
Copyright © 2008 Juniper Networks, Inc. www.juniper.net

1 Network Access Control and Beyond
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF

2 Security Problems of Open Networks
Network Security Decreases As Access Increases
- Sensitive information, mission-critical network
- Mobile and remote devices and users
- Unmanaged or ill-managed endpoints
- Student, faculty, staff, and/or guest access
Resulting risks:
- Critical data at risk
- Network can become unreliable
- Perimeter security ineffective
- Endpoint infections may proliferate

3 Network Access Control Solutions
- Control Access to critical resources or to the entire network
- Based on
  - User identity and role
  - Endpoint identity and health
  - Other factors
- With Remediation Management Features
Benefits
- Consistent Access Controls
- Reduced Downtime: healthier endpoints, fewer outbreaks
- Safe Remote Access
- Safe Access for Students, Faculty, Staff, Guests
Network access control must be a key component of every network!

4 Sample Network Access Control Policy
To Access the Production Network...
1. User Must Be Authenticated With Identity Management System
2. Endpoint Must Be Healthy
   - Anti-Virus software running and properly configured
   - Recent scan shows no malware
   - Personal Firewall running and properly configured
   - Patches up-to-date
3. Behavior Must Be Acceptable
   - No port scanning, sending spam

5 State of Network Access Control
- Many products and open source implementations
- Several approaches
  - MAC registration – accountability
  - Identity – block unauthorized users
  - Endpoint health – detect and fix unhealthy endpoints
  - Behavior – track and block unauthorized behavior
  - Combination of the above
- Convergence on one architecture and standards: TNC = Trusted Network Connect

6 What is Trusted Network Connect (TNC)?
- Open Architecture for Network Access Control
- Suite of Standards to Ensure Interoperability
- Work Group in Trusted Computing Group

7 TNC Architecture Overview
(Diagram: Access Requester (AR), Policy Enforcement Point (PEP) and Policy Decision Point (PDP); wireless and wired access cross the Network Perimeter through PEPs such as a FW or VPN gateway, which consult the PDP.)

8 Typical TNC Deployments
- Uniform Policy
- User-Specific Policies
- TPM Integrity Check

9 Uniform Policy
(Diagram: Access Requester (AR), Policy Enforcement Point (PEP) and Policy Decision Point (PDP) at the Network Perimeter; the PDP places each endpoint on the Remediation Network or the Production Network.)
Client Rules
- Windows XP
  - SP2
  - OSHotFix 2499
  - OSHotFix 9288
  - AV (one of): Symantec AV 10.1, McAfee Virus Scan 8.0
  - Firewall
Non-compliant System (placed on the Remediation Network)
- Windows XP SP2
- x OSHotFix 2499 (missing)
- x OSHotFix 9288 (missing)
- AV – McAfee Virus Scan 8.0
- Firewall
Compliant System (admitted to the Production Network)
- Windows XP SP2
- OSHotFix 2499
- OSHotFix 9288
- AV – Symantec AV 10.1
- Firewall

10 User-Specific Policies
(Diagram: Access Requester (AR), Policy Enforcement Point (PEP) and Policy Decision Point (PDP) at the Network Perimeter; the PDP places each user on a different network.)
Access Policies
- Authorized Users
- Client Rules
Example users and the network each is assigned
- Guest User: Guest Network (Internet Only)
- Ken – Faculty (Windows XP, OSHotFix 9345, OSHotFix 8834, AV – Symantec AV 10.1, Firewall): Research Network
- Linda – Finance: Finance Network
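The Uniform Policy (slide 9) and User-Specific Policies (slide 10) deployments are the same PDP logic with different inputs: a set of client rules evaluated against what the endpoint reports, plus a mapping from the authenticated user's role to a network. The following added example (not from the presentation or from any TNC product) is a toy PDP that does both. The product names, hotfix identifiers, users and networks are the slides' illustrative values; the data structures, the function names, the guest rule set (no health rules) and the finance rule set (the uniform rules) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Uniform client rules as drawn on slide 9.
UNIFORM_RULES = {
    "os": ("Windows XP", "SP2"),
    "hotfixes": {"OSHotFix 2499", "OSHotFix 9288"},
    "av_one_of": {"Symantec AV 10.1", "McAfee Virus Scan 8.0"},
    "firewall": True,
}

# User-specific policies (slide 10): the network a role is assigned to and the
# client rules that apply.  Ken's hotfix list comes from the slide; the guest
# (no health rules) and finance (uniform rules) rule sets are assumptions.
ROLE_POLICIES = {
    "guest": {"network": "Guest Network (Internet only)", "rules": None},
    "faculty": {"network": "Research Network",
                "rules": dict(UNIFORM_RULES, hotfixes={"OSHotFix 9345", "OSHotFix 8834"})},
    "finance": {"network": "Finance Network", "rules": UNIFORM_RULES},
}

@dataclass
class EndpointReport:
    """Health claims an IMC on the endpoint would report (constructed values)."""
    os: str
    service_pack: str
    hotfixes: set
    av: Optional[str]
    firewall: bool

@dataclass
class Decision:
    network: str                      # where the PEP should place the endpoint
    failed_checks: list = field(default_factory=list)

def check_health(report, rules):
    """IMV-side check: return the names of the rules the endpoint fails."""
    failed = []
    if (report.os, report.service_pack) != rules["os"]:
        failed.append("os")
    failed.extend(sorted(rules["hotfixes"] - report.hotfixes))  # missing patches
    if report.av not in rules["av_one_of"]:
        failed.append("av")
    if rules["firewall"] and not report.firewall:
        failed.append("firewall")
    return failed

def decide(role, report, policies=ROLE_POLICIES):
    """PDP decision: unauthorized roles are denied, unhealthy endpoints go to
    the Remediation Network, healthy ones to the role's network."""
    policy = policies.get(role)
    if policy is None:
        return Decision("denied", ["unauthorized user"])
    if policy["rules"] is not None:
        failed = check_health(report, policy["rules"])
        if failed:
            return Decision("Remediation Network", failed)
    return Decision(policy["network"])

# Slide 9's two endpoints, as constructed reports.
NON_COMPLIANT = EndpointReport("Windows XP", "SP2", set(), "McAfee Virus Scan 8.0", True)
COMPLIANT = EndpointReport("Windows XP", "SP2", {"OSHotFix 2499", "OSHotFix 9288"},
                           "Symantec AV 10.1", True)
```

The failed-check list is what makes remediation possible: the PDP returns not just "remediation" but which rules were missed, so the remediation network can target the missing hotfixes rather than rebuilding the machine. Note that the report here is trusted as-is; the next slides show how a TPM closes that gap.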

11 TPM Integrity Check
(Diagram: Access Requester (AR), Policy Enforcement Point (PEP) and Policy Decision Point (PDP) at the Network Perimeter; a Compliant System whose BIOS, OS, Drivers and Anti-Virus Software are TPM Verified is admitted to the Production Network.)
Client Rules
- BIOS
- OS
- Drivers
- Anti-Virus Software
TPM – Trusted Platform Module
- Hardware module built into most of today’s PCs
- Enables a hardware Root of Trust
- Measures critical components during trusted boot
- PTS interface allows PDP to verify configuration and remediate as necessary

12 Foiling Root Kits with TPM and TNC
- Solves the critical “lying endpoint problem”
  - User or rootkit causes endpoint to lie about health
- TPM Measures Software in Boot Sequence
  - Hash software into PCR before running it
  - PCR value cannot be reset except via hard reboot
- During TNC Handshake...
  - PTS-IMV engages in crypto handshake with TPM
  - TPM securely sends PCR value to PTS-IMV
  - PTS-IMV compares to good configs
  - If not listed, endpoint is quarantined and remediated
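The measure-then-compare flow on this slide is easiest to see with the PCR arithmetic written out. The following added example (not from the presentation, not TPM or PTS code) simulates a measured boot with the TPM 1.2 extend rule, PCR = SHA-1(PCR || SHA-1(component)), and a PTS-IMV that compares the resulting value with a list of known-good configurations. The component images, the approved configuration and all function names are constructed for this example. The crypto handshake that authenticates the TPM's report (a signed quote) is not modelled; the PCR value is handed over directly.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def extend(pcr: bytes, component: bytes) -> bytes:
    """One PCR extend: hash the component, then fold it into the PCR.
    Extends only accumulate; nothing undoes one, which is why a PCR value
    cannot be reset except by rebooting."""
    return sha1(pcr + sha1(component))

def measured_boot(components):
    """Return the PCR after measuring each boot component in order."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros after reset
    for comp in components:
        pcr = extend(pcr, comp)  # measured before it runs
    return pcr

def known_good_pcrs(approved_boot_chains):
    """PTS-IMV side: precompute the PCR value of each approved configuration."""
    return {measured_boot(chain): name for name, chain in approved_boot_chains.items()}

def ptsimv_decide(reported_pcr, good_pcrs):
    """Compare the reported PCR with the known-good list (slide 12):
    listed -> production, not listed -> quarantine and remediate."""
    if reported_pcr in good_pcrs:
        return ("production", good_pcrs[reported_pcr])
    return ("quarantine", None)

# Constructed boot chain: these byte strings stand in for the component images.
GOOD_BIOS = b"bios v1.07"
GOOD_LOADER = b"bootloader 2.1"
GOOD_KERNEL = b"kernel 5.1.2600 sp2"
GOOD_AV_DRIVER = b"av filter driver 10.1"

APPROVED = {
    "xp-sp2-symantec": [GOOD_BIOS, GOOD_LOADER, GOOD_KERNEL, GOOD_AV_DRIVER],
}

def lying_endpoint_demo():
    """Why the endpoint cannot talk its way past the verifier.
    Returns (decision for an honest boot, decision for a boot with a modified
    loader, whether extending the genuine loader afterwards restores the PCR)."""
    good = known_good_pcrs(APPROVED)
    honest = measured_boot(APPROVED["xp-sp2-symantec"])
    tampered_chain = [GOOD_BIOS, b"bootloader 2.1 + modification", GOOD_KERNEL, GOOD_AV_DRIVER]
    tampered = measured_boot(tampered_chain)
    # Feeding the genuine loader image to the TPM later only extends again;
    # the PCR never returns to the known-good value.
    patched_up = extend(tampered, GOOD_LOADER)
    return (ptsimv_decide(honest, good)[0],
            ptsimv_decide(tampered, good)[0],
            ptsimv_decide(patched_up, good)[0] == "production")
```

Two properties carry the security argument: the same components in a different order give a different PCR, and a PCR that has left the known-good set cannot be steered back into it by further extends. What the simulation leaves out is exactly the step the slide calls the crypto handshake: in a real deployment the PTS-IMV must obtain the PCR inside a TPM quote signed by a key the verifier trusts, otherwise the endpoint software could simply report a good-looking value itself.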

13 Why TNC?
- Open standards
  - Supports multi-vendor compatibility
  - Enables customer choice
  - Allows open technical review for better security
- Supports Existing Networks
  - Wired and wireless, 802.1X and non-802.1X, firewalls, IPsec and SSL VPNs, dialup, etc.
- Supports Optional Trusted Platform Module
  - Basis for trusted endpoint
  - Solves critical problem with existing products: root kits

14 TNC Architecture in Detail
(Diagram: the three columns of the architecture and the interfaces that join their layers.)
- Access Requester (AR): TPM, TSS, Platform Trust Service (PTS), Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor
- Policy Enforcement Point (PEP)
- Policy Decision Point (PDP): Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority
- Interfaces: IF-PTS (PTS to IMC), IF-IMC (IMC to TNCC), IF-IMV (IMV to TNCS), IF-M (IMC to IMV), IF-TNCCS (TNCC to TNCS), IF-T (Network Access Requestor to Network Access Authority, carried through the PEP), IF-PEP (PEP to Network Access Authority)

15 TNC Status
- TNC Architecture and all specs released
  - IF-IMC, IF-IMV, IF-PEP for RADIUS, IF-PTS, IF-TNCCS, IF-T for Tunneled EAP Methods
  - Freely Available from TCG web site
- Rapid Specification Development Continues
  - New Specifications, Enhancements
- Number of Members and Products Growing Rapidly
- Compliance and Interoperability Testing and Certification effort under way

16 TNC Vendor Support
(Diagram: vendor logos grouped by architectural role.)
- Access Requester (AR): Endpoint Supplicant/VPN Client, etc.
- Policy Enforcement Point (PEP): Network Device: FW, Switch, Router, Gateway
- Policy Decision Point (PDP): AAA Server: RADIUS, Diameter, IIS, etc.

17 TNC/NAP Interoperability
- IF-TNCCS-SOH Standard Enables Client-Server Interoperability between NAP and TNC
  - NAP servers can health check TNC clients without extra software
  - NAP clients can be health checked by TNC servers without extra software
  - As long as all parties implement the open IF-TNCCS-SOH standard
- Availability
  - Built into Windows Vista, Windows Server 2008, Windows XP SP3
  - Unix clients shipping from Avenda Systems and UNETsystem
  - Other TNC vendors planning to ship support in 1H 2008
- Implications
  - Finally, an agreed-upon open standard client-server NAC protocol
  - True client-server interoperability (like web browsers and servers) is here
  - Industry (except Cisco) has agreed on TNC standards for NAC
(Diagram: a NAP or TNC Client speaks IF-TNCCS-SOH to a NAP or TNC Server across switches, APs, appliances, servers, etc.)

18 NAP Vendor Support
(Diagram: vendor logos.)

19 IETF and TNC
- IETF NEA WG
  - Goal: Universal Agreement on NAC Protocols
  - Co-Chaired by Cisco rep and TNC-WG Chair
- Adopted TNC specs as WG drafts
  - PA-TNC and PB-TNC
  - Equivalent to IF-M 1.0 and IF-TNCCS 2.0
  - Cisco Engineer will Co-Edit

20 What About Open Source?
- Lots of open source support for TNC
  - University of Applied Arts and Sciences in Hannover, Germany (FHH): http://tnc.inform.fh-hannover.de
  - libtnc: https://sourceforge.net/projects/libtnc
  - OpenSEA 802.1X supplicant: http://www.openseaalliance.org
  - FreeRADIUS: http://www.freeradius.org
- TCG support for these efforts
  - Free Liaison Memberships
  - Open source licensing of TNC header files

21 Moving Beyond NAC – Future Vision
- Trusted Devices: trusted hardware and secure software provide trustworthy clients
- Access Control: secure and reliable access to any service from any device across any network (in accordance with policy)
- Coordinated Security: security systems cooperate through open standards to provide strong, autonomic, and efficient security at lower cost and complexity
- Policy: security policies defined in business terms apply across all security systems; good tools for defining and analyzing policies

22 TCG – Working Toward The Future
- Trusted Devices
  - TPM – open standards for trusted hardware
  - TSS and PTS – open standards for secure software (not enough)
- Access Control
  - TNC – working on broader access control standards
- Coordinated Security
  - New IF-MAP standard addresses this directly (see next slide)
- Policy
  - Important area for future work

23 IF-MAP – Problems to Be Solved
- Manage unresponsive endpoints
  - Printers, phones, other embedded devices
  - Guest, student, and other systems with no NAC capability
- Monitor endpoint behavior
  - Detect and respond to unacceptable use
- Integrate Security Systems
  - Enable coordinated and automatic response
  - Share information to improve security

24 TNC Architecture with IF-MAP
(Diagram: the TNC architecture extended with IF-MAP servers.)
- Access Requesters: laptops, mobile devices, other endpoints running TNC clients
- Policy Enforcement Points: 802.1X switches, VPN gateways, edge firewalls
- Policy Decision Points: RADIUS servers, VPN controllers, policy servers
- IF-MAP servers
- Other systems exchanging information over IF-MAP: IDP/IDS systems, directories, DHCP servers, internal firewalls, SIM/SEM servers

25 IF-MAP Use Cases
- PDP publishes info on new user & device to IF-MAP server
  - IDS and NBAD use this info to adjust their settings (e.g. P2P allowed)
  - Flow controller (e.g. interior firewall) uses info to adjust access controls
  - PDP and flow controller subscribe to updates on user or device
- IDS publishes event to an IF-MAP server
  - Device X is attacking device Y
  - PDP and/or flow controller receive notification of event
  - They can respond by quarantining device X, warning user, etc.
- PDP detects new unknown clientless device Z
  - PDP posts info to IF-MAP server, subscribes to updates
  - DHCP server, endpoint profiler, etc. publish info on device
  - PDP receives notification, grants appropriate access
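All three use cases on this slide are the same pattern: one system publishes metadata about an identifier, others that subscribed to that identifier are notified and act. The following added example (not from the presentation, not an IF-MAP implementation) runs the three scenarios against an in-memory stand-in for the IF-MAP server. Real IF-MAP is a SOAP/XML protocol over HTTP and SSL with identifiers, links and metadata; here the graph is a dictionary and notifications are delivered synchronously. The metadata names are modelled loosely on IF-MAP vocabulary, but the class and function names, the addresses, users and the "attacker is listed first" convention on attack events are assumptions made for this example.

```python
from collections import defaultdict

class MapServer:
    """Toy Metadata Access Point: identifiers are (type, value) tuples, metadata
    dicts hang on links between two identifiers, and a subscription fires when
    metadata is published on any link touching the subscribed identifier.
    Subscribing to (type, "*") matches every identifier of that type."""

    def __init__(self):
        self.links = defaultdict(list)          # (id_a, id_b) -> [metadata]
        self.subscriptions = defaultdict(list)  # identifier -> [callbacks]

    def subscribe(self, identifier, callback):
        self.subscriptions[identifier].append(callback)

    def publish(self, id_a, id_b, metadata):
        self.links[(id_a, id_b)].append(metadata)
        delivered = []
        for ident in (id_a, id_b, (id_a[0], "*"), (id_b[0], "*")):
            for callback in self.subscriptions.get(ident, []):
                if callback not in delivered:   # one notification per subscriber
                    delivered.append(callback)
                    callback(id_a, id_b, metadata)

    def search(self, identifier):
        """Metadata on every link touching the identifier."""
        return [m for (a, b), ms in self.links.items() if identifier in (a, b) for m in ms]

def ip_of(id_a, id_b):
    """The ip-address identifier on a link (the first one if both are IPs)."""
    return id_a[1] if id_a[0] == "ip-address" else id_b[1]

class PolicyDecisionPoint:
    def __init__(self, server):
        self.server, self.quarantined, self.granted = server, set(), {}

    def admit(self, ip, username, role):
        """Use case 1: publish who is behind an IP and subscribe to updates on it."""
        self.server.subscribe(("ip-address", ip), self.on_update)
        self.server.publish(("ip-address", ip), ("identity", username),
                            {"type": "authenticated-as", "role": role})

    def detect_clientless(self, ip):
        """Use case 3: unknown device Z; post what is known and wait for profiling."""
        self.server.subscribe(("ip-address", ip), self.on_update)
        self.server.publish(("ip-address", ip), ("device", "unknown-" + ip),
                            {"type": "access-request", "status": "pending"})

    def on_update(self, id_a, id_b, metadata):
        ip = ip_of(id_a, id_b)
        if metadata.get("type") == "event" and metadata.get("significance") == "critical":
            self.quarantined.add(ip)        # use case 2: attacker goes to quarantine
        elif metadata.get("type") == "device-characteristic":
            self.granted[ip] = metadata["device-type"] + "-vlan"  # assumed policy

class FlowController:
    """Interior firewall: derives per-IP access from what the MAP says."""
    def __init__(self, server):
        self.acl = {}
        server.subscribe(("ip-address", "*"), self.on_update)

    def on_update(self, id_a, id_b, metadata):
        ip = ip_of(id_a, id_b)
        if metadata.get("type") == "authenticated-as":
            self.acl[ip] = metadata["role"]
        elif metadata.get("type") == "event" and metadata.get("significance") == "critical":
            self.acl[ip] = "quarantine"

class IntrusionDetector:
    def __init__(self, server):
        self.server = server

    def report_attack(self, attacker_ip, victim_ip):
        """Use case 2: 'device X is attacking device Y' (attacker listed first)."""
        self.server.publish(("ip-address", attacker_ip), ("ip-address", victim_ip),
                            {"type": "event", "name": "attack", "significance": "critical"})

def profiler_publish(server, ip, device_type):
    """Stand-in for a DHCP server or endpoint profiler describing device Z."""
    server.publish(("ip-address", ip), ("device", "unknown-" + ip),
                   {"type": "device-characteristic", "device-type": device_type})

def scenario():
    """Run the three slide-25 use cases with constructed addresses and users."""
    server = MapServer()
    fw, pdp, ids = FlowController(server), PolicyDecisionPoint(server), IntrusionDetector(server)
    pdp.admit("10.0.0.5", "ken", "faculty")
    pdp.admit("10.0.0.9", "linda", "finance")
    ids.report_attack("10.0.0.5", "10.0.0.9")
    pdp.detect_clientless("10.0.0.42")
    profiler_publish(server, "10.0.0.42", "printer")
    return server, pdp, fw
```

The point of the exercise is that the IDS, the firewall and the PDP never talk to each other directly: each publishes what it knows about an identifier and reacts to what others publish about it, which is what lets the flow controller quarantine the attacker by username-linked address rather than by a rule someone typed in. A production deployment would also need the server to authenticate publishers (otherwise anyone who can publish a critical event can quarantine anyone) and to expire metadata when sessions end.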

26 IF-MAP Benefits
- Lower deployment and operating costs
  - Integration of existing systems and investments
  - Fewer false alarms since policies are tuned
- Reduced deployment and operating complexity
  - Standards-based integration
  - Automated responses
- Stronger security
  - Responses to both managed and unmanaged endpoints
  - Management of the complete lifecycle of a network endpoint
  - Coordinated response across many products
  - Policies tuned per user or group
- Better policies and reports
  - Based on usernames and roles instead of IP addresses
- Benefits of open standards
  - Avoid vendor lock-in
  - Reduce costs through competition
  - Choose best products for each job

27 IF-MAP Status
- IF-MAP Specification published April 28, 2008
  - Available at http://www.trustedcomputinggroup.org/groups/network
  - Free to implement
- Strong interest among customers, vendors, press, analysts, and open source implementers
- Demonstrations in TCG booth at Interop Vegas 2008
- Builds on existing standards (XML, SOAP, HTTP, SSL)
  - Ongoing alignment work with Open Group and MITRE on event format
- Work continues to expand and improve IF-MAP
- Products to follow

28 How can you participate in TCG/TNC?
- Review TCG/TNC specs and materials
  - Available at http://www.trustedcomputinggroup.org
  - Free to implement
- Try deployments of TCG/TNC technology
  - Commercial or open source
- Contribute to open source implementations
- Start related research projects
- Apply for Mentor or Invited Expert status
  - Mentor status supports researchers with advice (no NDA)
  - Invited Expert status makes you a full TCG participant
  - Josh Howlett of JANET is an Invited Expert

29 Thanks to Academic Community
- Higher education pioneered most of these concepts
  - Trusted computing
  - Access control & NAC
  - Coordinated security
  - Policy
“If I have seen further it is by standing on the shoulders of Giants.” – Sir Isaac Newton

30 Summary
- Network Access Control (NAC) has clear benefits
  - Controlling access to critical networks
  - Detecting and fixing unhealthy endpoints
  - Monitoring and addressing endpoint behavior
- Open Standards Required for NAC
  - Many, Many Products Involved
- TNC = Open Standards for NAC
- Many Advances in Network Security Coming
  - Trusted Devices, Access Control, Coordinated Security, Policy
- TCG Welcomes Your Input

31 For More Information
- TCG Web Site: https://www.trustedcomputinggroup.org
- TNC Co-Chairs
  - Steve Hanna, email: shanna@juniper.net, Blog: http://www.gotthenac.com
  - Paul Sangster, email: Paul_Sangster@symantec.com

