Integrating Network Access And End Point Assessment With Trusted Network Connect (TNC) By Avesh Agarwal Red Hat Inc.

Transcription

1 Integrating Network Access And End Point Assessment With Trusted Network Connect (TNC) By Avesh Agarwal Red Hat Inc.

2 Agenda Network Access Control (NAC) End Point Assessment Trusted Network Connect (TNC) Demo

3 Network Access Control (NAC) Who are you? 802.1X, IPsec, TLS

4 End Point Assessment What do you have? Is it good enough to allow you access? Health Check, Posture Assessment, or /Measurements Verification

5 End Point Assessment: Why? Incorrect software version? Is a software operational?? Yes Possibility of vulnerable network Incorrect configuration? blacklisted software?

6 Missing? TNC How to transmit end point information over a network securely? How to tie it with network access control?

7 Trusted Network Connect (TNC) Delivery Verification Enforcement Remediation

8 Trusted Network Connect (TNC) Reference Measurements, Policy Database PDP Internet/Intranet PEP Allow Protected Network Isolate Remediation Network NAR: Network Access Requester PEP: Policy Enforcement Point PDP: Policy Decision Point

9 Trusted Network Connect: Features TCG/IETF Specifications Open Interoperable Extensible Modular Plug-in Architecture NAC Agnostic TCG: Trusted Computing Group IETF: Internet Engineering Task Fork

10 TNC Architecture Collection Access Requester (AR) Measurement Collectors IMCs IMC 3 IMC t 2 IMC 1 Collector Collector Policy Enforcement Point (PEP) IF-M Policy Decision Point (PDP) IMV 2 IMV 1 t Measurement Verifiers IMVs Evaluation TNC Client (TNCC) IF-IMC IF-TNCCS IF-IMV TNC Server (TNCS) Network Access Network Access Requester Supplicant/ VPN client, etc. IF-T Policy Enforcement Point (PEP) Switch/Firewall/ VPN gateway/tls server, etc. Network Access Authority AAA server/ TLS server Source:

11 Threat Model TNC Threat Model/ Countermeasures Any entity, part of TNC, exchange could be compromised Any communication, part of TNC exchange, could be compromised Countermeasures Relies on protection by existing network access protocols 802.1X, IKEv2, TLS Relies on hardware assisted protection: TPM (Trusted Platform Module)

12 TNC Architecture: Terminology TCG terminology Trusted Network Connect (TNC) Measurement Collector (IMC) Measurement Verifier (IMV) IF-M (Protocol between IMC and IMV) IF-IMC (local APIs between TNC client and IMC) IF-IMV (local APIs between TNC server and IMV) TNC client TNC Server IF-TNCCS (Protocol between TNC client and Server) IETF Terminology Network End Point Assessment (NEA) IETF RFC 5209 Posture Collector Posture Validator PA-TNC (Protocol between Posture Collector and Posture Validator) IETF RFC 5792 No IETF specification No IETF specification Posture Broker Client Posture Broker Server PB-TNC (Protocol between Posture Broker Client and Server) IETF RFC 5793 IF-T (EAP) PT-EAP IETF RFC 7171 NO TCG specification PT-TLS IETF RFC 6876

13 TNC Architecture: End Point Assessment Component Value 0 Testing Component Name 1 Operating System 2 Anti-virus 3 Anti-spyware 4 Anti-malware 5 Firewall 6 Intrusion Detection /Prevention System 7 VPN 8 NEA Client Attribute Value Attribute Name 0 Testing 1 Attribute Request 2 Product Information 3 Numeric Version 4 String Version 5 Operational Status 6 Port Filter 7 Installed Packages 8 PA-TNC Error 9 Assessment Result 10 Remediation Instructions 11 Forwarding Enabled 12 Factory Default Password Enabled

14 TNC Architecture: IMC Implementation IMC TNC_IMC_Initialize() TNC_IMC_BeginHandshake() TNC_IMC_ProvideBindFunction() IF-IMC TNC Client TNC_TNCC_ReportMessageTypes() TNC_TNCC_RequestHandshakeRetry() TNC_TNCC_SendMessage() TNC_TNCC_BindFunction() /etc/tnc_config: IMC NAME-OF-IMC /path-to-imc.so

15 TNC Architecture: IMV Implementation IMV TNC_IMV_Initialize() TNC_IMV_SolicitRecommendation() TNC_IMV_ProvideBindFunction() IF-IMV TNC Server TNC_TNCS_ReportMessageTypes() TNC_TNCS_SendMessage() TNC_TNCS_BindFunction() /etc/tnc_config: IMV NAME-OF-IMV /path-to-imv.so

16 TPM Assisted Remote Attestation Extending TCG's TNC architecture Not specified by IETF Collection Access Requester (AR) Measurement Collectors IMCs IMC 3 IMC t 2 IMC 1 Collector Collector Policy Enforcement Point (PEP) IF-M Policy Decision Point (PDP) IMV 2 IMV 1 t Measurement Verifiers IMVs Evaluation TNC Client (TNCC) IF-IMC IF-TNCCS IF-IMV TNC Server (TNCS) IF-PTS Network Access Platform Trust Service (PTS) TSS TPM Network Access Requester Supplicant/ VPN client, etc. IF-T Policy Enforcement Point (PEP) Switch/Firewall/ VPN gateway/tls server, etc. Network Access Authority AAA server/ TLS server Source:

17 Current Status: RHEL and Fedora Packages: strongswan (strongimcv in RHEL), tncfhh, tpm-tools, tpm-quote-tools freeradius, wpa_supplicant, libtnc Functionality RHEL Fedora TNC client-server (IF-TNCCS) IMC-IMV (IF-M) PT-EAP PT-TLS OS IMC/IMV SWID IMC/IMV PTS IMC/IMV TNC over TLS TNC over 802.1x TNC over IPsec/IKEv2

18 Existing TNC IMC/IMV Modules OS IMC/IMV SWID IMC/IMV PTS IMC/IMV IETF RFC 5792 TCG's SWID IF-M specification TCG's PTS IF-M specification OS components and Attributes Software Identifiers (SWIDs) TPM based measurements

19 Resources Articles TNC specifications rusted_network_connect/specifications IETF RFCs 5209, 5792, 5793, 6876, 7171 Strongswan upstream

20 TNC Architecture: End Point Assessment Component Value 0 Testing Component Name 1 Operating System 2 Anti-virus 3 Anti-spyware 4 Anti-malware 5 Firewall 6 Intrusion Detection /Prevention System 7 VPN 8 NEA Client Attribute Value Attribute Name 0 Testing 1 Attribute Request 2 Product Information 3 Numeric Version 4 String Version 5 Operational Status 6 Port Filter 7 Installed Packages 8 PA-TNC Error 9 Assessment Result 10 Remediation Instructions 11 Forwarding Enabled 12 Factory Default Password Enabled

21 Thank You Questions? Feedback:

22 TNC Architecture Collection Access Requester (AR) Measurement Collectors IMCs IMC 3 IMC t 2 IMC 1 Collector Collector Policy Enforcement Point (PEP) IF-M Policy Decision Point (PDP) IMV 2 IMV 1 t Measurement Verifiers IMVs Evaluation TNC Client (TNCC) IF-IMC IF-TNCCS IF-IMV TNC Server (TNCS) Network Access Network Access Requester Supplicant/ VPN client, etc. IF-T Policy Enforcement Point (PEP) Switch/Firewall/ VPN gateway/tls server, etc. Network Access Authority AAA server/ TLS server Source:

23 TNC Architecture: IF-T (PT-EAP) IMC TNC client EAP-TNC Method Tunnel EAP Method EAP Peer IF-M IF-TNCCS IF-T PT-EAP (IETF RFC 7171) Tunnel EAP (EAP-TTLS) EAP IMV TNC server EAP-TNC Method Tunnel EAP Method EAP Authenticator Use case: pre admission assessment or reassessment with 802.1X or IKEV2 Source:

24 TNC Architecture: IF-T (PT-TLS) IMC TNC client TNC client TLS client IF-M IF-TNCCS IF-T PT-TLS (IETF RFC 6876) TLS IMV TNC server TNC server TLS server Use case: pre admission assessment or reassessment with TLS

25 TNC Architecture Collection Access Requester (AR) Measurement Collectors IMCs IMC 3 IMC t 2 IMC 1 Collector Collector Policy Enforcement Point (PEP) IF-M Policy Decision Point (PDP) IMV 2 IMV 1 t Measurement Verifiers IMVs Evaluation TNC Client (TNCC) IF-IMC IF-TNCCS IF-IMV TNC Server (TNCS) Network Access Network Access Requester Supplicant/ VPN client, etc. IF-T Policy Enforcement Point (PEP) Switch/Firewall/ VPN gateway/tls server, etc. Network Access Authority AAA server/ TLS server Source:

26 TNC Architecture: IF-TNCCS Evaluation Layer Encapsulates/Decapsulates messages between IMCs and IMVs Computes overall assessment results Provides recommendation to policy enforcement point (PEP) Allowed, Denied, Quarantined Provides remediation instructions to TNC clients Vendor IDs in messages for vendor specific extension 0 for IETF standard messages 0x for TCG standard messages

27 TNC Architecture Collection Access Requester (AR) Measurement Collectors IMCs IMC 3 IMC t 2 IMC 1 Collector Collector Policy Enforcement Point (PEP) IF-M Policy Decision Point (PDP) IMV 2 IMV 1 t Measurement Verifiers IMVs Evaluation TNC Client (TNCC) IF-IMC IF-TNCCS IF-IMV TNC Server (TNCS) Network Access Network Access Requester Supplicant/ VPN client, etc. IF-T Policy Enforcement Point (PEP) Switch/Firewall/ VPN gateway/tls server, etc. Network Access Authority AAA server/ TLS server Source:

28 TNC Architecture: IF-M Collection Layer Publish/Subscribe model of message exchange Zero or more IMCs/IMVs subscribed to a particular message One-to-One communication between IMC and IMV also possible Dynamic IDs for IMCs/IMVs IMCs collect measurements provide to TNC client IMVs verify the measurements provide results to TNC servers