Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners.
Presentation transcript:

Slide #1: Trusted Network Connect: Open Standards for NAC

Slide #2: Trusted Network Connect (TNC)
Open Architecture for Network Access Control
 – Strong security through trusted computing
Open Standards for Network Access Control
 – Full set of specifications
 – Products shipping for more than two years
Work Group of Trusted Computing Group
 – Industry standards group
 – About 175 TCG member organizations, 75 in TNC-WG
 – More joining every week

Slide #3: Problem: Reduce Endpoint Attacks
Increasingly Sophisticated and Serious Attacks
 – Malware = Viruses, Worms, Spyware, Rootkits, Back Doors, Botnets
 – Zero-Day Exploits
 – Targeted Attacks
 – Rapid Infection Speed
Exponential Growth in Malware
 – >40,000,000 Infected Machines
 – >35,000 Malware Varieties
Motivated Attackers
 – Extortion, Identity Theft, Bank Fraud, Corporate Espionage
Dissolving Network Boundaries
 – Mobile workforce, partners, contractors, outsourcing
Regulatory Requirements
 – Mandatory Policy Compliance

Slide #4: Solution: Network Access Control
Create Network Access Control Policy
Require Compliance for Network Access (or Log and Advise)
Isolate and Repair Non-Compliant Endpoints
Optional Integration with TPM to
 – Identify Users
 – Thwart Root Kits

Slide #5: Sample Network Access Control Policy
Machine Health
 – Anti-Virus software running and properly configured
 – Recent scan shows no malware
 – Personal Firewall running and properly configured
 – Patches up-to-date
 – No unauthorized software
Machine Behavior
 – No port scanning, sending spam, etc.
Other Organization-Defined Requirements

Slide #6: TNC Architecture (diagram; only the label "VPN" survives in the transcript)

Slide #7: Typical TNC Deployments
 – Uniform Policy
 – User-Specific Policies
 – TPM Integrity Check

Slide #8: Uniform Policy (diagram: Access Requestor, Policy Decision Point, Policy Enforcement Point; Production Network and Remediation Network)
Client Rules
 – Windows XP SP2
 – OSHotFix 2499
 – OSHotFix 9288
 – AV (one of): Symantec AV 10.1, McAfee Virus Scan 8.0
 – Firewall
Compliant System
 – Windows XP SP2
 – OSHotFix 2499
 – OSHotFix 9288
 – AV - Symantec AV 10.1
 – Firewall
Non-compliant System
 – Windows XP SP2
 – x OSHotFix 2499
 – x OSHotFix 9288
 – AV - McAfee Virus Scan 8.0
 – Firewall
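The decision a Policy Decision Point makes for the sample policy (Slide #5) and the Uniform Policy Client Rules (Slide #8), as an added example that is not part of the TCG deck: the two endpoint reports are constructed to mirror the compliant and non-compliant systems on the slide, and the field names of the report are assumptions.

```python
from dataclasses import dataclass, field

# Client Rules from the Uniform Policy slide.
POLICY = {
    "os": "Windows XP SP2",
    "hotfixes": {"OSHotFix 2499", "OSHotFix 9288"},
    "av_one_of": {"Symantec AV 10.1", "McAfee Virus Scan 8.0"},
    "firewall": True,
}

@dataclass
class EndpointReport:
    """Health data the Access Requestor's IMCs send to the PDP's IMVs (constructed shape)."""
    os: str
    hotfixes: set = field(default_factory=set)
    av: str = ""
    firewall: bool = False

def evaluate(report: EndpointReport, policy: dict = POLICY) -> tuple:
    """PDP decision: returns (network, failures). Every rule must pass for the
    Production Network; any failure sends the endpoint to the Remediation
    Network together with the list the remediation server needs to fix it."""
    failures = []
    if report.os != policy["os"]:
        failures.append(f"os: expected {policy['os']}, got {report.os}")
    for fix in sorted(policy["hotfixes"] - report.hotfixes):
        failures.append(f"missing {fix}")
    if report.av not in policy["av_one_of"]:
        failures.append(f"av: {report.av or 'none'} not an approved product")
    if policy["firewall"] and not report.firewall:
        failures.append("firewall not running")
    network = "production" if not failures else "remediation"
    return network, failures

# Constructed reports mirroring the two systems on the slide: the second has
# the same OS and an approved AV product but lacks both required hotfixes.
COMPLIANT = EndpointReport("Windows XP SP2", {"OSHotFix 2499", "OSHotFix 9288"},
                           "Symantec AV 10.1", True)
NONCOMPLIANT = EndpointReport("Windows XP SP2", set(), "McAfee Virus Scan 8.0", True)

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        network, failures = evaluate(rep)
        print(f"{name}: {network} network", failures)
```

The failure list is what makes the "Isolate and Repair" step of Slide #4 actionable: the remediation network only needs to fix what is listed.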

Slide #9: User-Specific Policies (diagram: Access Requestor, Policy Decision Point, Policy Enforcement Point; Finance Network, R&D Network, Guest Network with Internet-only access)
Access Policies
 – Authorized Users
 – Client Rules
Users shown
 – Ken – R&D
 – Linda – Finance
 – Guest User
Endpoint configuration shown: Windows XP, OS Hotfix 9345, OS Hotfix 8834, AV - Symantec AV 10.1, Firewall

Slide #10: TPM Integrity Check (diagram: Access Requestor, Policy Decision Point, Policy Enforcement Point; Production Network)
Compliant System: TPM verified – BIOS, OS, Drivers, Anti-Virus SW
Client Rules: TPM enabled – BIOS, OS, Drivers, Anti-Virus SW
TPM – Trusted Platform Module
 – HW module built into most of today's PCs
 – Enables a HW Root of Trust
 – Measures critical components during trusted boot
 – PTS interface allows PDP to verify configuration and remediate as necessary

Slide #11: TNC Architecture (diagram)
Access Requestor: Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor, Platform Trust Service (PTS), TSS, TPM
Policy Decision Point: Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority
Policy Enforcement Point (PEP)
Interfaces
 – IF-M: IMC to IMV
 – IF-IMC: IMC to TNCC
 – IF-IMV: IMV to TNCS
 – IF-TNCCS: TNCC to TNCS
 – IF-T: Network Access Requestor to Network Access Authority
 – IF-PEP: Policy Decision Point to Policy Enforcement Point
 – IF-PTS: Platform Trust Service

Slide #12: Trusted Platform Module (TPM)
Security hardware on motherboard
 – Open specifications from TCG
 – Resists tampering & software attacks
Now included in almost all enterprise PCs
 – Off by default
Features
 – Secure key storage
 – Cryptographic functions
 – Integrity checking & remote attestation
Applications
 – Strong user and machine authentication
 – Secure storage
 – Trusted / secure boot
For TNC, most useful for detecting rootkits
 – Protects against the 'lying endpoint' problem
 – TPM measures critical components during trusted boot: BIOS, Boot Loader, OS Kernel, Kernel Drivers, TNCC, IMCs
 – PTS-IMC reports measurements via TNC handshake
 – PDP checks measurements against valid configurations
 – If invalid, PDP can remediate and isolate
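How the TPM Integrity Check of Slides #10 and #12 works end to end, as an added example that is not TCG's or any vendor's code: the PCR extend operation is simulated in software, the component images and their known-good hashes are constructed here, and the TPM's signature over the PCR (the quote) is assumed rather than implemented.

```python
import hashlib

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Simulated TPM PCR extend: PCR_new = SHA-1(PCR_old || measurement).
    Chaining means a later component cannot erase or rewrite an earlier one."""
    return sha1(pcr + measurement)

# Measurement order during trusted boot, as listed on the slide.
BOOT_CHAIN = ["BIOS", "Boot Loader", "OS Kernel", "Kernel Drivers", "TNCC", "IMCs"]

# Constructed component images: GOOD is the approved build, TAMPERED has a
# modified kernel driver standing in for a rootkit.
GOOD = {c: f"{c} v1".encode() for c in BOOT_CHAIN}
TAMPERED = dict(GOOD, **{"Kernel Drivers": b"Kernel Drivers v1 + rootkit"})

# PDP's valid-configuration table: known-good hashes per component (built from
# the approved images here; in practice supplied by vendors or a golden build).
KNOWN_GOOD = {c: {sha1(img)} for c, img in GOOD.items()}

def trusted_boot(images: dict) -> tuple:
    """Endpoint side: each image is hashed into the PCR before it runs. Returns
    the event log and final PCR value the PTS-IMC reports in the TNC handshake
    (a real TPM signs the PCR for the quote; signing is omitted here)."""
    pcr, log = bytes(20), []
    for comp in BOOT_CHAIN:
        m = sha1(images[comp])
        log.append((comp, m))
        pcr = extend(pcr, m)
    return log, pcr

def verify(log: list, quoted_pcr: bytes) -> list:
    """PDP side: replay the log and compare with the quoted PCR (catches a
    lying endpoint that edits its log), then check each measurement against
    the valid-configuration table (catches a modified component)."""
    problems, pcr = [], bytes(20)
    for comp, m in log:
        pcr = extend(pcr, m)
        if m not in KNOWN_GOOD.get(comp, set()):
            problems.append(f"{comp}: measurement not in valid configurations")
    if pcr != quoted_pcr:
        problems.append("event log does not match quoted PCR")
    return problems

def decide(images: dict) -> str:
    """PDP outcome for an endpoint that booted the given images."""
    log, pcr = trusted_boot(images)
    return "production" if not verify(log, pcr) else "remediation"
```

The second check is what a software-only health agent cannot give: a compromised endpoint can report a clean log, but it cannot make that log replay to the PCR value the TPM actually holds.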

Slide #13: TNC Vendor Support (diagram of supporting vendors)
 – Access Requestor: Endpoint – Supplicant/VPN Client, etc.
 – Policy Enforcement Point: Network Device – FW, Switch, Router, Gateway
 – Policy Decision Point: AAA Server – Radius, Diameter, IIS, etc.

Slide #14: Microsoft NAP Interoperability (diagram: NAP or TNC Client to NAP or TNC Server over IF-TNCCS-SOH, through switches, APs, appliances, servers, etc.)
IF-TNCCS-SOH Standard
 – Developed by Microsoft as Statement of Health (SoH) protocol
 – Donated to TCG by Microsoft
 – Adopted by TCG and published as a new TNC standard, IF-TNCCS-SOH
Enables Client-Server Interoperability between NAP and TNC
 – NAP servers can health check TNC clients without extra software
 – NAP clients can be health checked by TNC servers without extra software
 – As long as all parties implement the open IF-TNCCS-SOH standard
Availability
 – Demonstrations at Interop Las Vegas 2007 (May 2007)
 – Built into Windows Vista now
 – Coming in Windows Server 2008 and Windows XP SP 3
 – Coming in products from other TNC vendors in 1H 2008
Implications
 – Finally, an agreed-upon open standard client-server NAC protocol
 – True client-server interoperability (like web browsers and servers) is here
 – Industry (except Cisco) has agreed on TNC standards for NAC

Slide #15: Microsoft NAP Partners (now TNC) (logo slide)

Slide #16: TNC Advantages
Open standards
 – Non-proprietary – supports multi-vendor compatibility
 – Interoperability
 – Enables customer choice
 – Allows thorough and open technical review
Leverages existing network infrastructure
 – Excellent Return-on-Investment (ROI)
Roadmap for the future
 – Full suite of standards
 – Supports Trusted Platform Module (TPM)
Products supporting TNC standards shipping today
TNC certification and compliance program coming soon

Slide #17: What About Open Source?
Lots of open source support for TNC
 – University of Applied Arts and Sciences in Hannover, Germany (FHH)
 – libtnc
 – OpenSEA 802.1X supplicant
 – FreeRADIUS
TCG support for these efforts
 – Liaison Memberships
 – Open source licensing of TNC header files
Information about TNC implementations available at

Slide #18: What's Next for Network Security?
Agree on TNC Standards with ALL Parties
Universal Endpoint Support for NAC
 – Phones, PDAs, Printers, Cameras, etc.
 – Built-in Agent, Permanent Agent, Downloaded Agent, or No Agent
Extend Integration of Endpoint Security and Network Security
 – Today (NAC): Endpoint Security (anti-malware, patch management, etc.); AAA / Identity Management; Switches, Wireless APs & Management Systems (802.1X or not); Other Enforcement Mechanisms
 – Next Step for Integration: Intrusion Detection / Prevention; Vulnerability Scanning; Firewalls (Stateful & Stateless); VPN Gateways (SSL & IPsec); Any Security Component

Slide #19: For More Information
TNC Web Site
TNC Co-Chairs
 – Steve Hanna, Distinguished Engineer, Juniper Networks
 – Paul Sangster, Chief Security Standards Officer, Symantec