Android BYOD Security using Trusted Network Connect Protocol Suite

Similar documents

TNC Endpoint Compliance and Network Access Control Profiles

The strongswan IPsec Solution

strongswan TNC Activities Update

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group

The Linux Integrity Measurement Architecture and TPM-Based Network Endpoint Assessment

Network Access Control (NAC) and Network Security Standards

VPN with Windows 7 and Linux strongswan using IKEv2

Trusted Network Connect (TNC) 4th European Trusted Infrastructure Summer School August / September 2009

Unified Security TNC EVERYWHERE. Wireless security. Road Warrior. IT Security. IT Security. Conference Room. Surveillance.

Trusted Network Connect (TNC)

Network Access Security It's Broke, Now What? June 15, 2010

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

How To Configure Apple ipad for Cyberoam L2TP

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

TCG. TCG Trusted Network Connect TNC Architecture for Interoperability. TCG PUBLISHED Copyright TCG

Introduction to Endpoint Security

S-911 Bracelet Locator Protocol 1.0 Analyzer. User Manual

SOFTWARE ASSET MANAGEMENT

Software Defined Perimeter: Securing the Cloud to the Internet of Things

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Active Network Defense: Real time Network Situational Awareness and a Single Source of Integrated, Comprehensive Network Knowledge

How to use FTP Commander

Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database?

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Instructions for Accessing the Advanced Computing Facility Supercomputing Cluster at the University of Kansas

Remote Desktop Gateway. Accessing a Campus Managed Device (Windows Only) from home.

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

What s New in Juniper s SSL VPN Version 6.0

Project 4: IP over DNS Due: 11:59 PM, Dec 14, 2015

NETWORK ACCESS CONTROL

The Importance of Standards to Network Access Control

How To Set Up Mybpx Security Configuration Guide V1.2.2 (V1.3.2) On A Pc Or Mac)

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

File Transfer Examples. Running commands on other computers and transferring files between computers

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Securing and Monitoring BYOD Networks using NetFlow

RELEASE NOTES. Release Notes. Introduction. Platform. Product/version/build: Remote Control ( ) ActiveX Guest 11.

Network Security Essentials Chapter 5

TFTP TRIVIAL FILE TRANSFER PROTOCOL OVERVIEW OF TFTP, A VERY SIMPLE FILE TRANSFER PROTOCOL FOR SIMPLE AND CONSTRAINED DEVICES

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia 2006 Cisco Systems, Inc. All rights reserved.

Trusted Network Connect (TNC)

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

Configuration Guide BES12. Version 12.2

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Multi-platform TNC with Radiator, XSupplicant and libtnc

File Transfer Protocol (FTP) & SSH

ELEN 689: Topics in Network Security: Firewalls. Ellen Mitchell Computing and Information Services 20 April 2006

Configure Backup Server for Cisco Unified Communications Manager

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

EXPLORER. TFT Filter CONFIGURATION

Industrial Firewalls Endpoint Security

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

How to Integrate Camera Live View into Web Application?

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Mobile Access Software Blade

ewon-vpn - User Guide Virtual Private Network by ewons

Configuration Guide BES12. Version 12.1

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Measuring the performance of a Wired network

Juniper NetScreen 5GT

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

Connecting an Android to a FortiGate with SSL VPN

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Symantec Mobile Management Suite

Ensuring the security of your mobile business intelligence

Management, Logging and Troubleshooting

SMC7004ABR Barricade Broadband Router Installation Instructions

My Net Fone Pty. Ltd. A.B.N

ReadyNAS Remote White Paper. NETGEAR May 2010

REMOTE ACCESS DDNS CONFIGURATION MANUAL

MS-55096: Securing Data on Microsoft SQL Server 2012

SSL VPN A look at UCD through the tunnel

Phone: Fax: Box: 230

Table of Contents. Cisco Cisco VPN Client FAQ

Novell Access Manager SSL Virtual Private Network

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

INTRODUCTION... 2 Windows Windows Mac OS X Ubuntu Advanced routing Windows Mac OS X Ubuntu...

How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

How to configure VPN function on TP-LINK Routers

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

MyPBX Security Configuration Guide

Gateway Administrator

Greenbow VPN Client with Teldat VPN Server. Configuration Highlights

Spirent Abacus. SIP over TLS Test 编号版本修改时间说明

VLANs. Application Note

My FreeScan Vulnerabilities Report

From Centralization to Distribution: A Comparison of File Sharing Protocols

Cisco SA 500 Series Security Appliance

iscsi Security ELEN 689 Network Security John Price Peter Rega

IP Ports and Protocols used by H.323 Devices

Guidance Regarding Skype and Other P2P VoIP Solutions

Network Security and Firewall 1

Cisco Which VPN Solution is Right for You?

Application Notes for Configuring Yealink T-22 SIP Phones to interoperate with Avaya IP Office - Issue 1.0

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Transcription:

Android BYOD Security using Trusted Network Connect Protocol Suite Prof. Andreas Steffen HSR University of Applied Sciences Rapperswil andreas.steffen@hsr.ch

Where the heck is Rapperswil? 2

HSR Hochschule für Technik Rapperswil University of Applied Sciences with about 1500 students Faculty of Information Technology (300-400 students) Bachelor Course (3 years), Master Course (+1.5 years) 3

strongswan the Open Source VPN Solution Windows Active Directory Server Campus Network Linux FreeRadius Server High-Availability strongswan VPN Gateway strongswan Client Internet Windows 7/8 Agile VPN Client strongswan.hsr.ch 4

BYOD Bring Your Own Device Security Issues Users do not protect access to their devices or use weak passwords or login methods. Users download and install dangerous software packages containing malware from unknown sources. Users do not regularly apply security updates to the installed software packages and operating system. Users run server applications potentially giving third parties access to the corporate network and/or sensitive data Malware might embed itself into the operating system, modifying system commands and libraries. 5

Android BYOD with Network Access Control allow NAC Policy Enforcement Point block NAC Server Corporate Network Android 4 Device with NAC Client isolate Policy Manager Isolation Network Attribute Requests Measurement Attributes 6

TCG Trusted Network Connect (TNC) Architecture RFC 5792 RFC 5793 RFC 6876 Lying Endpoint VPN Client VPN Gateway 7

Layered TNC Protocol Stack IF-T Transport Protocol [NET] received packet: from 152.96.15.29[50871] to 77.56.144.51[4500] (320 bytes) [ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC] [TNC] received TNCCS batch (160 bytes) for Connection ID 1 [TNC] PB-TNC state transition from 'Init' to 'Server Working' [TNC] processing PB-TNC CDATA batch [TNC] processing PB-Language-Preference message (31 bytes) [TNC] processing PB-PA message (121 bytes) [TNC] setting language preference to 'en [TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001 [IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 [TNC] processing PA-TNC message with ID 0xec41ce1d [TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002 [TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004 [TNC} processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008 [IMV] operating system name is 'Android' from vendor Google [IMV] operating system version is '4.2.1 [IMV] device ID is cf5e4cbcc6e6a2db 8 PT-TLS (RFC 6876) or PT-EAP IF-TNCCS TNC Client-Server Protocol PB-TNC (RFC 5793) IF-M Measurement Protocol PA-TNC (RFC 5792) TNC Measurement Data

strongswan Android VPN Client: Easy to Connect 9

Dangerous: Allow Download from Unknown Sources 10

Install Blacklisted Android Web Server Package 11

Minor Non-Compliance: Isolate Client 12

Start the Android Web Server 13

Major Non-Compliance: Block Client 14

strongtnc Policy Manager 15

Defining Measurement Policies and Enforcements Currently supported policy types: PWDEN Factory Default Password Enabled FWDEN Forwarding Enabled TCPOP TCP Ports allowed to be Open Closed Port Default Policy TCPBL TCP Ports to be Blocked Open Port Default Policy UDPOP UDP Ports allowed to be Open Closed Port Default Policy UDPBL UDP Ports to be Blocked Open Port Default Policy PCKGS Installed Packages UNSRC Unknown Sources SWIDT SWID (Software ID) Tag Inventory Visit Demo at TCG Booth! FREFM File Reference Measurement SHA1/SHA256 Hash FMEAS File Measurement SHA1/SHA256 Hash FMETA File Metadata Create, Modify, Access Times DREFM Directory Reference Measurement SHA1/SHA256 Hashes DMEAS Directory Measurement SHA1/SHA256 Hashes DMETA Directory Metadata 16

Add/Edit Policies 17

Define Enforcements 18

Summary The TNC protocols have become Internet Standards The TNC protocols are platform-independent and allow interoperability The TNC protocols support trustworthy TPM-based remote attestation The strongswan BYOD Showcase demonstrates that TNC is ready for use The strongtnc policy manager bases measurements on past client behaviour 19

Thank You