
Tightening the Network: Network Access Control Deployment and Applications

Paul Sangster, Co-Chair TNC Working Group, Distinguished Engineer, Symantec Corporation. Agenda: Problem Space; Network Access Control; Trusted Network Connect; Architecture; Participants; Usage example.


Presentation Transcript


  1. Tightening the Network: Network Access Control Deployment and Applications
     Paul Sangster, Co-Chair TNC Working Group, Distinguished Engineer, Symantec Corporation

  2. Agenda
     • Problem Space
     • Network Access Control
     • Trusted Network Connect
     • Architecture
     • Participants
     • Usage example
     • Integration with security hardware

  3. Malware Infecting Network
     • Malware includes: viruses, worms, spyware, adware, …
     • Detection and prevention difficult
       • Good security protections available (AV, firewalls…)
       • Malware constantly evolving, so must security protection
       • Challenging to keep up to date
       • Many security protections not in use
     • Spread of Malware serious cost
       • IT costs, reputation, downtime, lost productivity…
     • Many network entry points for Malware
       • Carried on mobile devices
       • Embedded in other objects

  4. Identity-based Network Access
     • Today, access to network restricted by Identity
       • Identity established via re-usable credentials (password)
       • Malware on system can steal credentials
     • No check for system integrity before access
       • Use of malware protection, firewalls, proper patches
       • Presence of malware
     • Result: Even authorized people introduce malware to network

  5. Need Automated Checking
     • Automated Integrity Compliance Checks
       • Before being given access to the network
       • While present on network
     • Remediation support for non-compliant
     • Multi-vendor ecosystem
     • Centralized management
     • Integrated with existing Identity-based controls
       • Allow certain individuals/roles more flexibility
     • Role of Network Access Control (NAC)

  6. General Model
     • NAC Software on Endpoint Device
       • Collects integrity information about state of system
         • Includes: vendor, version, patch level, configuration, …
       • Reports on requested state of system
       • Optionally leverage security hardware (TPM)
     • Central Compliance Decision Point
       • Requests integrity information (policy driven)
       • Compares integrity information to compliance policy
       • Decides on network access level
       • Notifies network infrastructure of level of access granted
       • May request remediation

  7. Trusted Network Connect (TNC)
     • Working group within Trusted Computing Group (TCG)
     • Creating open, multi-vendor NAC standards
     • Open NAC Architecture
       • Documented API and protocol interfaces
     • Open NAC Standards
       • Free download from TCG web site

  8. Basic TNC Architecture

  9. TNC Standards (diagram; key: APIs, Network Protocols, Future)

  10. Example TNC Policy
     • Endpoint MUST have …
       • Up to date OS and application patches
       • IT-defined password policy settings
       • Anti-virus enabled and up to date
     • If not,
       • Quarantine and remediate
     • Except guests,
       • Who just get Internet access
     • Policy applied from central PDPs
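The decision step of the General Model (slide 6) applied to the policy on this slide, as an added example that is not code from the presentation, TCG or Symantec: the compliance decision point checks one endpoint's integrity report against the three requirements, quarantines non-compliant endpoints with a remediation list, and gives guests Internet-only access. The report field names and the concrete policy values are assumptions.

```python
"""Compliance decision point modelled on the example TNC policy above.

Added illustration, not TCG or Symantec code. The report fields and the
policy values (patch baseline, password length, 7-day definition age)
are constructed assumptions standing in for IT-defined policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

REQUIRED_PATCH_LEVEL = 42          # assumed IT-published patch baseline
REQUIRED_PASSWORD_MIN_LENGTH = 12  # assumed IT-defined password setting
MAX_AV_DEFINITION_AGE = timedelta(days=7)
TODAY = date(2006, 8, 15)          # constructed evaluation date

@dataclass
class Decision:
    access: str                    # "full", "quarantine" or "internet"
    remediation: list = field(default_factory=list)

def evaluate(report: dict, role: str, today: date = TODAY) -> Decision:
    """Decide network access for one endpoint integrity report.

    `report` holds what the endpoint's collectors (IMCs) measured;
    `role` comes from the existing identity-based check.
    """
    # Guests skip the compliance check and get Internet-only access.
    if role == "guest":
        return Decision("internet")
    failures = []
    if report.get("patch_level", 0) < REQUIRED_PATCH_LEVEL:
        failures.append("install OS/application patches to baseline")
    if report.get("password_min_length", 0) < REQUIRED_PASSWORD_MIN_LENGTH:
        failures.append("apply IT password policy settings")
    if not report.get("av_enabled", False):
        failures.append("enable anti-virus")
    elif today - report.get("av_definition_date", date.min) > MAX_AV_DEFINITION_AGE:
        failures.append("update anti-virus definitions")
    # Non-compliant endpoints are quarantined with the fixes they need.
    if failures:
        return Decision("quarantine", failures)
    return Decision("full")

# Constructed sample reports from two endpoints.
COMPLIANT_REPORT = {"patch_level": 42, "password_min_length": 12,
                    "av_enabled": True, "av_definition_date": date(2006, 8, 10)}
STALE_AV_REPORT = dict(COMPLIANT_REPORT, av_definition_date=date(2006, 7, 1))
```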

  11. Example Flows (diagram; labels recovered from the figure)
     • Components: Patch Level IMC, Anti-Virus IMC, Patch Level IMV, Anti-Virus IMV, TNCC, TNCS, NAR, PEP, NAA
     • Measurements: Password Policy Settings, Patch Level, AntiVirus Version, Definition File Date
     • Outcomes: QUARANTINE, REMEDIATION

  12. TNC Ecosystem – August 2006

  13. Protecting the TNC Client
     • How can the PDP be sure the TNC client is accurately reporting its state?
     • TNC client needs protection from malware
       • Malware could trick the client into reporting incorrect information
       • Malware could act as a measurement collector (IMC)
     • Answer: base security on hardware-rooted security mechanisms isolated from malware

  14. TPM as Root for TNC Security
     • Trusted Platform Module (TPM)
       • Hardware security module found on 10M+ systems
       • Includes cryptography engines (RSA, SHA-1) and key storage
       • Non-resettable registers
         • Store aggregated fingerprints of SW/Configs
         • Create digital signature of register contents as basis for a report
     • Platform Trust Service (PTS)
       • TCG specified software capable of creating Integrity Report
       • Integrity Report can include:
         • Signed manifest of software running on system
         • TPM signed set of registers corresponding to manifest details
     • TNC Client can leverage PTS to report on its integrity and other software running on system
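How the register-plus-manifest report on this slide lets a verifier detect the tampered client described on slide 13, as an added example that is not code from the presentation or from TCG: the register accumulates SHA-1 fingerprints of each loaded component, the verifier replays the manifest to recompute the expected value, and a client whose collector was replaced cannot make the signed register match an honest manifest. The extend construction, component names and contents are assumptions; signature checking on the register is assumed done beforehand.

```python
"""Verifying a TPM-style register against a software manifest.

Added illustration, not TCG PTS code. It models the slide's
non-resettable registers: each measured component is hashed and folded
into the register with SHA-1 (the engine named on the slide), so the
register value depends on every component and the order it loaded in.
Component names and contents are constructed.
"""
import hashlib

def extend(register: bytes, measurement: bytes) -> bytes:
    """One TPM-style extend: new = SHA-1(old || SHA-1(measurement))."""
    return hashlib.sha1(register + hashlib.sha1(measurement).digest()).digest()

def register_from_manifest(manifest: list) -> bytes:
    """Replay a manifest (list of (name, contents)) from the reset state."""
    register = bytes(20)  # 20 zero bytes: the register's value after reset
    for _name, contents in manifest:
        register = extend(register, contents)
    return register

def verify_integrity_report(manifest: list, reported_register: bytes) -> bool:
    """Verifier side: recompute the register from the manifest and compare.

    Assumes the caller already checked the TPM signature over
    reported_register, which is what binds the value to the hardware.
    """
    return register_from_manifest(manifest) == reported_register

# Constructed endpoint: what the PTS measured as the TNC client and its
# collectors loaded, and the register value the TPM would sign for it.
HONEST_MANIFEST = [
    ("tnc-client", b"tnc client binary v1.0"),
    ("patch-level-imc", b"patch collector v1.0"),
    ("anti-virus-imc", b"antivirus collector v1.0"),
]
SIGNED_REGISTER = register_from_manifest(HONEST_MANIFEST)

# The case from slide 13: malware replaced the anti-virus collector. The
# TPM register reflects what really loaded, so a report that still sends
# the honest manifest no longer matches the signed register value.
TAMPERED_MANIFEST = HONEST_MANIFEST[:2] + [("anti-virus-imc", b"replaced collector")]
TAMPERED_REGISTER = register_from_manifest(TAMPERED_MANIFEST)
```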

  15. For More Information
     • TCG Web Site: https://www.trustedcomputinggroup.org
     • TNC Web Site: https://www.trustedcomputinggroup.org/groups/network

  16. Questions?
