Slides - TERENA Networking Conference 2008

Download Report

Transcript Slides - TERENA Networking Conference 2008

Network Access Control and Beyond
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Security Problems of Open Networks
Critical data at risk
As Access Increases
Sensitive information,
mission-critical network
Mobile and remote
devices and users
Unmanaged or
ill-managed endpoints
Network can become
unreliable
Perimeter security
ineffective
Endpoint infections
may proliferate
Network Security Decreases
Student, faculty, staff,
and/or guest access
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Network Access Control Solutions
Features
 Control Access
• to critical resources
• to entire network
 Based on
• User identity and role
• Endpoint identity and health
• Other factors
 With
• Remediation
• Management
Benefits
 Consistent Access Controls
 Reduced Downtime
• Healthier endpoints
• Fewer outbreaks
 Safe Remote Access
 Safe Access for
• Students
• Faculty
• Staff
• Guests
Network access control must be a key component of every network!
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Sample Network Access Control Policy
To Access the Production Network...
1. User Must Be Authenticated
•
With Identity Management System
2. Endpoint Must Be Healthy
•
•
•
•
Anti-Virus software running and properly configured
Recent scan shows no malware
Personal Firewall running and properly configured
Patches up-to-date
3. Behavior Must Be Acceptable
•
No port scanning, sending spam
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
State of Network Access Control
 Many products and open source implementations
 Several approaches
•
•
•
•
•
MAC registration – accountability
Identity – block unauthorized users
Endpoint health – detect and fix unhealthy endpoints
Behavior – track and block unauthorized behavior
Combination of the above
 Convergence on one architecture and standards
• TNC = Trusted Network Connect
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
What is Trusted Network Connect (TNC)?
 Open Architecture for Network Access Control
 Suite of Standards to Ensure Interoperability
 Work Group in Trusted Computing Group
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Architecture Overview
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Wireless
Wired
Network
Perimeter
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Typical TNC Deployments
 Uniform Policy
 User-Specific Policies
 TPM Integrity Check
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Uniform Policy
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Remediation
Network
Non-compliant System
Windows XP
 SP2
x OSHotFix 2499
x OSHotFix 9288
 AV - McAfee Virus Scan 8.0
 Firewall
Production
Network
Compliant System
Windows XP
 SP2
 OSHotFix 2499
 OSHotFix 9288
 AV – Symantec AV 10.1
 Firewall
Copyright © 2008 Juniper Networks, Inc.
Network
Perimeter
Client Rules
Windows XP
- SP2
- OSHotFix 2499
- OSHotFix 9288
- AV (one of)
- Symantec AV 10.1
- McAfee Virus Scan 8.0
- Firewall
www.juniper.net
‹#›
User-Specific Policies
Access
Requester (AR)
Guest
User
Ken –
Faculty
Linda –
Finance
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Guest
Network
Internet Only
Research
Network
Access Policies
- Authorized Users
- Client Rules
Finance
Network
Windows XP
 OSHotFix 9345
 OSHotFix 8834
 AV – Symantec AV 10.1
 Firewall
Copyright © 2008 Juniper Networks, Inc.
Network
Perimeter
www.juniper.net
‹#›
TPM Integrity Check
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
TPM – Trusted Platform Module
- Hardware module built into most
of today’s PCs
- Enables a hardware Root of Trust
- Measures critical components
during trusted boot
- PTS interface allows PDP to
verify configuration and remediate
as necessary
Production
Network
Compliant System
TPM Verified
 BIOS
 OS
 Drivers
 Anti-Virus Software
Copyright © 2008 Juniper Networks, Inc.
Client Rules
- BIOS
- OS
- Drivers
- Anti-Virus Software
Network
Perimeter
www.juniper.net
‹#›
Foiling Root Kits with TPM and TNC
 Solves the critical “lying endpoint problem”
• User or rootkit causes endpoint to lie about health
 TPM Measures Software in Boot Sequence
• Hash software into PCR before running it
• PCR value cannot be reset except via hard reboot
 During TNC Handshake...
•
•
•
•
PTS-IMV engages in crypto handshake with TPM
TPM securely sends PCR value to PTS-IMV
PTS-IMV compares to good configs
If not listed, endpoint is quarantined and remediated
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Why TNC?
 Open standards
• Supports multi-vendor compatibility
• Enables customer choice
• Allows open technical review for better security
 Supports Existing Networks
• wired and wireless, 802.1X and non-802.1X, firewalls,
IPsec and SSL VPNs, dialup, etc.
 Supports Optional Trusted Platform Module
• Basis for trusted endpoint
• Solves critical problem with existing products: root kits
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Architecture in Detail
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
(IF-M)
t Collector
IntegrityCollector
Measurement
Collectors (IMC)
Verifers
Integrity Verifiers
Measurement
Verifiers (IMV)
(IF-IMC)
(IF-IMV)
(IF-TNCCS)
TNC Server
(TNCS)
TNC Client (TNCC)
(IF-PTS)
Platform Trust
Service (PTS)
TSS
(IF-T)
Network
Access
Requestor
(IF-PEP)
Policy
Enforcement
Point (PEP)
Network Access
Authority
TPM
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Status
 TNC Architecture and all specs released
• IF-IMC, IF-IMV, IF-PEP for RADIUS, IF-PTS,
IF-TNCCS, IF-T for Tunneled EAP Methods
• Freely Available from TCG web site
 Rapid Specification Development Continues
• New Specifications, Enhancements
 Number of Members and Products
Growing Rapidly
 Compliance and Interoperability Testing and
Certification effort under way
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Vendor Support
Access
Requester (AR)
Policy Enforcement
Point (PEP)
Policy Decision Point
(PDP)
Endpoint
Supplicant/VPN Client, etc.
Network Device
FW, Switch, Router, Gateway
AAA Server, Radius,
Diameter, IIS, etc.
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC/NAP Interoperability
IF-TNCCS-SOH
NAP or TNC
Client
Switches, APs, Appliances, Servers, etc.
NAP or TNC
Server
 IF-TNCCS-SOH Standard Enables Client-Server Interoperability between NAP and TNC
• NAP servers can health check TNC clients without extra software
• NAP clients can be health checked by TNC servers without extra software
• As long as all parties implement the open IF-TNCCS-SOH standard
 Availability
• Built into Windows Vista, Windows Server 2008, Windows XP SP 3
• Unix clients shipping from Avenda Systems and UNETsystem
• Other TNC vendors planning to ship support in 1H 2008
 Implications
• Finally, an agreed-upon open standard client-server NAC protocol
• True client-server interoperability (like web browsers and servers) is here
• Industry (except Cisco) has agreed on TNC standards for NAC
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
NAP Vendor Support
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
IETF and TNC
 IETF NEA WG
• Goal: Universal Agreement on NAC Protocols
• Co-Chaired by Cisco rep and TNC-WG Chair
• Adopted TNC specs as WG drafts
• PA-TNC and PB-TNC
• Equivalent to IF-M 1.0 and IF-TNCCS 2.0
• Cisco Engineer will Co-Edit
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
What About Open Source?
 Lots of open source support for TNC
• University of Applied Arts and Sciences in Hannover, Germany
(FHH)
• http://tnc.inform.fh-hannover.de
• libtnc
• https://sourceforge.net/projects/libtnc
• OpenSEA 802.1X supplicant
• http://www.openseaalliance.org
• FreeRADIUS
• http://www.freeradius.org
 TCG support for these efforts
• Free Liaison Memberships
• Open source licensing of TNC header files
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Moving Beyond NAC – Future Vision
 Trusted Devices
• Trusted hardware and secure software provide trustworthy clients
 Access Control
• Secure and reliable access to any service from any device across
any network (in accordance with policy)
 Coordinated Security
• Security systems cooperate through open standards to provide
strong, autonomic, and efficient security at lower cost and
complexity
 Policy
• Security policies defined in business terms apply across all
security systems
• Good tools for defining and analyzing policies
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TCG – Working Toward The Future
 Trusted Devices
• TPM – open standards for trusted hardware
• TSS and PTS – open standards for secure software (not enough)
 Access Control
• TNC – working on broader access control standards
 Coordinated Security
• New IF-MAP standard addresses this directly (see next slide)
 Policy
• Important area for future work
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
IF-MAP – Problems to Be Solved
 Manage unresponsive endpoints
• Printers, phones, other embedded devices
• Guest, student, and other systems with no NAC
capability
 Monitor endpoint behavior
• Detect and respond to unacceptable use
 Integrate Security Systems
• Enable coordinated and automatic response
• Share information to improve security
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
TNC Architecture with IF-MAP
Access Requestor
t
Integrity Measurement
Collector
Collector
Collectors (IMC)
Policy Enforcement
Point
IF-MAP
IF-M
Integrity Measurement
Verifiers
Verifiers
Verifiers (IMV)
IF-IMC
TNC Client
(TNCC)
Flow Controllers,
Sensors, etc.
Metadata Access
Point
Policy Decision
Point
IF-IMV
IF-TNCCS
TNC Server
(TNCS)
IF-MAP
Network Access
Authority
IF-MAP
IF-MAP
Meta-data
Access Point
Non-edge
Policy
Flow Controllers,
Verifiers
Verifiers
Enforcement
Sensors,
etc.
Points
IF-PTS
IF-T
Platform Trust
Service (PTS)
Network
Access
Requestor
TSS
Policy
Enforcement
Point (PEP)
IF-PEP
IF-MAP
TPM
Laptops, mobile,
devices,
other endpoints
running TNC clients
Copyright © 2008 Juniper Networks, Inc.
802.1X
switches,
VPN
gateways,
edge firewalls
RADIUS
servers,
VPN
controllers,
policy servers
IF-MAP servers IDP/IDS systems,
directories,
DHCP servers,
internal firewalls,
SIM/SEM servers
www.juniper.net
‹#›
IF-MAP Use Cases
 PDP publishes info on new user & device to IF-MAP server
• IDS and NBAD use this info to adjust their settings (e.g. P2P allowed)
• Flow controller (e.g. interior firewall) uses info to adjust access controls
• PDP and flow controller subscribe to updates on user or device
 IDS publishes event to an IF-MAP server
• Device X is attacking device Y
• PDP and/or flow controller receive notification of event
• They can respond by quarantining device X, warning user, etc.
 PDP detects new unknown clientless device Z
• PDP posts info to IF-MAP server, subscribes to updates
• DHCP server, endpoint profiler, etc. publish info on device
• PDP receives notification, grants appropriate access
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
IF-MAP Benefits
 Lower deployment and operating costs
• Integration of existing systems and investments
• Fewer false alarms since policies are tuned
 Reduced deployment and operating complexity
• Standards based integration
• Automated responses
 Stronger security
•
•
•
•
Responses to both managed and unmanaged endpoints
Management of the complete lifecycle of a network endpoint
Coordinated response across many products
Policies tuned per user or group
 Better policies and reports
• Based on usernames and roles instead of IP addresses
 Benefits of open standards
• Avoid vendor lock-in
• Reduce costs through competition
• Choose best products for each job
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
IF-MAP Status
 IF-MAP Specification published April 28, 2008
• Available at http://www.trustedcomputinggroup.org/groups/network
• Free to implement
 Strong interest among customers, vendors, press, analysts, and
open source implementers
 Demonstrations in TCG booth at Interop Vegas 2008
 Builds on existing standards (XML, SOAP, HTTP, SSL)
• Ongoing alignment work with Open Group and MITRE on event format
 Work continues to expand and improve IF-MAP
 Products to follow
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
How can you participate in TCG/TNC?
 Review TCG/TNC specs and materials
• Available at http://www.trustedcomputinggroup.org
• Free to implement
 Try deployments of TCG/TNC technology
• Commercial or open source
 Contribute to open source implementations
 Start related research projects
 Apply for Mentor or Invited Expert status
• Mentor status supports researchers with advice (no NDA)
• Invited Expert status makes you a full TCG participant
• Josh Howlett of JANET is an Invited Expert
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Thanks to Academic Community
 Higher education pioneered most of these
concepts
•
•
•
•
Trusted computing
Access control & NAC
Coordinated security
Policy
“If I have seen further it is by standing on the
shoulders of Giants.”
-Sir Isaac Newton
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
Summary
 Network Access Control (NAC) has clear benefits
• Controlling access to critical networks
• Detecting and fixing unhealthy endpoints
• Monitoring and addressing endpoint behavior
 Open Standards Required for NAC
• Many, Many Products Involved
 TNC = Open Standards for NAC
 Many Advances in Network Security Coming
• Trusted Devices, Access Control, Coordinated Security, Policy
 TCG Welcomes Your Input
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›
For More Information
 TCG Web Site
• https://www.trustedcomputinggroup.org
 TNC Co-Chairs
Steve Hanna
email: [email protected]
Blog: http://www.gotthenac.com
Paul Sangster
email: [email protected]
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
‹#›