Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect Briefing.

Published byOpal Madlyn Stevens Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect Briefing."— Presentation transcript:

1 Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect Briefing for TF-Mobility February 6, 2008

2 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #2 Trusted Network Connect (TNC) Open Architecture for Network Access Control –Strong security through trusted computing Open Standards for Network Access Control –Full set of specifications –Products shipping today Work Group of Trusted Computing Group –Industry standards group –Over 75 member companies participating –More joining every week

3 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #3 Problem: Reduce Endpoint Attacks Increasingly Sophisticated and Serious Attacks –Malware = Viruses, Worms, Spyware, Rootkits, Back Doors, Botnets –Zero-Day Exploits –Targeted Attacks –Rapid Infection Speed Exponential Growth in Malware –>40,000,000 Infected Machines –>35,000 Malware Varieties Motivated Attackers –Extortion, Identity Theft, Bank Fraud, Corporate Espionage Dissolving Network Boundaries –Mobile workforce, increasing collaboration Regulatory Requirements –Mandatory Policy Compliance

4 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #4 Solution: Network Access Control Create Network Access Control Policy Require Compliance for Network Access (or Log and Advise) Isolate and Repair Non-Compliant Endpoints Integrate with TPM to –Identify Users –Thwart Root Kits

5 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #5 Sample Network Access Control Policy Machine Health –Anti-Virus software running and properly configured –Recent scan shows no malware –Personal Firewall running and properly configured –Patches up-to-date –No unauthorized software Machine Behavior –No port scanning, sending spam, etc. Other Organization-Defined Requirements

6 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #6 TNC Architecture VPN

7 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #7 Typical TNC Deployments Uniform Corporate Policy User-Specific Policies TPM Integrity Check

8 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #8 Single Policy Compliant System Windows XP SP2 OSHotFix 2499 OSHotFix 9288 AV - Symantec AV 10.1 Firewall Non-compliant System Windows XP SP2 x OSHotFix 2499 x OSHotFix 9288 AV - McAfee Virus Scan 8.0 Firewall Corporate Network Remediation Network Access Requestor Policy Decision Point Policy Enforcement Point Client Rules Windows XP SP2 OSHotFix 2499 OSHotFix 9288 AV (one of) Symantec AV 10.1 McAfee Virus Scan 8.0 Firewall

9 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #9 User-Specific Policies Ken – R&D Guest User Access Requestor Policy Decision Point Policy Enforcement Point Finance Network R&D Network Linda – Finance Windows XP OS Hotfix 9345 OS Hotfix 8834 AV - Symantec AV 10.1 Firewall Guest Network Internet Only Access Policies Authorized Users Client Rules

10 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #10 TPM Integrity Check Compliant System TPM verified BIOS OS Drivers Anti-Virus SW Corp LAN Access RequestorPolicy Decision Point Policy Enforcement Point Client Rules TPM enabled BIOS OS Drivers Anti-Virus SW TPM – Trusted Platform Module HW module built into most of today’s PCs Enables a HW Root of Trust Measures critical components during trusted boot PTS interface allows PDP to verify configuration and remediate as necessary

11 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #11 TNC Architecture Policy Decision Point Policy Enforcement Point Access Requestor Verifiers t Collector Integrity Measurement Collectors (IMC) Integrity Measurement Verifiers (IMV) IF-M IF-IMCIF-IMV Network Access Requestor Policy Enforcement Point (PEP) Network Access Authority IF-T IF-PEP TNC Server (TNCS) TNC Client (TNCC) IF-TNCCS TSS TPM Platform Trust Service (PTS) IF-PTS

12 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #12 Trusted Platform Module (TPM) Security hardware on motherboard –Open specifications from TCG –Resists tampering & software attacks Now included in almost all enterprise PCs –Off by default Features –Secure key storage –Cryptographic functions –Integrity checking & remote attestation Applications –Strong authentication –Secure storage –Trusted / secure boot For TNC, most useful for detecting rootkits –Protects again the ‘lying endpoint’ problem –TPM measures critical components during trusted boot BIOS, Boot Loader, OS Kernel, Kernel Drivers, TNCC, IMCs –PTS-IMC reports measurements via TNC handshake –PDP checks measurements against valid configurations –If Invalid, PDP can remediate and isolate

13 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #13 TNC Vendor Support Endpoint Supplicant/VPN Client, etc. Network Device FW, Switch, Router, Gateway Access Requestor Policy Decision Point Policy Enforcement Point AAA Server, Radius, Diameter, IIS, etc

14 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #14 Microsoft NAP Interoperability IF-TNCCS-SOH Standard –Developed by Microsoft as Statement of Health (SoH) protocol –Donated to TCG by Microsoft –Adopted by TCG and published as a new TNC standard, IF-TNCCS-SOH Enables Client-Server Interoperability between NAP and TNC –NAP servers can health check TNC clients without extra software –NAP clients can be health checked by TNC servers without extra software –As long as all parties implement the open IF-TNCCS-SOH standard Availability –Demonstrations at Interop Las Vegas 2007 (May 2007) –Built into Windows Vista now –Coming in Windows Server 2008 and Windows XP SP 3 –Coming in products from other TNC vendors in 1H 2008 Implications –Finally, an agreed-upon open standard client-server NAC protocol –True client-server interoperability (like web browsers and servers) is here –Industry (except Cisco) has agreed on TNC standards for NAC NAP or TNC Server NAP or TNC Client IF-TNCCS-SOH Switches, APs, Appliances, Servers, etc.

15 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #15 Microsoft NAP Partners (now TNC)

16 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #16 TNC Advantages Open standards –Non-proprietary – Supports multi-vendor compatibility –Interoperability –Enables customer choice –Allows thorough and open technical review Leverages existing network infrastructure –Excellent Return-on-Investment (ROI) Roadmap for the future –Full suite of standards –Supports Trusted Platform Module (TPM) Products supporting TNC standards shipping today TNC certification and compliance program coming soon

17 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #17 What About Open Source? Lots of open source support for TNC –University of Applied Arts and Sciences in Hannover, Germany (FHH) http://tnc.inform.fh-hannover.de –libtnc https://sourceforge.net/projects/libtnc –OpenSEA 802.1X supplicant http://whttp://www.openseaalliance.org TCG support for these efforts –Liaison Memberships –Open source licensing of TNC header files Information about TNC implementations available at http://www.opus1.com/nac http://www.opus1.com/nac

18 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #18 What’s Next for Network Security? Agree on TNC Standards with ALL Parties Universal Endpoint Support for NAC –Phones, PDAs, Printers, Cameras, etc. –Built-in Agent, Permanent Agent, Downloaded Agent, or No Agent Extend Integration of Endpoint Security and Network Security –Today (NAC) Endpoint Security (anti-malware, patch management, etc.) AAA / Identity Management Switches, Wireless APs & Management Systems (802.1X or not) Other Enforcement Mechanisms –Next Step for Integration Intrusion Detection / Prevention Vulnerability Scanning Firewalls (Stateful & Stateless) VPN Gateways (SSL & IPsec) Any Security Component

19 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #19 ECAM/eduroam and TNC (tech) Good fit between TNC and DAMe –TNC exchange through tunneled EAP method –Handle provided in Access-Accept –SAML AttributeQuery for assessment summary and/or details PA/IF-M Request Attributes? –Optional evaluation against Attribute Release Policy –SAML AttributeStatement with assessment summary and/or details PA/IF-M Posture Attributes or PB/IF-TNCCS Assessment Results Also interest in integrating application and network SSO And interest in integrating network security components Josh Howlett - TCG Invited Expert

20 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #20 ECAM/eduroam and TNC (non-tech) TCG TNC process under NDA with mandatory RAND cross- licensing of necessary patent claims –Membership fees waived for Invited Experts with TCG Board approval Invited Experts from edu –Josh Howlett, JANET (UK) –Chris Misra, UMass Amherst and MACE –More welcome Collaboration options –Invited Experts participate in TNC efforts –TNC folks participate in ECAM/eduroam efforts –Friendly collaboration between TNC and ECAM/eduroam

21 Copyright© 2005-2007 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #21 For More Information TNC Web Site https://www.trustedcomputinggroup.org/groups/network TNC Co-Chairs Steve Hanna Distinguished Engineer, Juniper Networks shanna@juniper.net Paul Sangster Chief Security Standards Officer, Symantec Paul_Sangster@symantec.com

Download ppt "Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Trusted Network Connect Briefing."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.

Selecting the Right Network Access Protection (NAP) Architecture Infrastructure Planning and Design Published: June 2008 Updated: November 2011.
Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.

Network Access Protection & Network Admission Control March 10, 2005 Teerapol Tuanpusa Network Consultant Cisco Systems Thailand Jirat Boomuang Technology.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.

Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.

TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.
Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.

Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.
Agenda Introduction Network Access Protection platform architecture

Agenda Introduction Network Access Protection platform architecture
Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.

Providing 802.1X Enforcement For Network Access Protection Mudit Goel Development Manager Windows Enterprise Networking Microsoft Corporation.
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.

Network Access Protection Platform Architecture Joseph Davies Technical writer Windows Networking and Device Technologies Microsoft Corporation.
Interop Labs Network Access Control Interop Las Vegas 2006 Karen O’Donoghue.

Interop Labs Network Access Control Interop Las Vegas 2006 Karen O’Donoghue.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Information Security in Real Business

Information Security in Real Business
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S09761197.

Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S

Similar presentations

Ads by Google