1 IF-MAP: Open Standards for Coordinating Security Presentation for SAAG IETF 72, July 31, 2008 Steve Hanna

2 Information Security Past - Isolation Host Firewall Host Intrusion Detection & Prevention Host Anti-Virus Host Security Network Firewall Network Intrusion Detection & Prevention Virtual Private Networks Data Loss Prevention Vulnerability Scanners Network Anti-Virus Network Security Identity Management Server Security Web Services Security Server/Service Security

3 Network Firewall Network Intrusion Detection & Prevention Virtual Private Networks Data Loss Prevention Vulnerability Scanners Network Anti-Virus Network Security Information Security Present – Partial Coordination Host Firewall Host Intrusion Detection & Prevention Host Anti-Virus Host Security Identity Management Server Security Web Services Security Server/Service Security Network Access Control (NAC)

4 Network Firewall Network Intrusion Detection & Prevention Virtual Private Networks Data Loss Prevention Vulnerability Scanners Network Anti-Virus Network Security Information Security Future – Full Coordination Host Firewall Host Intrusion Detection & Prevention Host Anti-Virus Host Security Identity Management Server Security Web Services Security Server/Service Security NAC with IF-MAP

5 Basic NAC Architecture Access Requestor (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) VPN

6 Integrating Other Security Systems Access Requestor (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Metadata Access Point (MAP) Sensors, Flow Controllers VPN

7 TNC Architecture Policy Decision Point Policy Enforcement Point Access Requestor Verifiers t Collector Integrity Measurement Collectors (IMC) Integrity Measurement Verifiers (IMV) IF-M IF-IMCIF-IMV Network Access Requestor Policy Enforcement Point (PEP) Network Access Authority IF-T IF-PEP TNC Server (TNCS) TNC Client (TNCC) IF-TNCCS TSS TPM Platform Trust Service (PTS) IF-PTS Metadata Access Point Sensors and Flow Controllers Metadata Access Point IF-MAP Sensor IF-MAP Flow Controller IF-MAP

8 What is IF-MAP? Standard Published by Trusted Computing Group – Standard Requests & Responses –Publish, Search, Subscribe, Poll Standard Identifiers –device, identity, ip-address, mac-address, access-request Standard Metadata –device-attribute, event, role, capability, layer2-information Standard Links (marked with metadata) –access-request-device, access-request-ip, access-request-mac, authenticated-as, authenticated-by, ip-mac Protocol Binding for SOAP Ability to define optional vendor-specific extensions

9 Example IF-MAP Graph

10 IF-MAP Benefits More Informed Sensors –Sensors can tune by role and other things –Should reduce false alarms Policy and Reports in Business Terms –User identity and role vs. IP address –Simpler, easier to manage Automated Response (if desired) –Faster response = stronger security –Less expense due to automation Customer Choice and Flexibility –No need to buy all security products from one vendor –Can reuse and integrate existing security systems

11 Security and Privacy Considerations MAP = Storehouse of Sensitive Data, Critical Nerve Center –MUST TLS with mutual auth for IF-MAP clients publisher-id and timestamp to track changes –SHOULD authorization, DOS protection, anomaly detection, physical and operational security, hardening, etc. not keep historical data

12 Discussion