Trusted Network Connect Briefing for TF-Mobility February 6, 2008

Slide 1: Trusted Network Connect Briefing for TF-Mobility, February 6, 2008

Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners.

Slide 2: Trusted Network Connect (TNC)

• Open Architecture for Network Access Control
  – Strong security through trusted computing
• Open Standards for Network Access Control
  – Full set of specifications
  – Products shipping today
• Work Group of Trusted Computing Group
  – Industry standards group
  – Over 75 member companies participating
  – More joining every week

Slide 3: Problem: Reduce Endpoint Attacks

• Increasingly Sophisticated and Serious Attacks
  – Malware = Viruses, Worms, Spyware, Rootkits, Back Doors, Botnets
  – Zero-Day Exploits
  – Targeted Attacks
  – Rapid Infection Speed
• Exponential Growth in Malware
  – >40,000,000 Infected Machines
  – >35,000 Malware Varieties
• Motivated Attackers
  – Extortion, Identity Theft, Bank Fraud, Corporate Espionage
• Dissolving Network Boundaries
  – Mobile workforce, increasing collaboration
• Regulatory Requirements
  – Mandatory Policy Compliance

Slide 4: Solution: Network Access Control

• Create Network Access Control Policy
• Require Compliance for Network Access (or Log and Advise)
• Isolate and Repair Non-Compliant Endpoints
• Integrate with TPM to
  – Identify Users
  – Thwart Root Kits

Slide 5: Sample Network Access Control Policy

• Machine Health
  – Anti-Virus software running and properly configured
  – Recent scan shows no malware
  – Personal Firewall running and properly configured
  – Patches up-to-date
  – No unauthorized software
• Machine Behavior
  – No port scanning, sending spam, etc.
• Other Organization-Defined Requirements

Slide 6: TNC Architecture

(Diagram, reconstructed as text.) Access Requestor (AR) → Policy Enforcement Point (PEP) → Policy Decision Point (PDP); the network perimeter sits at the PEP. Access Requestors connect over wireless, wired, or VPN.

Slide 7: Typical TNC Deployments

• Uniform Corporate Policy
• User-Specific Policies
• TPM Integrity Check

Slide 8: Single Policy

(Diagram, reconstructed as text.) Access Requestor → Policy Enforcement Point → Policy Decision Point; the PDP holds the Client Rules and the PEP places each endpoint on the Corporate Network or the Remediation Network.

Client Rules
• Windows XP
  • SP2
  • OSHotFix 2499
  • OSHotFix 9288
  • AV (one of)
    • Symantec AV 10.1
    • McAfee Virus Scan 8.0
  • Firewall

Compliant System (placed on the Corporate Network): Windows XP, SP2, OSHotFix 2499, OSHotFix 9288, AV - Symantec AV 10.1, Firewall

Non-compliant System (placed on the Remediation Network): Windows XP, SP2, x OSHotFix 2499, x OSHotFix 9288, AV - McAfee Virus Scan 8.0, Firewall (the x marks the items that fail the Client Rules)
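The decision the PDP makes on this slide (and against the policy items of Slide 5), written out as an added example that is not part of the TCG deck: every Client Rule is checked, the "AV (one of)" rule is a set membership test, and an endpoint with any failure is sent to the Remediation Network together with the full list of deficiencies. The field and rule names are constructed for the example, not TNC IF-M attribute types.

```python
"""PDP-style evaluation of the Slide 8 Client Rules (added example, not TCG code).
Posture field names and the rule dictionary are constructed for illustration."""

from dataclasses import dataclass

CORPORATE_NETWORK = "Corporate Network"
REMEDIATION_NETWORK = "Remediation Network"

@dataclass
class Posture:
    """What the endpoint's Integrity Measurement Collectors reported."""
    os: str
    service_pack: str
    hotfixes: set[str]
    antivirus: str
    firewall: bool

# Client Rules from the slide: all must hold; AV is "one of" an allowed list.
CLIENT_RULES = {
    "os": "Windows XP",
    "service_pack": "SP2",
    "required_hotfixes": {"OSHotFix 2499", "OSHotFix 9288"},
    "allowed_av": {"Symantec AV 10.1", "McAfee Virus Scan 8.0"},
    "firewall": True,
}

def evaluate(posture: Posture, rules: dict = CLIENT_RULES) -> tuple[str, list[str]]:
    """Return (network decision, failed rules). All rules are checked rather than
    stopping at the first failure, so remediation can fix everything in one pass."""
    failures: list[str] = []
    if posture.os != rules["os"]:
        failures.append(f"OS is {posture.os!r}, required {rules['os']!r}")
    if posture.service_pack != rules["service_pack"]:
        failures.append(f"service pack {posture.service_pack!r}, required {rules['service_pack']!r}")
    for hotfix in sorted(rules["required_hotfixes"] - posture.hotfixes):
        failures.append(f"missing {hotfix}")
    if posture.antivirus not in rules["allowed_av"]:
        failures.append(f"AV {posture.antivirus!r} not in allowed list")
    if rules["firewall"] and not posture.firewall:
        failures.append("personal firewall not running")
    return (CORPORATE_NETWORK if not failures else REMEDIATION_NETWORK), failures

# Constructed postures mirroring the two systems drawn on the slide.
COMPLIANT = Posture("Windows XP", "SP2", {"OSHotFix 2499", "OSHotFix 9288"},
                    "Symantec AV 10.1", True)
NON_COMPLIANT = Posture("Windows XP", "SP2", set(), "McAfee Virus Scan 8.0", True)

if __name__ == "__main__":
    for name, posture in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        decision, why = evaluate(posture)
        print(f"{name}: {decision} {why}")
```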

Slide 9: User-Specific Policies

(Diagram, reconstructed as text.) Access Requestor → Policy Enforcement Point → Policy Decision Point; the PDP holds the Access Policies and the PEP places each user on the Finance Network, the R&D Network, or the Guest Network (Internet Only).

Access Policies
• Authorized Users
• Client Rules

Users shown
• Ken – R&D (R&D Network)
• Linda – Finance: Windows XP, OS Hotfix 9345, OS Hotfix 8834, AV - Symantec AV 10.1, Firewall (Finance Network)
• Guest User (Guest Network, Internet Only)

Slide 10: TPM Integrity Check

(Diagram, reconstructed as text.) Access Requestor → Policy Enforcement Point → Policy Decision Point; a Compliant System with TPM-verified BIOS, OS, Drivers and Anti-Virus SW is placed on the Corp LAN.

Client Rules
• TPM enabled
  • BIOS
  • OS
  • Drivers
  • Anti-Virus SW

TPM – Trusted Platform Module
• HW module built into most of today’s PCs
• Enables a HW Root of Trust
• Measures critical components during trusted boot
• PTS interface allows PDP to verify configuration and remediate as necessary

Slide 11: TNC Architecture

(Diagram, reconstructed as text.) Three columns, Access Requestor, Policy Enforcement Point and Policy Decision Point, each stacked in three rows, with the named interfaces connecting them:

• Top row: Integrity Measurement Collectors (IMC) on the Access Requestor and Integrity Measurement Verifiers (IMV) on the Policy Decision Point, exchanging messages over IF-M
• Middle row: TNC Client (TNCC) and TNC Server (TNCS), connected by IF-TNCCS; IMCs plug into the TNCC over IF-IMC and IMVs into the TNCS over IF-IMV
• Bottom row: Network Access Requestor, Policy Enforcement Point (PEP) and Network Access Authority; IF-T carries the exchange between the Network Access Requestor and the Network Access Authority, and IF-PEP connects the Network Access Authority to the PEP
• Platform Trust Service (PTS) on the Access Requestor, built on the TSS and the TPM, exposed over IF-PTS

Slide 12: Trusted Platform Module (TPM)

• Security hardware on motherboard
  – Open specifications from TCG
  – Resists tampering & software attacks
• Now included in almost all enterprise PCs
  – Off by default
• Features
  – Secure key storage
  – Cryptographic functions
  – Integrity checking & remote attestation
• Applications
  – Strong authentication
  – Secure storage
  – Trusted / secure boot
• For TNC, most useful for detecting rootkits
  – Protects against the ‘lying endpoint’ problem
  – TPM measures critical components during trusted boot
    • BIOS, Boot Loader, OS Kernel, Kernel Drivers, TNCC, IMCs
  – PTS-IMC reports measurements via TNC handshake
  – PDP checks measurements against valid configurations
  – If invalid, PDP can remediate and isolate
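How the PDP-side check against valid configurations defeats the lying endpoint, as an added example that is not TCG or PTS code: the verifier replays the reported measurement log through the PCR extend operation and compares the result with the PCR value the TPM quoted, so an infected endpoint whose software hands over a clean-looking log is caught before any per-component comparison. Assumptions for the example: TPM 1.2-style SHA-1 extend (PCR' = SHA1(PCR || digest)) on a single PCR, and the TPM quote signature over that PCR is treated as already verified; the component images and digests are constructed.

```python
"""PDP/IMV-side verification for the TPM Integrity Check (added example, not TCG code).
Assumptions: TPM 1.2-style SHA-1 PCR extend, PCR' = SHA1(PCR || digest), one PCR;
the TPM quote signature over the PCR is taken as already verified."""

import hashlib

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def replay_log(log: list[tuple[str, bytes]]) -> bytes:
    """Recompute the PCR the TPM must hold after extending every logged event."""
    pcr = bytes(20)  # PCRs start at all zeros after reset
    for _component, digest in log:
        pcr = sha1(pcr + digest)
    return pcr

def verify(log, quoted_pcr: bytes, valid_configs: dict) -> tuple[bool, list[str]]:
    """Return (ok, problems). Order matters: first prove the log is what the TPM
    measured (a lying endpoint cannot forge a matching PCR), then check every
    component against the known-good configurations."""
    if replay_log(log) != quoted_pcr:
        return False, ["measurement log does not reproduce quoted PCR (lying endpoint?)"]
    problems = [f"{c}: unknown measurement {d.hex()[:12]}"
                for c, d in log if d not in valid_configs.get(c, set())]
    return not problems, problems

# Constructed stand-ins for the components the slide says are measured at boot.
COMPONENTS = ["BIOS", "Boot Loader", "OS Kernel", "Kernel Drivers", "TNCC", "IMCs"]
GOOD_IMAGES = {c: f"{c} known-good build (constructed)".encode() for c in COMPONENTS}
VALID_CONFIGS = {c: {sha1(img)} for c, img in GOOD_IMAGES.items()}

def good_log() -> list[tuple[str, bytes]]:
    return [(c, sha1(GOOD_IMAGES[c])) for c in COMPONENTS]

def rootkit_log() -> list[tuple[str, bytes]]:
    """Boot log of a machine whose kernel driver was replaced; the TPM records the real hash."""
    images = {**GOOD_IMAGES, "Kernel Drivers": b"rootkit-patched driver (constructed)"}
    return [(c, sha1(images[c])) for c in COMPONENTS]

if __name__ == "__main__":
    honest = verify(good_log(), replay_log(good_log()), VALID_CONFIGS)
    infected = verify(rootkit_log(), replay_log(rootkit_log()), VALID_CONFIGS)
    # Infected host whose software reports the clean log; the TPM-quoted PCR exposes it.
    lying = verify(good_log(), replay_log(rootkit_log()), VALID_CONFIGS)
    for name, result in (("honest", honest), ("infected", infected), ("lying", lying)):
        print(name, result)
```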

Slide 13: TNC Vendor Support

(Diagram, reconstructed as text.) The three TNC roles and the products that fill them:
• Access Requestor: Endpoint (Supplicant/VPN Client, etc.)
• Policy Enforcement Point: Network Device (FW, Switch, Router, Gateway)
• Policy Decision Point: AAA Server, Radius, Diameter, IIS, etc.

Slide 14: Microsoft NAP Interoperability

• IF-TNCCS-SOH Standard
  – Developed by Microsoft as Statement of Health (SoH) protocol
  – Donated to TCG by Microsoft
  – Adopted by TCG and published as a new TNC standard, IF-TNCCS-SOH
• Enables Client-Server Interoperability between NAP and TNC
  – NAP servers can health check TNC clients without extra software
  – NAP clients can be health checked by TNC servers without extra software
  – As long as all parties implement the open IF-TNCCS-SOH standard
• Availability
  – Demonstrations at Interop Las Vegas 2007 (May 2007)
  – Built into Windows Vista now
  – Coming in Windows Server 2008 and Windows XP SP 3
  – Coming in products from other TNC vendors in 1H 2008
• Implications
  – Finally, an agreed-upon open standard client-server NAC protocol
  – True client-server interoperability (like web browsers and servers) is here
  – Industry (except Cisco) has agreed on TNC standards for NAC

(Diagram, reconstructed as text.) NAP or TNC Client ↔ IF-TNCCS-SOH ↔ NAP or TNC Server, carried across Switches, APs, Appliances, Servers, etc.

Slide 15: Microsoft NAP Partners (now TNC)

Slide 16: TNC Advantages

• Open standards
  – Non-proprietary
  – Supports multi-vendor compatibility
  – Interoperability
  – Enables customer choice
  – Allows thorough and open technical review
• Leverages existing network infrastructure
  – Excellent Return-on-Investment (ROI)
• Roadmap for the future
  – Full suite of standards
  – Supports Trusted Platform Module (TPM)
• Products supporting TNC standards shipping today
• TNC certification and compliance program coming soon

Slide 17: What About Open Source?

• Lots of open source support for TNC
  – University of Applied Arts and Sciences in Hannover, Germany (FHH): http://tnc.inform.fh-hannover.de
  – libtnc: https://sourceforge.net/projects/libtnc
  – OpenSEA 802.1X supplicant: http://www.openseaalliance.org
• TCG support for these efforts
  – Liaison Memberships
  – Open source licensing of TNC header files
• Information about TNC implementations available at http://www.opus1.com/nac

Slide 18: What’s Next for Network Security?

• Agree on TNC Standards with ALL Parties
• Universal Endpoint Support for NAC
  – Phones, PDAs, Printers, Cameras, etc.
  – Built-in Agent, Permanent Agent, Downloaded Agent, or No Agent
• Extend Integration of Endpoint Security and Network Security
  – Today (NAC)
    • Endpoint Security (anti-malware, patch management, etc.)
    • AAA / Identity Management
    • Switches, Wireless APs & Management Systems (802.1X or not)
    • Other Enforcement Mechanisms
  – Next Step for Integration
    • Intrusion Detection / Prevention
    • Vulnerability Scanning
    • Firewalls (Stateful & Stateless)
    • VPN Gateways (SSL & IPsec)
    • Any Security Component

Slide 19: ECAM/eduroam and TNC (tech)

• Good fit between TNC and DAMe
  – TNC exchange through tunneled EAP method
  – Handle provided in Access-Accept
  – SAML AttributeQuery for assessment summary and/or details
• PA/IF-M Request Attributes?
  – Optional evaluation against Attribute Release Policy
  – SAML AttributeStatement with assessment summary and/or details
    • PA/IF-M Posture Attributes or PB/IF-TNCCS Assessment Results
• Also interest in integrating application and network SSO
• And interest in integrating network security components
• Josh Howlett - TCG Invited Expert

Slide 20: ECAM/eduroam and TNC (non-tech)

• TCG TNC process under NDA with mandatory RAND cross-licensing of necessary patent claims
  – Membership fees waived for Invited Experts with TCG Board approval
• Invited Experts from edu
  – Josh Howlett, JANET (UK)
  – Chris Misra, UMass Amherst and MACE
  – More welcome
• Collaboration options
  – Invited Experts participate in TNC efforts
  – TNC folks participate in ECAM/eduroam efforts
  – Friendly collaboration between TNC and ECAM/eduroam

Slide 21: For More Information

• TNC Web Site: https://www.trustedcomputinggroup.org/groups/network
• TNC Co-Chairs
  – Steve Hanna, Distinguished Engineer, Juniper Networks, [email protected]
  – Paul Sangster, Chief Security Standards Officer, Symantec, [email protected]