![Page 1: SACM Architecture Based on TNC Standards Lisa Lorenzin & Atul Shah](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649dc85503460f94abdc9d/html5/thumbnails/1.jpg)
SACM Architecture Based on TNC Standards
Lisa Lorenzin & Atul Shah
Slide #2
Agenda
TNC Architecture At-a-Glance
Endpoint Compliance with SWIDs and SCAP
Security Automation
SACM Architecture Based on TNC Standards
TNC Usage / Extensibility – More Details
Slide #3
Trusted Network Connect
Open Architecture for Network Security
Completely vendor-neutral
Strong security through trusted computing
Original focus on NAC, now expanded to Network Security
Open Standards for Network Security
Full set of specifications available to all
Products shipping since 2005
Developed by Trusted Computing Group (TCG)
Industry standards group
More than 100 member organizations
Includes large vendors, small vendors, customers, etc.
Slide #4
TNC Architecture
Diagram: Endpoint, Enforcement Point, Policy Server, MAP, MAP Clients
Slide #5
Problems Solved by TNC
Network and Endpoint Visibility
Who and what’s on my network?
Are devices on my network secure? Is user/device behavior appropriate?
Network Enforcement
Block unauthorized users, devices, or behavior
Grant appropriate levels of access to authorized users/devices
Device Remediation
Quarantine and repair unhealthy or vulnerable devices
Security System Integration
Share real-time information about users, devices, threats, etc.
Network Access Control (NAC)
Security Automation
Slide #6
TNC Standards
Diagram of the TNC components and the interfaces between them:
Policy Server: TNC Server (TNCS), Integrity Measurement Verifiers (IMV), Network Access Authority
Endpoint: TNC Client (TNCC), Integrity Measurement Collectors (IMC), Network Access Requestor, Platform Trust Service (PTS), TSS, TPM
Enforcement Point: Policy Enforcement Point (PEP)
Metadata Access Point (MAP)
MAP Clients: Sensor, Flow Controller, Admin Client, Other
Interfaces: IF-M (IMC to IMV), IF-IMC, IF-IMV, IF-TNCCS (TNCC to TNCS), IF-T, IF-PEP, IF-PTS, IF-MAP (MAP to each MAP client)
http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications
Slide #7
TNC Architecture & SWIDs
Same diagram as the previous slide, with SWID Collectors in place of the Integrity Measurement Collectors on the Endpoint and SWID Verifiers in place of the Integrity Measurement Verifiers on the Policy Server, still connected over IF-M, IF-IMC and IF-IMV:
Policy Server: TNC Server (TNCS), SWID Verifiers, Network Access Authority
Endpoint: TNC Client (TNCC), SWID Collectors, Network Access Requestor, Platform Trust Service (PTS), TSS, TPM
Enforcement Point: Policy Enforcement Point (PEP)
Metadata Access Point (MAP); MAP Clients: Sensor, Flow Controller, Admin Client, Other
Interfaces: IF-M, IF-IMC, IF-IMV, IF-TNCCS, IF-T, IF-PEP, IF-PTS, IF-MAP
http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications
Slide #8
TNC and SCAP Together
Diagram: Access Requestor (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP), Sensors and Flow Controllers
SCAP components alongside them: SCAP Client Software, SCAP Analysis Software, SCAP External Scanner
Slide #9
IF-MAP: XML > SOAP > HTTPS
MAP Service
Applications: Management, Supply Chain Mgmt, Smart Grid, CRM, HR, ERP, CMDB, SIEM, Asset Mgmt, IPAM
Infrastructure: Network Security, DNS, DHCP, AAA, Switches, Routers, Building Controls, Factory Controls, Network Location
Security Automation with IF-MAP: Publish, Subscribe, Search
Slide #10
Communication Challenge
SNMP, Syslog, Custom Integration
Systems: DLP Server or Cloud Security, IDS, Switching, Wireless, Firewalls, IPAM, SIM / SEM, Asset Management System, AAA, ICS/SCADA Security, Physical Security, Endpoint Security (via NAC)
Slide #11
How IF-MAP Solves the Problem
Systems: DLP Server or Cloud Security, IDS, Switching, Wireless, Firewalls, IPAM, SIM / SEM, Asset Management System, AAA, ICS/SCADA Security, Physical Security, Endpoint Security (via NAC)
Each connects over the IF-MAP Protocol to a MAP
Slide #12
SACM Architecture Based on TNC
Diagram: Endpoint Assessment, Response, Analysis
MAP with clients Admin, Sensor, Other over IF-MAP
Databases: CMDB, CRDB, reached by Database Clients over IF-CMDB and IF-CRDB
Slide #13
TNC Benefits for SACM
• Proven track record
  • Products shipping since 2005
• Widely deployed
  • Broad range of customers across many sectors
• Longstanding IETF relationship
  • TNC standards accepted into NEA
• Vendor-neutral
  • Leverage existing infrastructure
• Flexible & extensible
  • Support for broad range of usage scenarios
• Easy integration w/ existing & emerging standards
  • E.g. SWIDs & SCAP
Slide #14
TNC Usage & Extensibility
The following slides provide background information on how TNC works and how it is used…
Slide #15
TCG: Standards for Trusted Systems
Diagram of TCG work areas: Mobile Phones, Authentication, Storage, Applications (Software Stack, Operating Systems, Web Services, Authentication, Data Protection), Infrastructure, Servers, Desktops & Notebooks, Security Hardware, Network Security, Printers & Hardcopy, Virtualized Platform
Slide #16
Typical TNC Deployments
Health Check
Behavior Check
User-Specific Policies
TPM-Based Integrity Check
Clientless Endpoint Handling
Physical & Logical Security Coordination
Slide #17
Health Check
Non-compliant System (Access Requestor): Windows 7 SP1; OSHotFix 2499 (x); OSHotFix 9288 (x); AV - McAfee Virus Scan 8.0; Firewall (placed on the Remediation Network)
Compliant System: Windows 7 SP1; OSHotFix 2499; OSHotFix 9288; AV - Symantec AV 10.1; Firewall (placed on the Production Network)
Components: Access Requestor, Policy Enforcement Point, Policy Decision Point
NAC Policy: Windows 7
• SP1
• OSHotFix 2499
• OSHotFix 9288
• AV (one of): Symantec AV 10.1, McAfee Virus Scan 8.0
• Firewall
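A toy Policy Decision Point that evaluates the slide's NAC policy against the two endpoints shown, as an added example that is not part of the deck. It assumes the "x" marks on the non-compliant system denote missing hotfixes, and that an unmet item sends the endpoint to the remediation network.

```python
# Added example (not from the deck): a toy Policy Decision Point that evaluates
# the slide's NAC health-check policy against an endpoint's reported posture.
# Assumption: the "x" marks on the non-compliant system denote missing hotfixes.

# Policy as shown on the slide: every entry is required, except the AV product,
# which is satisfied by any ONE of the listed products.
NAC_POLICY = {
    "os": "Windows 7",
    "service_pack": "SP1",
    "hotfixes": {"OSHotFix 2499", "OSHotFix 9288"},
    "av_one_of": {"Symantec AV 10.1", "McAfee Virus Scan 8.0"},
    "firewall": True,
}

# Constructed posture reports, modelled on the two endpoints on the slide.
NON_COMPLIANT = {
    "os": "Windows 7", "service_pack": "SP1",
    "hotfixes": set(),               # both hotfixes marked "x" (absent)
    "av": "McAfee Virus Scan 8.0", "firewall": True,
}
COMPLIANT = {
    "os": "Windows 7", "service_pack": "SP1",
    "hotfixes": {"OSHotFix 2499", "OSHotFix 9288"},
    "av": "Symantec AV 10.1", "firewall": True,
}


def evaluate(posture, policy=NAC_POLICY):
    """Return (network, failures): 'production' when every policy item is met,
    otherwise 'remediation' plus the unmet items the PDP can report back."""
    failures = []
    if posture.get("os") != policy["os"]:
        failures.append(f"os: expected {policy['os']}")
    if posture.get("service_pack") != policy["service_pack"]:
        failures.append(f"service_pack: expected {policy['service_pack']}")
    # Every required hotfix that the endpoint did not report is a failure.
    for fix in sorted(policy["hotfixes"] - set(posture.get("hotfixes", ()))):
        failures.append(f"missing {fix}")
    if posture.get("av") not in policy["av_one_of"]:
        failures.append("av: none of " + ", ".join(sorted(policy["av_one_of"])))
    if not posture.get("firewall"):
        failures.append("firewall: disabled")
    return ("production" if not failures else "remediation"), failures


if __name__ == "__main__":
    for name, p in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        net, why = evaluate(p)
        print(f"{name}: {net} network {why}")
```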
Slide #18
Behavior Check
Diagram: Access Requestor, Policy Enforcement Point, Policy Decision Point, Metadata Access Point, Sensors and Flow Controllers, Remediation Network
NAC Policy
• No P2P file sharing
• No spamming
• No attacking others
Slide #19
User-Specific Policies
Access Requestors:
Joe – Finance: Windows 7, OS Hotfix 9345, OS Hotfix 8834, AV - Symantec AV 10.1, Firewall (Finance Network)
Mary – R&D (R&D Network)
Guest User (Guest Network, Internet Only)
Components: Policy Enforcement Point, Policy Decision Point, Metadata Access Point, Sensors and Flow Controllers
NAC Policy
• Users and Roles
• Per-Role Rules
Slide #20
TPM-Based Integrity Check
Compliant System: TPM verified BIOS, OS, Drivers, Anti-Virus SW (Production Network)
Components: Access Requestor, Policy Decision Point, Policy Enforcement Point
NAC Policy: TPM enabled
• BIOS
• OS
• Drivers
• Anti-Virus SW
TPM – Trusted Platform Module
• HW module built into most of today’s PCs
• Enables a HW Root of Trust
• Measures critical components during trusted boot
• PTS interface allows PDP to verify configuration and remediate as necessary
Slide #21
Clientless Endpoint Handling
Diagram: Access Requestor, Policy Decision Point, Policy Enforcement Point, Metadata Access Point, Sensors and Flow Controllers, Remediation Network
NAC Policy
• Place Printers on Printer Network
• Monitor Behavior
Slide #22
Physical Security Integration
Diagram: Sensor, Metadata Access Point, Policy Server, Enforcement Point, Endpoint
Reader bypassed, employee tailgates
Panel receives no information
Server has employee logged as outside building
Slide #23
Coordinated Physical & Logical Control
Diagram: Sensor, Metadata Access Point, Policy Server, Enforcement Point, Endpoint
Readers capture / pass credential info
Panel authenticates identity and enforces policy
Server publishes presence data via IF-MAP to Metadata Access Point
IF-MAP Event Messages
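An in-memory stand-in for a Metadata Access Point offering the three IF-MAP operations named on the IF-MAP slide (publish, subscribe, search), driven by the badge-reader scenario of the two physical-security slides; this is an added example, not code from the deck or from any TNC implementation. The identifiers, metadata names and the deny-and-alert policy are constructed assumptions, and the real IF-MAP XML/SOAP/HTTPS encoding is not modelled.

```python
# Added example (not part of the deck): a minimal MAP with publish / subscribe /
# search, used to correlate physical presence with a network access request.
# Constructed identities and metadata names; IF-MAP's XML/SOAP encoding is omitted.
from collections import defaultdict


class MetadataAccessPoint:
    def __init__(self):
        self.store = defaultdict(dict)   # identifier -> {metadata name: value}
        self.subs = defaultdict(list)    # identifier -> subscriber callbacks

    def publish(self, identifier, name, value):
        """Attach metadata to an identifier and notify its subscribers."""
        self.store[identifier][name] = value
        for callback in self.subs[identifier]:
            callback(identifier, name, value)

    def subscribe(self, identifier, callback):
        """Register interest in changes to one identifier's metadata."""
        self.subs[identifier].append(callback)

    def search(self, identifier, name):
        """Return the current value of one metadata item, or None."""
        return self.store[identifier].get(name)


def network_access_decision(mapsrv, user, auth_ok):
    """Policy-server logic: combine the network authentication result with the
    presence data the physical-access server published for the same identity."""
    if not auth_ok:
        return "deny"
    presence = mapsrv.search(user, "presence")
    if presence == "outside-building":
        return "deny-and-alert"   # badged out of the building, yet on the LAN
    if presence is None:
        return "limited"          # no physical-access record for this identity
    return "permit"


def scenario():
    mapsrv = MetadataAccessPoint()
    alerts = []
    mapsrv.subscribe("employee:jane", lambda i, n, v: alerts.append((i, n, v)))
    # Badge server: Jane badged out and, having tailgated back in, never badged in.
    mapsrv.publish("employee:jane", "presence", "outside-building")
    tailgated = network_access_decision(mapsrv, "employee:jane", auth_ok=True)
    # Later the reader passes her credential, the panel authenticates it and
    # the server publishes updated presence data to the MAP.
    mapsrv.publish("employee:jane", "presence", "inside-building")
    normal = network_access_decision(mapsrv, "employee:jane", auth_ok=True)
    return tailgated, normal, len(alerts)
```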
Slide #24
Foiling Root Kits with TPM and TNC
Solves the critical “lying endpoint problem”
TPM Measures Software in Boot Sequence
Hash software into PCR before running it
PCR value cannot be reset except via hard reboot
During TNC Handshake...
PDP engages in crypto handshake with TPM
TPM securely sends PCR value to PDP
PDP compares to good configurations
If not listed, endpoint is quarantined and remediated
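A simulation of the sequence above (extend-only PCR, measured boot, PDP comparison against known-good configurations), added here as an example rather than taken from the deck. It assumes SHA-256 as the digest, a constructed four-stage boot chain, and leaves the signed TPM quote/nonce exchange of the crypto handshake out of scope.

```python
# Added example (not from the deck): a simulated TPM PCR and the PDP's
# allow-list check. Assumptions: SHA-256 digests, a constructed boot chain,
# and no modelling of the signed quote / nonce handshake with the real TPM.
import hashlib

DIGEST = hashlib.sha256
PCR_INIT = b"\x00" * DIGEST().digest_size


class SimulatedPCR:
    """Extend-only register: new = H(old || H(component)); no reset short of reboot."""

    def __init__(self):
        self.value = PCR_INIT

    def extend(self, component: bytes) -> bytes:
        self.value = DIGEST(self.value + DIGEST(component).digest()).digest()
        return self.value

    def reboot(self):
        self.value = PCR_INIT


def measured_boot(components):
    """Hash each boot component into the PCR, in order, before it would run."""
    pcr = SimulatedPCR()
    for blob in components:
        pcr.extend(blob)
    return pcr.value


# Constructed known-good boot chain: BIOS -> OS -> Drivers -> Anti-Virus SW.
GOOD_BOOT = [b"BIOS v1.2", b"OS kernel 7.1", b"driver bundle 42", b"AV engine 10.1"]
# The PDP keeps the final PCR value of every approved configuration.
GOOD_CONFIGS = {measured_boot(GOOD_BOOT)}


def pdp_decision(reported_pcr, good_configs=GOOD_CONFIGS):
    """Admit when the quoted PCR matches a listed configuration, else quarantine."""
    return "admit" if reported_pcr in good_configs else "quarantine"


def demo():
    clean = measured_boot(GOOD_BOOT)
    # One altered driver changes the PCR and every value extended after it.
    altered = list(GOOD_BOOT)
    altered[2] = b"driver bundle 42 (modified)"
    tampered = measured_boot(altered)
    # The same components in a different order also yield a different PCR.
    reordered = measured_boot([GOOD_BOOT[1], GOOD_BOOT[0]] + GOOD_BOOT[2:])
    return pdp_decision(clean), pdp_decision(tampered), pdp_decision(reordered)
```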
Slide #25
Federated TNC
Conveys TNC results between security domains
Consortia, coalitions, partnerships, outsourcing, and alliances
Large organizations
Supports Web SSO with health info
Roaming with health check
How? SAML profiles for TNC
Applications: Network roaming; Coalitions, consortia; Large organizations
Diagram: Access Requestor, Asserting Security Domain (ASD), Relying Security Domain (RSD); assertion carried between domains: Role=Executive, Device=Healthy
Slide #26
TNC: A Flexible Architecture
Assessment Options
Identity, health, behavior, and/or location
Optional hardware-based assessment with TPM
Pre-admission, post-admission, or both
Enforcement Options
802.1X, firewalls, VPN gateways, DHCP, host software
Clientless endpoints
No NAC capabilities built in
Printers, phones, robots, guest laptops
Information sharing
IF-MAP lets security devices share info on user identity, endpoint health, behavior, etc.
Federated TNC supports federated environments
Slide #27
TNC Advantages
Open standards
Non-proprietary – Supports multi-vendor compatibility
Interoperability
Enables customer choice
Allows thorough and open technical review
Leverages existing network infrastructure
Excellent Return-on-Investment (ROI)
Roadmap for the future
Full suite of standards
Supports Trusted Platform Module (TPM)
TNC-based products shipping for almost a decade
Slide #28
TNC Adoption
Diagram: Access Requestor, Policy Decision Point, Policy Enforcement Point, Metadata Access Point, Sensors and Flow Controllers
Slide #29
Windows Support
IF-TNCCS-SOH Standard
Developed by Microsoft as Statement of Health (SoH) protocol
Donated to TCG by Microsoft
Adopted by TCG and published as a new TNC standard, IF-TNCCS-SOH
Availability
Built into all supported versions of Microsoft Windows
Also built into products from other TNC vendors
Implications
NAP servers can health check TNC clients without extra software
NAP clients can be health checked by TNC servers without extra software
As long as all parties implement the open IF-TNCCS-SOH standard
Diagram: NAP or TNC Server (Switches, APs, Appliances, Servers, etc.) and NAP or TNC Client, communicating over IF-TNCCS-SOH
Slide #30
IETF and TNC
IETF NEA WG
Goal: Universal Agreement on NAC Client-Server Protocols
Co-Chaired by Cisco employee and TNC-WG Chair
Published several TNC protocols as IETF RFCs
PA-TNC (RFC 5792), PB-TNC (RFC 5793), PT-TLS (RFC 6876)
Equivalent to TCG’s IF-M 1.0, IF-TNCCS 2.0, and IF-T/TLS
Co-Editors from Cisco, Intel, Juniper, Microsoft, Symantec
Now working on getting IETF approval for IF-T/EAP
Slide #31
What About Open Source?
Lots of open source support for TNC
University of Applied Arts and Sciences in Hannover, Germany (FHH): http://trust.inform.fh-hannover.de
libtnc: http://sourceforge.net/projects/libtnc
OpenSEA 802.1X supplicant: http://www.openseaalliance.org
FreeRADIUS: http://www.freeradius.org
omapd IF-MAP Server: http://code.google.com/p/omapd
strongSwan IPsec: http://www.strongswan.org
Open Source TNC SDK (IF-IMV & IF-IMC): http://sourceforge.net/projects/tncsdk
TCG support for these efforts
Liaison Memberships
Open source licensing of TNC header files
Slide #32
TNC Certification Program
Certifies Products that Properly Implement TNC Standards
Certification Process
Compliance testing using automated test suite from TCG
Interoperability testing at Plugfest
Add to list of certified products on TCG web site
Customer Benefits
Confidence that products interoperate
Easy to cite in procurement documents
Slide #33
TNC in the Real World
Widely Deployed: Thousands of Seats, Hundreds of Customers, Dozens of Products
Across Many Sectors: Government, Finance, Health Care, Retail …
Slide #34
TNC Summary
TNC solves today’s security problems with growth for the future
Flexible open architecture to accommodate rapid change
Coordinated, automated security for lower costs and better security
TNC = open network security architecture and standards
Enables multi-vendor interoperability
Can reuse existing products to reduce costs and improve ROI
Avoids vendor lock-in
TNC has strongest security
Optional support for TPM to defeat rootkits
Thorough and open technical review
Wide support for TNC standards
Many vendors, open source, IETF
Slide #35
For More Information
TNC Architecture & Standards
• http://www.trustedcomputinggroup.org/developers/trusted_network_connect
TCG TNC Endpoint Compliance Profile & FAQ
• http://bit.ly/15pH7K3
Lisa Lorenzin, Principal Solutions Architect, Juniper
[email protected]
Atul Shah, Senior Security Strategist,