Copyright © 2008 Juniper Networks, Inc. www.juniper.net 1 Network Access Control and Beyond By Steve Hanna, Distinguished Engineer, Juniper Co-Chair, Trusted.

Presentation transcript:

Slide 1: Network Access Control and Beyond
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF

Slide 2: Security Problems of Open Networks
- Critical data at risk
- Network can become unreliable
- Perimeter security ineffective
- Endpoint infections may proliferate
Network security decreases as access increases:
- Sensitive information, mission-critical network
- Mobile and remote devices and users
- Unmanaged or ill-managed endpoints
- Student, faculty, staff, and/or guest access

Slide 3: Network Access Control Solutions
- Control access, to critical resources or to the entire network
- Based on: user identity and role; endpoint identity and health; other factors
- With remediation management features
Benefits:
- Consistent access controls
- Reduced downtime: healthier endpoints, fewer outbreaks
- Safe remote access
- Safe access for students, faculty, staff, guests
Network access control must be a key component of every network!

Slide 4: Sample Network Access Control Policy
To access the Production Network...
1. User must be authenticated with identity management system
2. Endpoint must be healthy:
   - Anti-virus software running and properly configured
   - Recent scan shows no malware
   - Personal firewall running and properly configured
   - Patches up-to-date
3. Behavior must be acceptable: no port scanning, no sending spam

Slide 5: State of Network Access Control
- Many products and open source implementations
- Several approaches:
  - MAC registration: accountability
  - Identity: block unauthorized users
  - Endpoint health: detect and fix unhealthy endpoints
  - Behavior: track and block unauthorized behavior
  - Combination of the above
- Convergence on one architecture and set of standards: TNC = Trusted Network Connect

Slide 6: What is Trusted Network Connect (TNC)?
- Open architecture for network access control
- Suite of standards to ensure interoperability
- Work group in Trusted Computing Group

Slide 7: TNC Architecture Overview
Diagram: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP); wireless and wired access crossing the network perimeter; FW and VPN shown at the perimeter, with the PDP behind them.

Slide 8: Typical TNC Deployments
- Uniform policy
- User-specific policies
- TPM integrity check

Slide 9: Uniform Policy
Diagram: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP) at the network perimeter; the PDP holds the client rules.
Client rules:
- Windows XP SP2
- OSHotFix 2499 and OSHotFix 9288 (hotfix numbers as shown for the compliant system)
- AV (one of): Symantec AV, McAfee Virus Scan
- Firewall
Non-compliant system (sent to the Remediation Network): Windows XP SP2; OSHotFix 2499 and OSHotFix 9288 missing (marked x); AV: McAfee Virus Scan 8.0; Firewall
Compliant system (admitted to the Production Network): Windows XP SP2; OSHotFix 2499; OSHotFix 9288; AV: Symantec AV 10.1; Firewall
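As an added illustration (not code from the deck, Juniper or TCG), the three rules of the sample policy on slide 4 and the client rules of the uniform policy on this slide, evaluated by a small PDP-style decision function in Python. The field names, the "No Access" outcome for bad behaviour and the two endpoint records are assumptions constructed to match the diagram.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Client rules from the Uniform Policy slide (values taken from the diagram).
REQUIRED_OS = ("Windows XP", "SP2")
REQUIRED_HOTFIXES = {"OSHotFix 2499", "OSHotFix 9288"}
ACCEPTED_AV = {"Symantec AV", "McAfee Virus Scan"}      # "AV (one of)"
# Unacceptable behaviour named on the Sample Policy slide.
BANNED_BEHAVIOR = {"port scanning", "sending spam"}

@dataclass
class AccessRequest:
    """What the PDP learns about one connection attempt (field names are ours)."""
    user: str
    authenticated: bool          # verdict from the identity management system
    os: str
    service_pack: str
    hotfixes: Set[str]
    antivirus: Optional[str]     # product name, or None if none installed
    av_running: bool
    last_scan_clean: bool
    firewall_running: bool
    observed_behavior: Set[str] = field(default_factory=set)

def health_failures(req: AccessRequest) -> List[str]:
    """Rule 2 (endpoint health): report every failed client rule, so the
    remediation network knows exactly what has to be fixed."""
    failures = []
    if (req.os, req.service_pack) != REQUIRED_OS:
        failures.append("os: need %s %s" % REQUIRED_OS)
    for hotfix in sorted(REQUIRED_HOTFIXES - req.hotfixes):
        failures.append("missing " + hotfix)
    if req.antivirus not in ACCEPTED_AV or not req.av_running:
        failures.append("anti-virus not running or not an accepted product")
    if not req.last_scan_clean:
        failures.append("recent scan found malware")
    if not req.firewall_running:
        failures.append("personal firewall not running")
    return failures

def decide(req: AccessRequest) -> Tuple[str, List[str]]:
    """Apply the three policy rules in order; return (network, reasons)."""
    if not req.authenticated:                                 # rule 1: identity
        return "No Access", ["user not authenticated"]
    failures = health_failures(req)                           # rule 2: health
    if failures:
        return "Remediation Network", failures
    bad = sorted(req.observed_behavior & BANNED_BEHAVIOR)     # rule 3: behaviour
    if bad:
        return "No Access", ["unacceptable behaviour: " + ", ".join(bad)]
    return "Production Network", []

# Constructed endpoints matching the two systems drawn on the slide.
COMPLIANT = AccessRequest("ken", True, "Windows XP", "SP2",
                          {"OSHotFix 2499", "OSHotFix 9288"}, "Symantec AV", True, True, True)
NON_COMPLIANT = AccessRequest("guest", True, "Windows XP", "SP2",
                              set(), "McAfee Virus Scan", True, True, True)
```

Calling decide(NON_COMPLIANT) returns the Remediation Network together with both missing hotfixes, which is the information the remediation step needs.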

Slide 10: User-Specific Policies
Diagram: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP) at the network perimeter; the PDP holds the access policies (authorized users, client rules).
Users shown: Guest User; Ken (Faculty) with an endpoint running Windows XP, OSHotFix 9345, OSHotFix 8834, AV Symantec AV 10.1, Firewall; Linda (Finance).
Networks shown: Guest Network (Internet only), Research Network, Finance Network.

Slide 11: TPM Integrity Check
Diagram: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP) at the network perimeter; the client rules cover BIOS, OS, drivers and anti-virus software. A compliant system whose BIOS, OS, drivers and anti-virus software are TPM verified is admitted to the Production Network.
TPM: Trusted Platform Module
- Hardware module built into most of today's PCs
- Enables a hardware Root of Trust
- Measures critical components during trusted boot
- PTS interface allows PDP to verify configuration and remediate as necessary

Slide 12: Foiling Root Kits with TPM and TNC
- Solves the critical "lying endpoint problem": user or rootkit causes endpoint to lie about health
- TPM measures software in boot sequence
  - Hash software into PCR before running it
  - PCR value cannot be reset except via hard reboot
- During TNC handshake...
  - PTS-IMV engages in crypto handshake with TPM
  - TPM securely sends PCR value to PTS-IMV
  - PTS-IMV compares to good configs
  - If not listed, endpoint is quarantined and remediated
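To show why a rootkit cannot make the PCR lie, here is an added Python model of the measured boot and the PTS-IMV comparison described on this slide (not TCG or Juniper code). It assumes a TPM 1.2 style SHA-1 extend; the boot images, the "good config" list and the verdict strings are constructed, and the TPM-signed quote that protects the PCR value in the real handshake is left out.

```python
import hashlib

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component)).
    A PCR has no 'set' operation, so a value can only be extended, never
    rolled back; only a hard reboot returns it to zero."""
    return sha1(pcr + sha1(component))

def measured_boot(components):
    """Each boot stage hashes the next component into the PCR before running it.
    `components` is the ordered list of (name, image bytes): BIOS, OS, drivers, AV."""
    pcr = bytes(20)                   # PCRs start at all zeros after a hard reset
    event_log = []
    for name, image in components:
        pcr = extend(pcr, image)
        event_log.append((name, sha1(image).hex()))
    return pcr, event_log

def pts_imv_verdict(reported_pcr: bytes, known_good: set) -> str:
    """Verifier side of the TNC handshake: the PTS-IMV compares the PCR value the
    TPM reported against its list of good configurations. (In the real protocol
    the value arrives in a TPM-signed quote over a fresh nonce; that signature
    check is omitted here.)"""
    return "allow" if reported_pcr in known_good else "quarantine and remediate"

# Constructed boot chain standing in for real firmware and binaries.
GOOD_CHAIN = [("BIOS", b"bios build 1.2"), ("OS", b"windows xp sp2 kernel"),
              ("Drivers", b"signed driver set"), ("Anti-Virus", b"symantec av 10.1")]
KNOWN_GOOD = {measured_boot(GOOD_CHAIN)[0]}

def demo():
    good_pcr, _ = measured_boot(GOOD_CHAIN)
    # A rootkit replaces the driver set; the BIOS and OS stages still measure it honestly.
    rooted = [(n, b"rootkit driver set" if n == "Drivers" else img) for n, img in GOOD_CHAIN]
    bad_pcr, _ = measured_boot(rooted)
    # Even if the rootkit later extends the genuine driver hash, the PCR stays wrong:
    # the bad measurement is already folded into the chain and cannot be removed.
    cover_up = extend(bad_pcr, b"signed driver set")
    return {"good": pts_imv_verdict(good_pcr, KNOWN_GOOD),
            "rootkit": pts_imv_verdict(bad_pcr, KNOWN_GOOD),
            "cover_up": pts_imv_verdict(cover_up, KNOWN_GOOD)}
```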

Slide 13: Why TNC?
- Open standards
  - Supports multi-vendor compatibility
  - Enables customer choice
  - Allows open technical review for better security
- Supports existing networks: wired and wireless, 802.1X and non-802.1X, firewalls, IPsec and SSL VPNs, dialup, etc.
- Supports optional Trusted Platform Module
  - Basis for trusted endpoint
  - Solves critical problem with existing products: root kits

Slide 14: TNC Architecture in Detail
Diagram of the three roles and the interfaces between them:
- Access Requester (AR): Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor; Platform Trust Service (PTS) on top of the TSS and TPM, reached over IF-PTS
- Policy Enforcement Point (PEP): Network Enforcement Point, linked to the PDP over IF-PEP
- Policy Decision Point (PDP): Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority
Interfaces: IF-IMC (IMC to TNCC), IF-IMV (IMV to TNCS), IF-M (IMC to IMV), IF-TNCCS (TNCC to TNCS), IF-T (Network Access Requestor to Network Access Authority), IF-PEP (PEP to Network Access Authority), IF-PTS (PTS to the TNC client side)

Slide 15: TNC Status
- TNC Architecture and all specs released
  - IF-IMC, IF-IMV, IF-PEP for RADIUS, IF-PTS, IF-TNCCS, IF-T for Tunneled EAP Methods
  - Freely available from TCG web site
- Rapid specification development continues: new specifications, enhancements
- Number of members and products growing rapidly
- Compliance and interoperability testing and certification effort under way

Slide 16: TNC Vendor Support
Vendor logos grouped by role (logos not recoverable from the transcript):
- Access Requester (AR): endpoint supplicant/VPN client, etc.
- Policy Enforcement Point (PEP): network device (FW, switch, router, gateway)
- Policy Decision Point (PDP): AAA server (RADIUS, Diameter, IIS, etc.)

Slide 17: TNC/NAP Interoperability
- IF-TNCCS-SOH standard enables client-server interoperability between NAP and TNC
  - NAP servers can health check TNC clients without extra software
  - NAP clients can be health checked by TNC servers without extra software
  - As long as all parties implement the open IF-TNCCS-SOH standard
- Availability
  - Built into Windows Vista, Windows Server 2008, Windows XP SP3
  - Unix clients shipping from Avenda Systems and UNETsystem
  - Other TNC vendors planning to ship support in 1H 2008
- Implications
  - Finally, an agreed-upon open standard client-server NAC protocol
  - True client-server interoperability (like web browsers and servers) is here
  - Industry (except Cisco) has agreed on TNC standards for NAC
Diagram: NAP or TNC client, IF-TNCCS-SOH, NAP or TNC server, across switches, APs, appliances, servers, etc.

Slide 18: NAP Vendor Support
(Vendor logos only; not recoverable from the transcript.)

Slide 19: IETF and TNC
- IETF NEA WG
  - Goal: universal agreement on NAC protocols
  - Co-chaired by Cisco rep and TNC-WG Chair
- Adopted TNC specs as WG drafts
  - PA-TNC and PB-TNC, equivalent to IF-M 1.0 and IF-TNCCS 2.0
  - Cisco engineer will co-edit

Slide 20: What About Open Source?
- Lots of open source support for TNC
  - University of Applied Arts and Sciences in Hannover, Germany (FHH)
  - libtnc
  - OpenSEA 802.1X supplicant
  - FreeRADIUS
- TCG support for these efforts
  - Free liaison memberships
  - Open source licensing of TNC header files

Slide 21: Moving Beyond NAC – Future Vision
- Trusted devices: trusted hardware and secure software provide trustworthy clients
- Access control: secure and reliable access to any service from any device across any network (in accordance with policy)
- Coordinated security: security systems cooperate through open standards to provide strong, autonomic, and efficient security at lower cost and complexity
- Policy: security policies defined in business terms apply across all security systems; good tools for defining and analyzing policies

Slide 22: TCG – Working Toward The Future
- Trusted devices: TPM, open standards for trusted hardware; TSS and PTS, open standards for secure software (not enough)
- Access control: TNC, working on broader access control standards
- Coordinated security: new IF-MAP standard addresses this directly (see next slide)
- Policy: important area for future work

Slide 23: IF-MAP – Problems to Be Solved
- Manage unresponsive endpoints
  - Printers, phones, other embedded devices
  - Guest, student, and other systems with no NAC capability
- Monitor endpoint behavior: detect and respond to unacceptable use
- Integrate security systems
  - Enable coordinated and automatic response
  - Share information to improve security

Slide 24: TNC Architecture with IF-MAP
Diagram components: laptops, mobile devices and other endpoints running TNC clients; 802.1X switches, VPN gateways, edge firewalls; RADIUS servers, VPN controllers, policy servers; IF-MAP servers; IDP/IDS systems, directories, DHCP servers, internal firewalls, SIM/SEM servers.

Slide 25: IF-MAP Use Cases
- PDP publishes info on new user & device to IF-MAP server
  - IDS and NBAD use this info to adjust their settings (e.g. P2P allowed)
  - Flow controller (e.g. interior firewall) uses info to adjust access controls
  - PDP and flow controller subscribe to updates on user or device
- IDS publishes event to an IF-MAP server
  - Device X is attacking device Y
  - PDP and/or flow controller receive notification of event
  - They can respond by quarantining device X, warning user, etc.
- PDP detects new unknown clientless device Z
  - PDP posts info to IF-MAP server, subscribes to updates
  - DHCP server, endpoint profiler, etc. publish info on device
  - PDP receives notification, grants appropriate access
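The first two use cases on this slide, modelled as an added Python example (not TCG's IF-MAP implementation or anything from the deck): a tiny in-memory publish/subscribe server, a PDP that publishes user and role metadata, and an interior firewall that tunes access from it and reacts to an IDS event. Class names, metadata keys and the device names are assumptions; the real protocol carries these operations as SOAP/XML over SSL with a richer identifier graph.

```python
from collections import defaultdict

class MapServer:
    """In-memory stand-in for an IF-MAP server: metadata is attached to
    identifiers (here device names), and a subscribe call both returns the
    current metadata and registers the caller for later updates."""
    def __init__(self):
        self.metadata = defaultdict(list)     # identifier -> [(publisher, key, value)]
        self.subscribers = defaultdict(list)  # identifier -> [callback]

    def publish(self, publisher, identifier, key, value):
        self.metadata[identifier].append((publisher, key, value))
        for notify in list(self.subscribers[identifier]):
            notify(identifier, publisher, key, value)

    def subscribe(self, identifier, callback):
        self.subscribers[identifier].append(callback)
        for publisher, key, value in self.metadata[identifier]:   # initial poll result
            callback(identifier, publisher, key, value)

class FlowController:
    """Interior firewall: tunes per-device access from published role and event data."""
    def __init__(self):
        self.access = {}

    def on_update(self, ident, publisher, key, value):
        if key == "role":                        # e.g. P2P allowed only for students
            self.access[ident] = "p2p-allowed" if value == "student" else "p2p-blocked"
        elif publisher == "ids" and key == "event":
            self.access[ident] = "quarantined"   # coordinated response to the IDS

class PDP:
    """Policy Decision Point: publishes who is on which device, reacts to IDS events."""
    def __init__(self, server):
        self.server, self.quarantined = server, set()

    def admit(self, device, user, role):
        self.server.publish("pdp", device, "authenticated-as", user)
        self.server.publish("pdp", device, "role", role)
        self.server.subscribe(device, self.on_update)

    def on_update(self, ident, publisher, key, value):
        if publisher == "ids" and key == "event":
            self.quarantined.add(ident)          # quarantine the attacking device

def run_use_cases():
    server, fw = MapServer(), FlowController()
    pdp = PDP(server)
    pdp.admit("device-X", "ken", "faculty")      # use case 1: PDP publishes new user & device
    pdp.admit("device-Y", "linda", "student")
    for dev in ("device-X", "device-Y"):
        server.subscribe(dev, fw.on_update)      # flow controller picks up the roles
    # use case 2: IDS publishes "device X is attacking device Y"
    server.publish("ids", "device-X", "event", "attacking device-Y")
    return {"quarantined": sorted(pdp.quarantined), "access": dict(fw.access)}
```

After run_use_cases(), device-X is quarantined by both the PDP and the firewall while device-Y keeps its student access, with no direct link between the IDS and either of them.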

Slide 26: IF-MAP Benefits
- Lower deployment and operating costs
  - Integration of existing systems and investments
  - Fewer false alarms since policies are tuned
- Reduced deployment and operating complexity
  - Standards based integration
  - Automated responses
- Stronger security
  - Responses to both managed and unmanaged endpoints
  - Management of the complete lifecycle of a network endpoint
  - Coordinated response across many products
  - Policies tuned per user or group
- Better policies and reports: based on usernames and roles instead of IP addresses
- Benefits of open standards
  - Avoid vendor lock-in
  - Reduce costs through competition
  - Choose best products for each job

Slide 27: IF-MAP Status
- IF-MAP Specification published April 28, 2008
  - Available at (link not captured in the transcript)
  - Free to implement
- Strong interest among customers, vendors, press, analysts, and open source implementers
- Demonstrations in TCG booth at Interop Vegas 2008
- Builds on existing standards (XML, SOAP, HTTP, SSL)
  - Ongoing alignment work with Open Group and MITRE on event format
- Work continues to expand and improve IF-MAP
- Products to follow

Slide 28: How can you participate in TCG/TNC?
- Review TCG/TNC specs and materials
  - Available at (link not captured in the transcript)
  - Free to implement
- Try deployments of TCG/TNC technology, commercial or open source
- Contribute to open source implementations
- Start related research projects
- Apply for Mentor or Invited Expert status
  - Mentor status supports researchers with advice (no NDA)
  - Invited Expert status makes you a full TCG participant
  - Josh Howlett of JANET is an Invited Expert

Slide 29: Thanks to Academic Community
- Higher education pioneered most of these concepts
  - Trusted computing
  - Access control & NAC
  - Coordinated security
  - Policy
"If I have seen further it is by standing on the shoulders of Giants." - Sir Isaac Newton

Slide 30: Summary
- Network Access Control (NAC) has clear benefits
  - Controlling access to critical networks
  - Detecting and fixing unhealthy endpoints
  - Monitoring and addressing endpoint behavior
- Open standards required for NAC: many, many products involved
- TNC = open standards for NAC
- Many advances in network security coming: trusted devices, access control, coordinated security, policy
- TCG welcomes your input

Slide 31: For More Information
- TCG Web Site (link not captured in the transcript)
- TNC Co-Chairs: Steve Hanna (blog link not captured in the transcript); Paul Sangster