strongSwan TNC Activities Update › tcg › TCG_Dublin_2013.pdf · strongSwan TNC Activities...

Preview:

Click to see full reader

Citation preview

strongSwan TNC Activities Update

TCG Members Meeting June 2013 Dublin

Prof. Andreas Steffen

Institute for Internet Technologies and Applications

HSR University of Applied Sciences Rapperswil

andreas.steffen@hsr.ch

27.06.2013, tcg_dublin_2013.pptx 2

Where the heck is Rapperswil?

27.06.2013, tcg_dublin_2013.pptx 3

HSR - Hochschule für Technik Rapperswil

• University of Applied Sciences with about 1500 students

• Faculty of Information Technology (300-400 students)

• Bachelor Course (3 years), Master Course (+1.5 years)

27.06.2013, tcg_dublin_2013.pptx 4

strongSwan – the OpenSource VPN Solution

Campus

Network

strongSwan Linux Client

Windows 7/8 Agile VPN Client

Linux FreeRadius Server

Windows Active Directory Server

Internet

High-Availability strongSwan

VPN Gateway

strongswan.hsr.ch

27.06.2013, tcg_dublin_2013.pptx 5

Trusted Network Connect (TNC) Framework

Source: Trusted Computing Group (TCG)

strongSwan TNC Activities Update

TCG Members Meeting Juni 2013 Dublin

strongSwan IMC/IMV Pairs

27.06.2013, tcg_dublin_2013.pptx 7

OS IMC/IMV Pair

• Objective

• Get Operating System Information

• Subscribed IF-M Subtype

• IETF/Operating System

• Supported IF-M Attributes

• IETF/Attribute Request • IETF/Product Information, IETF/String Version, IETF/Numeric Version • IETF/Operational Status (Linux Uptime) • IETF/Installed Packages (Android, Debian, Ubuntu) • IETF/Forwarding Enabled • IETF/Factory Default Password Enabled • IETF/Assessment Result • IETF/Remediation Instructions • IETF/IF-M Error

• ITA/Device ID (Android ID, Linux D-Bus ID, TPM AIK Fingerprint) • ITA/Get Settings, ITA/Settings • ITA/Start Angel, ITA/Stop Angel (Fragmentation of Installed Packages)

27.06.2013, tcg_dublin_2013.pptx 8

Scanner IMC/IMV Pair

• Objective

• Scan open listening TCP and UDP ports

• Subscribed IF-M Subtype

• IETF/VPN

• Supported IF-M Attributes

• IETF/Attribute Request • IETF/Port Filter • IETF/Assessment Result • IETF/Remediation Instructions • IETF/IF-M Error

27.06.2013, tcg_dublin_2013.pptx 9

Attestation IMC/IMV Pair

• Objective

• File/Directory Measurements and TPM-based Remote Attestation

• Subscribed IF-M Subtypes

• TCG/PTS, IETF/Operating System (IMV only, requires an OS IMC)

• Supported IF-M Attributes

• TCG/Request PTS Protocol Capabilities, TCG/PTS Protocol Capabilities • TCG/PTS Measurement Algorithm Request/Response • TCG/Request File Measurement, TCG/File Measurement • TCG/Request File Metadata, TCG/Unix-Style File Metadata • TCG/D-H Nonce Parameters Request/Response, TCG/D-H Nonce Finish • TCG/Get TPM Version Information, TCG/TPM Version Information • TCG/Get Attestation Identity Key, TCG/Attestation Identity Key • TCG/Request Functional Component Evidence • TCG/Generate Attestation Evidence • TCG/Simple Component Evidence, TCG/Simple Evidence Final (Quote)

• IETF/IF-M Error, IETF/Attribute Request • IETF/Product Information, IETF/String Version • IETF/Assessment Result, IETF/Remediation Instructions

strongSwan TNC Activities Update

TCG Members Meeting Juni 2013 Dublin

Linux Integrity Measurement Architecture (IMA)

27.06.2013, tcg_dublin_2013.pptx 11

Linux Integrity Measurement Architecture

• Linux Security Summit 2012 Paper

• Presented in September at LinuxCon in San Diego

• The transfer and database lookup of 1200 file measurements amounting to about 120 kB of IMA measurements and certified by a Quote2 TPM signature takes about 20 seconds.

• http://www.strongswan.org/lss2012.pdf

27.06.2013, tcg_dublin_2013.pptx 12

Linux IMA - BIOS Measurements

PCR SHA-1 Measurement Hash Comment

0 4d894eef0ae7cb124740df4f6c5c35aa0fe7dae8 08 [S-CRTM Version]

0 f2c846e7f335f7b9e9dd0a44f48c48e1986750c7 01 [POST CODE]

...

7 9069ca78e7450a285173431b3e52c5c25299e473 04 []

4 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f 05 [Calling INT 19h]

4 67a0a98bc4d6321142895a4d938b342f6959c1a9 05 [Booting BCV Device 80h, - Hitachi HTS723216L9A360]

4 06d60b3a0dee9bb9beb2f0b04aff2e75bd1d2860 0d [IPL]

5 1b87003b6c7d90483713c90100cca3e62392b9bc 0e [IPL Partition Data]

• BIOS is measured during the boot process

• Many Linux distributions enable BIOS measurement by default when a TPM hardware device is detected.

• BIOS measurement report with typically 20…130 entries is written to /sys/kernel/security/tpm0/ascii_bios_measurements

• BIOS measurements are extended into PCRs #0..7

27.06.2013, tcg_dublin_2013.pptx 13

Linux IMA - Runtime Measurements

PCR SHA-1 Measurement Hash SHA-1 File Data Hash Filename

10 d0bb59e83c371ba6f3adad491619524786124f9a ima 365a7adf8fa89608d381d9775ec2f29563c2d0b8 boot_aggregate

10 76188748450a5c456124c908c36bf9e398c08d11 ima f39e77957b909f3f81f891c478333160ef3ac2ca /bin/sleep

10 df27e645963911df0d5b43400ad71cc28f7f898e ima 78a85b50138c481679fe4100ef2b3a0e6e53ba50 ld-2.15.so

... ...

10 30fa7707af01a670fc353386fcc95440e011b08b ima 72ebd589aa9555910ff3764c27dbdda4296575fe parport.ko

... ...

• Executable files, dynamic libraries and kernel modules are measured when loaded during runtime.

• With current Linux distributions either IMA must be activated via the boot parameter ima_tcb or the kernel must by manually compiled with CONFIG_IMA enabled

• The IMA runtime measurement report with about 1200 entries is written to /sys/kernel/security/ima/ascii_runtime_measurements

• IMA runtime measurements are extended into TPM PCR #10

strongSwan TNC Activities Update

TCG Members Meeting Juni 2013 Dublin

strongSwan PDP as an IF-MAP Client

27.06.2013, tcg_dublin_2013.pptx 15

Open Source TNC IF-MAP Products

IRON Project FH Hannover (MAP-Server)

MAP-Client

strongSwan TNC Activities Update

TCG Members Meeting Juni 2013 Dublin

strongSwan BYOD Android VPN Client

27.06.2013, tcg_dublin_2013.pptx 17

strongSwan Android BYOD VPN Client

strongSwan TNC Activities Update

TCG Members Meeting Juni 2013 Dublin

CYGNET TNC Policy Manager

27.06.2013, tcg_dublin_2013.pptx 19

CYGNET TNC Policy Manager

27.06.2013, tcg_dublin_2013.pptx 20

CYGNET TNC Policy Manager

27.06.2013, tcg_dublin_2013.pptx 21

Defining Policies

• Policy Types

• PCKGS Installed Packages • UNSRC Unknown Source • FWDEN Forwarding Enabled • PWDEN Factory Default Password Enabled • FREFM File Reference Measurement • FMEAS File Measurement • FMETA File Metadata • DREFM Directory Reference Measurement • DMEAS Directory Measurement • DMETA Directory Metadata • TCPOP TCP Ports allowed Open • TCPBL TCP Ports to be Blocked • UDPOP UDP Ports allowed Open • UDPBL UDP Ports to be Blocked

27.06.2013, tcg_dublin_2013.pptx 22

Database Schema

Recommended

The strongSwan IPsec Solution with TNC Support · 15.06.2011, tcg_munich_2011.pptx 9 strongSwan Business Model • Paid development of customer-specific add-ons •Features of general
Documents
TNC COAXIAL CONNECTORS TNC COAXIAL CONNECTORS · 2016. 5. 25. · TNC COAXIAL CONNECTORS TNC COAXIAL CONNECTORS 95 The Connex TNC connectors are made to a high quality level. Medium
Documents
Data Interfaces for HEIDENHAIN s · 2017. 12. 22. · TNC 370 TNC 406 TNC 407/415 TNC 410 TNC 425 TNC 426/430 CNC 232B CNC 234.xx CNC 332 1.3 Other Documentation on Data Interfaces
Documents
State of the TCG Christophe Arviset For the TCG. TCG State of the TCG 6 December 2010 Christophe Arviset – TCG chair Page 2 Technical Coordination Group
Documents
TNC COAXIAL CONNECTORS TNC COAXIAL CONNECTORS · TNC COAXIAL CONNECTORS TNC COAXIAL CONNECTORS 95 The Connex TNC connectors are made to a high quality level. Medium size …
Documents
Data Interfaces for HEIDENHAIN s...TNC 131/135 TNC 145 TNC 150/151/155 TNC 246 TNC 2500 TNC 306 TNC 310 TNC 335 TNC 351/355 TNC 360 TNC 370 TNC 406 TNC 407/415 TNC 410 TNC 425 TNC
Documents
Technical Manual TNC 407, TNC 415 B, TNC 425sheerservice.com.br/media/TNC$20407_415.pdf · Contents Technical Manual TNC 407, TNC 415 B, TNC 425 Update Information Introduction Mounting
Documents
LinuxTag 2005 Paper: Advanced Features of Linux strongSwan · PDF fileAdvanced Features of Linux strongSwan the OpenSource VPN Solution Institute of Internet Technologies and Applications
Documents
Technical Manual TNC 407, TNC 415 B, TNC 425€¦ · 01.98 TNC 407/TNC 415/TNC 425 Preface This Technical Manual is intended for manufacturers and distributors of machine tools. It
Documents
TNC IF-TNCCS v1 1 r15 - Trusted Computing Group · TNC IF-TNCCS TCG Copyright Specification Version 1.1 TCG PUBLISHED
Documents
TNC-Pi manually - TNC-X.Com
Documents
TCG Trusted Network Connect TNC IF-T: Protocol Bindings
Documents
State of the TCG Christophe Arviset For the TCG. TCG State of the TCG 17 May 2010 Christophe Arviset – TCG chair Page 2 Technical Coordination Group Technical
Documents
TCG Trusted Network Communications TNC IF-MAP Binding for …€¦ · Steve Hatch Boeing Corporation Richard Hill Boeing Corporation David Mattes Boeing Corporation Travis Reid Boeing
Documents
TCG Trusted Mobility Solutions TCG Work Group Use Cases ......TCG TMS Use Cases – Enterprise, Financial, & NFV Copyright © TCG 2011-2018 PUBLISHED
Documents
IF-TNCCS-SOH v1.0 r8 - Trusted Computing Group › wp-content › uploads › ... · TNC IF-TNCCS: Protocol Bindings for SoH TCG Copyright Specification Version 1.0 TCG PUBLISHED
Documents
TNC 640 TNC 320 / TNC 620
Documents
Grass Trimmer/Brush Cutter TCG 22EASSL /TCG 22EASS TCG ... · PDF fileGrass Trimmer/Brush Cutter Model TCG 22EAS(SL)/TCG 22EAS(S) ... Since this manual covers several models, ... Grass
Documents
The strongSwan Open Source VPN Solution
Documents
TNC 426 TNC 430 - Heidenhain · Machine operating modes MANUAL OPERATION ... HEIDENHAIN TNC 426, TNC 430 I TNC Models, ... 151 Feed rate in microns per spindle revolution: M136
Documents