Download presentation
Presentation is loading. Please wait.
1
Network Access Control for Education
By Steve Hanna, Distinguished Engineer, Juniper Co-Chair, Trusted Network Connect WG, TCG Co-Chair, Network Endpoint Assessment WG, IETF
2
Implications of Expanded Network Usage
As Access Increases Mission-critical network assets Mobile and remote devices transmitting the LAN perimeter Broader variety of network endpoints Faculty, staff, parent, and/or student access Critical data at risk Perimeter security ineffective Endpoint infections may proliferate Network control can be lost Network Security Decreases
3
Network Access Control Solutions
Control Access to critical resources to entire network Based on User identity and role Endpoint identity and health Other factors With Remediation Management Features Consistent Access Controls Reduced Downtime Healthier endpoints Fewer outbreaks Safe Remote Access Safe Access for Faculty, Staff Students, Parents Guests Devices Benefits Network access control must be a key component of every network!
4
What is Trusted Network Connect (TNC)?
Open Architecture for Network Access Control Suite of Standards to Ensure Interoperability Work Group in Trusted Computing Group (TCG)
5
Security Infrastructure
TCG: The Big Picture Desktops & Notebooks Applications Software Stack Operating Systems Web Services Authentication Data Protection Printers & Hardcopy Security Infrastructure Storage TCG Standards Mobile Phones Servers Networking Security Hardware
6
TNC Architecture Overview
Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) VPN Wireless PDP FW Wired Network Perimeter
7
Typical TNC Deployments
Uniform Policy User-Specific Policies TPM Integrity Check
8
Policy Enforcement Point (PEP) Policy Decision Point (PDP)
Uniform Policy Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Remediation Network PDP Non-compliant System Windows XP SP2 OSHotFix 2499 OSHotFix 9288 AV - McAfee Virus Scan 8.0 Firewall Client Rules Windows XP - SP2 - OSHotFix 2499 - OSHotFix 9288 - AV (one of) - Symantec AV 10.1 - McAfee Virus Scan 8.0 - Firewall Production Network Compliant System Windows XP SP2 OSHotFix 2499 OSHotFix 9288 AV – Symantec AV 10.1 Firewall Network Perimeter
9
User-Specific Policies
Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) PDP Guest User Guest Network Internet Only Ken – Faculty Classroom Network Access Policies - Authorized Users - Client Rules Linda – Finance Finance Network Windows XP OSHotFix 9345 OSHotFix 8834 AV – Symantec AV 10.1 Firewall Network Perimeter
10
Policy Enforcement Point (PEP) Policy Decision Point (PDP)
TPM Integrity Check Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) TPM – Trusted Platform Module Hardware module built into most of today’s PCs Enables a hardware Root of Trust Measures critical components during trusted boot PTS interface allows PDP to verify configuration and remediate as necessary PDP Client Rules - BIOS - OS - Drivers - Anti-Virus Software Production Network Compliant System TPM Verified BIOS OS Drivers Anti-Virus Software Network Perimeter
11
TNC Architecture in Detail
Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) (IF-M) (IF-IMC) (IF-IMV) t Collector Collector Integrity Measurement Collectors (IMC) Verifers Verifiers Verifiers (IMV) (IF-PTS) TSS TPM Platform Trust Service (PTS) TNC Client (TNCC) (IF-TNCCS) TNC Server (TNCS) Network Access Requestor Policy Enforcement Point (PEP) (IF-T) (IF-PEP) Network Access Authority
12
TNC Status TNC Architecture and all specs released
Available Since 2006 from TCG web site Rapid Specification Development Continues New Specifications, Enhancements Number of Members and Products Growing Rapidly Compliance and Interoperability Testing and Certification Efforts under way
13
TNC Vendor Support Access Requester (AR)
Policy Enforcement Point (PEP) Policy Decision Point (PDP) Endpoint Supplicant/VPN Client, etc. Network Device FW, Switch, Router, Gateway AAA Server, Radius, Diameter, IIS, etc. 13
14
TNC/NAP/UAC Interoperability
Announced May 21, 2007 by TCG, Microsoft, and Juniper NAP products implement TNC specifications Included in Windows Vista, Windows XP SP 3, and Windows Server 2008 Juniper UAC and NAP can interoperate Demonstrated at Interop Las Vegas 2007 UAC will support IF-TNCCS-SOH in 1H2008 Customer Benefits Easier implementation – can use built-in Windows NAP client Choice and compatibility – through open standards
15
NAP Vendor Support
16
What About Open Source? Several open source implementations of TNC
University of Applied Arts and Sciences in Hannover, Germany (FHH) libtnc OpenSEA 802.1X supplicant FreeRADIUS TCG support for these efforts Liaison Memberships Open source licensing of TNC header files
17
Summary Network Access Control provides
Strong Security and Safety Tight Control Over Network Access Reduced PC Administration Costs Open Standards Clearly Needed for NAC Many, Many Vendors Involved in a NAC System Some Key Benefits of Open Standards Ubiquity, Flexibility, Reduced Cost TNC = Open Standards for NAC Widely Supported – HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc. Can Use TPM to Detect Root Kits TNC: Coming Soon to a Network Near You!
18
For More Information TCG Web Site Juniper UAC Web Site Steve Hanna
Juniper UAC Web Site unified_access_control Steve Hanna Distinguished Engineer, Juniper Networks Co-Chair, Trusted Network Connect Work Group, TCG Co-Chair, Network Endpoint Assessment Working Group, IETF Blog:
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.