SACM Architecture Based on TNC Standards Lisa Lorenzin & Atul Shah
Agenda TNC Architecture At-a-Glance Endpoint Compliance with SWIDs and SCAP Security Automation SACM Architect Based on TNC Standards TNC Usage / Extensibility – More Details Slide #2
Trusted Network Connect Open Architecture for Network Security § Completely vendor-neutral § Strong security through trusted computing § Original focus on NAC, now expanded to Network Security Open Standards for Network Security § Full set of specifications available to all § Products shipping since 2005 Developed by Trusted Computing Group (TCG) § Industry standards group § More than 100 member organizations § Includes large vendors, small vendors, customers, etc. Slide #3
TNC Architecture Endpoint Enforcement Point Policy Server MAP Clients Slide #4
Problems Solved by TNC Network and Endpoint Visibility § Who and what’s on my network? § Are devices on my network secure? Is user/device behavior appropriate? Network Enforcement § Block unauthorized users, devices, or behavior Network Access Control (NAC) § Grant appropriate levels of access to authorized users/devices Device Remediation § Quarantine and repair unhealthy or vulnerable devices Security System Integration § Security Share real-time information about users, devices, threats, etc. Automation Slide #5
TNC Standards Endpoint t Integrity Measurement Collectors (IMC) Policy Server Enforcement Point IF-M IF-IMV IF-TNCCS TNC Server (TNCS) Sensor IF-MAP TSS TPM Policy Enforcement Point (PEP) Admin Client Flow Controller IF-T Network Access Requestor IF-MAP Metadata Access IF-MAP Point IF-PTS Platform Trust Service (PTS) MAP Clients IF-MAP Integrity Measurement Verifiers (IMV) IF-IMC TNC Client (TNCC) MAP IF-PEP Network Access Authority IF-MAP Other IF-MAP http: //www. trustedcomputinggroup. org/developers/trusted_network_connect/specifications Slide #6
TNC Architecture & SWIDs Endpoint t Collector SWID Collectors Policy Server Enforcement Point IF-M IF-IMV IF-TNCCS TNC Server (TNCS) Sensor IF-MAP TSS TPM Policy Enforcement Point (PEP) Admin Client Flow Controller IF-T Network Access Requestor IF-MAP Metadata Access IF-MAP Point IF-PTS Platform Trust Service (PTS) MAP Clients IF-MAP SWIDVerifiers IF-IMC TNC Client (TNCC) MAP IF-PEP Network Access Authority IF-MAP Other IF-MAP http: //www. trustedcomputinggroup. org/developers/trusted_network_connect/specifications Slide #7
TNC and SCAP Together Policy Access Requestor Enforcement Point (AR) (PEP) SCAP Client Software Policy Decision Point (PDP) SCAP Analysis Software Metadata Sensors, Flow Access Controllers Point (MAP) SCAP External Scanner Slide #8
Security Automation with IF-MAP ERP SIEM Smart Grid Supply Chain Mgmt AAA Switches Routers Network Location Building Controls Network Security Factory Controls DNS, DHCP Infrastructure Management CMDB Asset Mgmt CRM IPAM HR Applications Search Publish MAP Service Subscribe IF-MAP: XML > SOAP > HTTPS Slide #9
Communication Challenge Asset Management System Endpoint Security (via NAC) Custom Integration SIM / SEM IPAM Physical Security SNMP, Syslog ICS/SCADA Security AAA DLP IDS Server or Cloud Security Switching Wireless Firewalls Slide #10
How IF-MAP Solves the Problem Asset Management System Endpoint Security (via NAC) SIM / SEM IPAM MAP Physical Security IF-MAP Protocol ICS/SCADA Security AAA DLP IDS Server or Cloud Security Switching Wireless Firewalls Slide #11
SACM Architecture Based on TNC Endpoint Assessment MAP Admin IF-MAP Analysis Sensor IF-CMDB Response Database Clients CMDB Databases IF-CRDB Other Database Clients Slide #12
TNC Benefits for SACM • Proven track record • Products shipping since 2005 • Widely deployed • Broad range of customers across many sectors • Longstanding IETF relationship • TNC standards accepted into NEA • Vendor-neutral • Leverage existing infrastructure • Flexible & extensible • Support for broad range of usage scenarios • Easy integration w/existing & emerging standards • E. g. SWIDs & SCAP Slide #13
TNC Usage & Extensibility The following slides provide background information on how TNC works and how it is used… Slide #14
TCG: Standards for Trusted Systems Virtualized Platform Mobile Phones Printers & Hardcopy Authentication Network Security Storage Applications • Software Stack • Operating Systems • Web Services • Authentication • Data Protection Security Hardware Desktops & Notebooks Infrastructure Servers Slide #15
Typical TNC Deployments Health Check Behavior Check User-Specific Policies TPM-Based Integrity Check Clientless Endpoint Handling Physical & Logical Security Coordination Slide #16
Health Check Access Requestor Policy Enforcement Point Policy Decision Point R Non-compliant System Windows 7 üSP 1 x. OSHot. Fix 2499 x. OSHot. Fix 9288 üAV - Mc. Afee Virus Scan 8. 0 üFirewall em ed ia tio n N et w or k Production Network NAC Policy Compliant System Windows 7 üSP 1 üOSHot. Fix 2499 üOSHot. Fix 9288 üAV - Symantec AV 10. 1 üFirewall Windows 7 • SP 1 • OSHot. Fix 2499 • OSHot. Fix 9288 • AV (one of) • Symantec AV 10. 1 • Mc. Afee Virus Scan 8. 0 • Firewall Slide #17
Behavior Check Access Requestor Policy Enforcement Point Policy Decision Point ! Remediation Network ! Metadata Sensors Access and Flow Point Controllers ! ! NAC Policy • No P 2 P file sharing • No spamming • No attacking others Slide #18
User-Specific Policies Access Requestor Guest User Inter Mary – R&D Policy Enforcement Point t Net work net O Metadata Sensors Access and Flow Point Controllers nly R&D Netw ork ce Finan rk Netwo Joe – Finance Windows 7 üOS Hotfix 9345 üOS Hotfix 8834 üAV - Symantec AV 10. 1 üFirewall Policy Decision Point NAC Policy • Users and Roles • Per-Role Rules Slide #19
TPM-Based Integrity Check Access Requestor Policy Enforcement Point Policy Decision Point TPM – Trusted Platform Module • HW module built into most of today’s PCs • Enables a HW Root of Trust • Measures critical components during trusted boot • PTS interface allows PDP to verify configuration and remediate as necessary Production Network Compliant System TPM verified üBIOS üDrivers üAnti-Virus SW NAC Policy TPM enabled • BIOS • Drivers • Anti-Virus SW Slide #20
Clientless Endpoint Handling Access Requestor Policy Enforcement Point Policy Decision Point ! Remediation Network ! Metadata Sensors and Flow Access Controllers Point ! ! NAC Policy • Place Printers on Printer Network • Monitor Behavior Slide #21
Physical Security Integration Reader bypassed, employee tailgates Endpoint Panel receives no information Enforcement Point Policy Server has employee logged as outside building Metadata Access Point Sensor ! ! Slide #22
Coordinated Physical & Logical Contro Readers capture / pass credential info Panel authenticates identity and enforces policy ! ! Server publishes presence data via IF-MAP to Metadata Access Point ! ! IF-MAP Event Messages Endpoint Enforcement Point Policy Server Metadata Access Point Sensor ! ! Slide #23
Foiling Root Kits with TPM and TNC Solves the critical “lying endpoint problem” TPM Measures Software in Boot Sequence § Hash software into PCR before running it § PCR value cannot be reset except via hard reboot During TNC Handshake. . . § PDP engages in crypto handshake with TPM § TPM securely sends PCR value to PDP § PDP compares to good configurations § If not listed, endpoint is quarantined and remediated Slide #24
Federated TNC Conveys TNC results between security domains § Consortia, coalitions, partnerships, outsourcing, and alliances § Large organizations Supports § Web SSO with health info Asserting Security Domain (ASD) § Roaming with health check How? Role=Executive Device=Healthy § SAML profiles for TNC Applications § Network roaming § Coalitions, consortia § Large organizations Access Requestor Relying Security Domain (RSD) Slide #25
TNC: A Flexible Architecture Assessment Options § Identity, health, behavior, and/or location § Optional hardware-based assessment with TPM § Pre-admission, post-admission, or both Enforcement Options § 802. 1 X, firewalls, VPN gateways, DHCP, host software Clientless endpoints § No NAC capabilities built in § Printers, phones, robots, guest laptops Information sharing § IF-MAP lets security devices share info on user identity, endpoint health, behavior, etc. § Federated TNC supports federated environments Slide #26
TNC Advantages Open standards § Non-proprietary – Supports multi-vendor compatibility § Interoperability § Enables customer choice § Allows thorough and open technical review Leverages existing network infrastructure § Excellent Return-on-Investment (ROI) Roadmap for the future § Full suite of standards § Supports Trusted Platform Module (TPM) TNC-based products shipping for almost a decade Slide #27
TNC Adoption Access Requestor Policy Enforcement Point Policy Decision Point Metadata Access Point Sensors, Flow Controllers Slide #28
Windows Support IF-TNCCS-SOH NAP or TNC Client Switches, APs, Appliances, Servers, etc. NAP or TNC Server IF-TNCCS-SOH Standard § Developed by Microsoft as Statement of Health (So. H) protocol § Donated to TCG by Microsoft § Adopted by TCG and published as a new TNC standard, IF-TNCCS-SOH Availability § Built into all supported versions of Microsoft Windows § Also built into products from other TNC vendors Implications § NAP servers can health check TNC clients without extra software § NAP clients can be health checked by TNC servers without extra software § As long as all parties implement the open IF-TNCCS-SOH standard Slide #29
IETF and TNC IETF NEA WG § Goal: Universal Agreement on NAC Client-Server Protocols § Co-Chaired by Cisco employee and TNC-WG Chair Published several TNC protocols as IETF RFCs § PA-TNC (RFC 5792), PB-TNC (RFC 5793), PT-TLS (RFC 6876) § Equivalent to TCG’s IF-M 1. 0, IF-TNCCS 2. 0, and IFT/TLS § Co-Editors from Cisco, Intel, Juniper, Microsoft, Symantec Now working on getting IETF approval for IF-T/EAP Slide #30
What About Open Source? Lots of open source support for TNC § University of Applied Arts and Sciences in Hannover, Germany (FHH) http: //trust. inform. fh-hannover. de § libtnc § omapd IF-MAP Server http: //sourceforge. net/projects/libtnc § Open. SEA 802. 1 X supplicant § strong. Swan IPsec http: //www. strongswan. org http: //www. openseaalliance. org § Free. RADIUS http: //code. google. com/p/omapd § Open Source TNC SDK (IF-IMV & IF-IMC) http: //www. freeradius. org http: //sourceforge. net/projects/tncsd k TCG support for these efforts § Liaison Memberships § Open source licensing of TNC header files Slide #31
TNC Certification Program Certifies Products that Properly Implement TNC Standards Certification Process § Compliance testing using automated test suite from TCG § Interoperability testing at Plugfest § Add to list of certified products on TCG web site Customer Benefits § Confidence that products interoperate § Easy to cite in procurement documents Slide #32
TNC in the Real World Widely Deployed § Thousands of Seats § Hundreds of Customers § Dozens of Products Across Many Sectors § Government § Finance § Health Care § Retail … Slide #33
TNC Summary TNC solves today’s security problems with growth for the future § Flexible open architecture to accommodate rapid change § Coordinated, automated security for lower costs and better security TNC = open network security architecture and standards § Enables multi-vendor interoperability § Can reuse existing products to reduce costs and improve ROI § Avoids vendor lock-in TNC has strongest security § Optional support for TPM to defeat rootkits § Thorough and open technical review Wide support for TNC standards § Many vendors, open source, IETF Slide #34
For More Information TNC Architecture & Standards • http: //www. trustedcomputinggroup. org/develop ers/trusted_network_connect TCG TNC Endpoint Compliance Profile & FAQ • http: //bit. ly/15 p. H 7 K 3 Lisa Lorenzin Principal Solutions Architect, Juniper Networks llorenzin@juniper. net Atul Shah Senior Security Strategist, Microsoft ashah@microsoft. com Slide #35
Скачать презентацию SACM Architecture Based on TNC Standards Lisa Lorenzin
8c6d3344b5dc9cdf63c73ba1d7661026.ppt