1 / 18

Network Access Control for Education

Network Access Control for Education. By Steve Hanna, Distinguished Engineer, Juniper Co-Chair, Trusted Network Connect WG, TCG Co-Chair, Network Endpoint Assessment WG, IETF. As Access Increases Mission-critical network assets Mobile and remote devices transmitting the LAN perimeter

bonita
Download Presentation

Network Access Control for Education

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Access Controlfor Education By Steve Hanna, Distinguished Engineer, Juniper Co-Chair, Trusted Network Connect WG, TCG Co-Chair, Network Endpoint Assessment WG, IETF

  2. As Access Increases Mission-critical network assets Mobile and remote devices transmitting the LAN perimeter Broader variety ofnetwork endpoints Faculty, staff, parent,and/or student access Implications of Expanded Network Usage Critical data at risk Perimeter security ineffective Endpoint infections may proliferate Network control can be lost Network Security Decreases

  3. Control Access • to critical resources • to entire network • Based on • User identity and role • Endpoint identity and health • Other factors • With • Remediation • Management • Consistent Access Controls • Reduced Downtime • Healthier endpoints • Fewer outbreaks • Safe Remote Access • Safe Access for • Faculty, Staff • Students, Parents • Guests • Devices Features Benefits Network Access Control Solutions Network access control must be a key component of every network!

  4. What is Trusted Network Connect (TNC)? • Open Architecture for Network Access Control • Suite of Standards to Ensure Interoperability • Work Group in Trusted Computing Group (TCG)

  5. TCG: The Big Picture • Applications • Software Stack • Operating Systems • Web Services • Authentication • Data Protection Desktops & Notebooks Printers & Hardcopy Security Infrastructure Storage TCG Standards Mobile Phones Servers Networking Security Hardware

  6. PDP TNC Architecture Overview Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) VPN Wireless FW Wired Network Perimeter

  7. Typical TNC Deployments • Uniform Policy • User-Specific Policies • TPM Integrity Check

  8. PDP Uniform Policy Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Remediation Network • Non-compliant System Windows XP • SP2 • OSHotFix 2499 • OSHotFix 9288 • AV - McAfee Virus Scan 8.0 • Firewall Client Rules Windows XP - SP2 - OSHotFix 2499 - OSHotFix 9288 - AV (one of) - Symantec AV 10.1 - McAfee Virus Scan 8.0 - Firewall Production Network • Compliant System Windows XP • SP2 • OSHotFix 2499 • OSHotFix 9288 • AV – Symantec AV 10.1 • Firewall Network Perimeter

  9. PDP User-Specific Policies Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Guest User Guest Network Internet Only Ken – Faculty Classroom Network Access Policies - Authorized Users - Client Rules Linda – Finance Finance Network Windows XP • OSHotFix 9345 • OSHotFix 8834 • AV – Symantec AV 10.1 • Firewall Network Perimeter

  10. PDP TPM Integrity Check Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) • TPM – Trusted Platform Module • Hardware module built into most of today’s PCs • Enables a hardware Root of Trust • Measures critical components during trusted boot • PTS interface allows PDP to verify configuration and remediate as necessary Client Rules - BIOS - OS - Drivers - Anti-Virus Software Production Network • Compliant System TPM Verified • BIOS • OS • Drivers • Anti-Virus Software Network Perimeter

  11. Integrity Measurement Collectors (IMC) Integrity Measurement Verifiers (IMV) TNC Server (TNCS) Collector Verifiers (IF-M) t Collector Verifers (IF-IMC) (IF-IMV) (IF-TNCCS) TNC Client (TNCC) (IF-PTS) (IF-T) Platform Trust Service (PTS) (IF-PEP) Network Access Requestor Network Access Authority Policy Enforcement Point (PEP) TSS TPM TNC Architecture in Detail Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP)

  12. TNC Status • TNC Architecture and all specs released • Available Since 2006 from TCG web site • Rapid Specification Development Continues • New Specifications, Enhancements • Number of Members and Products Growing Rapidly • Compliance and Interoperability Testing and Certification Efforts under way

  13. TNC Vendor Support Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) EndpointSupplicant/VPN Client, etc. Network Device FW, Switch, Router, Gateway AAA Server, Radius,Diameter, IIS, etc.

  14. TNC/NAP/UAC Interoperability • Announced May 21, 2007 by TCG, Microsoft, and Juniper • NAP products implement TNC specifications • Included in Windows Vista, Windows XP SP 3, and Windows Server 2008 • Juniper UAC and NAP can interoperate • Demonstrated at Interop Las Vegas 2007 • UAC will support IF-TNCCS-SOH in 1H2008 • Customer Benefits • Easier implementation – can use built-in Windows NAP client • Choice and compatibility – through open standards

  15. NAP Vendor Support

  16. What About Open Source? • Several open source implementations of TNC • University of Applied Arts and Sciences in Hannover, Germany (FHH) http://tnc.inform.fh-hannover.de • libtnc https://sourceforge.net/projects/lib/tnc • OpenSEA 802.1X supplicant http://www.openseaalliance.org • FreeRADIUS http://www.freeradius.org • TCG support for these efforts • Liaison Memberships • Open source licensing of TNC header files

  17. Summary • Network Access Control provides • Strong Security and Safety • Tight Control Over Network Access • Reduced PC Administration Costs • Open Standards Clearly Needed for NAC • Many, Many Vendors Involved in a NAC System • Some Key Benefits of Open Standards • Ubiquity, Flexibility, Reduced Cost • TNC = Open Standards for NAC • Widely Supported – HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc. • Can Use TPM to Detect Root Kits • TNC: Coming Soon to a Network Near You!

  18. For More Information • TCG Web Site • https://www.trustedcomputinggroup.org • Juniper UAC Web Site • http://www.juniper.net/products_and_services/unified_access_control • Steve Hanna • Distinguished Engineer, Juniper Networks • Co-Chair, Trusted Network Connect Work Group, TCG • Co-Chair, Network Endpoint Assessment Working Group, IETF • email: shanna@juniper.net • Blog: http://www.gotthenac.com

More Related