
IF-MAP: Open Standards for Coordinating Security

IF-MAP: Open Standards for Coordinating Security. Presentation for SAAG IETF 72, July 31, 2008 Steve Hanna shanna@juniper.net. Server Security. Web Services Security. Identity Management. Server/Service Security. Network Intrusion Detection & Prevention. Network Anti-Virus.


Presentation Transcript


  1. IF-MAP: Open Standards for Coordinating Security Presentation for SAAG IETF 72, July 31, 2008 Steve Hanna shanna@juniper.net

  2. Information Security Past - Isolation
     Host Security: Host Anti-Virus, Host Firewall, Host Intrusion Detection & Prevention
     Network Security: Network Intrusion Detection & Prevention, Network Anti-Virus, Network Firewall, Vulnerability Scanners, Virtual Private Networks, Data Loss Prevention
     Server/Service Security: Server Security, Web Services Security, Identity Management

  3. Information Security Present – Partial Coordination: Network Access Control (NAC)
     Host Security: Host Anti-Virus, Host Firewall, Host Intrusion Detection & Prevention
     Network Security: Network Intrusion Detection & Prevention, Network Anti-Virus, Network Firewall, Vulnerability Scanners, Virtual Private Networks, Data Loss Prevention
     Server/Service Security: Server Security, Web Services Security, Identity Management

  4. Information Security Future – Full Coordination: NAC with IF-MAP
     Host Security: Host Anti-Virus, Host Firewall, Host Intrusion Detection & Prevention
     Network Security: Network Intrusion Detection & Prevention, Network Anti-Virus, Network Firewall, Vulnerability Scanners, Virtual Private Networks, Data Loss Prevention
     Server/Service Security: Server Security, Web Services Security, Identity Management

  5. Basic NAC Architecture (diagram): Access Requestor (AR), Policy Decision Point (PDP), Policy Enforcement Point (PEP), VPN

  6. Integrating Other Security Systems (diagram): Access Requestor (AR), Policy Decision Point (PDP), Policy Enforcement Point (PEP), Metadata Access Point (MAP), Sensors, Flow Controllers, VPN

  7. TNC Architecture (diagram)
     Access Requestor: Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor, Platform Trust Service (PTS), TSS, TPM
     Policy Decision Point: Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority
     Policy Enforcement Point (PEP)
     Metadata Access Point
     Sensors and Flow Controllers
     Interfaces: IF-M, IF-IMC, IF-IMV, IF-TNCCS, IF-T, IF-PEP, IF-PTS, IF-MAP

  8. What is IF-MAP?
     • Standard Published by Trusted Computing Group
       • https://www.trustedcomputinggroup.org/groups/network
     • Standard Requests & Responses
       • Publish, Search, Subscribe, Poll
     • Standard Identifiers
       • device, identity, ip-address, mac-address, access-request
     • Standard Metadata
       • device-attribute, event, role, capability, layer2-information
     • Standard Links (marked with metadata)
       • access-request-device, access-request-ip, access-request-mac, authenticated-as, authenticated-by, ip-mac
     • Protocol Binding for SOAP
     • Ability to define optional vendor-specific extensions

  9. Example IF-MAP Graph (diagram)

  10. IF-MAP Benefits
     • More Informed Sensors
       • Sensors can tune by role and other things
       • Should reduce false alarms
     • Policy and Reports in Business Terms
       • User identity and role vs. IP address
       • Simpler, easier to manage
     • Automated Response (if desired)
       • Faster response = stronger security
       • Less expense due to automation
     • Customer Choice and Flexibility
       • No need to buy all security products from one vendor
       • Can reuse and integrate existing security systems

  11. Security and Privacy Considerations
     • MAP = Storehouse of Sensitive Data, Critical Nerve Center
     • MUST
       • TLS with mutual auth for IF-MAP clients
       • publisher-id and timestamp to track changes
     • SHOULD
       • authorization, DOS protection, anomaly detection, physical and operational security, hardening, etc.
       • not keep historical data
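The following is an added illustration, not code from the presentation or from the Trusted Computing Group: a small in-memory model of the Metadata Access Point described on slides 8, 10 and 11. It implements the publish, search, subscribe and poll operations over the standard identifier, metadata and link names from slide 8, stamps every published item with a publisher-id and timestamp as slide 11 requires, and then shows a sensor resolving an IP address to a user role (slide 10's "tune by role") and a flow controller picking up the sensor's event on its next poll. The SOAP binding is not modelled; the class and function names, the sample IP and MAC addresses, and the client names (pdp-1, ids-1, flowctl-1) are all constructed for the example.

```python
"""Toy in-memory model of an IF-MAP Metadata Access Point (MAP).

Added illustration only (not the TCG SOAP wire protocol): it models the
publish / search / subscribe / poll semantics and the standard identifier,
metadata and link names from the slides. All names here are hypothetical.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Identifier:
    """Graph node; kind is device, identity, ip-address, mac-address or access-request."""
    kind: str
    value: str


@dataclass
class Link:
    """Edge between two identifiers carrying one metadata item, e.g. authenticated-as."""
    a: Identifier
    b: Identifier
    metadata: dict


class MapServer:
    def __init__(self):
        self.links = []
        self.node_metadata = {}   # Identifier -> [metadata dict, ...]
        self.subscriptions = []   # dicts: client, name, start, depth, last
        self.poll_queue = {}      # client -> [(subscription name, search result), ...]

    def _stamp(self, publisher_id, mtype, attrs):
        # Every item records who published it and when (slide 11 MUST), so any
        # change to the graph can be attributed to a specific client.
        return {"type": mtype, "publisher-id": publisher_id,
                "timestamp": datetime.now(timezone.utc).isoformat(), **attrs}

    def publish_link(self, publisher_id, a, b, mtype, **attrs):
        """Publish metadata on the link between identifiers a and b."""
        self.links.append(Link(a, b, self._stamp(publisher_id, mtype, attrs)))
        self._notify()

    def publish_metadata(self, publisher_id, node, mtype, **attrs):
        """Publish metadata (e.g. role, event) attached to a single identifier."""
        self.node_metadata.setdefault(node, []).append(self._stamp(publisher_id, mtype, attrs))
        self._notify()

    def search(self, start, max_depth):
        """Breadth-first walk from start, following links up to max_depth hops."""
        depth, queue, found_links = {start: 0}, deque([start]), []
        while queue:
            node = queue.popleft()
            if depth[node] >= max_depth:
                continue
            for link in self.links:
                if node not in (link.a, link.b):
                    continue
                if link not in found_links:
                    found_links.append(link)
                other = link.b if link.a == node else link.a
                if other not in depth:
                    depth[other] = depth[node] + 1
                    queue.append(other)
        return {"identifiers": {n: list(self.node_metadata.get(n, [])) for n in depth},
                "links": found_links}

    def subscribe(self, client, name, start, max_depth):
        """Register a standing search; when its result changes, the new result is queued for poll()."""
        self.subscriptions.append({"client": client, "name": name, "start": start,
                                   "depth": max_depth, "last": self.search(start, max_depth)})
        self.poll_queue.setdefault(client, [])

    def poll(self, client):
        """Return and clear the queued search results for this client."""
        updates = self.poll_queue.get(client, [])
        self.poll_queue[client] = []
        return updates

    def _notify(self):
        # Re-run each subscription's search after a publish; only changed results are queued.
        for sub in self.subscriptions:
            result = self.search(sub["start"], sub["depth"])
            if result != sub["last"]:
                sub["last"] = result
                self.poll_queue[sub["client"]].append((sub["name"], result))


def role_for_ip(server, ip):
    """Slide 10's 'tune by role': walk ip-address -> access-request -> identity, read role."""
    result = server.search(Identifier("ip-address", ip), max_depth=2)
    for node, items in result["identifiers"].items():
        if node.kind == "identity":
            for md in items:
                if md["type"] == "role":
                    return md["name"]
    return None


def demo():
    """Constructed scenario: a PDP publishes a session; an IDS and a flow controller subscribe."""
    mapsrv = MapServer()
    ip = Identifier("ip-address", "10.0.0.5")             # constructed sample address
    mac = Identifier("mac-address", "00:11:22:33:44:55")  # constructed sample MAC
    ar, alice, pdp = Identifier("access-request", "ar-1"), Identifier("identity", "alice"), Identifier("device", "pdp-1")
    mapsrv.subscribe("ids-1", "ctx", ip, max_depth=2)      # sensor wants the endpoint's context
    mapsrv.subscribe("flowctl-1", "events", ip, max_depth=0)  # flow controller watches the IP only
    # PDP records the authenticated session using the standard link and metadata names.
    mapsrv.publish_link("pdp-1", ar, ip, "access-request-ip")
    mapsrv.publish_link("pdp-1", ar, mac, "access-request-mac")
    mapsrv.publish_link("pdp-1", ip, mac, "ip-mac")
    mapsrv.publish_link("pdp-1", ar, alice, "authenticated-as")
    mapsrv.publish_link("pdp-1", ar, pdp, "authenticated-by")
    mapsrv.publish_metadata("pdp-1", alice, "role", name="finance")
    ids_updates = mapsrv.poll("ids-1")
    role = role_for_ip(mapsrv, "10.0.0.5")  # sensor now reasons about a role, not an IP
    # Sensor publishes an event on the IP; the flow controller sees it on its next poll.
    mapsrv.publish_metadata("ids-1", ip, "event", name="port-scan", significance="important")
    fc_updates = mapsrv.poll("flowctl-1")
    events = [md["name"] for _, res in fc_updates for md in res["identifiers"][ip] if md["type"] == "event"]
    publishers = {l.metadata["publisher-id"] for l in mapsrv.links}
    publishers |= {md["publisher-id"] for items in mapsrv.node_metadata.values() for md in items}
    return {"role": role, "ids_updates": len(ids_updates), "events": events,
            "publishers": sorted(publishers)}


if __name__ == "__main__":
    print(demo())
```

The depth-0 subscription is what makes the flow controller quiet while the PDP fills in the session graph: its search result covers only the ip-address node, so link publishes one hop away do not wake it, whereas the depth-2 subscription of the IDS is re-queued on every one of them. The publisher-id on each item is what would let an operator audit which client placed which metadata, which is the slide 11 point.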

  12. Discussion
