Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1
Putting Trust into the Network: Securing Your Network through Trusted Access Control
Ned Smith
Intel NCAC
April 27th, 2005
Agenda
• TCG Model for Trusted Computing
• Establishing Endpoint Integrity / Identity
• Access Control Decisions Based on TPM
• Relating XACML with TCG Integrity Schema
Challenges of Trusted Computing
• Assurance of safe computing environments
  – Viruses, Worms, Rootkits, Spyware, Adware etc.
  – Identifying the endpoint is ambiguous
• The endpoint has a distinct boundary
  – Controllers, busses, networks and peripherals associated with a platform
    • Authentication protocols presume authorization tokens are bound to the endpoint
• Control of resources in foreign environments
  – Infosec policy associated with data as it moves through different computing environments
  – The environment must follow the policy
TCG Model of a Trusted Computing Platform
[Diagram: a Trusted Engine inside a Protection Domain. Its Layer Resources are a Measurement Engine, Storage Engine, Verification Engine, Reporting Engine and Enforcement Engine, governed by Policies and producing Metrics. Its Layer Services are Provided Services and Dependent Services.]
Examples
• Secure Boot
  – A secure boot service implements Measurement and Reporting engines integrated with a Verification engine
  – The Verification engine evaluates measurements according to a policy to determine proper boot sequence
  – If the sequence is in error, an Enforcement engine is employed to terminate the boot process
• Trusted Boot
  – Trusted boot service implements Measurement and Storage engines following the boot sequence
  – A Verification engine on a remote node (network server) evaluates the boot sequence at a later time
Decomposition for Network Access Control
[Diagram with steps numbered 1 to 7, from Access Request (1) to Network Connect (7): the Access Requestor Domain holds a Measurement Engine, Storage Engine and Reporting Engine, producing Metrics and a Measurement Attestation; the PDP Domain holds a Verification Engine with Policies, which issues the Access Control decision; the PEP Domain holds an Enforcement Engine, which applies the access.]
How to Define the Endpoint?
• Authentication tokens
  – Keys, pass-phrases, certificates etc.
• Boot sequence
• Device enumeration
• Software install / load
• Running processes / threads
• Manufacturer intrinsic attributes
  – Model, version, quality metrics
Three Vectors of Endpoint Integrity / Identity
• Measurement
  – Hash of software/firmware captures platform state
    • Controllers and processors are enumerated and measured
    • Executing code may be scanned to determine its present state
• Cryptographic Identity
  – Authentication keys
    • Reporting Engines use cryptographic keys to authenticate the reporting engine, which by extension identifies the platform
• Origin Identity
  – MMV
    • Each component (device, platform, software package) can be identified by its Manufacturer, Model and Version (MMV)
    • Credentials issued by manufacturers contain MMV intrinsic assertions
  – Reference Measurements
    • Manufacturer provided signatures
Example: Pre-Boot Integrity Measurement Collection
[Diagram: a measure-then-execute chain starting at the Root of Trust for Measurement (RTM). The chain runs RTM → POST Code → Initial Program Loader (IPL) → Option ROM(1), Option ROM(2), Option ROM(3) and Option ROM(3) Extension → Operating System; PCI Config, CMOS and BIS Certificates are also measured. Each measurement is extended into the TPM, which holds the Hash of Extended Values, and recorded in a Log of Extended Values.]
Measure = Hash of code or data
Execute = Code is loaded into CPU
Platform Configuration Registers (PCRs)
• Stores cumulative configuration
• Update is an Extend operation:
  – [PCR] = SHA-1 {[PCR] + Extend value}
  – Value:
    • It is infeasible to calculate the value A such that:
      – PCRdesiredValue = Extend (A)
• PCRs re-initialized at system reset
  – TPM_Init
• Measurement Log contains
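As an added example, not part of the original slides, the Extend operation and the verifier's use of the measurement log in Python. The stage names follow the pre-boot chain above; the code images being measured are constructed stand-ins, and the reference value is assumed to have been recorded by the platform owner from a known-good boot.

```python
import hashlib
from typing import List, Tuple

# A TPM 1.2 PCR is a 20-byte SHA-1 digest; TPM_Init resets it to all zeros.
PCR_INIT = bytes(20)


def measure(data: bytes) -> bytes:
    """Measure = hash of the code or data about to be executed or consumed."""
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, value: bytes) -> bytes:
    """One Extend operation: [PCR] = SHA-1 {[PCR] + Extend value}."""
    return hashlib.sha1(pcr + value).digest()


def collect_boot_measurements(stages: List[Tuple[str, bytes]]):
    """Measure-then-execute chain: each stage is hashed and extended into the PCR
    before it runs. Returns the final PCR and the measurement log of (stage, digest)."""
    pcr = PCR_INIT
    log = []
    for name, code in stages:
        digest = measure(code)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log: List[Tuple[str, bytes]]) -> bytes:
    """Verifier side: recompute the PCR the reported log should produce."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify_report(reported_pcr: bytes, log, reference_pcr: bytes) -> Tuple[bool, str]:
    """Two checks a verification engine applies to an integrity report:
    1. the log replays to the reported PCR (log and register agree);
    2. the PCR equals the reference value for the expected boot sequence."""
    if replay_log(log) != reported_pcr:
        return False, "log does not replay to reported PCR"
    if reported_pcr != reference_pcr:
        return False, "PCR differs from reference value"
    return True, "boot sequence matches reference"


# Constructed stand-ins for the code images measured at each pre-boot stage.
GOOD_BOOT = [
    ("POST Code", b"post-code-v1"),
    ("IPL", b"initial-program-loader-v1"),
    ("Option ROM(1)", b"option-rom-1-v1"),
    ("Option ROM(2)", b"option-rom-2-v1"),
    ("Operating System", b"os-loader-v1"),
]

# Reference value (assumed): the PCR recorded from a known-good boot of this platform.
REFERENCE_PCR, _ = collect_boot_measurements(GOOD_BOOT)


def modified_stage_detected() -> bool:
    """A changed Option ROM changes the PCR, so it is flagged even with an honest log."""
    stages = [(n, b"option-rom-1-v2" if n == "Option ROM(1)" else c) for n, c in GOOD_BOOT]
    pcr, log = collect_boot_measurements(stages)
    ok, _ = verify_report(pcr, log, REFERENCE_PCR)
    return not ok


def reordered_boot_detected() -> bool:
    """The same stages in a different order extend to a different PCR."""
    stages = [GOOD_BOOT[1], GOOD_BOOT[0]] + GOOD_BOOT[2:]
    pcr, log = collect_boot_measurements(stages)
    ok, _ = verify_report(pcr, log, REFERENCE_PCR)
    return not ok


def forged_log_detected() -> bool:
    """Substituting the known-good log to hide a modified stage breaks the replay,
    because a PCR can only be extended, never rewritten to a chosen value."""
    stages = [(n, b"option-rom-1-v2" if n == "Option ROM(1)" else c) for n, c in GOOD_BOOT]
    pcr, _ = collect_boot_measurements(stages)
    _, good_log = collect_boot_measurements(GOOD_BOOT)
    ok, reason = verify_report(pcr, good_log, REFERENCE_PCR)
    return (not ok) and reason == "log does not replay to reported PCR"


if __name__ == "__main__":
    pcr, log = collect_boot_measurements(GOOD_BOOT)
    print(verify_report(pcr, log, REFERENCE_PCR))
```

The replay check is what makes the log trustworthy: the log itself is not protected, but any edit to it stops it from reproducing the PCR that the TPM reports.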
Collecting Measurements After System Boot
• A Platform Trust Service (PTS) can be used to Measure Applications
  – Files
    • Read files from disk; compute a measurement
  – Processes
    • Ring 3 – DLL injection to read another process's memory
    • Ring 0 – Access pages in memory / DMA accesses
Example Platform Trust Service
• Integrity of the PTS is established
  – Pre-boot by measuring PTS drivers included in OS image
  – Post-boot by measuring PTS process memory pages
• PTS may measure processes and files
  – Determined by policy – e.g. protect integrity reporting infrastructure
  – Triggered by request – e.g. measure before connecting to the network
[Diagram: pre-boot, the Initial Program Loader (IPL) measures and executes the Operating System (including the PTS Driver); the PTS Service is then measured and executed, and in turn measures Other Services and Other Processes or Files.]
TCG Model for Exchanging Integrity Data
• IF-IMC & IF-IMV exchange messages containing posture information
  – Messages are batched for delivery by TNCC / TNCS
  – Either side may start a batched exchange
  – IMCs and IMVs may subscribe to multiple message types
  – Follow-on exchanges may continue indefinitely
    • But may be gated by the underlying transport
[Diagram: on the Access Requestor, a TNC Client with Anti-Virus, Firewall, Patch Mgmt and TNC Integrity Collectors; on the Policy Decision Point, a TNC Server with the matching Anti-Virus, Firewall, Patch Mgmt and TNC Integrity Verifiers. Batches travel through a tunnel between client and server, and each verifier reports a Status of OK or !OK.]
The TNC Server Makes the Final Decision
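An added simulation of the batched exchange described above; it is not code from the slides or from any TNC implementation. Collectors and verifiers are keyed by message type, the TNC client and server deliver messages in batches, a verifier may start a follow-on exchange to ask its collector for more detail, and the TNC server combines the verifiers' statuses into the final decision. The message types, posture fields, patch identifiers, the round limit standing in for the transport and the allow/isolate combining rule are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OK, NOT_OK = "OK", "!OK"


@dataclass
class Message:
    msg_type: str   # message type that IMCs/IMVs subscribe to (names below are constructed)
    body: dict


@dataclass
class Batch:
    messages: List[Message] = field(default_factory=list)


class Collector:
    """IMC: reports one aspect of endpoint posture and answers follow-on requests."""
    def __init__(self, msg_type: str, posture: dict):
        self.msg_type, self.posture = msg_type, posture

    def initial_message(self) -> Message:
        summary = {k: v for k, v in self.posture.items() if k != "detail"}
        return Message(self.msg_type, {"summary": summary})

    def handle(self, request: Message) -> Optional[Message]:
        if request.body.get("want") == "detail":
            return Message(self.msg_type, {"detail": self.posture.get("detail")})
        return None


class Verifier:
    """IMV: checks messages of its type against a policy; may ask for more data first."""
    def __init__(self, msg_type: str, check: Callable[[object], bool], needs_detail: bool = False):
        self.msg_type, self.check, self.needs_detail = msg_type, check, needs_detail
        self.status: Optional[str] = None

    def evaluate(self, msg: Message) -> Optional[Message]:
        if self.needs_detail and "detail" not in msg.body:
            return Message(self.msg_type, {"want": "detail"})   # starts a follow-on exchange
        data = msg.body["detail"] if "detail" in msg.body else msg.body["summary"]
        self.status = OK if self.check(data) else NOT_OK
        return None


class TNCClient:
    """TNCC: batches collector messages and routes server requests to collectors."""
    def __init__(self, collectors: List[Collector]):
        self.collectors = {c.msg_type: c for c in collectors}

    def initial_batch(self) -> Batch:
        return Batch([c.initial_message() for c in self.collectors.values()])

    def handle_batch(self, batch: Batch) -> Batch:
        replies = []
        for m in batch.messages:
            c = self.collectors.get(m.msg_type)
            reply = c.handle(m) if c else None
            if reply:
                replies.append(reply)
        return Batch(replies)


class TNCServer:
    """TNCS: routes each message to the verifier subscribed to its type and
    makes the final decision from the verifiers' statuses."""
    def __init__(self, verifiers: List[Verifier]):
        self.verifiers = {v.msg_type: v for v in verifiers}

    def handle_batch(self, batch: Batch) -> Batch:
        requests = []
        for m in batch.messages:
            v = self.verifiers.get(m.msg_type)
            req = v.evaluate(m) if v else None
            if req:
                requests.append(req)
        return Batch(requests)

    def decision(self) -> Tuple[str, Dict[str, str]]:
        # Assumed combining policy: allow only when every verifier said OK;
        # a verifier that never reached a status counts as !OK.
        statuses = {t: (v.status or NOT_OK) for t, v in self.verifiers.items()}
        verdict = "allow" if all(s == OK for s in statuses.values()) else "isolate"
        return verdict, statuses


def run_exchange(client: TNCClient, server: TNCServer, max_rounds: int = 4):
    """Alternate batches until one side has nothing to send; max_rounds stands in
    for the gating that the underlying transport imposes."""
    batch, rounds = client.initial_batch(), 0
    while batch.messages and rounds < max_rounds:
        batch = client.handle_batch(server.handle_batch(batch))
        rounds += 1
    return server.decision()


def build_endpoint(patched: bool) -> TNCClient:
    # Constructed posture; "KB-1" / "KB-2" are placeholder patch identifiers.
    patches = ["KB-1", "KB-2"] if patched else ["KB-1"]
    return TNCClient([
        Collector("antivirus", {"enabled": True, "signature_age_days": 2}),
        Collector("firewall", {"enabled": True}),
        Collector("patchmgmt", {"count": len(patches), "detail": patches}),
    ])


def build_server() -> TNCServer:
    return TNCServer([
        Verifier("antivirus", lambda d: d["enabled"] and d["signature_age_days"] <= 7),
        Verifier("firewall", lambda d: d["enabled"]),
        Verifier("patchmgmt", lambda d: "KB-2" in d, needs_detail=True),
    ])
```

Running `run_exchange(build_endpoint(True), build_server())` takes two rounds: the patch verifier cannot decide from the summary, requests the detail in the first server batch, and reaches OK on the second; the anti-virus and firewall verifiers decide in round one.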
Evaluation of Integrity Reports
• Integrity Reports ought to be shadowed by a Reference Value
  – Reference values
    • “Normal” boot sequence will have repeatable PCR values
    • Versioning “freezes” code changes so hash values don’t change
  – Authentication keys have trust anchors
  – Watchdogs have a schedule of expected events
• Reference Values Should Come from an Authoritative Source
  – Manufacturer – to detect modification due to stolen source
  – Evaluation labs – who make assertions of quality and conformance
  – Platform Owner – the entity taking the risk!
Integrity Harvesting Model
• Harvesting gathers Assertions and Values from a trustworthy source
• TCG Integrity Schema defined structure
[Diagram: Integrity Measurement Harvesters (Harvesting Mechanism) and a Value-Added Provider supply Reference Integrity Measurements and TCG Certificates, through a Submission Mechanism, to an Integrity Signature Database. An Evaluation Mechanism in the Verifier (PDP) applies Policies / Rules that Policy Authors produce through a Policy Authoring Mechanism. The TCG Integrity Schema is the common structure throughout; the legend marks several of these elements as anticipated TCG specifications.]
TCG Integrity Schema
• Consists of a tree of Assertions and hash Values
  – Reference measurements
  – Quality assertions
  – Development / Manufacturing processes
  – Trust related operations
    • E.g. Creation of platform endorsement key
• Associated with a Target “Component”
  – Composite attributes form its “Identity”
    • Manufacturer name / vendor ID
    • Model number / name
    • Version information
      – Patch level
  – Component Identity is unique with respect to a release
    • Not necessarily a particular copy or instance
Integrity Schema and XACML
• Evaluation correlates reference and actual values with appropriate consequences
  – A policy structure such as XACML may be helpful
• An XACML Policy is a tree of
  – PolicySet
    • Contains multiple Policies and policy references
  – Policy
    • Contains multiple Rules
  – Rule
    • Contains decision logic expressed in terms of Conditions and Effect
• TCG Assertions may be mapped to XACML as Condition Attributes
A Conceptual Model
[Diagram: Attribute Sources (Reference Integrity Measurements, TCG Certificates) populate an Integrity Signature Database; Policy Sources (Policy Authors, through a Policy Authoring Mechanism) populate a Policy Database. The AR and PEP send an XACML Request to the PDP, which builds an XACML Context, resolves XACML Policy or Attribute References against the two databases, and returns an XACML Response.]
XACML Condition Attribute
<xs:element name="AttributeValue" type="xacml:AttributeValueType" substitutionGroup="xacml:Expression"/>
<xs:complexType name="AttributeValueType" mixed="true">
<xs:complexContent mixed="true">
<xs:extension base="xacml:ExpressionType">
<xs:sequence>
<xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
<xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
[Diagram: Attribute Sources feeding the Integrity Signature Database.]
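An added example, not from the slides or from any XACML implementation, of the mapping described on the Integrity Schema and XACML slide and the AttributeValue schema above: TCG Integrity Schema assertions about a component (its MMV identity, patch level and reference measurement) become condition attributes, each carrying the DataType URI the schema makes mandatory, and a PolicySet > Policy > Rule tree evaluates them with deny-overrides combining. The `tcg:` attribute identifiers, the reference database entries, the digests and the policy itself are constructed; the DataType URIs are the XML Schema types XACML uses.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Every XACML AttributeValue carries a required DataType URI; these are the
# XML Schema types XACML uses for string, integer and hex-encoded data.
STRING = "http://www.w3.org/2001/XMLSchema#string"
INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
HEXBIN = "http://www.w3.org/2001/XMLSchema#hexBinary"


@dataclass(frozen=True)
class Attribute:
    attribute_id: str   # the "tcg:..." ids below are constructed, not TCG-defined
    data_type: str
    value: object


Context = Dict[str, Attribute]


def attr(ctx: Context, attribute_id: str):
    """Condition helper: an attribute's value, or None if absent from the context."""
    a = ctx.get(attribute_id)
    return a.value if a else None


@dataclass
class Rule:
    rule_id: str
    effect: str
    condition: Callable[[Context], bool]

    def evaluate(self, ctx: Context) -> str:
        return self.effect if self.condition(ctx) else NOT_APPLICABLE


def deny_overrides(results) -> str:
    """One of XACML's standard combining algorithms: any Deny wins."""
    results = list(results)
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]

    def evaluate(self, ctx: Context) -> str:
        return deny_overrides(r.evaluate(ctx) for r in self.rules)


@dataclass
class PolicySet:
    policy_set_id: str
    policies: List[Policy]

    def evaluate(self, ctx: Context) -> str:
        return deny_overrides(p.evaluate(ctx) for p in self.policies)


# Constructed Integrity Signature Database: component identity (MMV) -> reference assertions.
REFERENCE_DB = {
    ("ExampleCorp", "NIC-100", "1.2"): {"digest": "0a1b2c3d", "min_patch_level": 3},
}


def build_context(report: dict) -> Context:
    """Map an integrity report and its reference assertions into condition attributes."""
    mmv = (report["manufacturer"], report["model"], report["version"])
    ctx = {
        "tcg:component:manufacturer": Attribute("tcg:component:manufacturer", STRING, mmv[0]),
        "tcg:component:model": Attribute("tcg:component:model", STRING, mmv[1]),
        "tcg:component:version": Attribute("tcg:component:version", STRING, mmv[2]),
        "tcg:component:patch-level": Attribute("tcg:component:patch-level", INTEGER, report["patch_level"]),
        "tcg:measurement:actual": Attribute("tcg:measurement:actual", HEXBIN, report["digest"]),
    }
    ref = REFERENCE_DB.get(mmv)   # unknown MMV: no reference attributes are added
    if ref:
        ctx["tcg:reference:digest"] = Attribute("tcg:reference:digest", HEXBIN, ref["digest"])
        ctx["tcg:reference:min-patch-level"] = Attribute("tcg:reference:min-patch-level", INTEGER, ref["min_patch_level"])
    return ctx


NETWORK_ACCESS_POLICY = PolicySet("network-access", [
    Policy("component-integrity", [
        Rule("unknown-component", DENY, lambda c: attr(c, "tcg:reference:digest") is None),
        Rule("measurement-mismatch", DENY,
             lambda c: attr(c, "tcg:reference:digest") is not None
             and attr(c, "tcg:measurement:actual") != attr(c, "tcg:reference:digest")),
        Rule("measurement-matches", PERMIT,
             lambda c: attr(c, "tcg:measurement:actual") == attr(c, "tcg:reference:digest")),
    ]),
    Policy("patch-level", [
        Rule("below-minimum-patch", DENY,
             lambda c: attr(c, "tcg:reference:min-patch-level") is not None
             and attr(c, "tcg:component:patch-level") < attr(c, "tcg:reference:min-patch-level")),
    ]),
])


def decide(report: dict) -> str:
    """PDP entry point: report in, XACML decision out."""
    return NETWORK_ACCESS_POLICY.evaluate(build_context(report))
```

The deny rules are written so that a component with no reference entry is denied outright rather than silently permitted: a missing reference attribute makes the match rule NotApplicable, and the explicit unknown-component rule turns that into Deny.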
Summary
• TCG model for Trusted Computing is centered around collection and verification of trust attributes
• Trust attributes can be applied to network access control
• The TCG is developing infrastructure for collecting reference trust attributes
• XACML may be a viable framework for making access decisions involving TCG trust attributes
Questions?
• Contact Information
  – The Trusted Computing Group
    • www.trustedcomputinggroup.org
    • [email protected]
  – Infrastructure Working Group Co-Chairs
    • Ned Smith / Intel
    • Thomas Hardjono / Verisign – [email protected]
Backup
Steps of a Trusted Network Connection
• Find out the condition of the platform
• Communicate platform state when connecting
• Decide what level of access is acceptable
• Restrict the environment in accordance with access rights
• Remediation may be required to reconcile denied access
[Diagram: the five stages Collection, Reporting, Decision Making, Enforcement and Remediation, matching the bullets above.]
TCG Trusted Network Connect Architecture
[Diagram: three columns, AR (Access Requestor), PEP (Policy Enforcement Point) and PDP (Policy Decision Point), across five layers.
  – Trust Layer: RTM / TPM and Platform Trust Service on the AR, with an Integrity Log
  – Integrity Measurement Layer: Integrity Measurement Collectors (AR) and Integrity Measurement Verifiers (PDP)
  – Integrity Evaluation Layer: TNC Client (AR) and TNC Server (PDP)
  – Network Access Layer: Network Access Requestor (Supplicant/VPN Client, etc.), Policy Enforcement Point (Switch / Firewall / VPN Gateway) and Network Access Authority
  – Remediation Layer: Remediation Applications (AR) and Remediation Resources
  Interfaces shown: IF-IMC, IF-IMV, IF-TNCCS, IF-Transport, IF-PTS, IF-PEP, IF-V.]
• PTS protects the integrity of TNC components
• RTM protects PTS
• TPM protects measurements and keys
• Enforcement mechanisms
• Control of network boundary
• Reporting and transfer of integrity information
• Access decision making
• Collection of integrity information
• Authoring of rules
• Automated response and provisioning
TNC with 802.1X at Link Layer
[Diagram: the Requestor (AR) runs an EAP Peer, an 802.1x Access Agent and a Collector with NAC Extensions; the Switch / Access Point (PEP) runs an 802.1x PAE and a RADIUS Client; the PDP runs a RADIUS Server, an EAP Peer and a Verifier. TNC runs over EAP, which runs over 802.1X between AR and PEP across the Network Boundary, and over RADIUS* between PEP and PDP.]
Verifier & Collector exchange posture information over EAP tunnel using EAP inner methods, AVPs or TLVs
AR – Access Requester
AVP – Attribute Value Pair
EAP – Extensible Authentication Protocol
PAE – Port Access Entity
PDP – Policy Decision Point
PEP – Policy Enforcement Point
NAC – Network Access Control
TLV – Tag Length Value