Trusted Network Connect: Open Standards for NAC
Trusted Network Connect (TNC)
• Open Architecture for Network Access Control
  • Strong security through trusted computing
• Open Standards for Network Access Control
  • Full set of specifications
  • Products shipping for more than two years
• Work Group of Trusted Computing Group
  • Industry standards group
  • About 175 TCG member organizations, 75 in TNC-WG
  • More joining every week
Problem: Reduce Endpoint Attacks
• Increasingly Sophisticated and Serious Attacks
  • Malware = Viruses, Worms, Spyware, Rootkits, Back Doors, Botnets
  • Zero-Day Exploits
  • Targeted Attacks
  • Rapid Infection Speed
• Exponential Growth in Malware
  • >40,000,000 Infected Machines
  • >35,000 Malware Varieties
• Motivated Attackers
  • Extortion, Identity Theft, Bank Fraud, Corporate Espionage
• Dissolving Network Boundaries
  • Mobile workforce, partners, contractors, outsourcing
• Regulatory Requirements
  • Mandatory Policy Compliance
Solution: Network Access Control
• Create Network Access Control Policy
• Require Compliance for Network Access (or Log and Advise)
• Isolate and Repair Non-Compliant Endpoints
• Optional Integration with TPM to
  • Identify Users
  • Thwart Rootkits
Sample Network Access Control Policy
• Machine Health
  • Anti-Virus software running and properly configured
  • Recent scan shows no malware
  • Personal Firewall running and properly configured
  • Patches up-to-date
  • No unauthorized software
• Machine Behavior
  • No port scanning, sending spam, etc.
• Other Organization-Defined Requirements
TNC Architecture (VPN deployment) [diagram]
Typical TNC Deployments
• Uniform Policy
• User-Specific Policies
• TPM Integrity Check
Uniform Policy [diagram: Access Requestor, Policy Enforcement Point, Policy Decision Point; non-compliant systems are placed on the Remediation Network, compliant systems on the Production Network]
• Client Rules
  • Windows XP
  • SP2
  • OSHotFix 2499
  • OSHotFix 9288
  • AV (one of)
    • Symantec AV 10.1
    • McAfee Virus Scan 8.0
  • Firewall
• Non-compliant System (Remediation Network): Windows XP, SP2, OSHotFix 2499, OSHotFix 9288, AV - McAfee Virus Scan 8.0, Firewall
• Compliant System (Production Network): Windows XP, SP2, OSHotFix 2499, OSHotFix 9288, AV - Symantec AV 10.1, Firewall
User-Specific Policies [diagram: Access Requestor, Policy Enforcement Point, Policy Decision Point; Guest User is placed on the Guest Network (Internet Only), Ken – R&D on the R&D Network, Linda – Finance on the Finance Network]
• Access Policies
  • Authorized Users
  • Client Rules
• Linda – Finance
  • Windows XP
  • OS Hotfix 9345
  • OS Hotfix 8834
  • AV - Symantec AV 10.1
  • Firewall
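The decisions in the uniform-policy and user-specific deployments above, as an added example (not TCG or vendor code): a toy policy decision point in Python that evaluates what the IMCs report against the client rules from the slides and tells the PEP which network to place the endpoint on. The data classes, the sample endpoints, and Ken's rule set (assumed to reuse the uniform rules, since the slide lists none for R&D) are constructed for illustration.

```python
"""Toy TNC policy decision point: IMC health reports evaluated against client rules.

Added example, not code from the TCG or any TNC product. The data classes, the
rule set for Ken and the sample endpoints are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

REMEDIATION = "Remediation Network"
GUEST = "Guest Network (Internet only)"


@dataclass
class HealthReport:
    """What the IMCs on an access requestor report via the TNC handshake (constructed)."""
    user: str
    os: str
    service_pack: Optional[str]
    hotfixes: frozenset
    antivirus: Optional[str]
    firewall_running: bool


@dataclass
class ClientRules:
    """The IMV-side rules a compliant endpoint must satisfy."""
    os: str
    service_pack: Optional[str] = None
    required_hotfixes: frozenset = frozenset()
    antivirus_any_of: frozenset = frozenset()   # "AV (one of)" on the slide
    firewall_required: bool = True


def check_compliance(report: HealthReport, rules: ClientRules) -> list:
    """Return the list of rule violations; an empty list means compliant."""
    violations = []
    if report.os != rules.os:
        violations.append(f"OS is {report.os!r}, policy requires {rules.os!r}")
    if rules.service_pack and report.service_pack != rules.service_pack:
        violations.append(f"service pack {report.service_pack!r} != {rules.service_pack!r}")
    for fix in sorted(rules.required_hotfixes - report.hotfixes):
        violations.append(f"missing {fix}")
    if rules.antivirus_any_of and report.antivirus not in rules.antivirus_any_of:
        violations.append(f"anti-virus {report.antivirus!r} not in approved set")
    if rules.firewall_required and not report.firewall_running:
        violations.append("personal firewall not running")
    return violations


# Uniform policy: one rule set for every endpoint (values from the slide).
UNIFORM_RULES = ClientRules(
    os="Windows XP", service_pack="SP2",
    required_hotfixes=frozenset({"OSHotFix 2499", "OSHotFix 9288"}),
    antivirus_any_of=frozenset({"Symantec AV 10.1", "McAfee Virus Scan 8.0"}),
)


def decide_uniform(report: HealthReport):
    """Uniform-policy PDP decision: (network for the PEP to assign, violations)."""
    violations = check_compliance(report, UNIFORM_RULES)
    return ("Production Network" if not violations else REMEDIATION), violations


# User-specific policies: identify the user first (AAA), then apply that user's
# client rules. Linda's rules are from the slide; Ken's are an assumption.
USER_POLICIES = {
    "linda": ("Finance Network", ClientRules(
        os="Windows XP",
        required_hotfixes=frozenset({"OS Hotfix 9345", "OS Hotfix 8834"}),
        antivirus_any_of=frozenset({"Symantec AV 10.1"}),
    )),
    "ken": ("R&D Network", UNIFORM_RULES),  # assumption: R&D reuses the uniform rules
}


def decide_user_specific(report: HealthReport):
    """Unknown users get the guest network (no health check); known users are checked."""
    if report.user not in USER_POLICIES:
        return GUEST, []
    network, rules = USER_POLICIES[report.user]
    violations = check_compliance(report, rules)
    return (network if not violations else REMEDIATION), violations


# Constructed sample endpoints.
XP_HOTFIXES = frozenset({"OSHotFix 2499", "OSHotFix 9288"})
COMPLIANT_XP = HealthReport("ken", "Windows XP", "SP2", XP_HOTFIXES, "Symantec AV 10.1", True)
FIREWALL_OFF = HealthReport("ken", "Windows XP", "SP2", XP_HOTFIXES, "McAfee Virus Scan 8.0", False)
LINDA_OLD_PATCH = HealthReport("linda", "Windows XP", None, frozenset({"OS Hotfix 9345"}),
                               "Symantec AV 10.1", True)
GUEST_LAPTOP = HealthReport("visitor", "Mac OS X", None, frozenset(), None, False)

if __name__ == "__main__":
    for ep in (COMPLIANT_XP, FIREWALL_OFF):
        print("uniform:", ep.user, decide_uniform(ep))
    for ep in (COMPLIANT_XP, LINDA_OLD_PATCH, GUEST_LAPTOP):
        print("user-specific:", ep.user, decide_user_specific(ep))
```

The violation list is what the remediation network would hand back to the user (or what a "log and advise" deployment would record instead of blocking); a real PDP would also drive the PEP over IF-PEP with a VLAN or ACL assignment rather than a network name.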
TPM Integrity Check [diagram: Access Requestor, Policy Enforcement Point, Policy Decision Point; verified systems are placed on the Production Network]
• TPM – Trusted Platform Module
  • HW module built into most of today's PCs
  • Enables a HW Root of Trust
  • Measures critical components during trusted boot
  • PTS interface allows PDP to verify configuration and remediate as necessary
• Client Rules: TPM enabled; BIOS; OS; Drivers; Anti-Virus SW
• Compliant System: TPM verified; BIOS; OS; Drivers; Anti-Virus SW
TNC Architecture [diagram]
• Access Requestor (AR): Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor; Platform Trust Service (PTS) on top of the TSS and TPM
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP): Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority
• Interfaces: IF-M (IMC to IMV), IF-IMC (IMC to TNCC), IF-IMV (IMV to TNCS), IF-TNCCS (TNCC to TNCS), IF-T (Network Access Requestor to Network Access Authority), IF-PEP (PDP to PEP), IF-PTS (PTS to the TNC client side)
Trusted Platform Module (TPM)
• Security hardware on motherboard
  • Open specifications from TCG
  • Resists tampering & software attacks
  • Now included in almost all enterprise PCs
  • Off by default
• Features
  • Secure key storage
  • Cryptographic functions
  • Integrity checking & remote attestation
• Applications
  • Strong user and machine authentication
  • Secure storage
  • Trusted / secure boot
• For TNC, most useful for detecting rootkits
  • Protects against the 'lying endpoint' problem
  • TPM measures critical components during trusted boot: BIOS, Boot Loader, OS Kernel, Kernel Drivers, TNCC, IMCs
  • PTS-IMC reports measurements via TNC handshake
  • PDP checks measurements against valid configurations
  • If invalid, PDP can remediate and isolate
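How the PDP-side check described above (and in the TPM Integrity Check deployment) can work, as an added example that is not TCG code: a Python simulation of the TPM's PCR extend operation over the measured boot components, with the PDP replaying the measurement log the PTS-IMC reports against the PCR value the TPM quotes and against a table of known-good hashes. The component names follow the slide; the byte strings standing in for the components, the known-good table, and the `tpm_quote` stand-in (which assumes the AIK signature over the quote has already been verified) are all constructed.

```python
"""Added example: PDP-side verification of TPM boot measurements (not TCG code)."""
import hashlib

PCR_SIZE = 20  # SHA-1 sized PCRs, as on TPM 1.2 parts


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement). A PCR only moves forward;
    software cannot reset it to hide something that was already measured."""
    return sha1(pcr + measurement)


def replay_log(event_log) -> bytes:
    """Recompute the final PCR value from an event log of (component, blob) entries,
    as the PDP does before trusting anything the log claims."""
    pcr = bytes(PCR_SIZE)          # PCRs start at all zeros after reset
    for _, blob in event_log:
        pcr = extend(pcr, sha1(blob))
    return pcr


# Constructed byte strings standing in for the measured boot components on the slide.
GOOD_BOOT = [
    ("BIOS", b"bios-v1.07"),
    ("Boot Loader", b"ntldr-5.1"),
    ("OS Kernel", b"ntoskrnl-5.1.2600"),
    ("Kernel Drivers", b"drivers-2007-10"),
    ("TNCC", b"tncc-1.0"),
    ("IMCs", b"av-imc-1.0;fw-imc-1.0"),
]
# Same machine with a rootkit driver installed (constructed).
ROOTKITTED_BOOT = [(n, b"drivers-2007-10;rootkit.sys" if n == "Kernel Drivers" else b)
                   for n, b in GOOD_BOOT]

# PDP table of valid configurations: approved measurement(s) per component (constructed).
KNOWN_GOOD = {name: {sha1(blob)} for name, blob in GOOD_BOOT}


def tpm_quote(actual_boot) -> bytes:
    """Stand-in for TPM_Quote: the PCR value the hardware really accumulated at boot.
    Assumption: the AIK signature over the quote was already verified by the PDP."""
    return replay_log(actual_boot)


def verify_endpoint(reported_log, quoted_pcr: bytes):
    """PDP decision: 'production', 'remediate' or 'isolate', with a reason.

    The log comes from software on the endpoint and may lie; the quote comes from
    the TPM. First check the two agree, then check every measurement is known-good.
    """
    if replay_log(reported_log) != quoted_pcr:
        return "isolate", "reported log does not match TPM quote (lying endpoint)"
    for name, blob in reported_log:
        if sha1(blob) not in KNOWN_GOOD.get(name, set()):
            return "remediate", f"{name}: measurement not in valid configurations"
    return "production", "all measurements match a valid configuration"


if __name__ == "__main__":
    # Honest, clean machine.
    print(verify_endpoint(GOOD_BOOT, tpm_quote(GOOD_BOOT)))
    # Honest agent on a rootkitted machine: the log is truthful, the driver hash is bad.
    print(verify_endpoint(ROOTKITTED_BOOT, tpm_quote(ROOTKITTED_BOOT)))
    # Lying endpoint: the rootkit makes the agent report the clean log, but the TPM
    # already extended the real driver hash, so the quote no longer matches.
    print(verify_endpoint(GOOD_BOOT, tpm_quote(ROOTKITTED_BOOT)))
```

The third case is the one a software-only IMC cannot catch: a rootkit that controls the OS can forge any health report it likes, but it cannot rewind the PCR the TPM extended during boot, so the forged log fails the replay check.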
TNC Vendor Support [diagram]
• Access Requestor: endpoint supplicant / VPN client, etc.
• Policy Enforcement Point: network device (firewall, switch, router, gateway)
• Policy Decision Point: AAA server (RADIUS, Diameter, IIS, etc.)
Microsoft NAP Interoperability
• IF-TNCCS-SOH Standard
  • Developed by Microsoft as Statement of Health (SoH) protocol
  • Donated to TCG by Microsoft
  • Adopted by TCG and published as a new TNC standard, IF-TNCCS-SOH
  • Enables client-server interoperability between NAP and TNC
    • NAP servers can health check TNC clients without extra software
    • NAP clients can be health checked by TNC servers without extra software
    • As long as all parties implement the open IF-TNCCS-SOH standard
• Availability
  • Demonstrations at Interop Las Vegas 2007 (May 2007)
  • Built into Windows Vista now
  • Coming in Windows Server 2008 and Windows XP SP3
  • Coming in products from other TNC vendors in 1H 2008
• Implications
  • Finally, an agreed-upon open standard client-server NAC protocol
  • True client-server interoperability (like web browsers and servers) is here
  • Industry (except Cisco) has agreed on TNC standards for NAC
[diagram: NAP or TNC Client, IF-TNCCS-SOH, Switches, APs, Appliances, Servers, etc., NAP or TNC Server]
TNC Advantages
• Open standards
  • Non-proprietary – supports multi-vendor compatibility
  • Interoperability
  • Enables customer choice
  • Allows thorough and open technical review
• Leverages existing network infrastructure
  • Excellent Return-on-Investment (ROI)
• Roadmap for the future
  • Full suite of standards
  • Supports Trusted Platform Module (TPM)
• Products supporting TNC standards shipping today
• TNC certification and compliance program coming soon
What About Open Source?
• Lots of open source support for TNC
  • University of Applied Arts and Sciences in Hannover, Germany (FHH) http://tnc.inform.fh-hannover.de
  • libtnc https://sourceforge.net/projects/libtnc
  • OpenSEA 802.1X supplicant http://www.openseaalliance.org
  • FreeRADIUS http://www.freeradius.org
• TCG support for these efforts
  • Liaison Memberships
  • Open source licensing of TNC header files
• Information about TNC implementations available at http://www.opus1.com/nac
What's Next for Network Security?
• Agree on TNC Standards with ALL Parties
• Universal Endpoint Support for NAC
  • Phones, PDAs, Printers, Cameras, etc.
  • Built-in Agent, Permanent Agent, Downloaded Agent, or No Agent
• Extend Integration of Endpoint Security and Network Security
  • Today (NAC)
    • Endpoint Security (anti-malware, patch management, etc.)
    • AAA / Identity Management
    • Switches, Wireless APs & Management Systems (802.1X or not)
    • Other Enforcement Mechanisms
  • Next Step for Integration
    • Intrusion Detection / Prevention
    • Vulnerability Scanning
    • Firewalls (Stateful & Stateless)
    • VPN Gateways (SSL & IPsec)
    • Any Security Component
For More Information
• TNC Web Site https://www.trustedcomputinggroup.org/groups/network
• TNC Co-Chairs
  • Steve Hanna, Distinguished Engineer, Juniper Networks, shanna@juniper.net
  • Paul Sangster, Chief Security Standards Officer, Symantec, Paul_Sangster@symantec.com