Introduction of Trusted Network Connect Houcheng Lee May 9, 2007.

1 Introduction of Trusted Network Connect Houcheng Lee houchen1@umbc.edu May 9, 2007

2 What is Trusted Computing?

3 Trusted Computing Group (TCG)

4 Copyright© 2007 Trusted Computing Group - Other names and brands are properties of their respective owners.
Trusted Computing Group (TCG) Membership: 170 total members as of January, 2007
Promoters: AMD; Hewlett-Packard; IBM; Intel Corporation; Microsoft; Sun Microsystems, Inc.
Contributors: Adaptec, Inc.; Agere Systems; American Megatrends, Inc.; ARM; Atmel; AuthenTec, Inc.; AVAYA; Broadcom Corporation; Certicom Corp.; Check Point Software, Inc.; Citrix Systems, Inc.; Comodo; Dell, Inc.; Endforce, Inc.; Ericsson Mobile Platforms AB; France Telecom Group; Freescale Semiconductor; Fujitsu Limited; Fujitsu Siemens Computers; Funk Software, Inc.; General Dynamics C4 Systems; Giesecke & Devrient; Hitachi, Ltd.; Infineon; InfoExpress, Inc.; InterDigital Communications; iPass; Lenovo Holdings Limited; Lexmark International; Lockheed Martin; M-Systems Flash Disk Pioneers; Maxtor Corporation; Meetinghouse Data Communications; Mirage Networks; Motorola Inc.; National Semiconductor; nCipher; NEC; Nevis Networks, USA; Nokia; NTRU Cryptosystems, Inc.; NVIDIA; OSA Technologies, Inc; Philips; Phoenix; Pointsec Mobile Technologies; Renesas Technology Corp.; Ricoh Company LTD; RSA Security, Inc.; Samsung Electronics Co.; SanDisk Corporation; SCM Microsystems, Inc.; Seagate Technology; Siemens AG; SignaCert, Inc.; Silicon Integrated Systems Corp.; Sinosun Technology Co., Ltd.; SMSC; Sony Corporation; STMicroelectronics; Symantec; Symbian Ltd; Synaptics Inc.; Texas Instruments; Toshiba Corporation; TriCipher, Inc.; Unisys; UPEK, Inc.; Utimaco Safeware AG; VeriSign, Inc.; Vernier Networks; Vodafone Group Services LTD; Wave Systems; Winbond Electronics Corporation
Adopters: ConSentry Networks; CPR Tools, Inc.; Credant Technologies; Fiberlink Communications; Foundstone, Inc.; GuardianEdge; ICT Economic Impact; Industrial Technology Research Institute; Infosec Corporation; Integrated Technology Express Inc.; LANDesk; Lockdown Networks; Marvell Semiconductor, Inc.; MCI; Meganet Corporation; Roving Planet; SafeBoot; Safend; Sana Security; Secure Elements; Senforce Technologies, Inc; SII Network Systems, Inc.; Silicon Storage Technology, Inc.; Softex, Inc.; StillSecure; Swan Island Networks, Inc.; Symwave; Telemidic Co. Ltd.; Toppan Printing Co., Ltd.; Trusted Network Technologies; ULi Electronics Inc.; Valicore Technologies, Inc.; Websense; Advanced Network Technology Labs; Apani Networks; Apere, Inc.; ATI Technologies Inc.; BigFix, Inc.; BlueRISC, Inc.; Bradford Networks; Caymas Systems; Cirond

5 TCG Key Players

6 Trusted Platform Module (TPM)

7 Trusted Platform Module (TPM) Introduction
What is a TPM? A hardware module.
What does it do? V1.2 functions, including:
- stores OS status information
- generates/stores a private key
- creates digital signatures
- anchors the chain of trust for keys, digital certificates, and other credentials

8 TPM – TCG Definition
Asymmetric Key Module
- Generate, store & backup public/private key pairs
- Generate digital signatures, encrypt/decrypt data
Trusted Boot Configuration
- Storage of software digests during the boot process
Anonymous Attestation
- Endorsement key used to establish properties of multiple identity keys
TPM Management
- Turn it on/off, ownership / configure functions, etc.

9 TPM – Abstract Definition
Root of Trust in a PC
- Operations or actions based on the TPM have measurable trust.
- Flexible usage model permits a wide range of actions to be defined.
Doesn’t Control the PC (about DRM)
- User still has complete control over the platform. It’s OK to turn the TPM off (it ships disabled).
- User is free to install any software he/she pleases.

10 Why Not Software?
Software is hard to secure.
- Ultimately, it is usually based on something stored in a relatively insecure location (like the hard drive).
Soft data can be copied.
- Lets an attacker take more time or apply more equipment to the attack procedure.
Security can’t be measured.
- Two users running the same software operation may see radically different risks.

11 TPM Measurement Flow (diagram)

12 Trusted Network Connection (TNC)

13 What is TNC?
- Open Architecture for Network Access Control
- Suite of Standards
- Developed by Trusted Computing Group

14 Network Endpoint Problem
Sophisticated Attacks
- Viruses, Worms, Spyware, Rootkits, Botnets
- Zero-Day Exploits
- Targeted Attacks
- Rapid Infection Speed
Exponential Growth
- > 40,000,000 Infected Machines
- > 35,000 Malware Varieties
Motivated Attackers (Bank Crackers)
Any vulnerable computer is a stepping stone

15 Key Computing Trends Drive the Need for TNC
Trend: Increasing network span to mobile workers, customers, partners, suppliers. Implication: Less reliance on physical access identity verification (i.e. guards & badges).
Trend: Network clients moving to wireless access. Implication: Remote access sequences easily monitored, cloned.
Trend: Malware increasingly targeting the network via valid client infection. Implication: Clients “innocently” infect entire networks.
Trend: New malware threats emerging at an increasing rate. Implication: Client scanning demands move from once/week to once/login.

16 Network Integrity Architectures
Several initiatives are pursuing Network Integrity Architectures; all provide the ability to check the integrity of objects accessing the network:
- [Cisco] Network Admission Control (NAC)
- [Microsoft] Network Access Protocol (NAP)
- [TCG] Trusted Network Connect (TNC)
  - Supports multi-vendor interoperability
  - Leverages existing standards
  - Empowers enterprises with choice

17 Trusted Network Connect Advantages
Open standards
- Open standards process
  - multi-vendor compatibility
  - enables customer choice
  - open technical review
- Integrates with established protocols like EAP, TLS, 802.1X, and IPsec
Incorporates Trusted Computing concepts - guarding the guard

18 Controlling Integrity of What is on the Network
Moving from “who” is allowed on the network
- User authentication
To “who” and “what” is allowed on the network
- Adding platform integrity verification

19 Check at connect time (diagram)
- Who are you?
- What is on your computer?
Diagram: the client asks “Can I connect?”; the access control dialog is decided against a User DB + Integrity DB before access to the Enterprise Net is granted.

20 Quarantine and Remediation (diagram)
Diagram: the client asks “Can I connect?”; the access control dialog, checked against the User DB + Integrity DB, answers “No, I am quarantining you. Try again when you’re fixed up.” The client is placed on the Quarantine Net, with a Remediation Server, instead of the Enterprise Net.

21 TNC Architecture

22 TNC Architecture (diagram)
Access Requestor (AR): Integrity Measurement Collectors (IMC); TNC Client (TNCC); Network Access Requestor; Platform Trust Service (PTS) with TSS and TPM.
Policy Enforcement Point (PEP).
Policy Decision Point (PDP): Integrity Measurement Verifiers (IMV); TNC Server (TNCS); Network Access Authority.
Interfaces: IF-IMC (IMC to TNCC); IF-IMV (IMV to TNCS); IF-M (IMC to IMV, peer relationship); IF-TNCCS (TNCC to TNCS, peer relationship); IF-T (Network Access Requestor to Network Access Authority); IF-PEP (PEP to Network Access Authority); IF-PTS (PTS to the TNC components on the AR).

23 Endpoint Integrity Policy
Machine Health
- Anti-Virus software running and properly configured
- Recent scan shows no malware
- Personal Firewall running and properly configured
- Patches up-to-date
- No unauthorized software
Machine Behavior
- No port scanning, sending spam, etc.

24 Examples of Integrity Checks
Virus scan
- Is a virus scanner present / which version?
- Has it run “recently” / what is the result?
Spyware checking
- Is the spyware checker running / what version?
- Have programs been deleted/isolated?
What is your OS patch level?
Is unauthorized software present?
Other - IDS logs, evidence of port scanning

25 Network Operator Access Policy
Define policy for what must be checked (e.g. virus, spyware and OS patch level) and the required results of the checks. E.g. must run:
- VirusC - version 3.2 or higher, clean result
- SPYX - version 1.5 or higher
- Patchchk - version 6.2 or higher, patchlevel 3 or newer

26 TNC Scenario (Anti-Virus)
Sequence (numbers as in the diagram):
1) Harvesting - baseline measurements are taken from the Anti-Virus Services
2) Policy authoring - policies are loaded on the PDP
3) Collection - the AV-IMC measures the embedded AV configuration, AV engine and AV definitions on the AR
4) Reporting - integrity measurements are sent from the TNC Client to the TNC Server
5) Evaluation - the AV-IMV produces a policy decision
6) Enforcement - control request
7) Remediation
Diagram components: TNC Client with AV-IMC, other IMCs and the Network Access Requestor (AR); TNC Server with AV-IMV, other IMVs and the Network Access Authority (PDP).

27 TNC Model for Exchanging Integrity Data
Collector/verifier pairs: Anti-virus Collector / Anti-virus Verifier; Patch mgt Collector / Patch mgt Verifier; Firewall Collector / Firewall Verifier; Platform trust Collector / Platform trust Verifier. Collectors attach to the TNC Client and verifiers to the TNC Server; the two sides talk over IF-T.
- Messages are batched by TNCC/TNCS
- Either side can start a batched exchange
- IMC/IMV may subscribe to multiple message types
- Exchanges of TNC batches are called a handshake

28 Authorized Access Only (diagram)
Access Requestors: JoeK, Guest, LynnP, Hacker_Cindi. The Policy Decision Point holds the Authorized Users list: JoeK, NoelC, KathyR, LynnP. The Policy Enforcement Point admits JoeK and LynnP; Guest and Hacker_Cindi get Access Denied.

29 Corporate SW Requirements (diagram)
Client Rules (at the Policy Decision Point): Windows XP SP2; OSHotFix 2499; OSHotFix 9288; AV (one of) Symantec AV 10.1, McAfee Virus Scan 8.0; Firewall.
Compliant System: Windows XP SP2, OSHotFix 2499, OSHotFix 9288, AV - Symantec AV 10.1, Firewall -> admitted by the Policy Enforcement Point to the Corporate Network.
Non-compliant System: Windows XP SP2, missing OSHotFix 2499, missing OSHotFix 9288, AV - McAfee Virus Scan 8.0, Firewall -> placed by the Policy Enforcement Point on the Remediation Network.
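As an added example (not part of the original slides or any TCG code), the policy check from slides 25 and 29 written as a small IMV-style evaluator that turns the client's measurements into an allow/quarantine decision plus a remediation list; the measurement layout, the Policy class and the helper names are assumptions made here, and versions are compared numerically so that "10.1" is not judged older than "9.9":

```python
# Added example (not from the slides): an IMV-style evaluator for the kind of
# endpoint policy shown on slides 25 and 29. Names and measurement layout are
# constructed for illustration; real IMVs exchange IF-M messages, not dicts.
from dataclasses import dataclass

def parse_version(v):
    """'10.1' -> (10, 1): compare numerically so '10.1' >= '8.0' holds."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Policy:
    required_os: str            # exact OS/service-pack string the client must report
    required_hotfixes: set      # every listed hotfix must be installed
    allowed_av: dict            # product -> minimum version; one must match
    firewall_required: bool = True

def evaluate(policy, m):
    """Return ('allow', []) or ('quarantine', [remediation steps])."""
    todo = []
    if m.get("os") != policy.required_os:
        todo.append(f"install {policy.required_os}")
    for hf in sorted(policy.required_hotfixes - set(m.get("hotfixes", []))):
        todo.append(f"install {hf}")
    av = m.get("av")            # constructed shape: (product, version, last_scan_clean)
    av_ok = False
    if av is not None:
        product, version, clean = av
        minimum = policy.allowed_av.get(product)
        av_ok = (minimum is not None
                 and parse_version(version) >= parse_version(minimum) and clean)
    if not av_ok:
        allowed = ", ".join(f"{p} {v}+" for p, v in policy.allowed_av.items())
        todo.append(f"run an approved AV ({allowed}) with a clean recent scan")
    if policy.firewall_required and not m.get("firewall"):
        todo.append("enable the personal firewall")
    return ("allow", []) if not todo else ("quarantine", todo)

# Client Rules from slide 29.
CORP_POLICY = Policy("Windows XP SP2", {"OSHotFix 2499", "OSHotFix 9288"},
                     {"Symantec AV": "10.1", "McAfee Virus Scan": "8.0"})

# Constructed measurements matching the compliant and non-compliant systems on slide 29.
COMPLIANT = {"os": "Windows XP SP2", "hotfixes": ["OSHotFix 2499", "OSHotFix 9288"],
             "av": ("Symantec AV", "10.1", True), "firewall": True}
NON_COMPLIANT = {"os": "Windows XP SP2", "hotfixes": [],
                 "av": ("McAfee Virus Scan", "8.0", True), "firewall": True}

if __name__ == "__main__":
    for name, m in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, evaluate(CORP_POLICY, m))
```

The non-compliant system on slide 29 runs an approved AV and a firewall, so the only remediation items it receives are the two missing hotfixes.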

30 Customized Network Access (diagram)
The Policy Decision Point holds Access Policies, Authorized Users and Client Rules; the Policy Enforcement Point places each Access Requestor on a different network:
- Ken – R&D -> R&D Network
- Linda – Finance (Windows XP, OS Hotfix 9345, OS Hotfix 8834, AV - Symantec AV 10.1, Firewall) -> Finance Network
- Guest User -> Guest Network (Internet only)

31 Platform Trust Services (PTS)
- IF-PTS evaluates the integrity of TNC components and makes integrity reports available to the TNCC and TNCS
- The PTS establishes the integrity state of the TNC framework and binds this state to the platform transitive-trust chain
- The PTS-IMC collects integrity information about TNC elements and sends it to the PTS-IMV
- The PTS-IMV has information (probably from vendors) on the expected values for IMCs and other TNC components, and verifies the received values against them

32 TPM Integrity Check (diagram)
Compliant System: TPM-verified BIOS, OS, Drivers, Anti-Virus SW -> Corp LAN. Client Rules at the Policy Decision Point: TPM enabled; BIOS; OS; Drivers; Anti-Virus SW.
TPM – Trusted Platform Module
- HW module built into most of today’s PCs
- Enables a HW Root of Trust
- Measures critical components during trusted boot
- The PTS-IMC interface allows the PDP to verify the configuration and remediate as necessary
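As an added example (not from the slides or from any TCG implementation), a simulation of the trusted-boot measurement chain on slide 32 (BIOS, OS, Drivers, Anti-Virus SW) and of the PDP-side check that replays the measurement log against the Client Rules' reference digests; the component images, reference values and function names are constructed here, and the TPM's signature over the quoted PCR is assumed to be checked elsewhere:

```python
# Added example (not from the slides): a simulation of the TPM 1.2 measured-boot
# chain behind slide 32 (BIOS -> OS -> Drivers -> Anti-Virus SW) and of the PDP-side
# check that replays the event log against reference digests. Component images and
# reference values are constructed; a real verifier would also check the TPM's
# signature over the quoted PCR, which is omitted here.
import hashlib

PCR_INIT = b"\x00" * 20          # TPM 1.2 PCRs are 20-byte SHA-1 registers, zero at reset

def sha1(data):
    return hashlib.sha1(data).digest()

def extend(pcr, digest):
    """TPM extend: the register only ever moves forward, never back."""
    return sha1(pcr + digest)

def measured_boot(components):
    """Client side: each boot stage measures the next one into the PCR and logs it."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        digest = sha1(image)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def verify(quoted_pcr, log, reference):
    """Verifier side: the log is untrusted data; the quoted PCR is the anchor."""
    pcr = PCR_INIT
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        return "reject", ["event log does not reproduce the quoted PCR"]
    unexpected = [name for name, digest in log if reference.get(name) != digest]
    return ("allow", []) if not unexpected else ("remediate", unexpected)

# Constructed "known good" images; the reference table plays the Client Rules on slide 32.
GOOD_CHAIN = [("BIOS", b"bios-2007"), ("OS", b"winxp-sp2"),
              ("Drivers", b"drivers-2007"), ("Anti-Virus SW", b"av-10.1")]
REFERENCE = {name: sha1(image) for name, image in GOOD_CHAIN}
# The same chain with a driver image the operator never approved.
ALTERED_CHAIN = [(n, b"drivers-unknown" if n == "Drivers" else img) for n, img in GOOD_CHAIN]

if __name__ == "__main__":
    pcr, log = measured_boot(GOOD_CHAIN)
    print(verify(pcr, log, REFERENCE))            # ('allow', [])
    pcr, log = measured_boot(ALTERED_CHAIN)
    print(verify(pcr, log, REFERENCE))            # ('remediate', ['Drivers'])
    # A log edited to look clean still fails: it no longer reproduces the PCR.
    print(verify(pcr, [(n, REFERENCE[n]) for n, _ in GOOD_CHAIN], REFERENCE))
```

The replay step is what lets the PDP name the component to remediate instead of only seeing a mismatched register value.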

33 TNC Architecture – Existing Support
- Access Requestor: Endpoint (Supplicant/VPN Client, etc.)
- Policy Enforcement Point: Network Device (FW, Switch, Router, Gateway)
- Policy Decision Point: AAA Server (Radius, Diameter, IIS, etc.)

34 TPM Use Cases - Government & Regulatory
National Security Agency
- Full drive encryption
- TCG for compatibility
U.S. Army
- Network Enterprise Technology Command now requires TPM 1.2 on new computers
F.D.I.C.
- Promotes TPM usage to member banks

35 TPM Use Cases – Realistic Projects
Pharmacy Company
- With VPN over a public network, put TPMs on all clients
- Access dependent on a digital certificate
- Verifies both user and machine
- Hardware and software from Lenovo
Japanese Health Care Projects
- Obligation to preserve data; METI funded
- Fujitsu’s TNC deployment verifies HW and app config for a session of broadband telemedicine
- Hitachi’s TPM-based system for home health care
- IBM’s Trusted Virtual Domains
Microsoft Vista BitLocker

36 Thank you. Questions?

37 References
- Trusted Computing Group (TCG) - https://www.trustedcomputinggroup.org/home
- Trusted Network Connection (TNC) - https://www.trustedcomputinggroup.org/groups/network/

