Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners.

Slide #1: Putting Trust into the Network: Securing Your Network through Trusted Access Control
Ned Smith, Intel
NCAC, April 27th, 2005

Slide #2: Agenda
TCG Model for Trusted Computing
Establishing Endpoint Integrity / Identity
Access Control Decisions Based on TPM
Relating XACML with TCG Integrity Schema

Slide #3: Challenges of Trusted Computing
Assurance of safe computing environments
– Viruses, Worms, Rootkits, Spyware, Adware etc.
– Identifying the endpoint is ambiguous
The endpoint has a distinct boundary
– Controllers, busses, networks and peripherals associated with a platform
Authentication protocols presume authorization tokens are bound to the endpoint
Control of resources in foreign environments
– Infosec policy associated with data as it moves through different computing environments
– The environment must follow the policy

Slide #4: TCG Model of a Trusted Computing Platform (diagram)
Labels: Trusted Engine; Measurement Engine; Storage Engine; Verification Engine; Reporting Engine; Enforcement Engine; Policies; Metrics; Protection Domain; Layer Resources; Layer Services; Provided Services; Dependent Services

Slide #5: Examples
Secure Boot
– A secure boot service implements Measurement and Reporting engines integrated with a Verification engine
– The Verification engine evaluates measurements according to a policy to determine proper boot sequence
– If the sequence is in error, an Enforcement engine is employed to terminate the boot process
Trusted Boot
– Trusted boot service implements Measurement and Storage engines following the boot sequence
– A Verification engine on a remote node (network server) evaluates the boot sequence at a later time

Slide #6: Decomposition for Network Access Control (diagram)
Access Requestor Domain: Measurement Engine, Storage Engine, Reporting Engine; Measurement; Attestation
PDP Domain: Verification Engine, Policies, Metrics; Access Control
PEP Domain: Enforcement Engine; Apply Access
Flow labels: Access Request; Network Connect

Slide #7: How to Define the Endpoint?
Authentication tokens
– Keys, pass-phrases, certificates etc.
Boot sequence
Device enumeration
Software install / load
Running processes / threads
Manufacturer intrinsic attributes
– Model, version, quality metrics

Slide #8: Three Vectors of Endpoint Integrity / Identity
Measurement
– Hash of software/firmware captures platform state
Controllers and processors are enumerated and measured
Executing code may be scanned to determine its present state
Cryptographic Identity
– Authentication keys
Reporting Engines use cryptographic keys to authenticate the reporting engine, which by extension identifies the platform
Origin Identity
– MMV
Each component (device, platform, software package) can be identified by its Manufacturer, Model and Version (MMV)
Credentials issued by manufacturers contain MMV intrinsic assertions
– Reference Measurements
Manufacturer provided signatures

Slide #9: Example: Pre-Boot Integrity Measurement Collection (diagram)
The TPM holds the Hash of Extended Values; a Log of Extended Values is kept alongside it
Measure = Hash of code or data
Execute = Code is loaded into CPU

Slide #10: Platform Configuration Registers (PCRs)
Stores cumulative configuration
Update is an Extend operation:
– [PCR] = SHA-1 {[PCR] + Extend value}
– Value: It is infeasible to calculate the value A such that:
– PCRdesiredValue = Extend (A)
PCRs re-initialized at system reset
– TPM_Init
Measurement Log contains

Slide #11: Collecting Measurements After System Boot
A Platform Trust Service (PTS) can be used to Measure Applications
– Files
Read files from disk; compute a measurement
– Processes
Ring 3 – DLL injection to read another process's memory
Ring 0 – Access pages in memory / DMA accesses

Slide #12: Example Platform Trust Service
Integrity of the PTS is established
– Pre-boot by measuring PTS drivers included in OS image
– Post-boot by measuring PTS process memory pages
PTS may measure processes and files
– Determined by policy – e.g. protect integrity reporting infrastructure
– Triggered by request – e.g. measure before connecting to the network

Slide #13: TCG Model for Exchanging Integrity Data
IF-IMC & IF-IMV exchange messages containing posture information
– Messages are batched for delivery by TNCC / TNCS
– Either side may start a batched exchange
– IMCs and IMVs may subscribe to multiple message types
– Follow-on exchanges may continue indefinitely, but may be gated by the underlying transport
Diagram: on the Access Requestor, the TNC Client hosts the Anti-Virus, Firewall, Patch Mgmt and TNC Integrity Collectors; on the Policy Decision Point, the TNC Server hosts the matching Anti-Virus, Firewall, Patch Mgmt and TNC Integrity Verifiers. Batches travel between them over a tunnel, and each verifier reports a status of OK or !OK.
The TNC Server Makes the Final Decision

Slide #14: Evaluation of Integrity Reports
Integrity Reports ought to be shadowed by a Reference Value
– Reference values
“Normal” boot sequence will have repeatable PCR values
Versioning “freezes” code changes so hash values don’t change
– Authentication keys have trust anchors
– Watchdogs have a schedule of expected events
Reference Values Should Come from an Authoritative Source
– Manufacturer – to detect modification due to stolen source
– Evaluation labs – who make assertions of quality and conformance
– Platform Owner – the entity taking the risk!
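The PCR Extend operation of slide 10, the log of extended values of slide 9 and the reference-value comparison of slide 14 fit together as one verifier-side check. The following added example (not from the presentation or any TCG code) simulates a pre-boot measurement chain with SHA-1, replays the log, and distinguishes a changed boot sequence from a log that was altered after the fact. The component names and contents are constructed.

```python
import hashlib

PCR_SIZE = 20  # one SHA-1 digest; the slide's PCRs hold a single SHA-1 value


def tpm_init() -> bytes:
    """PCR value after TPM_Init at system reset: all zeros."""
    return bytes(PCR_SIZE)


def extend(pcr: bytes, value: bytes) -> bytes:
    """[PCR] = SHA-1([PCR] + Extend value). The result depends on every
    earlier extend, so no single value A can be chosen to reach a target PCR."""
    if len(pcr) != PCR_SIZE or len(value) != PCR_SIZE:
        raise ValueError("PCR and extend value must both be SHA-1 digests")
    return hashlib.sha1(pcr + value).digest()


def measure(blob: bytes) -> bytes:
    """Measure = hash of code or data."""
    return hashlib.sha1(blob).digest()


def boot_with_log(components):
    """Pre-boot collection: measure each component before it executes, extend
    the PCR with the measurement and append it to the log. Returns (pcr, log)."""
    pcr, log = tpm_init(), []
    for name, blob in components:
        m = measure(blob)
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log) -> bytes:
    """Verifier side: recompute the PCR from the log of extended values alone."""
    pcr = tpm_init()
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def verify(reported_pcr: bytes, log, reference_pcr: bytes):
    """Returns (log_consistent, matches_reference).
    log_consistent is False when the log does not replay to the PCR the TPM
    reported, i.e. the log was edited. matches_reference is False when the
    boot sequence differs from the 'normal' value from an authoritative source."""
    replayed = replay_log(log)
    return replayed == reported_pcr, replayed == reference_pcr


# Constructed sample boot sequence; names and contents are illustrative only.
GOOD_BOOT = [("bios", b"bios-image-v1"),
             ("bootloader", b"loader-v2"),
             ("kernel", b"kernel-2.6")]
REFERENCE_PCR, _ = boot_with_log(GOOD_BOOT)  # stands in for a manufacturer value
```

A log entry rewritten to the expected measurement still fails, because the replay no longer reaches the PCR the TPM reported.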

Slide #15: Integrity Harvesting Model (diagram)
Harvesting gathers Assertions and Values from a trustworthy source
Labels: Reference Integrity Measurements; TCG Certificates (TCG Integrity Schema defined structure); Harvesting Mechanism; Integrity Measurement Harvesters; Value-Added Provider; Submission Mechanism; Integrity Signature Database; Evaluation Mechanism; Policies / Rules; Verifier (PDP); Policy Authors; Policy Authoring Mechanism; TCG Integrity Schema
Legend: * = Anticipated TCG specification

Slide #16: TCG Integrity Schema
Consists of a tree of Assertions and hash Values
– Reference measurements
– Quality assertions
– Development / Manufacturing processes
– Trust related operations, e.g. creation of platform endorsement key
Associated with a Target “Component”
– Composite attributes form its “Identity”
Manufacturer name / vendor ID
Model number / name
Version information
– Patch level
– Component Identity is unique with respect to a release, not necessarily a particular copy or instance

Slide #17: Integrity Schema and XACML
Evaluation correlates reference and actual values with appropriate consequences
– A policy structure such as XACML may be helpful
An XACML Policy is a tree of
– PolicySet: contains multiple Policies and policy references
– Policy: contains multiple Rules
– Rule: contains decision logic expressed in terms of Conditions and Effect
TCG Assertions may be mapped to XACML as Condition Attributes
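To make the PolicySet / Policy / Rule tree of slide 17 concrete, the added example below (not from the presentation and not an XACML implementation) models that tree in Python and feeds it attributes of the kind slides 13 and 16 describe: a verifier status, a PCR value and a component's MMV identity. The reference values, attribute names and deny-overrides combining are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

Attrs = Dict[str, object]  # request context: TCG assertions as XACML attributes
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Rule:
    """Decision logic: a Condition over attributes that yields an Effect."""
    name: str
    condition: Callable[[Attrs], bool]
    effect: str

    def evaluate(self, attrs: Attrs) -> str:
        return self.effect if self.condition(attrs) else NOT_APPLICABLE


@dataclass
class Policy:
    """Tree node: a Policy holds Rules, a PolicySet holds Policies. Both use
    deny-overrides combining here: any Deny wins, then any Permit, else N/A."""
    name: str
    children: List[Union["Policy", Rule]] = field(default_factory=list)

    def evaluate(self, attrs: Attrs) -> str:
        decisions = [c.evaluate(attrs) for c in self.children]
        if DENY in decisions:
            return DENY
        return PERMIT if PERMIT in decisions else NOT_APPLICABLE


# Constructed reference data standing in for the Integrity Signature Database:
# an expected PCR value and the MMV identity of the approved anti-virus engine.
REFERENCE = {"pcr0": "constructed-reference-pcr0",
             "av_mmv": ("ExampleVendor", "ExampleAV", "7.2")}


def build_policy_set() -> Policy:
    """PolicySet 'network-access' with a boot-integrity and a posture Policy."""
    boot = Policy("boot-integrity", [
        Rule("pcr0-matches", lambda a: a.get("pcr0") == REFERENCE["pcr0"], PERMIT),
        Rule("pcr0-differs", lambda a: a.get("pcr0") != REFERENCE["pcr0"], DENY)])
    posture = Policy("endpoint-posture", [
        Rule("av-verifier-ok", lambda a: a.get("av_status") == "OK", PERMIT),
        Rule("av-verifier-not-ok", lambda a: a.get("av_status") != "OK", DENY),
        Rule("av-wrong-mmv", lambda a: a.get("av_mmv") != REFERENCE["av_mmv"], DENY)])
    return Policy("network-access", [boot, posture])


def decide(attrs: Attrs) -> str:
    """The PDP's answer to one request built from collector/verifier output."""
    return build_policy_set().evaluate(attrs)
```

A missing attribute evaluates as a mismatch and therefore a Deny, which is the safe default when a verifier never reported.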

Slide #18: A Conceptual Model (diagram)
Labels: Policy Sources (Reference Integrity Measurements, TCG Certificates, Policy Authors, Policy Authoring Mechanism, Policy Database); Attribute Sources (Integrity Signature Database); XACML Context; XACML Policy or Attribute References; AR; PEP; PDP; XACML Request; XACML Response

Slide #19: XACML Condition Attribute (diagram)
Labels: Integrity Signature Database; Attribute Sources

Slide #20: Summary
TCG model for Trusted Computing is centered around collection and verification of trust attributes
Trust attributes can be applied to network access control
The TCG is developing infrastructure for collecting reference trust attributes
XACML may be a viable framework for making access decisions involving TCG trust attributes

Slide #21: Questions?
Contact Information
– The Trusted Computing Group
– Infrastructure Working Group Co-Chairs: Ned Smith / Intel; Thomas Hardjono / Verisign

Slide #22: Backup

Slide #23: Steps of a Trusted Network Connection
Collection – Find out the condition of the platform
Reporting – Communicate platform state when connecting
Decision Making – Decide what level of access is acceptable
Enforcement – Restrict the environment in accordance with access rights
Remediation – Remediation may be required to reconcile denied access

Slide #24: TCG Trusted Network Connect Architecture (diagram)
Columns: AR (Access Requestor); PEP (Policy Enforcement Point); PDP (Policy Decision Point)
Remediation Layer: Remediation Applications (AR); Remediation Resources (PDP)
Integrity Measurement Layer: Integrity Measurement Collectors (AR); Integrity Measurement Verifiers (PDP); IF-IMC; IF-IMV; IF-V between Collector and Verifiers
Integrity Evaluation Layer: TNC Client (AR); TNC Server (PDP); IF-TNCCS
Network Access Layer: Network Access Requestor (Supplicant / VPN Client, etc.); Policy Enforcement Point (Switch / Firewall / VPN Gateway); Network Access Authority; IF-Transport; IF-PEP
Trust Layer: RTM / TPM; Platform Trust Service; Integrity Log; IF-PTS
Notes: PTS protects the integrity of TNC components; RTM protects PTS; TPM protects measurements and keys
Functions by layer: Enforcement mechanisms; Control of network boundary; Reporting and transfer of integrity information; Access decision making; Collection of integrity information; Authoring of rules; Automated response and provisioning

Slide #25: TNC with 802.1X at Link Layer (diagram)
Requestor (AR): Collector; EAP Peer; 802.1x Access Agent
Switch / Access Point (PEP): 802.1x PAE; RADIUS Client; Network Boundary
PDP: RADIUS Server; EAP Peer; Verifier
Links: 802.1X between AR and PEP; RADIUS* between PEP and PDP; EAP with NAC Extensions carried end to end as the TNC channel
Verifier & Collector exchange posture information over EAP tunnel using EAP inner methods, AVPs or TLVs
Abbreviations: AR – Access Requester; AVP – Attribute Value Pair; EAP – Extensible Authentication Protocol; PAE – Port Access Entity; PDP – Policy Decision Point; PEP – Policy Enforcement Point; NAC – Network Access Control; TLV – Tag Length Value