draft-fitzgeraldmckay-sacm-endpointcompliance-00

Slides:



Advertisements
Similar presentations
Towards Usage Control Models: Beyond Traditional Access Control 7 th SACMAT, June 3, 2002 Jaehong Park and Ravi Sandhu Laboratory for Information Security.
Advertisements

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.
1Copyright © 2010, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary December 2010 Irvine, CA – PWG Meeting Ira McDonald (High.
1Copyright © 2011, Printer Working Group. All rights reserved. PWG Plenary TCG Activity Summary May 2011 Webster, NY – PWG Meeting Ira McDonald (High North.
Fujitsu Laboratories of Europe © 2004 What is a (Grid) Resource? Dr. David Snelling Fujitsu Laboratories of Europe W3C TAG - Edinburgh September 20, 2005.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
SACM Terminology Nancy Cam-Winget, David Waltermire, March.
TCG Confidential Copyright© 2005 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 TNC EAP IETF EAP.
Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Putting Trust into the Network: Securing.
IETF NEA WG (NEA = Network Endpoint Assessment) Chairs:Steve Hanna, Susan Thomson,
Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
CORDRA Philip V.W. Dodds March The “Problem Space” The SCORM framework specifies how to develop and deploy content objects that can be shared and.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
SACM Information Model. Current Status First WG draft posted 10/24 Many open issues remain Several comments / suggestions sent to WG for review Today.
Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect.
TNC Endpoint Compliance and Network Access Control Profiles TCG Members Meeting June 2014 Barcelona Prof. Andreas Steffen Institute for Internet Technologies.
Network Access Control for Education
FIORANO FOR SAAS.  Fiorano addresses the need for integration technology that bridge the gap between SaaS providers and Consumers.  Fiorano enables.
Lecture 9: Chapter 9 Architectural Design
Introduction GOALS:  To improve the Quality of Service (QoS) for the JBI platform and endpoints  E.g., latency, fault tolerance, scalability, graceful.
1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.
A semi autonomic infrastructure to manage non functional properties of a service Pierre de Leusse Panos Periorellis Paul Watson Theo Dimitrakos UK e-Science.
July 27, 2009IETF NEA Meeting1 NEA Working Group IETF 75 Co-chairs: Steve Hanna
AUTHORS: MIKE P. PAPAZOGLOU WILLEM-JAN VAN DEN HEUVEL PRESENTED BY: MARGARETA VAMOS Service oriented architectures: approaches, technologies and research.
SACM Requirements Nancy Cam-Winget March 2014.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
1 IF-MAP: Open Standards for Coordinating Security Presentation for SAAG IETF 72, July 31, 2008 Steve Hanna
NEA Requirement I-D IETF 68 – Prague Paul Sangster Symantec Corporation.
NEA Requirements Update -06 version summary. Posture Transport Considerations Issue –Ability of existing protocols used for network access to meet requirements.
March 2004 At A Glance NASA’s GSFC GMSEC architecture provides a scalable, extensible ground and flight system approach for future missions. Benefits Simplifies.
Mutual Network Endpoint Assessment Jiwei Wei Han Yin Ke Jia IETF
NEA Working Group IETF meeting July 27, Co-chairs: Steve Hanna
Dec 5, 2007NEA Working Group1 NEA Requirement I-D IETF 70 – Vancouver Mahalingam Mani Avaya Inc.
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)
NEA Working Group IETF meeting July 27, 2011 Jul 27, 2011IETF 81 - NEA Meeting1.
UCI Large-Scale Collection of Application Usage Data to Inform Software Development David M. Hilbert David F. Redmiles Information and Computer Science.
Cyberinfrastructure Overview of Demos Townsville, AU 28 – 31 March 2006 CREON/GLEON.
Asset Summary Reporting draft-davidson-sacm-asr-00 David Waltermire
Continuous Assessment Protocols for SACM draft-hanna-sacm-assessment-protocols-00.txt November 5, 20121IETF 85 - SACM Meeting.
SACM Vulnerability Assessment Scenario IETF 95 04/05/2016.
Copyright © 2009 Trusted Computing Group An Introduction to Federated TNC Josh Howlett, JANET(UK) 11 June, 2009.
Prof. Andreas Steffen Institute for Networked Solutions
Internet of Things Approach to Cloud-Based Smart Car Parking
May 12, 2015 Dan Romascanu Adam Montville
Firewall Issues Research Group GGF-15 Oct Boston, Ma Leon Gommans - University of Amsterdam Inder Monga - Nortel Networks.
SACM Virtual Interim Meeting
Proposed SACM Architecture
Mutual Attestation of IoT Devices Connect Security World September 2016 Marseille Prof. Andreas Steffen Institute for Internet Technologies and Applications.
Module 8: Securing Network Traffic by Using IPSec and Certificates
Mutual Attestation of IoT Devices and TPM 2
Introduction to OVAL to SACM Info Model Paper
Nancy Cam-Winget June 2015 SACM Requirements Nancy Cam-Winget June 2015.
Network Services Interface
SACM Virtual Interim Meeting
#01 Client/Server Computing
Deploying CIM to Bridge the Modeling Gap Between Operations and Planning Mike usa.siemens.com/digitalgrid unrestricted © Siemens AG 2017.
Debashish Purkayastha, Dirk Trossen, Akbar Rahman
Distributed Systems Bina Ramamurthy 11/30/2018 B.Ramamurthy.
Working Group Draft for TCPCLv4
Distributed Systems Bina Ramamurthy 12/2/2018 B.Ramamurthy.
Antonio Pastor Diego R. López Adrian Shaw
SAMANVITHA RAMAYANAM 18TH FEBRUARY 2010 CPE 691
Module 8: Securing Network Traffic by Using IPSec and Certificates
Introduction to Web Services
Resource and Service Management on the Grid
Monitoring Biodiversity in Protected and
#01 Client/Server Computing
Henk Birkholz Jarret Lu Nancy Cam-Winget
Presentation transcript:

draft-fitzgeraldmckay-sacm-endpointcompliance-00

Quick note about IPR There are intellectual property rights considerations associated with the Trusted Computing Group (TCG) Trusted Network Connect (TNC) specifications In the past, the TCG has been willing to donate their specification to the IETF It is important to note that the Trusted Computing Group (TCG) Trusted Network Connect (TNC) specifications has intellectual property rights (IPR) associated with them. As a result, these IPR considerations will need to be resolved prior to any specifications being submitted to the IETF. As a result, this Internet-Draft is informative in nature. With that said, in the past, the TCG has been willing to work with the IETF and contribute their specifications.

TNC Architecture Policy Enforcement Point Policy Decision Access Requestor Verifiers t Collector Integrity Measurement Collectors (IMC) Verifiers (IMV) IF-M IF-IMC IF-IMV TSS TPM Platform Trust Service (PTS) IF-PTS TNC Server (TNCS) TNC Client (TNCC) IF-TNCCS Network Access Requestor Policy Enforcement Point (PEP) Network Access Authority IF-T IF-PEP This represents the basic TNC architecture. Note that interfaces run both horizontally (between different endpoints) as well as vertically (connecting components within a single endpoint) http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications

TNC Architecture PA-TNC PB-TNC PT-TLS PT-EAP Policy Enforcement Point Policy Decision Point Access Requestor PA-TNC Verifiers t Collector Integrity Measurement Collectors (IMC) Verifiers (IMV) IF-M IF-IMC IF-IMV TSS TPM Platform Trust Service (PTS) IF-PTS PB-TNC TNC Server (TNCS) TNC Client (TNCC) IF-TNCCS PT-TLS PT-EAP Network Access Requestor Policy Enforcement Point (PEP) Network Access Authority IF-T IF-PEP The NEA workgroup took three of the horizontal interfaces and developed compatible IETF interfaces for them http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications

Posture Transport Client Posture Transport Server TNC Architecture Policy Enforcement Point NEA Client NEA Server PA-TNC Verifiers t Collector Integrity Measurement Collectors (IMC) Verifiers (IMV) IF-M IF-IMC IF-IMV Posture Collectors Posture Validators TSS TPM Platform Trust Service (PTS) IF-PTS PB-TNC TNC Server (TNCS) TNC Client (TNCC) IF-TNCCS Posture Broker Client Posture Broker Server PT-TLS PT-EAP Network Access Requestor Policy Enforcement Point (PEP) Network Access Authority IF-T IF-PEP Posture Transport Client Posture Transport Server It also defined NEA components compatible with the TNC components http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications

The TNC Architecture provides the following capabilities for SACM Collection of posture attributes from an endpoint Evaluation of posture attributes against network policy or guidance A secure channel for exchanging of posture assessment information

TNC Architecture in SACM Policy Enforcement Point NEA Client NEA Server Secure Exchange of Posture Assessment Information Between Providers and Consumers SACM Evaluator (Provider/Consumer) PA-TNC Verifiers t Collector Integrity Measurement Collectors (IMC) Verifiers (IMV) IF-M IF-IMC IF-IMV Posture Collectors Posture Validators TSS TPM Platform Trust Service (PTS) IF-PTS PB-TNC TNC Server (TNCS) TNC Client (TNCC) IF-TNCCS Posture Broker Client Posture Broker Server PT-TLS PT-EAP SACM Internal Collector (Provider/Consumer) SACM Controllers Network Access Requestor Policy Enforcement Point (PEP) Network Access Authority IF-T IF-PEP Posture Transport Client Posture Transport Server This shows how the NEA components, compatible with the TNC Architecture, map to the SACM Architecture. In the SACM Architecture, NEA Posture Collectors are SACM Internal Collectors which can be either Posture Assessment Information Consumers (Cs) or Posture Assessment Information Providers (P). NEA Posture Validators are SACM Evaluators which can also be Posture Assessment Information Consumers (Cs) or Posture Assessment Information Providers (P) depending on the context in which they are used. The NEA Posture Broker Client and Posture Broker Server both facilitate the sharing of information between the client and server and provider Controller (Cr) capabilities. Lastly, the PA-TNC, PB-TNC, and PT-TLS/PT-EAP protocols provide management capabilities and a secure communication channel between Posture Assessment Providers and Posture Assessment Consumers in which to exchange Posture Assessment Information. http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications

Still many places where additional standardization could be helpful Standardize intra-endpoint/inter-component interfaces Standardize collections and transmission of specific types of attributes Standardize bootstrap activities

TNC has standards towards these ends Standardize intra-endpoint/inter-component interfaces IF-IMC – standard interface between IMC (Posture Collector) and TNCC (Posture Broker Client) IF-IMV – standard interface between IMV (Posture Verifier) and TNCS (Posture Broker Server) Standardize collections and transmission of specific types of attributes SWID Message and Attributes for IF-M – standard behaviors for exposing endpoint SWID tag collection Standardize bootstrap activities Server Discovery and Validation – located and verify appropriate TNC (NEA) Servers

Why pull standards from TNC? xkcd: ©2011 Randal Munroe We want to avoid this!

Why pull standards from TNC? TNC already defines many parts of a security automation solution Solution is aligned with NEA… … which is aligned with SACM We don’t want to (or need to) re-invent wheels With TNC’s permission, we can extend relevant TNC specs to meet SACM needs Unification rather than bifurcation The running code is there – use what has been proven to work and fix what doesn’t There is prior art here. TNC’s security automation solution has existed for many years and been implemented in multiple tools. NEA already agreed on the utility and created a unification spec with TNC’s blessing – the NEA specs are compatible with TNC while moving the relevant capabilities forward. TNC has agreed that future evolution of the relevant standards should happen in IETF. IETF NEA codified useful standards without re-inventing TNC’s solution. Instead, the two development paths (IETF and TNC) are now unified. SACM already closely aligns with NEA. It makes sense, as SACM develops a larger security automation/continuous monitoring solution to continue on a path of unification when the opportunity exists to incorporate useful, demonstrated standards.

Proposal Request TNC submit relevant standards to SACM TNC membership appears to be receptive Within SACM, adapt the TNC standards to support aligned SACM requirements But retain compatibility with TNC to the extent appropriate Result will be significant progress towards the standards needed by the SACM architecture while unifying (rather than further bifurcating) practices

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.