access Control
– Full set of specifications
– Products shipping for more than two years
• Work Group of Trusted Computing Group
– Industry standards group
– About 175 TCG member organizations, 75 in TNC-WG
– More joining every week
Problem: Reduce Endpoint Attacks
• Increasingly Sophisticated and Serious Attacks
– Malware = Viruses, Worms, Spyware, Rootkits, Back Doors, Botnets
– Zero-Day Exploits
– Targeted Attacks
– Rapid Infection Speed
• Exponential Growth in Malware
– >40,000,000 Infected Machines
– >35,000 Malware Varieties
• Motivated Attackers
– Extortion, Identity Theft, Bank Fraud, Corporate Espionage
• Dissolving Network Boundaries
– Mobile workforce, partners, contractors, outsourcing
• Regulatory Requirements
– Mandatory Policy Compliance
Solution: Network Access Control
• Create Network Access Control Policy
• Require Compliance for Network Access (or Log and Advise)
• Isolate and Repair Non-Compliant Endpoints
• Optional Integration with TPM to
– Identify Users
– Thwart Root Kits
Sample Network Access Control Policy
• Machine Health
– Anti-Virus software running and properly configured
– Recent scan shows no malware
– Personal Firewall running and properly configured
– Patches up-to-date
– No unauthorized software
• Machine Behavior
– No port scanning, sending spam, etc.
• Other Organization-Defined Requirements
TNC Architecture (figure)
Access Requestor (AR) → Policy Enforcement Point (PEP) → Policy Decision Point (PDP), with the PEP at the network perimeter
Endpoints connect over wireless, wired or VPN links
Typical TNC Deployments
• Uniform Policy
• User-Specific Policies
• TPM Integrity Check
Uniform Policy (figure)
Client Rules (held at the Policy Decision Point):
• Windows XP
• SP2
• OS HotFix 2499
• OS HotFix 9288
• AV (one of): Symantec AV 10.1, McAfee Virus Scan 8.0
• Firewall
Compliant System: Windows XP, SP2, OS HotFix 2499, OS HotFix 9288, AV - Symantec AV 10.1, Firewall → Production Network
Non-compliant System: Windows XP, SP2, OS HotFix 2499 (x), OS HotFix 9288 (x), AV - McAfee Virus Scan 8.0, Firewall → Remediation Network (x marks the hotfixes it lacks)
Components: Access Requestor, Policy Enforcement Point, Policy Decision Point
User-Specific Policies (figure)
Access Policies (held at the Policy Decision Point):
• Authorized Users
• Client Rules
Ken – R&D → R&D Network
Linda – Finance: Windows XP, OS Hotfix 9345, OS Hotfix 8834, AV - Symantec AV 10.1, Firewall → Finance Network
Guest User → Guest Network (Internet Only)
Components: Access Requestor, Policy Enforcement Point, Policy Decision Point
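The following is an added example, not code from the TCG deck or from any TNC product: a toy Policy Decision Point in Python that applies the Client Rules of the Uniform Policy slide and the Authorized Users + Client Rules of the User-Specific Policies slide, returning the network the PEP should place an endpoint on. The user names and group membership, the Finance rule set (taken from Linda's endpoint, whose hotfix list differs from the uniform rules) and the handling of unknown users as guests are assumptions of this example.

```python
"""Toy TNC Policy Decision Point (added example, not TCG's code).

Applies the client rules from the Uniform Policy slide and the authorized-user
network assignment from the User-Specific Policies slide. User names, group
membership, the Finance rule set and the guest handling are constructed."""
from dataclasses import dataclass

# Client Rules as written on the Uniform Policy slide.
UNIFORM_RULES = {
    "os": "Windows XP",
    "service_pack": "SP2",
    "hotfixes": {"2499", "9288"},
    "av_one_of": {"Symantec AV 10.1", "McAfee Virus Scan 8.0"},
    "firewall": True,
}

# Finance rule set: assumed to match Linda's endpoint on the User-Specific
# Policies slide, whose hotfix list differs from the uniform rules.
FINANCE_RULES = dict(UNIFORM_RULES, hotfixes={"9345", "8834"})

# Access Policies = Authorized Users + Client Rules, per group (constructed).
ACCESS_POLICIES = {
    "R&D": {"users": {"ken"}, "network": "R&D Network", "rules": UNIFORM_RULES},
    "Finance": {"users": {"linda"}, "network": "Finance Network", "rules": FINANCE_RULES},
}
GUEST_NETWORK = "Guest Network (Internet Only)"
REMEDIATION_NETWORK = "Remediation Network"


@dataclass(frozen=True)
class HealthReport:
    """Endpoint state as collected by the IMCs (fields are constructed)."""
    os: str
    service_pack: str
    hotfixes: frozenset
    av: str
    firewall: bool


def check_client_rules(report, rules):
    """Return the list of violated rules; an empty list means compliant."""
    failures = []
    if report.os != rules["os"]:
        failures.append(f"OS: expected {rules['os']}, got {report.os}")
    if report.service_pack != rules["service_pack"]:
        failures.append(f"service pack: expected {rules['service_pack']}, got {report.service_pack}")
    # Every required hotfix must be present; report each missing one.
    for hotfix in sorted(rules["hotfixes"] - set(report.hotfixes)):
        failures.append(f"missing OS HotFix {hotfix}")
    # 'AV (one of)': any product on the list satisfies the rule.
    if report.av not in rules["av_one_of"]:
        failures.append(f"AV {report.av!r} not one of {sorted(rules['av_one_of'])}")
    if rules["firewall"] and not report.firewall:
        failures.append("firewall not running")
    return failures


def decide(user, report):
    """PDP decision: (network the PEP should place the endpoint on, violations).

    Authorized users go to their group's network if compliant and to the
    Remediation Network otherwise; unknown users are guests and get Internet
    only without a health check (an assumption of this example)."""
    for policy in ACCESS_POLICIES.values():
        if user in policy["users"]:
            failures = check_client_rules(report, policy["rules"])
            return (REMEDIATION_NETWORK if failures else policy["network"]), failures
    return GUEST_NETWORK, []


if __name__ == "__main__":
    # Constructed endpoints mirroring the Uniform Policy slide.
    compliant = HealthReport("Windows XP", "SP2", frozenset({"2499", "9288"}),
                             "Symantec AV 10.1", True)
    missing_hotfixes = HealthReport("Windows XP", "SP2", frozenset(),
                                    "McAfee Virus Scan 8.0", True)
    for user, rep in [("ken", compliant), ("ken", missing_hotfixes), ("visitor", compliant)]:
        network, why = decide(user, rep)
        print(f"{user}: {network} {why}")
```

The second constructed endpoint reproduces the slide's non-compliant system: McAfee satisfies the "AV (one of)" rule and the firewall is present, so the only violations are the two missing hotfixes, and the endpoint lands on the Remediation Network rather than being refused outright.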
TPM Integrity Check (figure)
Client Rules: TPM enabled
• BIOS
• OS
• Drivers
• Anti-Virus SW
Compliant System (TPM verified: BIOS, OS, Drivers, Anti-Virus SW) → Production Network
Components: Access Requestor, Policy Enforcement Point, Policy Decision Point
TPM – Trusted Platform Module
• HW module built into most of today’s PCs
• Enables a HW Root of Trust
• Measures critical components during trusted boot
• PTS interface allows PDP to verify configuration and remediate as necessary
TNC Architecture (figure)
Access Requestor: Integrity Measurement Collectors (IMC) → TNC Client (TNCC) → Network Access Requestor; Platform Trust Service (PTS) on top of the TSS and the TPM
Policy Decision Point: Integrity Measurement Verifiers (IMV) → TNC Server (TNCS) → Network Access Authority
Policy Enforcement Point (PEP)
Interfaces:
• IF-M between IMCs and IMVs
• IF-IMC between IMCs and the TNCC
• IF-IMV between IMVs and the TNCS
• IF-TNCCS between TNCC and TNCS
• IF-T between Network Access Requestor and Network Access Authority
• IF-PEP between Network Access Authority and PEP
• IF-PTS between the PTS and the IMCs
Trusted Platform Module (TPM)
• Security hardware on motherboard
– Open specifications from TCG
– Resists tampering & software attacks
• Now included in almost all enterprise PCs
– Off by default
• Features
– Secure key storage
– Cryptographic functions
– Integrity checking & remote attestation
• Applications
– Strong user and machine authentication
– Secure storage
– Trusted / secure boot
• For TNC, most useful for detecting rootkits
– Protects against the ‘lying endpoint’ problem
– TPM measures critical components during trusted boot
• BIOS, Boot Loader, OS Kernel, Kernel Drivers, TNCC, IMCs
– PTS-IMC reports measurements via TNC handshake
– PDP checks measurements against valid configurations
– If invalid, PDP can remediate and isolate
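The following is an added example, not code from the TCG deck or from any TPM/TNC implementation, covering both the TPM Integrity Check slide and the bullets above: it simulates the trusted boot that measures each component into a PCR, the measurement log the PTS-IMC reports, and the PDP's check of that report against valid configurations. The component images and their known-good digests are constructed; the PCR value stands in for a signed TPM quote, which a real PDP would verify against the platform's attestation key before trusting it.

```python
"""TPM-backed integrity check at the PDP (added example, not TCG's code).

Simulates the measured (trusted) boot from the slide, the PTS-IMC report and
the PDP's comparison against known-good values. Component images, their
known-good measurements and the PCR-style quote are constructed; a real
deployment verifies an AIK-signed TPM quote, which this stand-in omits."""
import hashlib

# A TPM 1.2 PCR starts at 20 zero bytes and is only ever extended, never set.
PCR_INIT = bytes(20)


def measure(data):
    """SHA-1 digest of a component image, as a measurement agent would compute."""
    return hashlib.sha1(data).digest()


def extend(pcr, digest):
    """TPM 1.2 extend operation: new PCR = SHA-1(old PCR || measurement)."""
    return hashlib.sha1(pcr + digest).digest()


# Components the slide lists as measured during trusted boot (images constructed).
GOOD_IMAGES = [
    ("BIOS", b"bios-build-1.07"),
    ("Boot Loader", b"bootloader-2.3"),
    ("OS Kernel", b"kernel-5.1.2600"),
    ("Kernel Drivers", b"driver-bundle-2008-01"),
    ("TNCC", b"tncc-1.0"),
    ("IMCs", b"av-imc-1.0"),
]
# Valid configurations the PDP accepts: component -> set of known-good digests.
KNOWN_GOOD = {name: {measure(image)} for name, image in GOOD_IMAGES}


def trusted_boot(images):
    """Simulate the endpoint side: each component is measured into the log and
    extended into the PCR before it runs. Returns (measurement log, PCR)."""
    pcr, log = PCR_INIT, []
    for name, image in images:
        digest = measure(image)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr


def verify(log, quoted_pcr, known_good=KNOWN_GOOD):
    """PDP side. Returns (ok, reasons); ok=False means remediate and isolate."""
    # 1. Replay the reported log and compare with the TPM's value. A lying
    #    endpoint can forge the log but not the PCR, so a mismatch exposes it.
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        return False, ["measurement log does not match TPM quote"]
    # 2. Every measured component must match a valid configuration, and every
    #    required component must have been measured at all.
    reasons = [f"{name}: unknown measurement {digest.hex()[:16]}"
               for name, digest in log if digest not in known_good.get(name, set())]
    measured = {name for name, _ in log}
    reasons += [f"{name}: not measured" for name in known_good if name not in measured]
    return not reasons, reasons


if __name__ == "__main__":
    log, pcr = trusted_boot(GOOD_IMAGES)
    print("clean boot:", verify(log, pcr))
    # A modified driver bundle, measured honestly, yields an unknown digest.
    modified = [(n, b"modified-driver-bundle" if n == "Kernel Drivers" else img)
                for n, img in GOOD_IMAGES]
    bad_log, bad_pcr = trusted_boot(modified)
    print("modified driver, honest log:", verify(bad_log, bad_pcr))
    # Lying endpoint: replays the clean log, but its TPM value says otherwise.
    print("modified driver, lying log:", verify(log, bad_pcr))
```

The two failure paths correspond to the two things the slide says the TPM buys TNC: an unknown kernel-driver measurement is the rootkit case, and a clean-looking log that does not replay to the quoted PCR is the lying-endpoint case that software-only health checks cannot detect.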
TNC Vendor Support (figure)
Access Requestor: Endpoint (Supplicant/VPN Client, etc.)
Policy Enforcement Point: Network Device (FW, Switch, Router, Gateway)
Policy Decision Point: AAA Server, Radius, Diameter, IIS, etc.
Microsoft NAP Interoperability
IF-TNCCS-SOH Standard
– Developed by Microsoft as Statement of Health (SoH) protocol
– Donated to TCG by Microsoft
– Adopted by TCG and published as a new TNC standard, IF-TNCCS-SOH
Enables Client-Server Interoperability between NAP and TNC
– NAP servers can health check TNC clients without extra software
– NAP clients can be health checked by TNC servers without extra software
– As long as all parties implement the open IF-TNCCS-SOH standard
Availability
– Demonstrations at Interop Las Vegas 2007 (May 2007)
– Built into Windows Vista now
– Coming in Windows Server 2008 and Windows XP SP 3
– Coming in products from other TNC vendors in 1H 2008
Implications
– Finally, an agreed-upon open standard client-server NAC protocol
– True client-server interoperability (like web browsers and servers) is here
– Industry (except Cisco) has agreed on TNC standards for NAC
Figure: NAP or TNC Client speaks IF-TNCCS-SOH to a NAP or TNC Server, through Switches, APs, Appliances, Servers, etc.
Microsoft NAP Partners (now TNC)
TNC Advantages
• Open standards
– Non-proprietary
– Supports multi-vendor compatibility
– Interoperability
– Enables customer choice
– Allows thorough and open technical review
• Leverages existing network infrastructure
– Excellent Return-on-Investment (ROI)
• Roadmap for the future
– Full suite of standards
– Supports Trusted Platform Module (TPM)
• Products supporting TNC standards shipping today
• TNC certification and compliance program coming soon
What About Open Source?
• Lots of open source support for TNC
– University of Applied Arts and Sciences in Hannover, Germany (FHH): http://tnc.inform.fh-hannover.de
– libtnc: https://sourceforge.net/projects/libtnc
– OpenSEA 802.1X supplicant: http://www.openseaalliance.org
– FreeRADIUS: http://www.freeradius.org
• TCG support for these efforts
– Liaison Memberships
– Open source licensing of TNC header files
• Information about TNC implementations available at http://www.opus1.com/nac
What’s Next for Network Security?
• Agree on TNC Standards with ALL Parties
• Universal Endpoint Support for NAC
– Phones, PDAs, Printers, Cameras, etc.
– Built-in Agent, Permanent Agent, Downloaded Agent, or No Agent
• Extend Integration of Endpoint Security and Network Security
– Today (NAC)
• Endpoint Security (anti-malware, patch management, etc.)
• AAA / Identity Management
• Switches, Wireless APs & Management Systems (802.1X or not)
• Other Enforcement Mechanisms
– Next Step for Integration
• Intrusion Detection / Prevention
• Vulnerability Scanning
• Firewalls (Stateful & Stateless)
• VPN Gateways (SSL & IPsec)
• Any Security Component
For More Information
• TNC Web Site: https://www.trustedcomputinggroup.org/groups/network
• TNC Co-Chairs
Steve Hanna, Distinguished Engineer, Juniper Networks
Paul Sangster, Chief Security Standards Officer, Symantec