Download Slides - TERENA Networking Conference 2008

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
Document related concepts

Deep packet inspection wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Computer security wikipedia , lookup

Mobile security wikipedia , lookup

Security and safety features new to Windows Vista wikipedia , lookup

Trusted Computing wikipedia , lookup

Security-focused operating system wikipedia , lookup

Access control wikipedia , lookup

Wireless security wikipedia , lookup

Unix security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript 
Network Access Control and Beyond
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Security Problems of Open Networks
Critical data at risk
As Access Increases
Sensitive information,
mission-critical network
Mobile and remote
devices and users
Unmanaged or
ill-managed endpoints
Network can become
unreliable
Perimeter security
ineffective
Endpoint infections
may proliferate
Network Security Decreases
Student, faculty, staff,
and/or guest access
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Network Access Control Solutions
Features
 Control Access
• to critical resources
• to entire network
 Based on
• User identity and role
• Endpoint identity and health
• Other factors
 With
• Remediation
• Management
Benefits
 Consistent Access Controls
 Reduced Downtime
• Healthier endpoints
• Fewer outbreaks
 Safe Remote Access
 Safe Access for
• Students
• Faculty
• Staff
• Guests
Network access control must be a key component of every network!
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Sample Network Access Control Policy
To Access the Production Network...
1. User Must Be Authenticated
•
With Identity Management System
2. Endpoint Must Be Healthy
•
•
•
•
Anti-Virus software running and properly configured
Recent scan shows no malware
Personal Firewall running and properly configured
Patches up-to-date
3. Behavior Must Be Acceptable
•
No port scanning, sending spam
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
State of Network Access Control
 Many products and open source implementations
 Several approaches
•
•
•
•
•
MAC registration – accountability
Identity – block unauthorized users
Endpoint health – detect and fix unhealthy endpoints
Behavior – track and block unauthorized behavior
Combination of the above
 Convergence on one architecture and standards
• TNC = Trusted Network Connect
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
What is Trusted Network Connect (TNC)?
 Open Architecture for Network Access Control
 Suite of Standards to Ensure Interoperability
 Work Group in Trusted Computing Group
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Architecture Overview
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Wireless
Wired
Network
Perimeter
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Typical TNC Deployments
 Uniform Policy
 User-Specific Policies
 TPM Integrity Check
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Uniform Policy
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Remediation
Network
Non-compliant System
Windows XP
 SP2
x OSHotFix 2499
x OSHotFix 9288
 AV - McAfee Virus Scan 8.0
 Firewall
Production
Network
Compliant System
Windows XP
 SP2
 OSHotFix 2499
 OSHotFix 9288
 AV – Symantec AV 10.1
 Firewall
Copyright © 2008 Juniper Networks, Inc.
Network
Perimeter
Client Rules
Windows XP
- SP2
- OSHotFix 2499
- OSHotFix 9288
- AV (one of)
- Symantec AV 10.1
- McAfee Virus Scan 8.0
- Firewall
www.juniper.net
‹#›
User-Specific Policies
Access
Requester (AR)
Guest
User
Ken –
Faculty
Linda –
Finance
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Guest
Network
Internet Only
Research
Network
Access Policies
- Authorized Users
- Client Rules
Finance
Network
Windows XP
 OSHotFix 9345
 OSHotFix 8834
 AV – Symantec AV 10.1
 Firewall
Copyright © 2008 Juniper Networks, Inc.
Network
Perimeter
www.juniper.net
‹#›
TPM Integrity Check
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
TPM – Trusted Platform Module
- Hardware module built into most
of today’s PCs
- Enables a hardware Root of Trust
- Measures critical components
during trusted boot
- PTS interface allows PDP to
verify configuration and remediate
as necessary
Production
Network
Compliant System
TPM Verified
 BIOS
 OS
 Drivers
 Anti-Virus Software
Copyright © 2008 Juniper Networks, Inc.
Client Rules
- BIOS
- OS
- Drivers
- Anti-Virus Software
Network
Perimeter
www.juniper.net
‹#›
Foiling Root Kits with TPM and TNC
 Solves the critical “lying endpoint problem”
• User or rootkit causes endpoint to lie about health
 TPM Measures Software in Boot Sequence
• Hash software into PCR before running it
• PCR value cannot be reset except via hard reboot
 During TNC Handshake...
•
•
•
•
PTS-IMV engages in crypto handshake with TPM
TPM securely sends PCR value to PTS-IMV
PTS-IMV compares to good configs
If not listed, endpoint is quarantined and remediated
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Why TNC?
 Open standards
• Supports multi-vendor compatibility
• Enables customer choice
• Allows open technical review for better security
 Supports Existing Networks
• wired and wireless, 802.1X and non-802.1X, firewalls,
IPsec and SSL VPNs, dialup, etc.
 Supports Optional Trusted Platform Module
• Basis for trusted endpoint
• Solves critical problem with existing products: root kits
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Architecture in Detail
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
(IF-M)
t Collector
IntegrityCollector
Measurement
Collectors (IMC)
Verifers
Integrity Verifiers
Measurement
Verifiers (IMV)
(IF-IMC)
(IF-IMV)
(IF-TNCCS)
TNC Server
(TNCS)
TNC Client (TNCC)
(IF-PTS)
Platform Trust
Service (PTS)
TSS
(IF-T)
Network
Access
Requestor
(IF-PEP)
Policy
Enforcement
Point (PEP)
Network Access
Authority
TPM
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Status
 TNC Architecture and all specs released
• IF-IMC, IF-IMV, IF-PEP for RADIUS, IF-PTS,
IF-TNCCS, IF-T for Tunneled EAP Methods
• Freely Available from TCG web site
 Rapid Specification Development Continues
• New Specifications, Enhancements
 Number of Members and Products
Growing Rapidly
 Compliance and Interoperability Testing and
Certification effort under way
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Vendor Support
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Endpoint
Supplicant/VPN Client, etc.
Network Device
FW, Switch, Router, Gateway
AAA Server, Radius,
Diameter, IIS, etc.
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC/NAP Interoperability
IF-TNCCS-SOH
NAP or TNC
Client
Switches, APs, Appliances, Servers, etc.
NAP or TNC
Server
 IF-TNCCS-SOH Standard Enables Client-Server Interoperability between NAP and TNC
• NAP servers can health check TNC clients without extra software
• NAP clients can be health checked by TNC servers without extra software
• As long as all parties implement the open IF-TNCCS-SOH standard
 Availability
• Built into Windows Vista, Windows Server 2008, Windows XP SP 3
• Unix clients shipping from Avenda Systems and UNETsystem
• Other TNC vendors planning to ship support in 1H 2008
 Implications
• Finally, an agreed-upon open standard client-server NAC protocol
• True client-server interoperability (like web browsers and servers) is here
• Industry (except Cisco) has agreed on TNC standards for NAC
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
NAP Vendor Support
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
IETF and TNC
 IETF NEA WG
• Goal: Universal Agreement on NAC Protocols
• Co-Chaired by Cisco rep and TNC-WG Chair
• Adopted TNC specs as WG drafts
• PA-TNC and PB-TNC
• Equivalent to IF-M 1.0 and IF-TNCCS 2.0
• Cisco Engineer will Co-Edit
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
What About Open Source?
 Lots of open source support for TNC
• University of Applied Arts and Sciences in Hannover, Germany
(FHH)
• http://tnc.inform.fh-hannover.de
• libtnc
• https://sourceforge.net/projects/libtnc
• OpenSEA 802.1X supplicant
• http://www.openseaalliance.org
• FreeRADIUS
• http://www.freeradius.org
 TCG support for these efforts
• Free Liaison Memberships
• Open source licensing of TNC header files
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Moving Beyond NAC – Future Vision
 Trusted Devices
• Trusted hardware and secure software provide trustworthy clients
 Access Control
• Secure and reliable access to any service from any device across
any network (in accordance with policy)
 Coordinated Security
• Security systems cooperate through open standards to provide
strong, autonomic, and efficient security at lower cost and
complexity
 Policy
• Security policies defined in business terms apply across all
security systems
• Good tools for defining and analyzing policies
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TCG – Working Toward The Future
 Trusted Devices
• TPM – open standards for trusted hardware
• TSS and PTS – open standards for secure software (not enough)
 Access Control
• TNC – working on broader access control standards
 Coordinated Security
• New IF-MAP standard addresses this directly (see next slide)
 Policy
• Important area for future work
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
IF-MAP – Problems to Be Solved
 Manage unresponsive endpoints
• Printers, phones, other embedded devices
• Guest, student, and other systems with no NAC
capability
 Monitor endpoint behavior
• Detect and respond to unacceptable use
 Integrate Security Systems
• Enable coordinated and automatic response
• Share information to improve security
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Architecture with IF-MAP
Access Requestor
t
Integrity Measurement
Collector
Collector
Collectors (IMC)
Policy Enforcement
Point
IF-MAP
IF-M
Integrity Measurement
Verifiers
Verifiers
Verifiers (IMV)
IF-IMC
TNC Client
(TNCC)
Flow Controllers,
Sensors, etc.
Metadata Access
Point
Policy Decision
Point
IF-IMV
IF-TNCCS
TNC Server
(TNCS)
IF-MAP
Network Access
Authority
IF-MAP
IF-MAP
Meta-data
Access Point
Non-edge
Policy
Flow Controllers,
Verifiers
Verifiers
Enforcement
Sensors,
etc.
Points
IF-PTS
IF-T
Platform Trust
Service (PTS)
Network
Access
Requestor
TSS
Policy
Enforcement
Point (PEP)
IF-PEP
IF-MAP
TPM
Laptops, mobile,
devices,
other endpoints
running TNC clients
Copyright © 2008 Juniper Networks, Inc.
802.1X
switches,
VPN
gateways,
edge firewalls
RADIUS
servers,
VPN
controllers,
policy servers
IF-MAP servers IDP/IDS systems,
directories,
DHCP servers,
internal firewalls,
SIM/SEM servers
www.juniper.net
‹#›
IF-MAP Use Cases
 PDP publishes info on new user & device to IF-MAP server
• IDS and NBAD use this info to adjust their settings (e.g. P2P allowed)
• Flow controller (e.g. interior firewall) uses info to adjust access controls
• PDP and flow controller subscribe to updates on user or device
 IDS publishes event to an IF-MAP server
• Device X is attacking device Y
• PDP and/or flow controller receive notification of event
• They can respond by quarantining device X, warning user, etc.
 PDP detects new unknown clientless device Z
• PDP posts info to IF-MAP server, subscribes to updates
• DHCP server, endpoint profiler, etc. publish info on device
• PDP receives notification, grants appropriate access
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
IF-MAP Benefits
 Lower deployment and operating costs
• Integration of existing systems and investments
• Fewer false alarms since policies are tuned
 Reduced deployment and operating complexity
• Standards based integration
• Automated responses
 Stronger security
•
•
•
•
Responses to both managed and unmanaged endpoints
Management of the complete lifecycle of a network endpoint
Coordinated response across many products
Policies tuned per user or group
 Better policies and reports
• Based on usernames and roles instead of IP addresses
 Benefits of open standards
• Avoid vendor lock-in
• Reduce costs through competition
• Choose best products for each job
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
IF-MAP Status
 IF-MAP Specification published April 28, 2008
• Available at http://www.trustedcomputinggroup.org/groups/network
• Free to implement
 Strong interest among customers, vendors, press, analysts, and
open source implementers
 Demonstrations in TCG booth at Interop Vegas 2008
 Builds on existing standards (XML, SOAP, HTTP, SSL)
• Ongoing alignment work with Open Group and MITRE on event format
 Work continues to expand and improve IF-MAP
 Products to follow
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
How can you participate in TCG/TNC?
 Review TCG/TNC specs and materials
• Available at http://www.trustedcomputinggroup.org
• Free to implement
 Try deployments of TCG/TNC technology
• Commercial or open source
 Contribute to open source implementations
 Start related research projects
 Apply for Mentor or Invited Expert status
• Mentor status supports researchers with advice (no NDA)
• Invited Expert status makes you a full TCG participant
• Josh Howlett of JANET is an Invited Expert
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Thanks to Academic Community
 Higher education pioneered most of these
concepts
•
•
•
•
Trusted computing
Access control & NAC
Coordinated security
Policy
“If I have seen further it is by standing on the
shoulders of Giants.”
-Sir Isaac Newton
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Summary
 Network Access Control (NAC) has clear benefits
• Controlling access to critical networks
• Detecting and fixing unhealthy endpoints
• Monitoring and addressing endpoint behavior
 Open Standards Required for NAC
• Many, Many Products Involved
 TNC = Open Standards for NAC
 Many Advances in Network Security Coming
• Trusted Devices, Access Control, Coordinated Security, Policy
 TCG Welcomes Your Input
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
For More Information
 TCG Web Site
• https://www.trustedcomputinggroup.org
 TNC Co-Chairs
Steve Hanna
email: [email protected]
Blog: http://www.gotthenac.com
Paul Sangster
email: [email protected]
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Related documents
Kaizuka Juniper - Hicks Nurseries
Kaizuka Juniper - Hicks Nurseries
Juniper Parsoni
Juniper Parsoni
Globalisation- 10 important facts
Globalisation- 10 important facts
Andorra Juniper
Andorra Juniper
Blue Sargent Juniper
Blue Sargent Juniper
Hollywood Juniper
Hollywood Juniper
Beautiful ideas. Real value.
Beautiful ideas. Real value.
Juniper Haircap Moss
Juniper Haircap Moss
Sargent Juniper - Hicks Nurseries
Sargent Juniper - Hicks Nurseries
vGUARD - InfoGuard
vGUARD - InfoGuard
Great Lakes
Great Lakes
CHAP 26: GLOBAL BUSINESS
CHAP 26: GLOBAL BUSINESS