- Number of slides: 12
IF-MAP: Open Standards for Coordinating Security. Presentation for SAAG, IETF 72, July 31, 2008. Steve Hanna, shanna@juniper.net
Information Security Past – Isolation. [Diagram of isolated product silos. Labels: Server/Service Security, Network Security, Host Security. Products shown: Identity Management, Server Security, Web Services Security, Network Intrusion Detection & Prevention, Network Anti-Virus, Network Firewall, Virtual Private Networks, Data Loss Prevention, Vulnerability Scanners, Host Intrusion Detection & Prevention, Host Firewall, Host Anti-Virus.]
Information Security Present – Partial Coordination. [Same diagram with Network Access Control (NAC) added among the products, linking some of them.]
Information Security Future – Full Coordination. [Same diagram with "NAC with IF-MAP" at the centre, coordinating all of the products.]
Basic NAC Architecture. [Diagram: Access Requestor (AR) – Policy Enforcement Point (PEP) – Policy Decision Point (PDP); the PEP is shown as a VPN gateway.]
Integrating Other Security Systems. [Diagram: the basic NAC chain AR – PEP – PDP, plus a Metadata Access Point (MAP) to which the PDP and the Sensors and Flow Controllers connect.]
TNC Architecture. [Diagram of the TNC reference architecture. Access Requestor: Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor, Platform Trust Service (PTS) over TSS and TPM. Policy Enforcement Point (PEP). Policy Decision Point: Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority. Metadata Access Point. Sensors and Flow Controllers. Interfaces: IF-M (IMC to IMV), IF-IMC (IMC to TNCC), IF-IMV (IMV to TNCS), IF-TNCCS (TNCC to TNCS), IF-T (Network Access Requestor to Network Access Authority), IF-PEP (PDP to PEP), IF-PTS (PTS to TNCC), IF-MAP (PDP, sensors and flow controllers to the Metadata Access Point).]
What is IF-MAP?
• Standard Published by Trusted Computing Group
– https://www.trustedcomputinggroup.org/groups/network
• Standard Requests & Responses
– Publish, Search, Subscribe, Poll
• Standard Identifiers
– device, identity, ip-address, mac-address, access-request
• Standard Metadata
– device-attribute, event, role, capability, layer2-information
• Standard Links (marked with metadata)
– access-request-device, access-request-ip, access-request-mac, authenticated-as, authenticated-by, ip-mac
• Protocol Binding for SOAP
• Ability to define optional vendor-specific extensions
Example IF-MAP Graph. [Diagram only: identifiers as nodes, links marked with metadata.]
IF-MAP Benefits
• More Informed Sensors
– Sensors can tune by role and other things
– Should reduce false alarms
• Policy and Reports in Business Terms
– User identity and role vs. IP address
– Simpler, easier to manage
• Automated Response (if desired)
– Faster response = stronger security
– Less expense due to automation
• Customer Choice and Flexibility
– No need to buy all security products from one vendor
– Can reuse and integrate existing security systems
Security and Privacy Considerations
• MAP = Storehouse of Sensitive Data, Critical Nerve Center
– MUST
• TLS with mutual auth for IF-MAP clients
• publisher-id and timestamp to track changes
– SHOULD
• authorization, DOS protection, anomaly detection, physical and operational security, hardening, etc.
• not keep historical data
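To make the "What is IF-MAP?", "IF-MAP Benefits" and "Security and Privacy Considerations" slides concrete, here is an added example of a toy in-memory Metadata Access Point written for this page; it is not code from the presentation, from the Trusted Computing Group or from any IF-MAP product. The identifier types, link names and metadata names are the ones listed on the slide; the class, its method names, the authorization table and the publisher ids (pdp-1, scanner-1, ids-1) are assumptions. It shows the four operations (publish, search, subscribe, poll) over a small graph, how a sensor walks ip-address → access-request → identity to find a role, and two of the security slide's points: every change records a publisher-id and timestamp, and a client may only publish metadata it is authorized for. Transport (SOAP over mutually authenticated TLS, where the publisher-id would be bound to the client certificate) is left out.

```python
"""Toy in-memory Metadata Access Point (MAP) following the IF-MAP data model.

Constructed example for this page: identifier types, link names and metadata
names come from the slide; the class, its methods and the authorization table
are assumptions, not the TCG IF-MAP API or any product. Transport is omitted,
so publisher_id is passed in by the caller instead of coming from a TLS client
certificate.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Identifier = Tuple[str, str]  # (type, value), e.g. ("ip-address", "10.0.0.5")
IDENTIFIER_TYPES = {"device", "identity", "ip-address", "mac-address", "access-request"}
LINK_METADATA = {"access-request-device", "access-request-ip", "access-request-mac",
                 "authenticated-as", "authenticated-by", "ip-mac"}

@dataclass(frozen=True)
class Metadata:
    name: str
    attrs: Tuple[Tuple[str, str], ...]
    publisher_id: str  # MUST on the security slide: who changed the graph ...
    timestamp: str     # ... and when

class AuthorizationError(Exception):
    pass

class ToyMAP:
    def __init__(self, authorized: Dict[str, Set[str]]):
        self._authorized = authorized  # publisher-id -> metadata names it may publish
        self._nodes: Dict[Identifier, List[Metadata]] = {}
        self._links: Dict[FrozenSet[Identifier], List[Metadata]] = {}
        self._subs: Dict[str, Dict[str, Tuple[Identifier, int]]] = {}
        self._pending: Dict[str, Set[str]] = {}

    def publish(self, publisher_id: str, name: str, attrs: Dict[str, str],
                id1: Identifier, id2: Optional[Identifier] = None) -> Metadata:
        """Attach metadata to one identifier, or to the link between two."""
        if name not in self._authorized.get(publisher_id, set()):
            raise AuthorizationError(f"{publisher_id} may not publish {name}")
        for ident in (id1, id2):
            if ident is not None and ident[0] not in IDENTIFIER_TYPES:
                raise ValueError(f"unknown identifier type {ident[0]}")
        if id2 is not None and id2 == id1:
            raise ValueError("a link needs two distinct identifiers")
        md = Metadata(name, tuple(sorted(attrs.items())), publisher_id,
                      datetime.now(timezone.utc).isoformat())
        self._nodes.setdefault(id1, [])
        if id2 is None:
            self._nodes[id1].append(md)
        else:
            self._nodes.setdefault(id2, [])
            self._links.setdefault(frozenset((id1, id2)), []).append(md)
        self._notify({id1} if id2 is None else {id1, id2})
        return md

    def metadata_on(self, ident: Identifier) -> List[Metadata]:
        return list(self._nodes.get(ident, []))

    def search(self, start: Identifier, max_depth: int = 3) -> Dict[Identifier, Dict]:
        """Breadth-first walk over links from `start`, at most max_depth hops.
        Result: {identifier: {"metadata": [names], "links": {neighbour: [names]}}}."""
        result, seen, frontier = {}, {start}, [(start, 0)]
        while frontier:
            ident, depth = frontier.pop(0)
            neighbours = {}
            for key, mds in self._links.items():
                if ident in key:
                    other = next(i for i in key if i != ident)
                    neighbours[other] = [m.name for m in mds]
            result[ident] = {"metadata": [m.name for m in self._nodes.get(ident, [])],
                             "links": neighbours}
            if depth < max_depth:
                for other in neighbours:
                    if other not in seen:
                        seen.add(other)
                        frontier.append((other, depth + 1))
        return result

    def subscribe(self, client_id: str, sub_name: str, start: Identifier, max_depth: int = 3):
        self._subs.setdefault(client_id, {})[sub_name] = (start, max_depth)
        self._pending.setdefault(client_id, set())

    def poll(self, client_id: str) -> Dict[str, Dict]:
        """Current search result for each subscription whose subgraph changed since the last poll."""
        names = self._pending.get(client_id, set())
        out = {n: self.search(*self._subs[client_id][n]) for n in sorted(names)}
        self._pending[client_id] = set()
        return out

    def _notify(self, touched: Set[Identifier]) -> None:
        for client, subs in self._subs.items():
            for name, (start, depth) in subs.items():
                if touched & set(self.search(start, depth)):
                    self._pending[client].add(name)

def roles_for_ip(mapsvr: ToyMAP, ip: str) -> Set[str]:
    """What a sensor asks to tune by role: which identity sits behind this IP
    (ip-address -> access-request -> identity), and which role metadata is on it?"""
    roles = set()
    for ident in mapsvr.search(("ip-address", ip), max_depth=2):
        if ident[0] == "identity":
            roles.update(dict(m.attrs).get("name", "")
                         for m in mapsvr.metadata_on(ident) if m.name == "role")
    return roles

def build_demo() -> ToyMAP:
    """Constructed scenario: a PDP publishes one NAC session; an IDS subscribes to the IP."""
    m = ToyMAP({"pdp-1": LINK_METADATA | {"role"}, "scanner-1": {"event"}})
    ar, ip = ("access-request", "ar-1001"), ("ip-address", "10.0.0.5")
    mac, who = ("mac-address", "00:11:22:33:44:55"), ("identity", "alice")
    m.subscribe("ids-1", "watch-10.0.0.5", ip, 2)
    m.publish("pdp-1", "access-request-ip", {}, ar, ip)
    m.publish("pdp-1", "access-request-mac", {}, ar, mac)
    m.publish("pdp-1", "ip-mac", {}, ip, mac)
    m.publish("pdp-1", "authenticated-as", {}, ar, who)
    m.publish("pdp-1", "role", {"name": "finance"}, who)
    return m
```

After `build_demo()`, `roles_for_ip(m, "10.0.0.5")` returns `{"finance"}`: the IDS can express its rule in terms of a user role rather than an address, which is the "business terms" benefit on the slide. The first `poll("ids-1")` delivers the subgraph around the IP because the PDP's publishes touched it; a second poll returns nothing until some client (for example scanner-1 publishing an `event`) changes that subgraph again. A scanner that tries to publish `role` metadata is refused, which is the simplest form of the per-client authorization the security slide asks for; a real MAP would also bind the publisher-id to the client's TLS certificate rather than trusting the caller's claim.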
Discussion