Download PowerPoint Presentation - IF-MAP

IF-MAP: Open Standards for
Coordinating Security
Presentation for SAAG
IETF 72, July 31, 2008
Steve Hanna [email protected]
1
Information Security Past - Isolation
Server/Service
Security
Identity
Management
Network Intrusion
Detection & Prevention
Network
Security
Data Loss
Prevention
Host Intrusion
Host
Security Detection & Prevention
Server
Security
Network Anti-Virus
Vulnerability
Scanners
Host Firewall
Web Services
Security
Network
Firewall
Virtual Private
Networks
Host Anti-Virus
2
Information Security Present –
Partial Coordination
Server/Service
Security
Identity
Management
Server
Security
Network Intrusion
Network Anti-Virus
Detection & Prevention Network Access
Control (NAC)
Network
Security
Data Loss
Prevention
Host Intrusion
Host
Security Detection & Prevention
Vulnerability
Scanners
Host Firewall
Web Services
Security
Network
Firewall
Virtual Private
Networks
Host Anti-Virus
3
Information Security Future –
Full Coordination
Server/Service
Security
Identity
Management
Network Intrusion
Detection & Prevention
Network
Security
Data Loss
Prevention
Host Intrusion
Host
Security Detection & Prevention
Server
Security
Network Anti-Virus
NAC with
IF-MAP
Vulnerability
Scanners
Host Firewall
Web Services
Security
Network
Firewall
Virtual Private
Networks
Host Anti-Virus
4
Basic NAC Architecture
Access
Requestor
(AR)
Policy
Enforcement
Point
(PEP)
Policy
Decision
Point
(PDP)
VPN
5
Integrating Other Security Systems
Access
Policy
Requestor Enforcement
(AR)
Point
(PEP)
Policy
Decision
Point
(PDP)
Metadata Sensors,
Flow
Access
Controllers
Point
(MAP)
VPN
6
TNC Architecture
Access Requestor
t
Integrity Measurement
Collector
Collector
Collectors (IMC)
Policy
Enforcement
Point
IF-M
Policy Decision
Point
IF-IMV
IF-TNCCS
TNC Server
(TNCS)
Sensor
IF-MAP
Metadata
Access
IF-MAP
Point
Flow
Controller
IF-PTS
IF-T
Platform Trust
Service (PTS)
TSS
Sensors
and Flow
Controllers
IF-MAP
Integrity Measurement
Verifiers
Verifiers
Verifiers (IMV)
IF-IMC
TNC Client
(TNCC)
Metadata
Access
Point
Network
Access
Requestor
Policy
Enforcement
Point (PEP)
IF-PEP
Network
Access
Authority
IF-MAP
IF-MAP
IF-MAP
TPM
7
What is IF-MAP?
• Standard Published by Trusted Computing Group
– https://www.trustedcomputinggroup.org/groups/network
• Standard Requests & Responses
– Publish, Search, Subscribe, Poll
• Standard Identifiers
– device, identity, ip-address, mac-address, access-request
• Standard Metadata
– device-attribute, event, role, capability, layer2-information
• Standard Links (marked with metadata)
– access-request-device, access-request-ip, access-request-mac,
authenticated-as, authenticated-by, ip-mac
• Protocol Binding for SOAP
• Ability to define optional vendor-specific extensions
8
Example IF-MAP Graph
identity =
john.smith
macaddress=
00:11:22:3
3:44:55
access-request-mac
ip-mac
role=finance
and employee
ip-address
= 192.0.2.7
authenticated-as
accessrequest =
111:33
layer2-information
VLAN=1234
Port=12
capability =
accessfinanceserverallowed
ip-address
=
192.0.2.55
device-attribute =
anti-virus-running
access-requestdevice
device =
111:55
authenticated-by
ip-address
=
192.0.2.60
9
IF-MAP Benefits
• More Informed Sensors
– Sensors can tune by role and other things
– Should reduce false alarms
• Policy and Reports in Business Terms
– User identity and role vs. IP address
– Simpler, easier to manage
• Automated Response (if desired)
– Faster response = stronger security
– Less expense due to automation
• Customer Choice and Flexibility
– No need to buy all security products from one vendor
– Can reuse and integrate existing security systems
10
Security and Privacy
Considerations
• MAP = Storehouse of Sensitive Data,
Critical Nerve Center
– MUST
• TLS with mutual auth for IF-MAP clients
• publisher-id and timestamp to track changes
– SHOULD
• authorization, DOS protection, anomaly detection,
physical and operational security, hardening, etc.
• not keep historical data
11
Discussion
12