Integrating Network Access And End Point Assessment With Trusted Network Connect (TNC) By Avesh Agarwal Red Hat Inc.



Agenda: Network Access Control (NAC); End Point Assessment; Trusted Network Connect (TNC); Demo.

Network Access Control (NAC): Who are you? (802.1X, IPsec, TLS)

End Point Assessment: What do you have? Is it good enough to allow you access? Also called health check, posture assessment, or measurement verification.

End Point Assessment: Why? Incorrect software version? Is required software operational? Incorrect configuration? Blacklisted software? If yes to any of these: possibility of a vulnerable network.

What is missing? TNC. How to transmit end point information over a network securely? How to tie it to network access control?

Trusted Network Connect (TNC): Delivery, Verification, Enforcement, Remediation.

Trusted Network Connect (TNC) flow (figure): the NAR (Network Access Requester) reaches the PEP (Policy Enforcement Point) over the Internet/Intranet; the PDP (Policy Decision Point) consults its reference measurements and policy database and instructs the PEP either to allow the endpoint onto the protected network or to isolate it on a remediation network.

Trusted Network Connect: Features. TCG/IETF specifications; open; interoperable; extensible; modular plug-in architecture; NAC agnostic. TCG: Trusted Computing Group. IETF: Internet Engineering Task Force.

TNC Architecture (figure). Three entities: the Access Requester (AR) with its Network Access Requester (supplicant, VPN client, etc.), the TNC Client (TNCC) and the Integrity Measurement Collectors (IMC 1, IMC 2, IMC 3, ...); the Policy Enforcement Point (PEP: switch, firewall, VPN gateway, TLS server, etc.); and the Policy Decision Point (PDP) with its Network Access Authority (AAA server, TLS server), the TNC Server (TNCS) and the Integrity Measurement Verifiers (IMV 1, IMV 2, ...). Three layers: the collection layer, with IF-M between IMCs and IMVs and IF-IMC between the IMCs and the TNCC; the evaluation layer, with IF-TNCCS between TNCC and TNCS and IF-IMV between the IMVs and the TNCS; and the network access layer, with IF-T between the Network Access Requester, the PEP and the Network Access Authority. Source: http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications

Threat Model / Countermeasures. Threat model: any entity that is part of the TNC exchange could be compromised; any communication that is part of the TNC exchange could be compromised. Countermeasures: rely on the protection of the existing network access protocols (802.1X, IKEv2, TLS); rely on hardware-assisted protection: TPM (Trusted Platform Module).

TNC Architecture: Terminology (TCG term → IETF term)
Trusted Network Connect (TNC) → Network Endpoint Assessment (NEA), IETF RFC 5209
Integrity Measurement Collector (IMC) → Posture Collector
Integrity Measurement Verifier (IMV) → Posture Validator
IF-M (protocol between IMC and IMV) → PA-TNC (protocol between Posture Collector and Posture Validator), IETF RFC 5792
IF-IMC (local API between TNC client and IMC) → no IETF specification
IF-IMV (local API between TNC server and IMV) → no IETF specification
TNC Client → Posture Broker Client
TNC Server → Posture Broker Server
IF-TNCCS (protocol between TNC client and server) → PB-TNC (protocol between Posture Broker Client and Server), IETF RFC 5793
IF-T (EAP binding) → PT-EAP, IETF RFC 7171
(no TCG specification) → PT-TLS, IETF RFC 6876

TNC Architecture: End Point Assessment (PA-TNC component and attribute types)
Component value / component name: 0 Testing; 1 Operating System; 2 Anti-virus; 3 Anti-spyware; 4 Anti-malware; 5 Firewall; 6 Intrusion Detection/Prevention System; 7 VPN; 8 NEA Client.
Attribute value / attribute name: 0 Testing; 1 Attribute Request; 2 Product Information; 3 Numeric Version; 4 String Version; 5 Operational Status; 6 Port Filter; 7 Installed Packages; 8 PA-TNC Error; 9 Assessment Result; 10 Remediation Instructions; 11 Forwarding Enabled; 12 Factory Default Password Enabled.
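A worked example of the attribute encoding behind this table, added here and not taken from the talk, strongSwan or libtnc: the collector side packs PA-TNC attributes (RFC 5792) for the Operating System component into a PA-TNC message, and the validator side parses the message and applies a policy. The minimum version, the last-use timestamp, the policy itself and the vendor-specific attribute type 99 are constructed for illustration.

```python
import struct

IETF_VENDOR = 0x000000      # vendor id 0: IETF standard attributes
TCG_VENDOR = 0x005597       # TCG vendor id for TCG-defined attributes
FLAG_NOSKIP = 0x80          # attribute flags: receiver must not skip this attribute

# PA-TNC attribute types from the table above (RFC 5792)
ATTR_NUMERIC_VERSION = 3
ATTR_OPERATIONAL_STATUS = 5
ATTR_FORWARDING_ENABLED = 11
ATTR_FACTORY_DEFAULT_PASSWORD = 12
STATUS_OPERATIONAL = 3      # Operational Status "Status" field: 3 = operational


def encode_attr(vendor_id, attr_type, value, noskip=True):
    """Attribute header: Flags(1) | Vendor ID(3) | Attribute Type(4) | Length(4, header included)."""
    flags = FLAG_NOSKIP if noskip else 0
    return (struct.pack("!B", flags) + vendor_id.to_bytes(3, "big")
            + struct.pack("!II", attr_type, 12 + len(value)) + value)


def encode_message(attrs, msg_id=1):
    """Message header: Version(1) = 1 | Reserved(3) | Message Identifier(4)."""
    return struct.pack("!B3xI", 1, msg_id) + b"".join(attrs)


def decode_message(data):
    """Return (message id, [(flags, vendor id, type, value), ...]); reject malformed input."""
    if len(data) < 8:
        raise ValueError("truncated PA-TNC header")
    version, msg_id = struct.unpack("!B3xI", data[:8])
    if version != 1:
        raise ValueError("unsupported PA-TNC version %d" % version)
    attrs, off = [], 8
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated attribute header")
        flags = data[off]
        vendor = int.from_bytes(data[off + 1:off + 4], "big")
        atype, alen = struct.unpack("!II", data[off + 4:off + 12])
        if alen < 12 or off + alen > len(data):   # length covers the header and must fit the buffer
            raise ValueError("bad attribute length %d" % alen)
        attrs.append((flags, vendor, atype, data[off + 12:off + alen]))
        off += alen
    return msg_id, attrs


def collector_message(major, minor, build, forwarding, default_pw, status=STATUS_OPERATIONAL):
    """IMC side: constructed measurements for the Operating System component."""
    return encode_message([
        # Numeric Version: Major(4) Minor(4) Build(4) Service Pack Major(2) Service Pack Minor(2)
        encode_attr(IETF_VENDOR, ATTR_NUMERIC_VERSION, struct.pack("!IIIHH", major, minor, build, 0, 0)),
        # Operational Status: Status(1) Result(1) Reserved(2) Last Use(20-byte RFC 3339 time)
        encode_attr(IETF_VENDOR, ATTR_OPERATIONAL_STATUS,
                    struct.pack("!BB2x", status, 1) + b"2015-06-25T10:00:00Z"),
        encode_attr(IETF_VENDOR, ATTR_FORWARDING_ENABLED, struct.pack("!I", forwarding)),        # 0 off, 1 on
        encode_attr(IETF_VENDOR, ATTR_FACTORY_DEFAULT_PASSWORD, struct.pack("!I", default_pw)),  # 0 off, 1 on
        # constructed vendor-specific attribute this validator does not implement; NOSKIP clear, so it may be ignored
        encode_attr(TCG_VENDOR, 99, b"\x00\x01", noskip=False),
    ])


def evaluate(data, min_version=(3, 10, 0)):
    """IMV side: decode and apply the (constructed) policy.
    Returns ("compliant" | "non-compliant", [reasons])."""
    _, attrs = decode_message(data)
    reasons = []
    for flags, vendor, atype, value in attrs:
        if vendor != IETF_VENDOR:
            if flags & FLAG_NOSKIP:     # unknown attribute we were told not to skip: fail closed
                reasons.append("unsupported mandatory attribute vendor=0x%06x type=%d" % (vendor, atype))
            continue
        if atype == ATTR_NUMERIC_VERSION:
            major, minor, build, _, _ = struct.unpack("!IIIHH", value)
            if (major, minor, build) < min_version:
                reasons.append("OS version %d.%d.%d below minimum %d.%d.%d" % ((major, minor, build) + min_version))
        elif atype == ATTR_OPERATIONAL_STATUS:
            status, _result = struct.unpack("!BB2x", value[:4])
            if status != STATUS_OPERATIONAL:
                reasons.append("component not operational (status %d, last use %s)"
                               % (status, value[4:24].decode("ascii")))
        elif atype == ATTR_FORWARDING_ENABLED and struct.unpack("!I", value)[0] == 1:
            reasons.append("IP forwarding enabled")
        elif atype == ATTR_FACTORY_DEFAULT_PASSWORD and struct.unpack("!I", value)[0] == 1:
            reasons.append("factory default password enabled")
    return ("compliant" if not reasons else "non-compliant", reasons)


if __name__ == "__main__":
    print(evaluate(collector_message(3, 10, 0, 0, 0)))
    print(evaluate(collector_message(2, 6, 32, 1, 1)))
```

The validator checks the declared attribute length against the buffer before trusting it, skips vendor attributes it does not understand only when the NOSKIP flag is clear, and fails closed otherwise; a validator that silently dropped an unknown mandatory attribute would let an endpoint suppress a check by sending it in a form the verifier does not parse.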

TNC Architecture: IMC Implementation. Functions exported by the IMC and called by the TNC client over IF-IMC: TNC_IMC_Initialize(), TNC_IMC_BeginHandshake(), TNC_IMC_ProvideBindFunction(). Functions the TNC client provides to the IMC (resolved through TNC_TNCC_BindFunction()): TNC_TNCC_ReportMessageTypes(), TNC_TNCC_RequestHandshakeRetry(), TNC_TNCC_SendMessage(). Registration in /etc/tnc_config:
IMC NAME-OF-IMC /path-to-imc.so

TNC Architecture: IMV Implementation. Functions exported by the IMV and called by the TNC server over IF-IMV: TNC_IMV_Initialize(), TNC_IMV_SolicitRecommendation(), TNC_IMV_ProvideBindFunction(). Functions the TNC server provides to the IMV (resolved through TNC_TNCS_BindFunction()): TNC_TNCS_ReportMessageTypes(), TNC_TNCS_SendMessage(). Registration in /etc/tnc_config:
IMV NAME-OF-IMV /path-to-imv.so

TPM Assisted Remote Attestation (figure): extends TCG's TNC architecture; not specified by the IETF. The components are those of the TNC architecture figure (Access Requester with Network Access Requester, TNC Client and IMCs; PEP; PDP with Network Access Authority, TNC Server and IMVs; IF-M, IF-IMC, IF-TNCCS, IF-IMV and IF-T between them), plus, on the Access Requester, a Platform Trust Service (PTS) reached from the IMCs over IF-PTS; the PTS obtains measurements from the TPM through the TSS (TCG Software Stack). Source: http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications

Current Status: RHEL and Fedora. Packages: strongswan (strongimcv in RHEL), tncfhh, tpm-tools, tpm-quote-tools, freeradius, wpa_supplicant, libtnc. Functionality covered (availability per distribution is marked on the original slide): TNC client-server (IF-TNCCS); IMC-IMV (IF-M); PT-EAP; PT-TLS; OS IMC/IMV; SWID IMC/IMV; PTS IMC/IMV; TNC over TLS; TNC over 802.1X; TNC over IPsec/IKEv2.

Existing TNC IMC/IMV Modules (module / specification / what it measures):
OS IMC/IMV / IETF RFC 5792 / OS components and attributes
SWID IMC/IMV / TCG's SWID IF-M specification / Software Identifiers (SWIDs)
PTS IMC/IMV / TCG's PTS IF-M specification / TPM-based measurements
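The PTS IMC/IMV row rests on TPM-based measurements. The following added example (not code from the talk, from strongSwan's PTS modules or from IMA) shows the check a verifier makes on them: replay an untrusted measurement log through the TPM extend rule, compare the result with the PCR value the TPM quoted, and compare each measured file with the reference measurements. File paths and contents, the PCR index and the reference database are constructed; verification of the quote's signature with the TPM's attestation key is assumed to have happened already, and the extend rule is the SHA-1 one of TPM 1.2.

```python
import hashlib

PCR_ZERO = b"\x00" * 20     # SHA-1 PCR initial value (TPM 1.2)
IMA_PCR = 10                # PCR index used for file measurements in the constructed log


def extend(pcr, measurement):
    """TPM extend operation: PCR_new = SHA1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def replay(log):
    """Replay a measurement log [(pcr index, path, digest), ...] into PCR values."""
    pcrs = {}
    for idx, _path, digest in log:
        pcrs[idx] = extend(pcrs.get(idx, PCR_ZERO), digest)
    return pcrs


def verify(log, quoted_pcrs, reference):
    """Verifier side. The log comes from the (untrusted) endpoint; quoted_pcrs is
    what the TPM signed; reference maps path -> known-good digest.
    Returns ("ok" | "fail", findings)."""
    findings = []
    replayed = replay(log)
    for idx, quoted in quoted_pcrs.items():
        if replayed.get(idx) != quoted:
            findings.append("PCR %d: log does not replay to the quoted value (log altered or truncated)" % idx)
    for _idx, path, digest in log:
        expected = reference.get(path)
        if expected is None:
            findings.append("%s: no reference measurement" % path)
        elif expected != digest:
            findings.append("%s: digest differs from reference" % path)
    return ("ok" if not findings else "fail", findings)


def make_log(files, pcr_index=IMA_PCR):
    """Constructed log: one entry per (path, content), digest = SHA-1 of the content."""
    return [(pcr_index, path, hashlib.sha1(content).digest()) for path, content in files]


# constructed known-good files; the reference database is built from them
GOOD_FILES = [("/usr/sbin/sshd", b"sshd release build"),
              ("/etc/ssh/sshd_config", b"PermitRootLogin no\n")]
TAMPERED_FILES = [("/usr/sbin/sshd", b"sshd with backdoor"), GOOD_FILES[1]]
REFERENCE = {path: hashlib.sha1(content).digest() for path, content in GOOD_FILES}


def scenario_clean():
    log = make_log(GOOD_FILES)
    return verify(log, replay(log), REFERENCE)       # the quote equals what the log replays to


def scenario_modified_binary():
    """The binary was replaced before it was measured; TPM and log both hold the real digest."""
    log = make_log(TAMPERED_FILES)
    return verify(log, replay(log), REFERENCE)


def scenario_forged_log():
    """The endpoint rewrites the log to show reference digests, but the quote
    still reflects the extends the TPM actually performed."""
    real_quote = replay(make_log(TAMPERED_FILES))
    return verify(make_log(GOOD_FILES), real_quote, REFERENCE)


if __name__ == "__main__":
    for scenario in (scenario_clean, scenario_modified_binary, scenario_forged_log):
        print(scenario.__name__, scenario())
```

The two failure scenarios are the point: a modified file is caught by the reference comparison, and a log edited to hide it is caught by the PCR replay, because the endpoint can rewrite the log it sends but not the value inside the TPM.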

Resources. Articles: http://people.redhat.com/avagarwa/files/rhel7.1-tnc/ TNC specifications: http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications IETF RFCs: 5209, 5792, 5793, 6876, 7171. strongSwan upstream: http://www.strongswan.org/

Thank You Questions? Feedback: http://sched.co/2bi1

TNC Architecture: IF-T (PT-EAP). Access requester stack: IMC, TNC client, EAP-TNC method, tunnel EAP method, EAP peer. PDP stack: IMV, TNC server, EAP-TNC method, tunnel EAP method, EAP authenticator. Layering: IF-M between IMC and IMV; IF-TNCCS between TNC client and TNC server; IF-T is PT-EAP (IETF RFC 7171), carried inside a tunnel EAP method (EAP-TTLS) over EAP. Use case: pre-admission assessment or reassessment with 802.1X or IKEv2. Source: http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications

TNC Architecture: IF-T (PT-TLS). Access requester stack: IMC, TNC client, TLS client. PDP stack: IMV, TNC server, TLS server. Layering: IF-M between IMC and IMV; IF-TNCCS between TNC client and TNC server; IF-T is PT-TLS (IETF RFC 6876), carried over TLS. Use case: pre-admission assessment or reassessment with TLS.

TNC Architecture: IF-TNCCS (Evaluation Layer). Encapsulates/decapsulates messages between IMCs and IMVs. Computes the overall assessment result. Provides the recommendation to the policy enforcement point (PEP): Allowed, Denied, Quarantined. Provides remediation instructions to TNC clients. Vendor IDs in messages allow vendor-specific extensions: 0 for IETF standard messages, 0x005597 for TCG standard messages.

TNC Architecture: IF-M (Collection Layer). Publish/subscribe model of message exchange: zero or more IMCs/IMVs subscribe to a particular message type; one-to-one communication between an IMC and an IMV is also possible; IMCs/IMVs receive dynamic IDs. IMCs collect measurements and provide them to the TNC client; IMVs verify the measurements and provide results to the TNC server.
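The publish/subscribe routing of this slide and the result computation of the IF-TNCCS slide, simulated in an added example that is not strongSwan or libtnc code: message-type subscriptions, dynamic IMC/IMV ids, delivery to zero or more subscribers, one-to-one remediation replies to the originating IMC, and a most-restrictive-wins combination of IMV recommendations. IMC/IMV names, the TCG message subtype, the measurement dictionaries and the policies are constructed for illustration; the IETF subtypes reuse the PA-TNC component numbers from the End Point Assessment table.

```python
from collections import defaultdict

IETF_VENDOR, TCG_VENDOR = 0x000000, 0x005597
# IF-M message type = (vendor id, subtype). IETF subtypes follow the PA-TNC component
# list (1 = Operating System, 5 = Firewall); the TCG subtype value is an assumption.
MT_OS, MT_FIREWALL, MT_TCG_SWID = (IETF_VENDOR, 1), (IETF_VENDOR, 5), (TCG_VENDOR, 3)

ALLOW, ISOLATE, NO_ACCESS = "allow", "isolate", "no access"
SEVERITY = {ALLOW: 0, ISOLATE: 1, NO_ACCESS: 2}   # the most restrictive IMV wins


class IMC:
    """Collector: publishes its measurements under the message types it owns."""
    def __init__(self, name, message_types, measurements):
        self.name, self.message_types, self.measurements = name, message_types, measurements
        self.id, self.remediation = None, []
    def begin_handshake(self):                    # TNC_IMC_BeginHandshake()
        return [{"type": mt, "src": self.id, "dst": None, "payload": dict(self.measurements)}
                for mt in self.message_types]
    def receive(self, msg):                       # remediation instructions from an IMV
        self.remediation.append(msg["payload"])


class IMV:
    """Verifier: evaluates one message, returns (recommendation, remediation text or None)."""
    def __init__(self, name, message_types, policy):
        self.name, self.message_types, self.policy, self.id = name, message_types, policy, None
    def receive(self, msg):
        return self.policy(msg["payload"])


class Broker:
    """Routing shared by TNC client and TNC server: dynamic ids plus the
    subscription table filled by TNC_TNCC/TNCS_ReportMessageTypes()."""
    def __init__(self):
        self.modules, self.subs, self.deliveries = {}, defaultdict(list), 0
    def load(self, module):                       # one /etc/tnc_config line per module
        module.id = len(self.modules) + 1
        self.modules[module.id] = module
        for mt in module.message_types:
            self.subs[mt].append(module.id)
    def targets(self, msg):
        # a directed message (dst set) goes to exactly one module, else to all subscribers (0..n)
        return [msg["dst"]] if msg["dst"] else list(self.subs.get(msg["type"], []))


class TNCClient(Broker):
    def begin_handshake(self):
        batch = []
        for imc in self.modules.values():
            batch.extend(imc.begin_handshake())
        return batch                              # sent as one PB-TNC batch over IF-TNCCS
    def deliver(self, batch):
        for msg in batch:
            for imc_id in self.targets(msg):
                self.deliveries += 1
                self.modules[imc_id].receive(msg)


class TNCServer(Broker):
    def handle_batch(self, batch):
        """Route each message to its IMVs, collect their recommendations, compute
        the overall result and build the remediation batch for the client."""
        recs, reply = [], []
        for msg in batch:
            for imv_id in self.targets(msg):
                self.deliveries += 1
                rec, remediation = self.modules[imv_id].receive(msg)
                recs.append(rec)
                if remediation:                   # one-to-one reply to the originating IMC
                    reply.append({"type": msg["type"], "src": imv_id, "dst": msg["src"], "payload": remediation})
        overall = max(recs, key=SEVERITY.__getitem__) if recs else ISOLATE   # no verdict at all: do not admit
        return overall, reply


def os_policy(m):
    if m.get("factory_default_password"):
        return NO_ACCESS, "change the factory default password"
    if m.get("forwarding_enabled"):
        return ISOLATE, "disable IP forwarding"
    return ALLOW, None


def firewall_policy(m):
    return (ALLOW, None) if m.get("operational") else (ISOLATE, "start the host firewall")


def assess(os_measurements, fw_measurements):
    """One assessment round; returns (overall recommendation, remediation texts, IMV deliveries)."""
    tncc, tncs = TNCClient(), TNCServer()
    tncc.load(IMC("os-imc", [MT_OS], os_measurements))
    tncc.load(IMC("firewall-imc", [MT_FIREWALL], fw_measurements))
    tncc.load(IMC("swid-imc", [MT_TCG_SWID], {"tags": 3}))    # no server-side subscriber: zero deliveries
    tncs.load(IMV("os-imv", [MT_OS], os_policy))
    tncs.load(IMV("firewall-imv", [MT_FIREWALL], firewall_policy))
    tncs.load(IMV("audit-imv", [MT_OS, MT_FIREWALL], lambda m: (ALLOW, None)))   # second subscriber to both types
    overall, reply = tncs.handle_batch(tncc.begin_handshake())
    tncc.deliver(reply)
    remediation = [text for imc in tncc.modules.values() for text in imc.remediation]
    return overall, remediation, tncs.deliveries


if __name__ == "__main__":
    print(assess({"forwarding_enabled": True}, {"operational": False}))
```

Two design choices matter for security here: the server combines recommendations by taking the most restrictive one, so a single IMV that says "no access" cannot be outvoted by permissive ones, and a batch that reaches no IMV at all yields isolation rather than admission.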