Network Access Control for Education. By Steve Hanna, Distinguished Engineer, Juniper; Co-Chair, Trusted Network Connect WG, TCG; Co-Chair, Network Endpoint Assessment WG, IETF. PowerPoint PPT presentation.
Copyright © 2008 Juniper Networks, Inc. www.juniper.net 1
Network Access Control for Education
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF
Implications of Expanded Network Usage
As Access Increases:
• Mission-critical network assets
• Mobile and remote devices transmitting the LAN perimeter
• Broader variety of network endpoints
• Faculty, staff, parent, and/or student access
Network Security Decreases:
• Critical data at risk
• Perimeter security ineffective
• Endpoint infections may proliferate
• Network control can be lost
Network Access Control Solutions
Features:
Control Access
• to critical resources
• to entire network
Based on
• User identity and role
• Endpoint identity and health
• Other factors
With
• Remediation
• Management
Benefits:
Consistent Access Controls
Reduced Downtime
• Healthier endpoints
• Fewer outbreaks
Safe Remote Access
Safe Access for
• Faculty, Staff
• Students, Parents
• Guests
• Devices
Network access control must be a key component of every network!
What is Trusted Network Connect (TNC)?
Open Architecture for Network Access Control
Suite of Standards to Ensure Interoperability
Work Group in Trusted Computing Group (TCG)
TCG: The Big Picture
TCG Standards
Applications
• Software Stack
• Operating Systems
• Web Services
• Authentication
• Data Protection
Platforms covered by TCG standards:
• Storage
• Mobile Phones
• Servers
• Desktops & Notebooks
• Security Hardware
• Networking
• Printers & Hardcopy
TNC Architecture Overview
Diagram: the Access Requester (AR) connects over wireless or wired links; the Policy Enforcement Point (PEP) sits at the network perimeter (firewall, VPN); the Policy Decision Point (PDP) decides whether access is granted.
• Access Requester (AR)
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP)
Typical TNC Deployments
Uniform Policy
User-Specific Policies
TPM Integrity Check
Uniform Policy
Diagram: Access Requester (AR), Policy Enforcement Point (PEP) at the network perimeter, Policy Decision Point (PDP).
Client Rules:
• Windows XP
• SP2
• OSHotFix 2499
• OSHotFix 9288
• AV (one of): Symantec AV 10.1, McAfee Virus Scan 8.0
• Firewall
Non-compliant System (sent to Remediation Network):
• Windows XP
• SP2
• x OSHotFix 2499 (missing)
• x OSHotFix 9288 (missing)
• AV – McAfee Virus Scan 8.0
• Firewall
Compliant System (admitted to Production Network):
• Windows XP
• SP2
• OSHotFix 2499
• OSHotFix 9288
• AV – Symantec AV 10.1
• Firewall
User-Specific Policies
Diagram: Access Requester (AR), Policy Enforcement Point (PEP) at the network perimeter, Policy Decision Point (PDP).
Access Policies:
• Authorized Users
• Client Rules
Guest User → Guest Network (Internet Only)
Ken – Faculty → Classroom Network
• Windows XP, OSHotFix 9345, OSHotFix 8834, AV – Symantec AV 10.1, Firewall
Linda – Finance → Finance Network
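The two deployments above, uniform client rules followed by per-user network assignment, as one toy PDP decision routine. This is an added example, not code from the slides or from Juniper; the rule values and network names are the slides' own, while the Endpoint class, check_posture and decide_access are this example's names, and treating an unknown role as a guest is its assumption.

```python
from dataclasses import dataclass

# Client rules from the "Uniform Policy" slide.
CLIENT_RULES = {
    "os": "Windows XP",
    "service_pack": "SP2",
    "hotfixes": {"OSHotFix 2499", "OSHotFix 9288"},
    "av_one_of": {("Symantec AV", "10.1"), ("McAfee Virus Scan", "8.0")},
    "firewall": True,
}

# Role-to-network assignment from the "User-Specific Policies" slide.
ROLE_NETWORKS = {
    "guest": "Guest Network (Internet only)",
    "faculty": "Classroom Network",
    "finance": "Finance Network",
}

@dataclass
class Endpoint:
    """Posture reported by the Access Requester (hypothetical shape)."""
    os: str
    service_pack: str
    hotfixes: set
    av: tuple          # (product, version), or None if no AV found
    firewall: bool

def check_posture(ep, rules=CLIENT_RULES):
    """Return the list of failed client rules; an empty list means compliant."""
    failures = []
    if ep.os != rules["os"] or ep.service_pack != rules["service_pack"]:
        failures.append("os/service pack")
    for hotfix in sorted(rules["hotfixes"] - ep.hotfixes):
        failures.append(f"missing {hotfix}")
    if ep.av not in rules["av_one_of"]:      # "AV (one of)" rule
        failures.append("antivirus")
    if rules["firewall"] and not ep.firewall:
        failures.append("firewall")
    return failures

def decide_access(role, ep):
    """PDP decision: any failed rule sends the endpoint to the Remediation
    Network; a compliant endpoint gets the network its role authorizes.
    Unknown roles fall back to guest access (this example's assumption)."""
    failures = check_posture(ep)
    if failures:
        return "Remediation Network", failures
    return ROLE_NETWORKS.get(role, ROLE_NETWORKS["guest"]), []
```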
TPM Integrity Check
Diagram: Access Requester (AR), Policy Enforcement Point (PEP) at the network perimeter, Policy Decision Point (PDP).
Client Rules:
• BIOS
• OS
• Drivers
• Anti-Virus Software
Compliant System, TPM Verified (admitted to Production Network):
• BIOS, OS, Drivers, Anti-Virus Software
TPM – Trusted Platform Module
• Hardware module built into most of today’s PCs
• Enables a hardware Root of Trust
• Measures critical components during trusted boot
• PTS interface allows PDP to verify configuration and remediate as necessary
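A simulation of the integrity check above: each component the slide lists is measured into a PCR with the TPM extend operation during boot, and the PDP compares the resulting value with a known-good reference. This is an added example, not code from the slides or from any TPM or PTS implementation; the component images are constructed strings, SHA-1 stands in for the TPM 1.2 hash, and a real PTS exchange would also carry a TPM-signed quote over the PCR, which this simulation omits.

```python
import hashlib

# Components the "TPM Integrity Check" slide lists as client rules, in boot order.
COMPONENTS = ["BIOS", "OS", "Drivers", "Anti-Virus Software"]

def measure(image: bytes) -> bytes:
    """Measurement of one component: a SHA-1 digest, as in TPM 1.2."""
    return hashlib.sha1(image).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). A PCR can only be
    extended, never written, so a tampered component cannot be hidden
    by later measurements, and the order of measurements matters."""
    return hashlib.sha1(pcr + measurement).digest()

def boot_measurements(images: dict) -> bytes:
    """Measure each component into a PCR that starts at 20 zero bytes."""
    pcr = bytes(20)
    for name in COMPONENTS:
        pcr = extend(pcr, measure(images[name]))
    return pcr

# Constructed stand-in images for a known-good build; the reference PCR is
# the value the PDP would hold for this configuration.
GOOD_IMAGES = {name: f"known-good {name} image".encode() for name in COMPONENTS}
REFERENCE_PCR = boot_measurements(GOOD_IMAGES)

def pdp_verify(reported_pcr: bytes, reference_pcr: bytes = REFERENCE_PCR) -> str:
    """PDP side of the check: a matching PCR gets the Production Network,
    anything else is sent for remediation. This simulation trusts the
    reported value; a real PTS exchange would verify a TPM quote over it."""
    if reported_pcr == reference_pcr:
        return "Production Network"
    return "Remediation Network"

def check_endpoint(images: dict) -> str:
    """End to end: the AR boots and measures, the PDP verifies."""
    return pdp_verify(boot_measurements(images))
```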
TNC Architecture in Detail
Access Requester (AR):
• TPM and TSS, exposed through the Platform Trust Service (PTS) over IF-PTS
• Integrity Measurement Collectors (IMC), connected to the TNC Client over IF-IMC
• TNC Client (TNCC)
• Network Access Requestor
Policy Enforcement Point (PEP), connected to the PDP over IF-PEP
Policy Decision Point (PDP):
• Integrity Measurement Verifiers (IMV), connected to the TNC Server over IF-IMV
• TNC Server (TNCS)
• Network Access Authority
Interfaces between AR and PDP:
• IF-M: IMC to IMV
• IF-TNCCS: TNCC to TNCS
• IF-T: Network Access Requestor to Network Access Authority (transport)
TNC Status
TNC Architecture and all specs released
• Available since 2006 from TCG web site
Rapid Specification Development Continues
• New specifications, enhancements
Number of Members and Products Growing Rapidly
Compliance and Interoperability Testing and Certification Efforts under way
TNC Vendor Support
• Access Requester (AR): Endpoint – supplicant/VPN client, etc.
• Policy Enforcement Point (PEP): Network Device – FW, switch, router, gateway
• Policy Decision Point (PDP): AAA server – RADIUS, Diameter, IIS, etc.
TNC/NAP/UAC Interoperability
Announced May 21, 2007 by TCG, Microsoft, and Juniper
NAP products implement TNC specifications
• Included in Windows Vista, Windows XP SP 3, and Windows Server 2008
Juniper UAC and NAP can interoperate
• Demonstrated at Interop Las Vegas 2007
• UAC will support IF-TNCCS-SOH in 1H2008
Customer Benefits
• Easier implementation – can use built-in Windows NAP client
• Choice and compatibility – through open standards
NAP Vendor Support
What About Open Source?
Several open source implementations of TNC
• University of Applied Arts and Sciences in Hannover, Germany (FHH): http://tnc.inform.fh-hannover.de
• libtnc: https://sourceforge.net/projects/lib/tnc
• OpenSEA 802.1X supplicant: http://www.openseaalliance.org
• FreeRADIUS: http://www.freeradius.org
TCG support for these efforts
• Liaison Memberships
• Open source licensing of TNC header files
Summary
Network Access Control provides
• Strong Security and Safety
• Tight Control Over Network Access
• Reduced PC Administration Costs
Open Standards Clearly Needed for NAC
• Many, Many Vendors Involved in a NAC System
• Some Key Benefits of Open Standards: Ubiquity, Flexibility, Reduced Cost
TNC = Open Standards for NAC
• Widely Supported – HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc.
• Can Use TPM to Detect Root Kits
TNC: Coming Soon to a Network Near You!
For More Information
TCG Web Site
• https://www.trustedcomputinggroup.org
Juniper UAC Web Site
• http://www.juniper.net/products_and_services/unified_access_control
Steve Hanna
• Distinguished Engineer, Juniper Networks
• Co-Chair, Trusted Network Connect Work Group, TCG
• Co-Chair, Network Endpoint Assessment Working Group, IETF
• email: shanna@juniper.net
• Blog: http://www.gotthenac.com