Firewall Issues Research Group GGF-15 Oct 4 2005 Boston, Ma Leon Gommans - University of Amsterdam Inder Monga - Nortel Networks.


Trusted Network Connect Architecture and GridFTP Leon Gommans - University of Amsterdam lgommans@science.uva.nl

Content
- Trusted Network Connect (TNC) Architecture
- TNC and GridFTP Garage Door Opener
- Extensible Authentication Protocol (EAP)

Trusted Network Connect Architecture
- Part of Trusted Computing Group (TCG) work (www.trustedcomputinggroup.org)
- Relevant document: TNC Architecture for Interoperability v1.0
- Show / discuss relevance to Grids

TNC Scope and Goals
- Allow networks to enforce policy regarding the security state of endpoints.
- The security state is determined by a set of integrity measurements taken on the endpoint.
- Network access is granted depending on the evaluation of the endpoint's security state.
- TNC defines an architecture for access control and authorization.
- It leverages existing access control mechanisms such as IEEE 802.1X.
- It defines interoperable interfaces using attributes that cover software state, endpoint compliance and platform authentication.

TNC Platform Authentication
Concerns two aspects in the TCG realm:
- Proof of identity, using a non-migratable Attestation Identity Key (see www.trustedcomputinggroup.org/groups/glossary)
- Proof of integrity
One may trust the user (PKI certificate, proxy certificate) and one may trust the connection (SSL, IPsec), but who trusts the platform? Laptops and PDAs move in and out of the enterprise network. Trust for inter-machine communication is established via conformance.

TNC Architecture
Provides a framework to achieve a multi-vendor network standard providing:
- Platform authentication
- Endpoint policy compliance
- Access policy
- Assessment, isolation and remediation

TNC Architecture cont.
[Figure: the three TNC entities, Access Requestor (AR), Policy Enforcement Point (PEP) and Policy Decision Point (PDP), shown across Domain 1, Domain 2 and Domain 3.]

TNC Architecture cont.
[Figure: three layers spanning the three entities AR, PEP and PDP, with the TNC interfaces between them.]
- Integrity Measurement Layer: Integrity Measurement Collectors on the AR talk to Integrity Measurement Verifiers on the PDP over IF-M.
- Integrity Evaluation Layer: the TNC Client on the AR talks to the TNC Server on the PDP over IF-TNCCS. Collectors attach to the TNC Client via IF-IMC; verifiers attach to the TNC Server via IF-IMV.
- Network Access Layer: the Access Requestor (supplicant, VPN client, etc.) reaches the Policy Enforcement Point (802.1X switch / firewall, VPN gateway) over IF-T; the PEP talks to the Network Access Authority (AAA server) over IF-PEP.

Globus XIO
[Figure: an application on top of Globus XIO, which passes I/O through a stack of drivers such as a network protocol driver, a disk driver and a special device driver. Source: The Globus Alliance]

Globus XIO Framework
- Moves the data from the user to the driver stack.
- Manages the interactions between drivers.
- Assists in the creation of drivers.
- Asynchronous support.
- Close and EOF barriers.
- Error checking.
- Internal API for passing operations down the stack.
[Figure: User API on top of the framework, which hands operations down a driver stack of transform drivers, a TNC AR driver and a transport driver. Source: The Globus Alliance]

GridFTP Garage Door Opener
[Figure: an RFT Service drives two GridFTP Servers. Each GridFTP Server is paired with a Garage Door Opener (GDO) acting as TNC Access Requestor (AR), which speaks EAP through the firewall (F/W). IMCs on the AR side: virus check, patch levels, other IMCs. The firewall is the TNC PEP; the TNC PDP runs the IMVs: firewall, application profiles, virus check, patch levels, other IMVs.]

Extensible Authentication Protocol (RFC 3748)
- Reliable peer-to-peer protocol over a data link (PPP, IEEE 802) without requiring IP.
- Used to allow authentication on: dial-in access using PPP; 802.1X port-based switches; 802.11 wireless LANs.
- Purpose: support a flexible dialog between a back-end EAP server and a peer that needs authentication.

EAP cont.

  Peer            Pass-through Authenticator      Authentication Server

+-+-+-+-+-+-+                                     +-+-+-+-+-+-+
|           |                                     |           |
|EAP method |                                     |EAP method |
|     V     |                                     |     ^     |
+-+-+-!-+-+-+   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   +-+-+-!-+-+-+
|     !     |   |EAP  | EAP  |                |   |     !     |
|     !     |   |Peer | Auth.|   EAP Auth.    |   |     !     |
|EAP  ! peer|   |     |      +----------------+   |EAP  !Auth.|
|     !     |   |     |  !   |       !        |   |     !     |
+-+-+-!-+-+-+   +-+-+-+-+-!-+-+-+-+-+-!-+-+-+-+   +-+-+-!-+-+-+
|     !     |   |        !     |     !        |   |     !     |
|EAP  !layer|   |   EAP  !layer|EAP  !layer   |   |EAP  !layer|
|     !     |   |        !     |     !        |   |     !     |
|Lower!layer|   |  Lower !layer|AAA  ! /IP    |   | AAA ! /IP |
|     !     |   |        !     |     !        |   |     !     |
+-+-+-!-+-+-+   +-+-+-+-+-!-+-+-+-+-+-!-+-+-+-+   +-+-+-!-+-+-+
      !                  !           !                  !
      !                  !           !                  !
      +-------->---------+           +--------->--------+

Pass-through Authenticator (figure from RFC 3748)
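As an added example (not from the slides), the RFC 3748 packet layout used on the previous two slides and the one check the pass-through authenticator in the figure can make at its EAP layer, matching a Response's Identifier to the outstanding Request, in Python. The Identifier value 7 and the identity string are constructed.

```python
import struct

# RFC 3748 section 4: Code values; section 5.1: Identity method Type
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1

def build(code, identifier, type_=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse(buf):
    """Decode an EAP packet; None for anything RFC 3748 4.1 says to silently discard."""
    if len(buf) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf) or code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        return None                 # Length beyond the received bytes, or bad Code
    body = buf[4:length]            # bytes past Length are padding and are ignored
    if code in (REQUEST, RESPONSE):
        if not body:
            return None             # Request/Response must carry a Type octet
        return {"code": code, "id": ident, "type": body[0], "data": body[1:]}
    return {"code": code, "id": ident}

class PassThroughAuthenticator:
    """Relays EAP; having only an EAP layer it checks Identifiers and treats method data as opaque."""
    def __init__(self):
        self.outstanding = None     # Identifier of the Request currently in flight
    def from_server(self, pkt):
        p = parse(pkt)
        if p and p["code"] == REQUEST:
            self.outstanding = p["id"]
        return pkt                  # forwarded unchanged to the peer over the lower layer
    def from_peer(self, pkt):
        p = parse(pkt)
        # A Response whose Identifier does not match the outstanding Request
        # is discarded (RFC 3748 section 4.1); anything else goes to the AAA server.
        if p is None or p["code"] != RESPONSE or p["id"] != self.outstanding:
            return None
        return pkt

def identity_exchange(identity, response_id=None):
    """Request/Identity -> Response/Identity -> Success; response_id forces a stale Identifier."""
    auth = PassThroughAuthenticator()
    req = auth.from_server(build(REQUEST, 7, TYPE_IDENTITY))      # constructed Identifier
    rid = parse(req)["id"] if response_id is None else response_id
    resp = auth.from_peer(build(RESPONSE, rid, TYPE_IDENTITY, identity))
    return None if resp is None else build(SUCCESS, parse(resp)["id"])
```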

Conclusions
- The TNC Architecture seems worthwhile; follow its progress.
- Use of EAP as IF-T is a recommendation. Firewall vendor support?
- UvA and ANL will work on a prototype implementation.
- A functional design is expected by the next GGF.