Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trusted Network Connect: Open Standards for NAC

Published by창민 변 Modified over 6 years ago

Similar presentations

Presentation on theme: "Trusted Network Connect: Open Standards for NAC"— Presentation transcript:

1 Trusted Network Connect: Open Standards for NAC

2 Trusted Network Connect (TNC)
Open Architecture for Network Access Control Strong security through trusted computing Open Standards for Network Access Control Full set of specifications Products shipping for more than two years Work Group of Trusted Computing Group Industry standards group About 175 TCG member organizations, 75 in TNC-WG More joining every week

3 Problem: Reduce Endpoint Attacks
Increasingly Sophisticated and Serious Attacks Malware = Viruses, Worms, Spyware, Rootkits, Back Doors, Botnets Zero-Day Exploits Targeted Attacks Rapid Infection Speed Exponential Growth in Malware >40,000,000 Infected Machines >35,000 Malware Varieties Motivated Attackers Extortion, Identity Theft, Bank Fraud, Corporate Espionage Dissolving Network Boundaries Mobile workforce, partners, contractors, outsourcing Regulatory Requirements Mandatory Policy Compliance

4 Solution: Network Access Control
Create Network Access Control Policy Require Compliance for Network Access (or Log and Advise) Isolate and Repair Non-Compliant Endpoints Optional Integration with TPM to Identify Users Thwart Root Kits

5 Sample Network Access Control Policy
Machine Health Anti-Virus software running and properly configured Recent scan shows no malware Personal Firewall running and properly configured Patches up-to-date No unauthorized software Machine Behavior No port scanning, sending spam, etc. Other Organization-Defined Requirements

6 TNC Architecture VPN

7 Typical TNC Deployments
Uniform Policy User-Specific Policies TPM Integrity Check

8 Uniform Policy Access Requestor Policy Enforcement Policy Decision
Point Policy Decision Point Non-compliant System Windows XP SP2 OSHotFix 2499 OSHotFix 9288 AV - McAfee Virus Scan 8.0 Firewall Remediation Network Production Network Client Rules Windows XP SP2 OSHotFix 2499 OSHotFix 9288 AV (one of) Symantec AV 10.1 McAfee Virus Scan 8.0 Firewall Compliant System Windows XP SP2 OSHotFix 2499 OSHotFix 9288 AV - Symantec AV 10.1 Firewall

9 User-Specific Policies
Access Requestor Policy Enforcement Point Policy Decision Point Guest Network Internet Only Guest User R&D Network Ken – R&D Finance Network Access Policies Authorized Users Client Rules Linda – Finance Windows XP OS Hotfix 9345 OS Hotfix 8834 AV - Symantec AV 10.1 Firewall

10 TPM Integrity Check Compliant System Access Requestor
Policy Enforcement Point Policy Decision Point TPM – Trusted Platform Module HW module built into most of today’s PCs Enables a HW Root of Trust Measures critical components during trusted boot PTS interface allows PDP to verify configuration and remediate as necessary Production Network Client Rules TPM enabled BIOS OS Drivers Anti-Virus SW Compliant System TPM verified BIOS OS Drivers Anti-Virus SW

11 Integrity Measurement Network Access Requestor
TNC Architecture Policy Enforcement Point Policy Decision Point Access Requestor Verifiers t Collector Integrity Measurement Collectors (IMC) Verifiers (IMV) IF-M IF-IMC IF-IMV TSS TPM Platform Trust Service (PTS) IF-PTS TNC Server (TNCS) TNC Client (TNCC) IF-TNCCS Network Access Requestor Policy Enforcement Point (PEP) Network Access Authority IF-T IF-PEP

12 Trusted Platform Module (TPM)
Security hardware on motherboard Open specifications from TCG Resists tampering & software attacks Now included in almost all enterprise PCs Off by default Features Secure key storage Cryptographic functions Integrity checking & remote attestation Applications Strong user and machine authentication Secure storage Trusted / secure boot For TNC, most useful for detecting rootkits Protects again the ‘lying endpoint’ problem TPM measures critical components during trusted boot BIOS, Boot Loader, OS Kernel, Kernel Drivers, TNCC, IMCs PTS-IMC reports measurements via TNC handshake PDP checks measurements against valid configurations If Invalid, PDP can remediate and isolate 12

13 TNC Vendor Support Policy Enforcement Policy Decision Access Requestor
Point Policy Decision Point Access Requestor Endpoint Supplicant/VPN Client, etc. Network Device FW, Switch, Router, Gateway AAA Server, Radius, Diameter, IIS, etc 13

14 Microsoft NAP Interoperability
NAP or TNC Server Client IF-TNCCS-SOH Switches, APs, Appliances, Servers, etc. IF-TNCCS-SOH Standard Developed by Microsoft as Statement of Health (SoH) protocol Donated to TCG by Microsoft Adopted by TCG and published as a new TNC standard, IF-TNCCS-SOH Enables Client-Server Interoperability between NAP and TNC NAP servers can health check TNC clients without extra software NAP clients can be health checked by TNC servers without extra software As long as all parties implement the open IF-TNCCS-SOH standard Availability Demonstrations at Interop Las Vegas 2007 (May 2007) Built into Windows Vista now Coming in Windows Server 2008 and Windows XP SP 3 Coming in products from other TNC vendors in 1H 2008 Implications Finally, an agreed-upon open standard client-server NAC protocol True client-server interoperability (like web browsers and servers) is here Industry (except Cisco) has agreed on TNC standards for NAC 14

15 Microsoft NAP Partners (now TNC)

16 TNC Advantages Open standards
Non-proprietary – Supports multi-vendor compatibility Interoperability Enables customer choice Allows thorough and open technical review Leverages existing network infrastructure Excellent Return-on-Investment (ROI) Roadmap for the future Full suite of standards Supports Trusted Platform Module (TPM) Products supporting TNC standards shipping today TNC certification and compliance program coming soon

17 What About Open Source? Lots of open source support for TNC
University of Applied Arts and Sciences in Hannover, Germany (FHH) libtnc OpenSEA 802.1X supplicant FreeRADIUS TCG support for these efforts Liaison Memberships Open source licensing of TNC header files Information about TNC implementations available at

18 What’s Next for Network Security?
Agree on TNC Standards with ALL Parties Universal Endpoint Support for NAC Phones, PDAs, Printers, Cameras, etc. Built-in Agent, Permanent Agent, Downloaded Agent, or No Agent Extend Integration of Endpoint Security and Network Security Today (NAC) Endpoint Security (anti-malware, patch management, etc.) AAA / Identity Management Switches, Wireless APs & Management Systems (802.1X or not) Other Enforcement Mechanisms Next Step for Integration Intrusion Detection / Prevention Vulnerability Scanning Firewalls (Stateful & Stateless) VPN Gateways (SSL & IPsec) Any Security Component So TCG TNC has a solid set of NAC standards today with a wide variety of products supporting those standards that can include strong hardware-based security. Just as important, TCG has a clear vision for where network access control is going. The overall theme is that the scope of Network Access Control will expand in several ways. First, endpoint security and network security will continue to become more tightly integrated. Today, TNC combines endpoint security checks with user and machine identity and uses a variety of enforcement points to control network access. The next step for TNC is to integrate other network security components into the system. So an intrusion detection system can detect that a particular endpoint is misbehaving and notify the TNC server, which can cut off access. Other sensors in the network that we must integrate are vulnerability scanners, endpoint profilers, and so on. Note that this is not a one-way street. All of these devices will benefit from getting information about the endpoint health and user identity. They can do more intelligent scanning if they know who’s using a particular machine and what their job is. Some of our TNC members are pioneering this sort of integration. For example, Q1 Labs has integrated their security event management system with TNC and Juniper has integrated their firewalls. But the TNC standards don’t really say how these integrations should happen so they are not as clean and open as they could be. Another important way to expand the scope of network access control is to expand the number of endpoints that are supported. Actually, most TNC implementations already generally include some way to support all these endpoints but in most cases that support is based on vendor code not open standards. We need to make sure the standards provide the proper support for all sorts of endpoints and push to get our standards more widely supported in products. We have already taken some steps in this direction, like providing Java bindings for our APIs and adding support for VOIP phones and other VLAN-aware endpoints in our enforcement protocols. But we have more to do here. And finally we need to get all the relevant parties to agree on the TNC standards. Almost everyone is on board but there are a few holdouts. That doesn’t help customers so we’re working to bring everyone together on the TNC standards.

19 For More Information TNC Web Site TNC Co-Chairs Steve Hanna
TNC Co-Chairs Steve Hanna Distinguished Engineer, Juniper Networks Paul Sangster Chief Security Standards Officer, Symantec

Download ppt "Trusted Network Connect: Open Standards for NAC"

Similar presentations

1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary 7 April 2010 Camas, WA – PWG F2F Meeting Ira McDonald (High.

1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary 7 April 2010 Camas, WA – PWG F2F Meeting Ira McDonald (High.
Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.

Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.
1 Endpoint Security Considerations. 2 Agenda Open Networks PROs & CONs Challenges Alternatives.

1 Endpoint Security Considerations. 2 Agenda Open Networks PROs & CONs Challenges Alternatives.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.

Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,

Sony White House Anthem Lockheed Aramco Bushehr nuclear reactor NSA Hacked Facebook Hacked Apple,Google,Microsoft,
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Information Security in Real Business

Information Security in Real Business
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S09761197.

Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
© 2003, Cisco Systems, Inc. All rights reserved. 111 8426_07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.

© 2003, Cisco Systems, Inc. All rights reserved _07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect: Open.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect: Open.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Endpoint Security Current portfolio and looking forward October 2010.

©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone Endpoint Security Current portfolio and looking forward October 2010.
SACM Architecture Based on TNC Standards Lisa Lorenzin & Atul Shah.

SACM Architecture Based on TNC Standards Lisa Lorenzin & Atul Shah.
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.

1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.

Similar presentations

Ads by Google