strongswan TNC Activities Update

Similar documents
TNC Endpoint Compliance and Network Access Control Profiles

Android BYOD Security using Trusted Network Connect Protocol Suite

TNC: Open Standards for Network Security Automation. Copyright 2010 Trusted Computing Group

Network Access Control (NAC) and Network Security Standards

HW (Fat001) TPM. Figure 1. Computing Node

The strongswan IPsec Solution

The Linux Integrity Measurement Architecture and TPM-Based Network Endpoint Assessment

A Virtualized Linux Integrity Subsystem for Trusted Cloud Computing

Security concept for gateway integrity protection within German smart grids

- IF-MAP Research Projects and Open Source Software

Embedded Trusted Computing on ARM-based systems

Trusted Virtual Machine Management for Virtualization in Critical Environments

A viable SIEM approach for Android

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Trustworthy Computing

Opal SSDs Integrated with TPMs

Index. BIOS rootkit, 119 Broad network access, 107

Trusted Network Connect (TNC)

How To Install Storegrid Server On Linux On A Microsoft Ubuntu 7.5 (Amd64) Or Ubuntu (Amd86) (Amd77) (Orchestra) (For Ubuntu) (Permanent) (Powerpoint

Software-based TPM Emulator for Linux

Secure mobile business information processing

VPN with Windows 7 and Linux strongswan using IKEv2

Trusted Virtual Datacenter Radically simplified security management

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Communication Security for Applications

Active Network Defense: Real time Network Situational Awareness and a Single Source of Integrated, Comprehensive Network Knowledge

Over-the-top Upgrade Guide for Snare Server v7

Building Blocks Towards a Trustworthy NFV Infrastructure

Implementation of a Trusted Ticket System

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

Stratusphere. Architecture Overview

Penetration Testing with Kali Linux

Network Defense Tools

Lecture 7: Privacy and Security in Mobile Computing. Cristian Borcea Department of Computer Science NJIT

Network Security and Firewall 1

Snare System Version Release Notes

Data Firewall: A TPM-based Security Framework for Protecting Data in Thick Client Mobile Environment

Protecting Data with Short- Lived Encryption Keys and Hardware Root of Trust. Dan Griffin DefCon 2013

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Factory Application Certificates and Keys Products: SB700EX, SB70LC

UBS Training Course Catalog

CIT 380: Securing Computer Systems

A Perspective on the Evolution of Mobile Platform Security Architectures

vtpm: Virtualizing the Trusted Platform Module

Security Configuration Guide P/N Rev A05

Fortinet Certified Network Security Administrator

Technical Support Information

Mobile Platform Security Architectures A perspective on their evolution

How to Use? SKALICLOUD DEMO

Understanding EMC Avamar with EMC Data Protection Advisor

Network Licensing. White Paper 0-15Apr014ks(WP02_Network) Network Licensing with the CRYPTO-BOX. White Paper

Security Coordination with IF-MAP

Course Title: Penetration Testing: Security Analysis

Using the TPM to Solve Today s Most Urgent Cybersecurity Problems

Property Based TPM Virtualization

ontune SPA - Server Performance Monitor and Analysis Tool

Performance Measuring in Smartphones Using MOSES Algorithm

How To Configure L2TP VPN Connection for MAC OS X client

Patterns for Secure Boot and Secure Storage in Computer Systems

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course #201

Setting Up Scan to SMB on TaskALFA series MFP s.

Security Orchestration with IF-MAP

SSL VPN A look at UCD through the tunnel

Leica ScanStation P20 Remote Control via Android Device

Performance Analysis Of Policy Based Mobile Virtualization in Smartphones Using MOSES Algorithm

Ciphire Mail. Abstract

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Linux Distributed Security Module 1

Deploying Windows Streaming Media Servers NLB Cluster and metasan

Acronym Term Description

8 steps to protect your Cisco router

Trusted Network Connect (TNC)

LogLogic Trend Micro OfficeScan Log Configuration Guide

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

UEFI Implications for Windows Server

How To Install Linux Titan

BlackBerry Enterprise Service 10. Version: Configuration Guide

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

NETASQ MIGRATING FROM V8 TO V9

Nessus Agents. October 2015

Transparent Identification of Users

Secure Data Management in Trusted Computing

PrintFleet Enterprise Security Overview

FileRunner Security Overview. An overview of the security protocols associated with the FileRunner file delivery application

Cautions When Using BitLocker Drive Encryption on PRIMERGY

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Transcription:

strongswan TNC Activities Update TCG Members Meeting June 2013 Dublin Prof. Andreas Steffen Institute for Internet Technologies and Applications HSR University of Applied Sciences Rapperswil andreas.steffen@hsr.ch

Where the heck is Rapperswil? 27.06.2013, tcg_dublin_2013.pptx 2

HSR - Hochschule für Technik Rapperswil University of Applied Sciences with about 1500 students Faculty of Information Technology (300-400 students) Bachelor Course (3 years), Master Course (+1.5 years) 27.06.2013, tcg_dublin_2013.pptx 3

strongswan the OpenSource VPN Solution Windows Active Directory Server Campus Network Linux FreeRadius Server High-Availability strongswan VPN Gateway Internet Windows 7/8 Agile VPN Client strongswan.hsr.ch strongswan Linux Client 27.06.2013, tcg_dublin_2013.pptx 4

Trusted Network Connect (TNC) Framework Source: Trusted Computing Group (TCG) 27.06.2013, tcg_dublin_2013.pptx 5

strongswan TNC Activities Update TCG Members Meeting Juni 2013 Dublin strongswan IMC/IMV Pairs

OS IMC/IMV Pair Objective Get Operating System Information Subscribed IF-M Subtype IETF/Operating System Supported IF-M Attributes IETF/Attribute Request IETF/Product Information, IETF/String Version, IETF/Numeric Version IETF/Operational Status (Linux Uptime) IETF/Installed Packages (Android, Debian, Ubuntu) IETF/Forwarding Enabled IETF/Factory Default Password Enabled IETF/Assessment Result IETF/Remediation Instructions IETF/IF-M Error ITA/Device ID (Android ID, Linux D-Bus ID, TPM AIK Fingerprint) ITA/Get Settings, ITA/Settings ITA/Start Angel, ITA/Stop Angel (Fragmentation of Installed Packages) 27.06.2013, tcg_dublin_2013.pptx 7

Scanner IMC/IMV Pair Objective Scan open listening TCP and UDP ports Subscribed IF-M Subtype IETF/VPN Supported IF-M Attributes IETF/Attribute Request IETF/Port Filter IETF/Assessment Result IETF/Remediation Instructions IETF/IF-M Error 27.06.2013, tcg_dublin_2013.pptx 8

Attestation IMC/IMV Pair Objective File/Directory Measurements and TPM-based Remote Attestation Subscribed IF-M Subtypes TCG/PTS, IETF/Operating System (IMV only, requires an OS IMC) Supported IF-M Attributes TCG/Request PTS Protocol Capabilities, TCG/PTS Protocol Capabilities TCG/PTS Measurement Algorithm Request/Response TCG/Request File Measurement, TCG/File Measurement TCG/Request File Metadata, TCG/Unix-Style File Metadata TCG/D-H Nonce Parameters Request/Response, TCG/D-H Nonce Finish TCG/Get TPM Version Information, TCG/TPM Version Information TCG/Get Attestation Identity Key, TCG/Attestation Identity Key TCG/Request Functional Component Evidence TCG/Generate Attestation Evidence TCG/Simple Component Evidence, TCG/Simple Evidence Final (Quote) IETF/IF-M Error, IETF/Attribute Request IETF/Product Information, IETF/String Version IETF/Assessment Result, IETF/Remediation Instructions 27.06.2013, tcg_dublin_2013.pptx 9

strongswan TNC Activities Update TCG Members Meeting Juni 2013 Dublin Linux Integrity Measurement Architecture (IMA)

Linux Integrity Measurement Architecture Linux Security Summit 2012 Paper Presented in September at LinuxCon in San Diego The transfer and database lookup of 1200 file measurements amounting to about 120 kb of IMA measurements and certified by a Quote2 TPM signature takes about 20 seconds. http://www.strongswan.org/lss2012.pdf 27.06.2013, tcg_dublin_2013.pptx 11

Linux IMA - BIOS Measurements BIOS is measured during the boot process Many Linux distributions enable BIOS measurement by default when a TPM hardware device is detected. BIOS measurement report with typically 20 130 entries is written to /sys/kernel/security/tpm0/ascii_bios_measurements BIOS measurements are extended into PCRs #0..7 PCR SHA-1 Measurement Hash Comment 0 4d894eef0ae7cb124740df4f6c5c35aa0fe7dae8 08 [S-CRTM Version] 0 f2c846e7f335f7b9e9dd0a44f48c48e1986750c7 01 [POST CODE]... 7 9069ca78e7450a285173431b3e52c5c25299e473 04 [] 4 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f 05 [Calling INT 19h] 4 67a0a98bc4d6321142895a4d938b342f6959c1a9 05 [Booting BCV Device 80h, - Hitachi HTS723216L9A360] 4 06d60b3a0dee9bb9beb2f0b04aff2e75bd1d2860 0d [IPL] 5 1b87003b6c7d90483713c90100cca3e62392b9bc 0e [IPL Partition Data] 27.06.2013, tcg_dublin_2013.pptx 12

Linux IMA - Runtime Measurements Executable files, dynamic libraries and kernel modules are measured when loaded during runtime. With current Linux distributions either IMA must be activated via the boot parameter ima_tcb or the kernel must by manually compiled with CONFIG_IMA enabled The IMA runtime measurement report with about 1200 entries is written to /sys/kernel/security/ima/ascii_runtime_measurements IMA runtime measurements are extended into TPM PCR #10 PCR SHA-1 Measurement Hash SHA-1 File Data Hash Filename 10 d0bb59e83c371ba6f3adad491619524786124f9a ima 365a7adf8fa89608d381d9775ec2f29563c2d0b8 boot_aggregate 10 76188748450a5c456124c908c36bf9e398c08d11 ima f39e77957b909f3f81f891c478333160ef3ac2ca /bin/sleep 10 df27e645963911df0d5b43400ad71cc28f7f898e ima 78a85b50138c481679fe4100ef2b3a0e6e53ba50 ld-2.15.so...... 10 30fa7707af01a670fc353386fcc95440e011b08b ima 72ebd589aa9555910ff3764c27dbdda4296575fe parport.ko...... 27.06.2013, tcg_dublin_2013.pptx 13

strongswan TNC Activities Update TCG Members Meeting Juni 2013 Dublin strongswan PDP as an IF-MAP Client

Open Source TNC IF-MAP Products MAP-Client IRON Project FH Hannover (MAP-Server) 27.06.2013, tcg_dublin_2013.pptx 15

strongswan TNC Activities Update TCG Members Meeting Juni 2013 Dublin strongswan BYOD Android VPN Client

strongswan Android BYOD VPN Client 27.06.2013, tcg_dublin_2013.pptx 17

strongswan TNC Activities Update TCG Members Meeting Juni 2013 Dublin CYGNET TNC Policy Manager

CYGNET TNC Policy Manager 27.06.2013, tcg_dublin_2013.pptx 19

CYGNET TNC Policy Manager 27.06.2013, tcg_dublin_2013.pptx 20

Defining Policies Policy Types PCKGS UNSRC FWDEN PWDEN FREFM FMEAS FMETA DREFM DMEAS DMETA TCPOP TCPBL UDPOP UDPBL Installed Packages Unknown Source Forwarding Enabled Factory Default Password Enabled File Reference Measurement File Measurement File Metadata Directory Reference Measurement Directory Measurement Directory Metadata TCP Ports allowed Open TCP Ports to be Blocked UDP Ports allowed Open UDP Ports to be Blocked 27.06.2013, tcg_dublin_2013.pptx 21

Database Schema 27.06.2013, tcg_dublin_2013.pptx 22