Network Access Control and Beyond
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF
Copyright © 2008 Juniper Networks, Inc. www.juniper.net

Security Problems of Open Networks
Critical data at risk
• Sensitive information, mission-critical network
As Access Increases
• Mobile and remote devices and users
• Unmanaged or ill-managed endpoints
• Student, faculty, staff, and/or guest access
Network Security Decreases
• Network can become unreliable
• Perimeter security ineffective
• Endpoint infections may proliferate

Network Access Control Solutions
Features
• Control Access
  - to critical resources
  - to entire network
• Based on
  - User identity and role
  - Endpoint identity and health
  - Other factors
• With
  - Remediation
  - Management
Benefits
• Consistent Access Controls
• Reduced Downtime
  - Healthier endpoints
  - Fewer outbreaks
• Safe Remote Access
• Safe Access for
  - Students
  - Faculty
  - Staff
  - Guests
Network access control must be a key component of every network!

Sample Network Access Control Policy
To Access the Production Network...
1. User Must Be Authenticated
   • With Identity Management System
2. Endpoint Must Be Healthy
   • Anti-Virus software running and properly configured
   • Recent scan shows no malware
   • Personal Firewall running and properly configured
   • Patches up-to-date
3. Behavior Must Be Acceptable
   • No port scanning, sending spam
State of Network Access Control
Many products and open source implementations
Several approaches
• MAC registration – accountability
• Identity – block unauthorized users
• Endpoint health – detect and fix unhealthy endpoints
• Behavior – track and block unauthorized behavior
• Combination of the above
Convergence on one architecture and standards
• TNC = Trusted Network Connect

What is Trusted Network Connect (TNC)?
Open Architecture for Network Access Control
Suite of Standards to Ensure Interoperability
Work Group in Trusted Computing Group

TNC Architecture Overview
[Diagram: the Access Requester (AR) connects over wireless or wired media, crosses the Network Perimeter at the Policy Enforcement Point (PEP), and the PEP consults the Policy Decision Point (PDP)]

Typical TNC Deployments
• Uniform Policy
• User-Specific Policies
• TPM Integrity Check

Uniform Policy
[Diagram: Access Requester (AR), Policy Enforcement Point (PEP) at the Network Perimeter, Policy Decision Point (PDP); the PDP applies one set of Client Rules to every endpoint]
Client Rules
• Windows XP
  - SP2
  - OSHotFix 2499
  - OSHotFix 9288
• AV (one of)
  - Symantec AV 10.1
  - McAfee Virus Scan 8.0
• Firewall
Non-compliant System (placed on the Remediation Network)
• Windows XP SP2
• x OSHotFix 2499 (not installed)
• x OSHotFix 9288 (not installed)
• AV – McAfee Virus Scan 8.0
• Firewall
Compliant System (admitted to the Production Network)
• Windows XP SP2
• OSHotFix 2499
• OSHotFix 9288
• AV – Symantec AV 10.1
• Firewall

User-Specific Policies
[Diagram: three Access Requesters (a Guest User, Ken – Faculty, and Linda – Finance) reach the Policy Enforcement Point (PEP) at the Network Perimeter; the Policy Decision Point (PDP) places each on a different network]
Access Policies
• Authorized Users
• Client Rules
Guest Network
• Internet Only
Research Network
Finance Network
• Windows XP
• OSHotFix 9345
• OSHotFix 8834
• AV – Symantec AV 10.1
• Firewall
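The Sample Network Access Control Policy, the Uniform Policy client rules and the per-role networks of the User-Specific Policies slide describe one PDP decision. The following is an added example, not code from the deck or from any TNC product: a small evaluator with the rule values taken from the slides, while the rule encoding, the Endpoint record and the role-to-network table are assumptions of the example.

```python
from dataclasses import dataclass
# Added example (not from the deck): PDP-style check of the slides'
# Client Rules. The rule encoding is an assumption; values are the slides'.
@dataclass
class Endpoint:
    os: str                        # reported OS, e.g. "Windows XP"
    service_pack: str              # e.g. "SP2"
    hotfixes: frozenset = frozenset()
    antivirus: str = ""            # product and version as reported
    firewall_running: bool = False

UNIFORM_RULES = {
    "os": "Windows XP", "service_pack": "SP2",
    "hotfixes": {"OSHotFix 2499", "OSHotFix 9288"},
    "av_one_of": {"Symantec AV 10.1", "McAfee Virus Scan 8.0"},  # any one
}
FINANCE_RULES = {
    "os": "Windows XP", "service_pack": None,  # None: any service pack
    "hotfixes": {"OSHotFix 9345", "OSHotFix 8834"},
    "av_one_of": {"Symantec AV 10.1"},
}
ROLE_POLICIES = {  # role -> (network granted when healthy, rules to meet)
    "faculty": ("Research Network", UNIFORM_RULES),
    "finance": ("Finance Network", FINANCE_RULES),
}

def health_failures(ep: Endpoint, rules: dict) -> list:
    """Return the violated rules; an empty list means compliant."""
    failures = []
    if ep.os != rules["os"]:
        failures.append(f"OS must be {rules['os']}")
    if rules["service_pack"] and ep.service_pack != rules["service_pack"]:
        failures.append(f"requires {rules['service_pack']}")
    failures += [f"missing {fix}" for fix in sorted(rules["hotfixes"] - ep.hotfixes)]
    if ep.antivirus not in rules["av_one_of"]:
        failures.append("approved anti-virus not running")
    if not ep.firewall_running:            # a personal firewall is always required
        failures.append("personal firewall not running")
    return failures

def decide(ep: Endpoint, role: str) -> str:
    """PDP decision: guests get Internet only; others need a healthy endpoint."""
    if role == "guest":
        return "Guest Network (Internet Only)"
    network, rules = ROLE_POLICIES.get(role, ("Production Network", UNIFORM_RULES))
    return network if not health_failures(ep, rules) else "Remediation Network"

# Constructed endpoints mirroring the two systems on the Uniform Policy slide.
NONCOMPLIANT = Endpoint("Windows XP", "SP2", frozenset(), "McAfee Virus Scan 8.0", True)
COMPLIANT = Endpoint("Windows XP", "SP2", frozenset({"OSHotFix 2499", "OSHotFix 9288"}), "Symantec AV 10.1", True)
```

The failure list is what a remediation network would hand back to the user; a real PDP would also apply the behaviour rule from the sample policy, which this check does not model.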
TPM Integrity Check
[Diagram: Access Requester (AR) with a TPM, Policy Enforcement Point (PEP) at the Network Perimeter, Policy Decision Point (PDP); a Compliant System whose BIOS, OS, Drivers and Anti-Virus Software are TPM Verified is admitted to the Production Network]
TPM – Trusted Platform Module
- Hardware module built into most of today’s PCs
- Enables a hardware Root of Trust
- Measures critical components during trusted boot
- PTS interface allows PDP to verify configuration and remediate as necessary
Client Rules
- BIOS
- OS
- Drivers
- Anti-Virus Software

Foiling Root Kits with TPM and TNC
Solves the critical “lying endpoint problem”
• User or rootkit causes endpoint to lie about health
TPM Measures Software in Boot Sequence
• Hash software into PCR before running it
• PCR value cannot be reset except via hard reboot
During TNC Handshake...
• PTS-IMV engages in crypto handshake with TPM
• TPM securely sends PCR value to PTS-IMV
• PTS-IMV compares to good configs
• If not listed, endpoint is quarantined and remediated

Why TNC?
Open standards
• Supports multi-vendor compatibility
• Enables customer choice
• Allows open technical review for better security
Supports Existing Networks
• wired and wireless, 802.1X and non-802.1X, firewalls, IPsec and SSL VPNs, dialup, etc.
Supports Optional Trusted Platform Module
• Basis for trusted endpoint
• Solves critical problem with existing products: root kits
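The two TPM slides above rest on one property: a PCR can only be extended, never rewound, so a rootkit that loads during boot changes the value the PTS-IMV sees. The following is an added example, not code from the deck or from the TCG specifications: it models the TPM 1.2 extend operation (new PCR = SHA-1 of old PCR followed by the component's SHA-1 digest) and the PTS-IMV comparison against known-good configurations. The boot images are constructed stand-ins, and the signed transport of the PCR value to the PTS-IMV is assumed rather than modelled.

```python
import hashlib

# Simplified model (added example, not TCG reference code) of a TPM 1.2
# PCR: it starts as 20 zero bytes and each boot component is hashed into
# it before that component runs:
#     PCR_new = SHA-1(PCR_old || SHA-1(component))
# The chain is one-way and order-dependent; only a reboot clears it.
PCR_INITIAL = bytes(20)

def extend(pcr: bytes, component: bytes) -> bytes:
    """Return the PCR value after extending it with one component image."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Extend a fresh PCR with every component in boot order."""
    pcr = PCR_INITIAL
    for image in components:
        pcr = extend(pcr, image)
    return pcr

# Constructed stand-ins for the slide's boot sequence
# (BIOS, OS, Drivers, Anti-Virus Software).
GOOD_BOOT = [b"BIOS v1.2", b"OS kernel build 2600", b"driver pack 7", b"av-engine 10.1"]
# Same sequence, but the driver image was modified before boot.
TAMPERED_BOOT = [b"BIOS v1.2", b"OS kernel build 2600", b"driver pack 7 (modified)", b"av-engine 10.1"]

# What the PTS-IMV holds: PCR values of the approved configurations.
KNOWN_GOOD_PCRS = {measure_boot(GOOD_BOOT)}

def pdp_decision(reported_pcr: bytes) -> str:
    """PTS-IMV step from the slide: listed -> production, else quarantine."""
    return "production" if reported_pcr in KNOWN_GOOD_PCRS else "quarantine"

if __name__ == "__main__":
    print("clean boot   :", pdp_decision(measure_boot(GOOD_BOOT)))
    print("tampered boot:", pdp_decision(measure_boot(TAMPERED_BOOT)))
    # The same images loaded in a different order also fail the check.
    print("reordered    :", pdp_decision(measure_boot(GOOD_BOOT[::-1])))
```

A software-only health agent can be made to report "healthy" by code that loaded before it; the PCR cannot, because the tampered image was already hashed into it before it ran.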
TNC Architecture in Detail
[Diagram: the three roles of the architecture with the components and interfaces listed below]
Access Requester (AR)
• Integrity Measurement Collectors (IMC)
• TNC Client (TNCC)
• Network Access Requestor
• Platform Trust Service (PTS), TSS, TPM
Policy Enforcement Point (PEP)
• Policy Enforcement Point (PEP)
Policy Decision Point (PDP)
• Integrity Measurement Verifiers (IMV)
• TNC Server (TNCS)
• Network Access Authority
Interfaces
• IF-M: IMC to IMV
• IF-IMC: IMC to TNC Client
• IF-IMV: IMV to TNC Server
• IF-TNCCS: TNC Client to TNC Server
• IF-T: Network Access Requestor to Network Access Authority
• IF-PEP: Policy Enforcement Point to Network Access Authority
• IF-PTS: Platform Trust Service (over TSS and the TPM) to the AR’s TNC software

TNC Status
TNC Architecture and all specs released
• IF-IMC, IF-IMV, IF-PEP for RADIUS, IF-PTS, IF-TNCCS, IF-T for Tunneled EAP Methods
• Freely Available from TCG web site
Rapid Specification Development Continues
• New Specifications, Enhancements
Number of Members and Products Growing Rapidly
Compliance and Interoperability Testing and Certification effort under way

TNC Vendor Support
[Diagram: vendor logos grouped under each architecture role]
• Access Requester (AR): Endpoint – Supplicant/VPN Client, etc.
• Policy Enforcement Point (PEP): Network Device – FW, Switch, Router, Gateway
• Policy Decision Point (PDP): AAA Server – Radius, Diameter, IIS, etc.

TNC/NAP Interoperability
[Diagram: a NAP or TNC Client speaks IF-TNCCS-SOH through Switches, APs, Appliances, Servers, etc. to a NAP or TNC Server]
IF-TNCCS-SOH Standard Enables Client-Server Interoperability between NAP and TNC
• NAP servers can health check TNC clients without extra software
• NAP clients can be health checked by TNC servers without extra software
• As long as all parties implement the open IF-TNCCS-SOH standard
Availability
• Built into Windows Vista, Windows Server 2008, Windows XP SP 3
• Unix clients shipping from Avenda Systems and UNETsystem
• Other TNC vendors planning to ship support in 1H 2008
Implications
• Finally, an agreed-upon open standard client-server NAC protocol
• True client-server interoperability (like web browsers and servers) is here
• Industry (except Cisco) has agreed on TNC standards for NAC

NAP Vendor Support
[Diagram: vendor logos]

IETF and TNC
IETF NEA WG
• Goal: Universal Agreement on NAC Protocols
• Co-Chaired by Cisco rep and TNC-WG Chair
• Adopted TNC specs as WG drafts
  - PA-TNC and PB-TNC
  - Equivalent to IF-M 1.0 and IF-TNCCS 2.0
• Cisco Engineer will Co-Edit

What About Open Source?
Lots of open source support for TNC
• University of Applied Arts and Sciences in Hannover, Germany (FHH)
  - http://tnc.inform.fh-hannover.de
• libtnc
  - https://sourceforge.net/projects/libtnc
• OpenSEA 802.1X supplicant
  - http://www.openseaalliance.org
• FreeRADIUS
  - http://www.freeradius.org
TCG support for these efforts
• Free Liaison Memberships
• Open source licensing of TNC header files
Moving Beyond NAC – Future Vision
Trusted Devices
• Trusted hardware and secure software provide trustworthy clients
Access Control
• Secure and reliable access to any service from any device across any network (in accordance with policy)
Coordinated Security
• Security systems cooperate through open standards to provide strong, autonomic, and efficient security at lower cost and complexity
Policy
• Security policies defined in business terms apply across all security systems
• Good tools for defining and analyzing policies

TCG – Working Toward The Future
Trusted Devices
• TPM – open standards for trusted hardware
• TSS and PTS – open standards for secure software (not enough)
Access Control
• TNC – working on broader access control standards
Coordinated Security
• New IF-MAP standard addresses this directly (see next slide)
Policy
• Important area for future work

IF-MAP – Problems to Be Solved
Manage unresponsive endpoints
• Printers, phones, other embedded devices
• Guest, student, and other systems with no NAC capability
Monitor endpoint behavior
• Detect and respond to unacceptable use
Integrate Security Systems
• Enable coordinated and automatic response
• Share information to improve security

TNC Architecture with IF-MAP
[Diagram: the TNC architecture of the earlier slides (IMC and IMV over IF-M, TNC Client and TNC Server over IF-TNCCS, IF-IMC, IF-IMV, IF-PTS, IF-T and IF-PEP, with PTS, TSS and TPM on the Access Requestor) extended with a Metadata Access Point; the Policy Decision Point, the Policy Enforcement Point, and Flow Controllers, Sensors, etc. acting as non-edge Policy Enforcement Points all connect to the Metadata Access Point over IF-MAP]
Examples of each component in the IF-MAP architecture diagram
• Access Requestor: laptops, mobile devices, other endpoints running TNC clients
• Policy Enforcement Point (PEP): 802.1X switches, VPN gateways, edge firewalls
• Policy Decision Point (PDP): RADIUS servers, VPN controllers, policy servers
• Metadata Access Point: IF-MAP servers
• Flow Controllers, Sensors, etc. (non-edge Policy Enforcement Points): IDP/IDS systems, directories, DHCP servers, internal firewalls, SIM/SEM servers

IF-MAP Use Cases
PDP publishes info on new user & device to IF-MAP server
• IDS and NBAD use this info to adjust their settings (e.g. P2P allowed)
• Flow controller (e.g. interior firewall) uses info to adjust access controls
• PDP and flow controller subscribe to updates on user or device
IDS publishes event to an IF-MAP server
• Device X is attacking device Y
• PDP and/or flow controller receive notification of event
• They can respond by quarantining device X, warning user, etc.
PDP detects new unknown clientless device Z
• PDP posts info to IF-MAP server, subscribes to updates
• DHCP server, endpoint profiler, etc. publish info on device
• PDP receives notification, grants appropriate access

IF-MAP Benefits
Lower deployment and operating costs
• Integration of existing systems and investments
• Fewer false alarms since policies are tuned
Reduced deployment and operating complexity
• Standards based integration
• Automated responses
Stronger security
• Responses to both managed and unmanaged endpoints
• Management of the complete lifecycle of a network endpoint
• Coordinated response across many products
• Policies tuned per user or group
Better policies and reports
• Based on usernames and roles instead of IP addresses
Benefits of open standards
• Avoid vendor lock-in
• Reduce costs through competition
• Choose best products for each job
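The first two IF-MAP use cases above are a publish/subscribe exchange between a PDP, an IDS and a flow controller through a Metadata Access Point. The following is an added example, not code from the deck and not the IF-MAP wire protocol (which carries typed identifiers and metadata over SOAP/XML): an in-memory model in which the MapServer and FlowController classes, the metadata types "access-request" and "event", and the device names are all constructed for the example.

```python
from collections import defaultdict

# Added example, not from the deck or the IF-MAP specification: an
# in-memory model of the publish/subscribe pattern behind the IF-MAP
# use cases. Real IF-MAP carries typed identifiers and metadata over
# SOAP/XML; here identifiers are strings and the MAP server is a class.

class MapServer:
    """Holds metadata per identifier and notifies subscribers on publish."""
    def __init__(self):
        self.metadata = defaultdict(list)       # identifier -> [(type, attrs)]
        self.subscriptions = defaultdict(list)  # identifier -> [callback]

    def publish(self, identifier, meta_type, **attrs):
        self.metadata[identifier].append((meta_type, attrs))
        for notify in self.subscriptions[identifier]:
            notify(identifier, meta_type, attrs)

    def subscribe(self, identifier, callback):
        # Like an IF-MAP subscription, deliver the current state first,
        # then every later publish on this identifier.
        self.subscriptions[identifier].append(callback)
        for meta_type, attrs in self.metadata[identifier]:
            callback(identifier, meta_type, attrs)

class FlowController:
    """Interior firewall from the slide: tunes rules per role, quarantines attackers."""
    def __init__(self, name):
        self.name, self.quarantined, self.log = name, set(), []

    def on_update(self, identifier, meta_type, attrs):
        if meta_type == "access-request":       # PDP published user & device
            self.log.append(f"{identifier}: rules tuned for role {attrs['role']}")
        elif meta_type == "event" and attrs.get("action") == "attack":
            self.quarantined.add(identifier)    # IDS: "Device X is attacking Y"
            self.log.append(f"{identifier}: quarantined, attacked {attrs['target']}")

def run_scenario():
    """Replays the first two IF-MAP use cases on the slide with constructed data."""
    mapsrv, fw = MapServer(), FlowController("interior-fw")
    mapsrv.publish("device-X", "access-request", user="ken", role="faculty")
    mapsrv.subscribe("device-X", fw.on_update)   # flow controller subscribes
    mapsrv.publish("device-X", "event", action="attack", target="device-Y")
    return fw

if __name__ == "__main__":
    print("\n".join(run_scenario().log))
```

The point the slide makes about roles instead of IP addresses shows up in the log: the flow controller acts on "device-X" and its role, and never needs to know the device's address.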
IF-MAP Status
IF-MAP Specification published April 28, 2008
• Available at http://www.trustedcomputinggroup.org/groups/network
• Free to implement
Strong interest among customers, vendors, press, analysts, and open source implementers
Demonstrations in TCG booth at Interop Vegas 2008
Builds on existing standards (XML, SOAP, HTTP, SSL)
• Ongoing alignment work with Open Group and MITRE on event format
Work continues to expand and improve IF-MAP
Products to follow

How can you participate in TCG/TNC?
Review TCG/TNC specs and materials
• Available at http://www.trustedcomputinggroup.org
• Free to implement
Try deployments of TCG/TNC technology
• Commercial or open source
Contribute to open source implementations
Start related research projects
Apply for Mentor or Invited Expert status
• Mentor status supports researchers with advice (no NDA)
• Invited Expert status makes you a full TCG participant
• Josh Howlett of JANET is an Invited Expert

Thanks to Academic Community
Higher education pioneered most of these concepts
• Trusted computing
• Access control & NAC
• Coordinated security
• Policy
“If I have seen further it is by standing on the shoulders of Giants.” – Sir Isaac Newton

Summary
Network Access Control (NAC) has clear benefits
• Controlling access to critical networks
• Detecting and fixing unhealthy endpoints
• Monitoring and addressing endpoint behavior
Open Standards Required for NAC
• Many, Many Products Involved
TNC = Open Standards for NAC
Many Advances in Network Security Coming
• Trusted Devices, Access Control, Coordinated Security, Policy
TCG Welcomes Your Input
For More Information
TCG Web Site
• https://www.trustedcomputinggroup.org
TNC Co-Chairs
• Steve Hanna, email: shanna@juniper.net, Blog: http://www.gotthenac.com
• Paul Sangster, email: Paul_Sangster@symantec.com