Open Standards for Network Access Control: Trusted Network Connect (TNC). Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential, www.juniper.net

Slide 1: Open Standards for Network Access Control: Trusted Network Connect (TNC)

Slide 2: What is Trusted Network Connect (TNC)?

 Trusted Network Connect, or TNC, is:
  - The name of a subgroup of the Trusted Computing Group (TCG)
  - An open network access control architecture
  - An open network access control standard
  - A means to ensure interoperability
  - From the Trusted Computing Group (TCG)

Slide 3: TNC in the TCG

TCG standards and work groups:
  - Applications: specifies a standard set of APIs for application vendors who want to use the TPM
  - Storage: focuses on standards for security services on dedicated storage systems
  - Mobile: enables trust for mobile devices, including mobile phones and PDAs
  - Servers: provides definitions, specifications and requirements for implementing TCG technology in servers
  - PC Client: provides common functionality, interfaces and security/privacy requirements for desktop and laptop clients, establishing a root of trust
  - Trusted Platform Module (TPM): specifies silicon that securely stores digital keys, certificates and passwords
  - Trusted Network Connect (TNC): ensures endpoint compliance with integrity policies at, and after, network connection
  - Infrastructure: defines the architectural framework and interfaces needed to bridge infrastructure gaps

Slide 4: Why Trusted Network Connect (TNC)?

 Provides open standards for network access control (NAC)
 Vendor-agnostic, multi-vendor compatibility
  - Supports heterogeneous network environments
 Reduces costs and deployment time
  - Leverages existing, installed products (software and hardware)
  - Empowers choice, an advantage over single-vendor lock-in
  - Enables selection of best-of-breed products
 Increases security
  - Thorough and open technical review of all standards
  - ALL endpoints are covered and secure
 Higher, faster Return on Investment (ROI)

Slide 5: Basic TNC Diagram

[Diagram: Access Requestor (AR), Policy Enforcement Point (PEP) shown as a VPN gateway, Policy Decision Point (PDP)]

Slide 6: TNC Architecture

[Diagram of the three TNC roles and the interfaces between them]
  - Access Requestor (AR): Integrity Measurement Collectors, TNC Client, Network Access Requestor (supplicant, VPN client, etc.)
  - Policy Enforcement Point (PEP): switch/firewall, firewall/VPN gateway
  - Policy Decision Point (PDP): Integrity Measurement Verifiers, TNC Server, Network Access Authority
  - Interfaces: IF-IMC (IMC to TNC Client), IF-IMV (IMV to TNC Server), IF-M (IMC to IMV), IF-TNCCS (TNC Client to TNC Server), IF-T (transport between AR and PDP), IF-PEP (PEP to Network Access Authority)

Slide 7: TNC Standards – Client

 AR = Access Requestor: entity attempting network access; can be a device, supplicant, etc.
 Integrity Measurement Collectors (IMCs)
  - Software component that measures security aspects of the AR's integrity, including AV parameters, FW status, software versions, etc.
  - Multiple IMCs can interact with one or more TNC Clients/Servers
 TNC Client
  - Software component running on the AR that aggregates integrity measurements from IMCs
  - Arranges reports on the local platform and IMC measurements
 Network Access Requestor (NAR)
  - Establishes network access; can be an 802.1X supplicant, VPN client, etc.
  - There can be several NARs on a single AR to handle connections to different networks

[Diagram: AR with TNC Client, Network Access Requestor (supplicant/VPN client, etc.) and Integrity Measurement Collectors]

Slide 8: TNC Standards – Enforcement

 PEP = Policy Enforcement Point: entity enforcing the network access decisions
 Policy Enforcement Point (PEP)
  - Controls network access
  - Consults the decision point, determines whether network access should be granted to the AR
  - Can be an 802.1X authenticator (802.1X switch, access point), firewall, VPN gateway, etc.

[Diagram: PEP as switch/firewall or firewall/VPN gateway]

Slide 9: TNC Standards – Server

 PDP = Policy Decision Point: entity that recommends and decides on the network access request from the AR
 Integrity Measurement Verifiers (IMVs)
  - Verify the AR's integrity based on measurements received from IMCs and/or other data
 TNC Server
  - Manages message flow between IMVs and IMCs, gathers IMV action recommendations, and combines those policy-based recommendations into an overall network access recommendation for the Network Access Authority (NAA)
 Network Access Authority (NAA)
  - Decides whether network access should be granted to the AR
  - Consults the TNC Server, determines whether the AR's integrity measurements comply with security policy
  - NAA can be part of an AAA server

[Diagram: PDP with Network Access Authority, Integrity Measurement Verifiers and TNC Server]

Slide 10: TNC Standards – Specifications/Protocols

 IF-M (IMC-IMV Messaging Protocol): specifies a standard way for the IMC and IMV to communicate
 IF-TNCCS (TNC Client Server Protocol): describes a standard way for the TNC Client and the TNC Server to exchange messages
 IF-T (Transport Protocol): specifies how the TNC Client Server Protocol (IF-TNCCS) should be carried over EAP tunneled methods
 IF-PEP (Policy Enforcement Point Protocol): details how to use RADIUS for communications between a Network Access Authority (typically a AAA/RADIUS server) and a Policy Enforcement Point (PEP)
 IF-IMC & IF-IMV (IMC/IMV Protocols): communications method for gathering integrity measurements from IMCs, delivering measurements to IMVs, and for messaging between IMCs and IMVs
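The decision flow of slides 7 to 10 (IMCs measure, IMVs verify, the TNC Server combines, the NAA decides, the PEP enforces) as an added Python model; this is example code, not from the slides or any TNC implementation. The policy values, the IMC/IMV names and the "most restrictive recommendation wins" combining rule are assumptions of the example; the three recommendation names follow the allow/isolate/no-access recommendations of the TCG IF-IMV specification.

```python
# Toy model of the TNC flow on slides 7-10: IMCs measure the AR, IMVs verify
# against policy, the TNC Server combines IMV results, the NAA instructs the PEP.
# Action recommendations, named after the three the TCG IF-IMV spec defines.
ALLOW, ISOLATE, NO_ACCESS = "allow", "isolate", "no_access"
SEVERITY = {ALLOW: 0, ISOLATE: 1, NO_ACCESS: 2}

# Constructed policy for this example (not from the slides).
POLICY = {"max_sig_age_days": 7, "min_os_build": 2600, "require_fw": True}
def collect_imc_measurements(ar_state):
    """TNC Client side: each IMC measures one aspect of the AR's integrity
    (AV parameters, firewall status, OS build) and reports it over IF-IMC."""
    return {
        "av_imc": {"installed": ar_state["av_installed"],
                   "sig_age_days": ar_state["av_sig_age_days"]},
        "fw_imc": {"enabled": ar_state["fw_enabled"]},
        "patch_imc": {"os_build": ar_state["os_build"]},
    }

def av_imv(m, policy):
    if not m["installed"]:
        return NO_ACCESS, "no anti-virus installed"
    if m["sig_age_days"] > policy["max_sig_age_days"]:
        return ISOLATE, "AV signatures stale; remediate"
    return ALLOW, "AV compliant"

def fw_imv(m, policy):
    if policy["require_fw"] and not m["enabled"]:
        return ISOLATE, "host firewall disabled; remediate"
    return ALLOW, "firewall compliant"

def patch_imv(m, policy):
    if m["os_build"] < policy["min_os_build"]:
        return ISOLATE, "OS build below minimum; patch required"
    return ALLOW, "patch level compliant"

# Each IMC's report is routed to its peer IMV (the IF-M pairing).
IMVS = {"av_imc": av_imv, "fw_imc": fw_imv, "patch_imc": patch_imv}
def tnc_server_recommendation(measurements, policy=POLICY):
    """TNC Server: run each IMV, then combine their recommendations. The
    combining rule (most restrictive wins) is an assumption of this example."""
    results = [IMVS[name](m, policy) for name, m in measurements.items()]
    overall = max((rec for rec, _ in results), key=SEVERITY.__getitem__)
    return overall, [why for rec, why in results if rec != ALLOW]

def naa_decision(ar_state):
    """NAA: consult the TNC Server and map the result to what the PEP enforces
    (full access, a remediation network, or a reject)."""
    overall, reasons = tnc_server_recommendation(collect_imc_measurements(ar_state))
    return {ALLOW: "grant", ISOLATE: "quarantine", NO_ACCESS: "deny"}[overall], reasons
```

The reasons list is what a real PDP would hand back for remediation, so a quarantined endpoint learns which IMV failed it rather than only that access was restricted.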

Slide 11: UAC/TNC/Partner Architecture

[Diagram mapping partner products onto the AR, PEP and PDP roles: AV / anti-spyware, patch management, classified data stores / apps, network perimeter, OAC with Infranet Agent (IA) or clientless IA, network infrastructure, Security Event Managers (SEMs), Juniper FW Enforcer, AAA servers, identity stores]

Slide 12: TNC, NAP & C-NAC

[Table comparing component names across TNC (green), NAP (yellow) and C-NAC (red); rows: Security Software, Integrity Client, Access Software, Policy Server, Integrity Server, Net Access Authority, Network Access Device. Cell labels: AV Clients, System Health Agents, TNC Client, Quarantine Agent, Trust Agent, Network Access Requester, Enforcement, Policy Servers, System Health Verifiers, AV Servers, TNC Server, Quarantine Server, ACS, AAA, RADIUS, Network Access Authority]

 TNC, NAP, C-NAC are NOT head-to-head competitors; they are simply different ways to attain network access control
 NAP, C-NAC = proprietary
 TNC = open standards = interoperable
 TNC-compliant products, like UAC, work with NAP and C-NAC products, but NOT the other way around!

Slide 13: Summary

 TNC is an open network access control architecture and standard
 TNC is NOT a dead-on competitor to NAP or C-NAC
  - TNC-compliant offerings work with NAP and C-NAC products because they are based on open, interoperable standards
 TNC delivers:
  - Vendor-agnostic, multi-vendor support for diverse, heterogeneous networking environments
  - Cost and deployment time reductions by leveraging installed products
  - An alternative to single-vendor lock-in
  - A thorough and open technical review of standards
  - The ability to cover and secure ALL endpoints
  - A higher, faster Return on Investment (ROI)
  - CHOICE!

Slide 14: For More Information

 TCG Web Site
 TNC Web Site

Slide 15: Thank You!