180 likes | 378 Views
Network Access Control for Education. By Steve Hanna, Distinguished Engineer, Juniper Co-Chair, Trusted Network Connect WG, TCG Co-Chair, Network Endpoint Assessment WG, IETF. As Access Increases Mission-critical network assets Mobile and remote devices transmitting the LAN perimeter
E N D
Network Access Controlfor Education By Steve Hanna, Distinguished Engineer, Juniper Co-Chair, Trusted Network Connect WG, TCG Co-Chair, Network Endpoint Assessment WG, IETF
As Access Increases Mission-critical network assets Mobile and remote devices transmitting the LAN perimeter Broader variety ofnetwork endpoints Faculty, staff, parent,and/or student access Implications of Expanded Network Usage Critical data at risk Perimeter security ineffective Endpoint infections may proliferate Network control can be lost Network Security Decreases
Control Access • to critical resources • to entire network • Based on • User identity and role • Endpoint identity and health • Other factors • With • Remediation • Management • Consistent Access Controls • Reduced Downtime • Healthier endpoints • Fewer outbreaks • Safe Remote Access • Safe Access for • Faculty, Staff • Students, Parents • Guests • Devices Features Benefits Network Access Control Solutions Network access control must be a key component of every network!
What is Trusted Network Connect (TNC)? • Open Architecture for Network Access Control • Suite of Standards to Ensure Interoperability • Work Group in Trusted Computing Group (TCG)
TCG: The Big Picture • Applications • Software Stack • Operating Systems • Web Services • Authentication • Data Protection Desktops & Notebooks Printers & Hardcopy Security Infrastructure Storage TCG Standards Mobile Phones Servers Networking Security Hardware
PDP TNC Architecture Overview Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) VPN Wireless FW Wired Network Perimeter
Typical TNC Deployments • Uniform Policy • User-Specific Policies • TPM Integrity Check
PDP Uniform Policy Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Remediation Network • Non-compliant System Windows XP • SP2 • OSHotFix 2499 • OSHotFix 9288 • AV - McAfee Virus Scan 8.0 • Firewall Client Rules Windows XP - SP2 - OSHotFix 2499 - OSHotFix 9288 - AV (one of) - Symantec AV 10.1 - McAfee Virus Scan 8.0 - Firewall Production Network • Compliant System Windows XP • SP2 • OSHotFix 2499 • OSHotFix 9288 • AV – Symantec AV 10.1 • Firewall Network Perimeter
PDP User-Specific Policies Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Guest User Guest Network Internet Only Ken – Faculty Classroom Network Access Policies - Authorized Users - Client Rules Linda – Finance Finance Network Windows XP • OSHotFix 9345 • OSHotFix 8834 • AV – Symantec AV 10.1 • Firewall Network Perimeter
PDP TPM Integrity Check Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) • TPM – Trusted Platform Module • Hardware module built into most of today’s PCs • Enables a hardware Root of Trust • Measures critical components during trusted boot • PTS interface allows PDP to verify configuration and remediate as necessary Client Rules - BIOS - OS - Drivers - Anti-Virus Software Production Network • Compliant System TPM Verified • BIOS • OS • Drivers • Anti-Virus Software Network Perimeter
Integrity Measurement Collectors (IMC) Integrity Measurement Verifiers (IMV) TNC Server (TNCS) Collector Verifiers (IF-M) t Collector Verifers (IF-IMC) (IF-IMV) (IF-TNCCS) TNC Client (TNCC) (IF-PTS) (IF-T) Platform Trust Service (PTS) (IF-PEP) Network Access Requestor Network Access Authority Policy Enforcement Point (PEP) TSS TPM TNC Architecture in Detail Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP)
TNC Status • TNC Architecture and all specs released • Available Since 2006 from TCG web site • Rapid Specification Development Continues • New Specifications, Enhancements • Number of Members and Products Growing Rapidly • Compliance and Interoperability Testing and Certification Efforts under way
TNC Vendor Support Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) EndpointSupplicant/VPN Client, etc. Network Device FW, Switch, Router, Gateway AAA Server, Radius,Diameter, IIS, etc.
TNC/NAP/UAC Interoperability • Announced May 21, 2007 by TCG, Microsoft, and Juniper • NAP products implement TNC specifications • Included in Windows Vista, Windows XP SP 3, and Windows Server 2008 • Juniper UAC and NAP can interoperate • Demonstrated at Interop Las Vegas 2007 • UAC will support IF-TNCCS-SOH in 1H2008 • Customer Benefits • Easier implementation – can use built-in Windows NAP client • Choice and compatibility – through open standards
What About Open Source? • Several open source implementations of TNC • University of Applied Arts and Sciences in Hannover, Germany (FHH) http://tnc.inform.fh-hannover.de • libtnc https://sourceforge.net/projects/lib/tnc • OpenSEA 802.1X supplicant http://www.openseaalliance.org • FreeRADIUS http://www.freeradius.org • TCG support for these efforts • Liaison Memberships • Open source licensing of TNC header files
Summary • Network Access Control provides • Strong Security and Safety • Tight Control Over Network Access • Reduced PC Administration Costs • Open Standards Clearly Needed for NAC • Many, Many Vendors Involved in a NAC System • Some Key Benefits of Open Standards • Ubiquity, Flexibility, Reduced Cost • TNC = Open Standards for NAC • Widely Supported – HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc. • Can Use TPM to Detect Root Kits • TNC: Coming Soon to a Network Near You!
For More Information • TCG Web Site • https://www.trustedcomputinggroup.org • Juniper UAC Web Site • http://www.juniper.net/products_and_services/unified_access_control • Steve Hanna • Distinguished Engineer, Juniper Networks • Co-Chair, Trusted Network Connect Work Group, TCG • Co-Chair, Network Endpoint Assessment Working Group, IETF • email: shanna@juniper.net • Blog: http://www.gotthenac.com