Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Open Standards for Network Access Control Trusted Network Connect (TNC)

2 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net What is Trusted Network Connect (TNC)?  Trusted Network Connect, or TNC, is: The name of a subgroup of the Trusted Computing Group (TCG) An open network access control architecture An open network access control standard Ensures interoperability From the Trusted Computing Group (TCG)

3 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net TNC in the TCG TCG Standard s TCG Standard s Applications Specifies standard set of APIs for application vendors who want to use TPM Storage Focuses on standards for security services on dedicated storage systems Mobile Enables trust for mobile devices including mobile phones, PDAs Servers Provides definitions, specifications, requirements for implementation of TCG in servers PC Client Provides common functionality, interfaces, security/privacy requirements for desktop, laptop clients, establishing root of trust Trusted Platform Module (TPM) Specifies silicon that securely stores digital keys, certificates, passwords Trusted Network Connect (TNC) Ensures endpoint compliance with integrity policies at, after network connection Infrastructure Defines architectural framework, interfaces needed to bridge infrastructure gaps

4 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net Why Trusted Network Connect (TNC)?  Provides open standards for network access control (NAC)  Vendor-agnostic, multi-vendor compatibility Supports heterogeneous network environments  Reduces costs and deployment time Leverages existing, installed products – software and hardware Empowers choice, an advantage over single vendor lock-in Enables selection of best-of-breed products  Increases security Thorough and open technical review of all standards ALL endpoints are covered and secure  Higher, faster Return on Investment (ROI)

5 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net Basic TNC Diagram VPN Access Requestor (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP)

6 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net Collector IF-IMV IF-IMC IF-M IF-TNCCS Network Access Authority Integrity Measurement Verifiers TNC Server PDP IF-T IF-PEP Point Policy Enforcement PEPSwitch/ Firewall Firewall/ VPN Gateway ARTNC Client Network Access Requestor Supplicant/ VPN Client, etc. Integrity Measurement Collectors TNC Architecture

7 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net TNC Standards – Client  AR = Access Requestor – Entity attempting network access – can be device, supplicant, etc.  Integrity Measurement Collectors (IMCs) Software component that measures security aspects of the AR's integrity, including AV parameters, FW status, software versions, etc. Multiple IMCs can interact with 1+ TNC Client/Servers  TNC Client Software component running on AR that aggregates integrity measurements from IMCs Arranges reports on local platform and IMC measurements  Network Access Requestor (NAR) Establishes network access; can be an 802.1X supplicant, VPN client, etc. There can be several NARs on a single AR to handle connections to different networks. ARTNC Client Network Access Requestor Supplicant/ VPN Client, etc. Integrity Measurement Collectors

8 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net TNC Standards – Enforcement  PEP = Policy Enforcement Point - Entity enforcing the network access decisions  Policy Enforcement Point (PEP) Controls network access Consults with decision point, determines whether network access should be granted to AR Can be 802.1X Authenticator (802.1X switch, access point), firewall, VPN gateway, etc. Point Policy Enforcement PEPSwitch/ Firewall Firewall/ VPN Gateway

9 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net TNC Standards – Server  PDP = Policy Decision Point - Entity that recommends and decides on network access request from AR  Integrity Measurement Verifiers (IMVs) Verifies AR’s integrity based on measurements received from IMCs and/or other data  TNC Server Manages message flow between IMVs/IMCs, gathers IMV action recommendations, combines those policy- based recommendations into overall network access recommendation for Network Access Authority (NAA)  Network Access Authority (NAA) Decides whether network access should be granted AR Consults TNC Server, determines if AR’s integrity measurements comply with security policy NAA can be part of AAA Server Network Access Authority Integrity Measurement Verifiers TNC Server PDP

10 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net TNC Standards – Specifications/Protocols  IF-M (IMC-IMV Messaging Protocol) Specifies a standard way for the IMC and IMV to communicate  IF-TNCCS (TNC Client Server Protocol) Describes a standard way for the TNC Client and the TNC Server to exchange messages  IF-T (Transport Protocol) Specifies how TNC Client Server Protocol (IF-TNCCS) should be carried over EAP tunneled methods  IF-PEP (Policy Enforcement Point Protocol) Details how to use RADIUS for communications between a Network Access Authority – typically a AAA/RADIUS server – and a Policy Enforcement Point (PEP)  IF-IMC & IF-IMV (IMC/IMV Protocols) Communications method for gathering integrity measurements from IMCs, delivering measurements to IMVs, and for messaging between IMCs and IMVs

11 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net UAC/TNC/Partner Architecture AV / Anti Spyware Patch Management Classified Data Stores / Apps Network Perimeter OAC w/Infranet Agent (IA) or clientless IA Network Infrastructure Security Event Manager (SEMs) Juniper FW Enforcer AAA Servers Identity Stores AR PEP PDP

12 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net TNC, NAP & C-NAC Security Software Integrity Client Access Software Policy Server Integrity Server Net Access Authority Network Access Device Security Software AV Clients System Health Agents TNC Client Quarantine Agent Trust Agent Network Access Requester Enforcement Network Access Requester Policy Servers System Health Verifiers AV Servers TNC Server Quarantine Server ACS AAA RADIUS Network Access Authority  TNC, NAP, C-NAC - NOT head-to-head competitors Simply different ways to attain network access control  NAP, C-NAC = Proprietary  TNC = Open Standards = Interoperable  TNC compliant products – like UAC - work with NAP, C-NAC products - but, NOT other way around! GREEN = TNC YELLOW = NAP RED = C-NAC

13 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net Summary  TNC is an open network access control architecture and standard  TNC is NOT a dead-on competitor to NAP or C-NAC TNC compliant offerings work with NAP and C-NAC products because they’re based on open, interoperable standards  TNC delivers: Vendor-agnostic, multi-vendor support for diverse, heterogeneous networking environments Cost and deployment time reductions by leveraging installed products An alternative to single vendor lock-in A thorough and open technical review of standards The ability to cover and secure ALL endpoints A higher, faster Return on Investment (ROI) CHOICE!

14 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net For More Information  TCG Web Site  TNC Web Site

15 Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net Thank You!