250 likes | 271 Views
Putting Trust into the Network: Securing Your Network through Trusted Access Control. Ned Smith Intel NCAC April 27 th , 2005. Agenda. TCG Model for Trusted Computing Establishing Endpoint Integrity / Identity Access Control Decisions Based on TPM
E N D
Putting Trust into the Network: Securing Your Network through Trusted Access Control Ned Smith Intel NCAC April 27th, 2005
Agenda • TCG Model for Trusted Computing • Establishing Endpoint Integrity / Identity • Access Control Decisions Based on TPM • Relating XACML with TCG Integrity Schema
Challenges of Trusted Computing • Assurance of safe computing environments • Viruses, Worms, Rootkits, Spyware, Adware etc… • Identifying the endpoint is ambiguous • The endpoint has a distinct boundary • Controllers, busses, networks and peripherals associated with a platform • Authentication protocols presume authorization tokens are bound to the endpoint • Control of resources in foreign environments • Infosec policy associated with data as it moves through different computing environments • The environment must follow the policy
TCG Model of a Trusted Computing Platform Protection Domain Policies Verification Engine Layer Services Measurement Engine Provided Services Storage Engine Metrics Trusted Engine Reporting Engine Enforcement Engine Layer Resources Dependent Services
Examples Secure Boot • A secure boot service implements Measurement and Reporting engines integrated with a Verification engine • The Verification engine evaluates measurements according to a policy to determine proper boot sequence • If the sequence is in error, an Enforcement engine is employed to terminate the boot process • Trusted Boot • Trusted boot service implements Measurement and Storage engines following the boot sequence • A Verification engine on a remote node (network server) evaluates the boot sequence at a later time
Decomposition for Network Access Control Access Requestor Domain Measurement Engine Measurement Attestation Access Request 2 1 Storage Engine Metrics Reporting Engine PDP Domain 3 Access Control 4 Policies Verification Engine PEP Domain 5 6 Apply Access Network Connect 7 Enforcement Engine
How to Define the Endpoint? • Authentication tokens • Keys, pass-phrases, certificates etc… • Boot sequence • Device enumeration • Software install / load • Running processes / threads • Manufacturer intrinsic attributes • Model, version, quality metrics
Three Vectors of Endpoint Integrity / Identity • Measurement • Hash of software/firmware captures platform state • Controllers and processors are enumerated and measured • Executing code may be scanned to determine its present state • Cryptographic Identity • Authentication keys • Reporting Engines use cryptographic keys to authenticate the reporting engine that by extension identifies the platform. • Origin Identity • MMV • Each component (device, platform, software package) can be identified by its Manufacturer, Model and Version (MMV) • Credentials issued by manufacturers contain MMV intrinsic assertions • Reference Measurements • Manufacturer provided signatures
TPM Example: Pre-Boot Integrity Measurement Collection Log of Extended Values Hash of Extended Values Measure = Hash of code or data Execute = Code is loaded into CPU
Platform Configuration Registers (PCRs) • Stores cumulative configuration • Update is an Extend operation: • [PCR] = SHA-1 {[PCR] + Extend value} • Value: • It is infeasible to calculate the value A such that: • PCRdesiredValue = Extend (A) • PCRs re-initialized at system reset • TPM_Init • Measurement Log contains
Collecting Measurements After System Boot • A Platform Trust Service (PTS) can be used to Measure Applications • Files • Read files from disk; compute a measurement • Processes • Ring 3 - DLL injection to read another processes memory • Ring 0 – Access pages in memory / DMA accesses
Example Platform Trust Service • Integrity of the PTS is established • Pre-boot by measuring PTS drivers included in OS image • Post-boot by measuring PTS process memory pages • PTS may measure processes and files • Determined by policy – e.g. protect integrity reporting infrastructure • Triggered by request – e.g. measure before connecting to the network Pre-boot
TNC Client TNC Server Tunnel Batch TCG Model for Exchanging Integrity Data Access Requestor Policy Decision Point Anti-Virus Verifier Anti-Virus Collector OK • IF-IMC & IF-IMV exchange messages containing posture information • Messages are batched for delivery by TNCC / TNCS • Either side may start a batched exchange • IMCs and IMVs may subscribe to multiple message types • Follow-on exchanges may continue indefinitely • But may be gated by the underlying transport Firewall Verifier Firewall Collector !OK Patch Mgmt Verifier Patch Mgmt Collector OK OK !OK Status TNC Integrity Verifier TNC Integrity Collector OK OK OK The TNC Server Makes the Final Decision
Evaluation of Integrity Reports • Integrity Reports ought to be shadowed by a Reference Value • Reference values • “Normal” boot sequence will have repeatable PCR values • Versioning “freezes” code changes so hash values don’t change • Authentication keys have trust anchors • Watchdogs have a schedule of expected events • Reference Values Should Come from an Authoritative Source • Manufacturer – to detect modification due to stolen source • Evaluation labs – who make assertions of quality and conformance • Platform Owner – the entity taking the risk!
TCG Integrity Schema Policy Authors Value-Added Provider Integrity Measurement Harvesters Integrity Signature Database = Anticipated TCG specification Integrity Harvesting Model • Harvesting gathers Assertions and Values from a trustworthy source • TCG Integrity Schema defined structure Policies / Rules Reference Integrity Measurements Policy Authoring Mechanism Submission Mechanism Harvesting Mechanism TCG Certificates Evaluation Mechanism Verifier (PDP)
TCG Integrity Schema • Consists of a tree of Assertions and hash Values • Reference measurements • Quality assertions • Development / Manufacturing processes • Trust related operations • E.g. Creation of platform endorsement key • Associated with a Target “Component” • Composite attributes form its “Identity” • Manufacture name / vendor ID • Model number / name • Version information • Patch level • Component Identity is unique with respect to a release • Not necessarily a particular copy or instance
Integrity Schema and XACML • Evaluation correlates reference and actual values with appropriate consequences • A policy structure such as XACML may be helpful • An XACML Policy is a tree of • PolicySet • Contains multiple Policies and policy references • Policy • Contains multiple Rules • Rule • Contains decision logic expressed in terms of Conditions and Effect • TCG Assertions may be mapped to XACML as Condition Attributes
Policy Authors Policy Sources Attribute Sources Policy Database Integrity Signature Database A Conceptual Model Policy Authoring Mechanism Reference Integrity Measurements TCG Certificates XACML Context XACML Request AR PEP PDP XACML Response XACML Policy or Attribute References
Attribute Sources Integrity Signature Database XACML Condition Attribute <xs:element name="AttributeValue" type="xacml:AttributeValueType" substitutionGroup="xacml:Expression"/> <xs:complexType name="AttributeValueType" mixed="true"> <xs:complexContent mixed="true"> <xs:extension base="xacml:ExpressionType"> <xs:sequence> <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="DataType" type="xs:anyURI" use="required"/> <xs:anyAttribute namespace="##any" processContents="lax"/> </xs:extension> </xs:complexContent> </xs:complexType>
Summary • TCG model for Trusted Computing is centered around collection and verification of trust attributes • Trust attributes can be applied to network access control • The TCG is developing infrastructure for collecting reference trust attributes • XACML may be a viable framework for making access decisions involving TCG trust attributes
Questions? • Contact Information • The Trusted Computing Group • www.trustedcomputinggroup.org • admin@trustedcomputinggroup.org • Infrastructure Working Group Co-Chairs • Ned Smith / Intel • ned.smith@intel.com • Thomas Hardjono / Verisign • thomas.hardjono@verisign.com
Collection Reporting Decision Making Remediation Enforcement Steps of a Trusted Network Connection • Find out the condition of the platform • Communicate platform state when connecting • Decide what level of access is acceptable • Restrict the environment in accordance with access rights • Remediation may be required to reconcile denied access
TCG Trusted Network Connect Architecture AR PEP PDP Remediation Layer • Automated response and provisioning Collector Remediation Remediation Verifiers Collector Verifiers Applications Resources • Collection of integrity information • Authoring of rules Integrity Measurement Layer IF-V Collector Integrity Measurement Integrity Measurement Verifiers Collector Verifiers Collectors Verifiers IF-IMC IF-IMV • Reporting and transfer of integrity information • Access decision making Integrity Evaluation Layer IF-TNCCS TNC TNC Client Server • Enforcement mechanisms • Control of network boundary IF-Transport Network Network Access Layer Network Access Access Policy Enforcement Authority Requestor Point IF-PTS IF-PEP Supplicant/ Switch/ Firewall/ VPN Client, etc. VPN Gateway Platform Trust Service • PTS protects the integrity of TNC components • RTM protects PTS • TPM protects measurements and keys Trust Layer Integrity Log RTM / TPM
NAC Extensions Collector Verifier 802.1x PAE RADIUS Client AR – Access Requester AVP – Attribute Value Pair EAP – Extensible Authentication Protocol PAE – Port Access Entity PDP – Policy Decision Point PEP – Policy Enforcement Point NAC – Network Access Control TLV – Tag Length Value TNC with 802.1X at Link Layer Network Boundary AR PEP PDP TNC EAP EAP Peer EAP Peer RADIUS* 802.1x 802.1X 802.1x Access Agent RADIUS Server Requestor Switch / Access Point Verifier Verifier & Collector exchange posture information over EAP tunnel using EAP inner methods, AVPs or TLVs