Multi-platform TNC with Radiator, XSupplicant and libtnc



Similar documents
TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group

Trusted Network Connect (TNC)

Unified Security TNC EVERYWHERE. Wireless security. Road Warrior. IT Security. IT Security. Conference Room. Surveillance.

Network Access Control (NAC) and Network Security Standards

NETWORK ACCESS CONTROL

The Importance of Standards to Network Access Control

Network Access Security It's Broke, Now What? June 15, 2010

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

Network Access Control ProCurve and Microsoft NAP Integration

Eduroam wireless network Windows Vista

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

Eduroam wireless network Apple Mac OSX 10.4

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Eduroam wireless network Apple Mac OSX 10.5

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview

Accessing Restricted University Online Resources Using Network Connect. on the Secure Remote Access Service

Network Access Control for Mobile Networks

IDM and Endpoint Integrity Technical Overview

Building A Secure Microsoft Exchange Continuity Appliance

Microsoft Windows Server System White Paper

Trusted Network Connect (TNC) 4th European Trusted Infrastructure Summer School August / September 2009

Note that if at any time during the setup process you are asked to login, click either Cancel or Work Offline depending upon the prompt.

Cisco Network Admission Control and Microsoft Network Access Protection Interoperability Architecture

What s New in Juniper s SSL VPN Version 6.0

802.1X Client Software

Table of Contents. Cisco Cisco VPN Client FAQ

Computer Classroom Security Standard

Symantec Client Management Suite 8.0

Mobile Network Access Control

Evolving Network Security with the Alcatel-Lucent Access Guardian

A M D DA S 1. 0 For the Manageability, Virtualization and Security of Embedded Solutions

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Efficient and easy-to-use network access control and dynamic vlan management. Date: F r e e N A C. n e t Swisscom

Eduroam wireless network - Windows 7

eduroam Network guide configuration for Microsoft Windows 7

Trusted Network Connect (TNC)

UC Merced CyberRisk Update

Lumension Endpoint Management and Security Suite

Cisco VPN Concentrator Implementation Guide

Installing and Configuring vcenter Multi-Hypervisor Manager

WIRELESS NETWORK SECURITY

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

Wireless Network Configuration Guide

Windows XP User guide for wired network v1.1

Mac OS X Secure Wireless Setup Guide

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

6. After connecting reopen the wireless connections window. Right click on RamNet and select properties. Page 2 of 7

How to configure 802.1X authentication with a Windows XP or Vista supplicant

How To Test An Eap Test On A Network With A Testnet (Networking) On A Pc Or Mac Or Ipnet (For A Network) On An Ipnet Or Ipro (For An Ipro) On Pc Or Ipo

ICANWK504A Design and implement an integrated server solution

Version 5 - July 2015 IT Services Page 2

» WHITE PAPER X and NAC: Best Practices for Effective Network Access Control.

1 About eduroam Wired eduroam... 1

Cisco Identity Services Engine

Network Services One Washington Square, San Jose, CA

Insightix Discovery & NAC. Lite Edition. Installation Guide. Version 3.0. May United States. International 945 Concord St.

Support Guide: Managing the Subject machine s Firewall.

How To Set Up Hopkins Wireless On Windows 7 On A Pc Or Mac Or Ipad (For A Laptop) On A Network Card (For Windows 7) On Your Computer Or Ipa (For Mac Or Mac) On An Ipa Or

Course Description for Operating Systems Hands-On (S&R Technology Lab)

Standard Information Communications Technology. Multifunction Device. January 2013 Version 2.2. Department of Corporate and Information Services

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Reducing the cost and complexity of endpoint management

WINDOWS 7 & HOMEGROUP

SAML-Based SSO Solution

Microsoft Exchange ActiveSync Administrator s Guide

Table of Contents. FleetSoft Installation Guide

Setting up Windows XP for WPA Wireless Access (ISU-OIT-WPA)

Comparing Mobile VPN Technologies WHITE PAPER

SAML-Based SSO Solution

USER GUIDE: MaaS360 Services

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

Compulink Advantage Cloud sm Software Installation, Configuration, and Performance Guide for Windows

Setting up a SQ20xx WIFI and Laptop for a Peer-to-peer (Ad-hoc) connection

Division of Information Technology Lehman College CUNY

Securing end devices

Odyssey Access Client FIPS Edition

Johns Hopkins

Goals. Understanding security testing

Did you know your security solution can help with PCI compliance too?

Abstract. Avaya Solution & Interoperability Test Lab

IMAP and SMTP Setup in Clients

Network Access Control (NAC)

FileMaker. Running FileMaker Pro 10 on Citrix Presentation Server

Security Orchestration with IF-MAP

Student Halls Network. Connection Guide

Securing the University Network

Getting Your Multifunction Back On Your Network After A Router Or Network Change

IBM Endpoint Manager for Mobile Devices

Canterbury College Eduroam Wi-Fi Guide

Sygate Secure Enterprise and Alcatel

CUSTOMER S GUIDE. DNA Broadband

MaaS360 Mobile Service

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

REDCENTRIC N3 SECURE REMOTE ACCESS SERVICE DEFINITION. SD045 V4.1 Issue Date Page 1 Public

Requirements Document for ROI Print Assessment/Print Manager

Wireless Local Area Networks (WLANs)

NETWORK ACCESS CONTROL TECHNOLOGIES

Release Notes for Websense Web Endpoint (32- and 64-bit OS)

InfoExpress Cyber Gatekeeper. How to quote? Günter Neuleitner. März 2009

Step by step guide for connecting PC to wired LAN at dormitories of University of Pardubice

Transcription:

May 1, 2007 Radiator Multi-platform TNC with Radiator, XSupplicant and libtnc Copyright (C) 2007 Open System Consultants Pty. Ltd. This white paper discusses the theory and application of Trusted Network Connect endpoint integrity checking in a heterogeneous environment using Radiator, XSupplicant and libtnc. 1.0 Introduction A perennial problem for network administrators is whether (and how much) to trust devices that connect to their network. Traditionally, access to a wireless network depends only on knowing a valid username and password. And for a wired network, access may only depend on finding an unoccupied network socket. Further, employees or students might take their laptop home and connect directly to the internet, get infected by a virus or malware, and then bring the infected machine back into the core of their employer s network where the virus has free reign. Recently a number of efforts have concentrated on this problem of endpoint integrity : how to be sure a user s laptop is clean and secure before letting it connect to the corporate network. One of those efforts is TNC: Trusted Network Connect. TNC is a public specification for a system that checks endpoint integrity during network connection. Endpoints such as user s laptops get checked for valid anti-virus software or other corporate prerequisites before being allowed to connect to the network. TNC has been developed by Trusted Computing Group (http://www.trustedcomputinggroup.org) a non-profit consortium whose goal is to develop and promote open, vendor- 1 of 8

802.1X and XSupplicant neutral, industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms. Products that support TNC are now starting to appear in the market place. However, most TNC enabled products are closed and proprietary, and in all cases only support a limited subset of computing platforms and operating systems. This is a serious problem for administrators who wish to deploy TNC in a heterogeneous (multi-platform and/or multi-operating System) environment. While most vendors supporting TNC do so on Intel compatible processors with Microsoft Windows, few support it on Linux or Mac OS X, and none on other operating systems or processors in common use. Further, the ability to customize the TNC components is deliberately limited by the proprietary vendors. Source code is never provided. A number of other commentators have remarked on the absence of TNC support on Mac OS X, for example. The remainder of this white paper discusses an open-source implementation of TNC support for 802.1X clients, in conjunction with a full-source RADIUS server, allowing administrators to roll out and customize TNC support for a much wider range of devices on their network. 2.0 802.1X and XSupplicant The more limited problem of secure authentication of connections to wired and wireless networks is basically solved now. 802.1X specifies a series of protocols that will securely and reliably carry authentication credentials (such as username and password) from wireless (or wired) computers to, say, a RADIUS server, where the username and password is checked. Using for example EAP-PEAP or EAP-TTLS, users can only connect to the network if their username and password are correct, and dishonest people are unable to crack or sniff the authentication details from the wireless signals. 802.1X can be used to protect both wired and wireless networks, and is now the system of choice for secure authentication of network access. 2 of 8 Multi-platform TNC with Radiator, XSupplicant and libtnc

TNC and libtnc FIGURE 1. A typical architecture for 802.1X + RADIUS password based access control 802.1X over EAPOL over wireless Wireless Access Point 802.1X over RADIUS User s laptop RADIUS Server 802.1X authentication relies on software called the supplicant which runs on the user s computer. The supplicant talks to the wireless access point (or switch in a wired network) and negotiates the new connection, usually sending the username and password over an encrypted tunnel. The wireless access point sends the authentication credentials to a RADIUS server where they are checked and the RADIUS server then tells the access point whether to accept or reject the connection. There are a number of commercial and free supplicants available for a range of operating systems and processors. Most are proprietary and closed source, such as the one supplied with Windows XP and Vista, or the commercial pay-per-license Odyssey supplicant from Juniper Networks. However, there are no commercial supplicant vendors that support all operating systems and platforms. There are, however a number of free, open-source supplicants, which can run on a wide range of operating systems and processors. One such supplicant is XSupplicant, developed by the Open1X group. XSupplicant runs on Unix, Linux, Windows, Mac OS X and others, and on a range of processor types, with a range of 802.1X compliant wireless and wired access points. XSupplicant comes with full source under the GPL and the freedom to modify it to suit your needs. However 802.1X on its own is not sufficient for endpoint integrity checking. For that you need TNC. 3.0 TNC and libtnc TNC (Trusted Network Connect) is an open specification describing protocols and APIs for enforcing endpoint integrity. Developed by the Trusted Computing Group, it speci- Multi-platform TNC with Radiator, XSupplicant and libtnc 3 of 8

TNC and libtnc fies how a supplicant, Access Point (or network switch) and a RADIUS server can communicate in order to confirm that the user s laptop is clean and secure by some criteria specified by the network administrator. TNC is developed by a membership of vendors and independent experts. Open System Consultants Chief Technologist Mike McCauley is an invited expert on the TNC project group, contributing to the development of the TNC specifications. In the TNC model, a software module called the IMC (Integrity Measurement Collector) runs on the user s laptop and is accessible by the 802.1x supplicant. On the RADIUS server runs a complementary software module called the IMV (Integrity Measurement Verifier). During network connection, and after the user s password has been checked, the IMV communicates with the IMC on the laptop and checks that the laptop complies with whatever preconditions the IMV requires. Typically the IMV will ask the IMC to confirm that a particular software package (say, an anti-virus package) is valid and up-to-date. Or it might require that a particular operating system version and patch set is installed. Only if the IMC conforms to the requirements will the Access Point be directed to let the user connect to the corporate LAN. Otherwise they might be connected to an isolated remediation LAN where they may be limited to installing software to fix their laptop. This means that with TNC, only users who have both a valid username and password and a secure laptop will be allowed to connect to the corporate network. 4 of 8 Multi-platform TNC with Radiator, XSupplicant and libtnc

TNC and libtnc FIGURE 2. User s Laptop How TNC communicates over 802.1X and RADIUS from laptop to RADIUS server. Wireless Access Point RADIUS Server Host TNC over 802.1X over EAPOL over wireless Access Point TNC over 802.1X over RADIUS over TCP-IP Supplicant RADIUS Server IF-IMC IF-IMV IMC The IMC gets information about the user s laptop and sends it to the IMC during 802.1X authentication IMV The IMV uses information sent by the IMC to decide whether to allow the user s laptop to connect to the network libtnc is a open-source library that implements the protocols and APIs specified by TNC. Developed by staff at Open System Consultants and released as free software under the GNU Public License (GPL), libtnc can be used in any open-source application that requires TNC interoperability. libtnc is also available under a commercial license for integrators who do not wish to comply with the GPL. libtnc includes all the infrastructure required to add TNC support to an application. It includes functions to load IMCs and IMVs dynamically into the application s address space, and to call their TNC specified functions. It also includes skeleton IMC and IMV modules, allowing developers to produce their own custom IMCs and IMVs. libtnc also includes a fully functional, multi-platform, multi-os IMC that can answer a range of TNC queries about the host it is running on. Multi-platform TNC with Radiator, XSupplicant and libtnc 5 of 8

Radiator Like XSupplicant, libtnc runs on Windows, Linux, Mac OS X and other operating systems and platforms. One of the open-source projects that uses libtnc is XSupplicant, discussed above. When XSupplicant is built with TNC support and the libtnc library, it can participate in a TNC conversation with a TNC enabled RADIUS server during 802.1X authentication. The final link in a TNC deployment is a TNC enabled RADIUS server, such as Radiator. 4.0 Radiator Radiator is a full-source commercial RADIUS server from Open System Consultants. Open System Consultants has a long history of cooperation with the Open1X group s XSupplicant and other open-source projects, and Radiator interoperates with XSupplicant (with or without TNC support). Radiator includes support for TNC over 802.1X, and can interoperate with XSupplicant+libtnc running on any platform. Radiator also runs on any platform and can be extensively configured to suit almost any need. Radiator includes a module to interrogate the sample IMC supplied with libtnc, and to accept or reject access based on the answers it gets from the laptop s IMC. Radiator can be configured to specify what conditions a laptop needs to meet before being granted access. These conditions can depend on the laptop operating system type, packages installed, registry values etc. 6 of 8 Multi-platform TNC with Radiator, XSupplicant and libtnc

Summary FIGURE 3. User s Laptop Simplified timeline of a TNC conversation between XSupplicant, Access Point and Radiator RADIUS Server Host IMC Supplicant Access Point RADIUS Server IMV 802.1x user authentication (username, password) OK (checking) Im running on MacOSX version 10.4 Do you have Clam Anti-Virus installed Yes, its version xxxx (preconditions for Mac OS X?) OK, let them in You are connected User is now connected to the corporate network and can get on with their work 5.0 Summary Together XSupplicant+libtnc+Radiator can be used to build a complete TNC enabled access control system in a multi-platform heterogeneous environment, almost out of the box. Furthermore, administrators have at their disposal all the tools they need to build a custom TNC enabled network security system to suit their requirements. This means that 802.1X+TNC can now be deployed over a wide range of operating systems and platforms, greatly exceeding the potential coverage and customizability of any single TNC vendor. 6.0 References 1. Open1X source code and documentation for XSupplicant http://open1x.sourceforge.net/ Multi-platform TNC with Radiator, XSupplicant and libtnc 7 of 8

References 2. Trusted Computing Group http://www.trustedcomputinggroup.org 3. Trusted Network Connect specifications for TNC etc. http://www.trustedcomputinggroup.org/groups/network/ 4. Open System Consultants for information about Radiator etc. http://www.open.com.au/radiator 5. Joel Snyder discusses TNC and the lack of support on Mac and Linux http://www.networkworld.com/reviews/2007/041907-nac-intro.html 8 of 8 Multi-platform TNC with Radiator, XSupplicant and libtnc

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information