
DOCUMENT INFORMATION

Title: Introduction of Trusted Network Connect
Author: Houcheng Lee
Institution: University of Maryland, Baltimore County
Field: Computer Security
Type: Lecture presentation
Year: 2007
City: Baltimore
Pages: 37
Size: 2.93 MB

Contents

Slide 1

Introduction of Trusted Network Connect

Houcheng Lee

houchen1@umbc.edu

May 9, 2007

Slide 2

What is Trusted Computing?

Slide 3

Trusted Computing Group (TCG)

Slide 4

Copyright© 2007 Trusted Computing Group - Other names and brands are properties of their respective owners.

Trusted Computing Group (TCG) Membership

170 Total Members as of January, 2007

Contributors: Check Point Software, Inc.; Citrix Systems, Inc.; Comodo; Dell, Inc.; Endforce, Inc.; Ericsson Mobile Platforms AB; France Telecom Group; Freescale Semiconductor; Fujitsu Limited; Fujitsu Siemens Computers; Funk Software, Inc.; General Dynamics C4 Systems; Giesecke & Devrient; Hitachi, Ltd.; Infineon; InfoExpress, Inc.; InterDigital Communications; iPass; Lenovo Holdings Limited; Lexmark International; Lockheed Martin; M-Systems Flash Disk Pioneers; Maxtor Corporation; Meetinghouse Data Communications; Mirage Networks; Motorola Inc.; National Semiconductor; nCipher; NEC; Nevis Networks, USA; Nokia; NTRU Cryptosystems, Inc.; NVIDIA; OSA Technologies, Inc.; Philips; Phoenix; Pointsec Mobile Technologies; Renesas Technology Corp.; Ricoh Company LTD; RSA Security, Inc.; Samsung Electronics Co.; Seagate Technology; Siemens AG; SignaCert, Inc.; Silicon Integrated Systems Corp.; Sinosun Technology Co., Ltd.; SMSC; Sony Corporation; STMicroelectronics; Symantec; Symbian Ltd; Synaptics Inc.; Texas Instruments; Toshiba Corporation; TriCipher, Inc.; Unisys; UPEK, Inc.; Utimaco Safeware AG; VeriSign, Inc.; Vernier Networks; Vodafone Group Services LTD; Wave Systems; Winbond Electronics Corporation

Adopters: Advanced Network Technology Labs; Apani Networks; Apere, Inc.; ATI Technologies Inc.; BigFix, Inc.; BlueRISC, Inc.; Bradford Networks; ConSentry Networks; CPR Tools, Inc.; Credant Technologies; Fiberlink Communications; Foundstone, Inc.; GuardianEdge; ICT Economic Impact; Industrial Technology Research Institute; Infosec Corporation; Integrated Technology Express Inc.; LANDesk; Lockdown Networks; Marvell Semiconductor, Inc.; MCI; Meganet Corporation; Roving Planet; SafeBoot; Safend; Sana Security; Secure Elements; Senforce Technologies, Inc.; SII Network Systems, Inc.; Silicon Storage Technology, Inc.; Softex, Inc.; StillSecure; Swan Island Networks, Inc.; Symwave; Telemidic Co Ltd; Toppan Printing Co., Ltd.; Trusted Network Technologies; ULi Electronics Inc.; Valicore Technologies, Inc.

Slide 5

TCG Key Players

Slide 6

Trusted Platform Module (TPM)

Slide 7

Trusted Platform Module (TPM)

• stores OS status information

• generates/stores a private key

• creates digital signatures

• anchors chain of trust for keys, digital certificates, and other credentials

Slide 8

TPM – TCG Definition

• Trusted Boot Configuration

multiple identity keys

Slide 9

the TPM off (it ships disabled).

Slide 10

Why Not Software?

• Software is hard to secure.

relatively insecure location (like the hard drive).

• Soft data can be copied.

equipment to the attack procedure.

• Security can't be measured.

radically different risks.

Slide 11

TPM Measurement Flow

Slide 12

Trusted Network Connection (TNC)

Slide 13

Slide 14

Network Endpoint Problem

• Motivated Attackers (Bank Crackers)

• Any vulnerable computer is a stepping stone

Slide 15

Key Computing Trends Drive the Need for TNC

TREND

• Increasing network span to mobile workers, customers, partners, suppliers

• Network clients moving to wireless access

• Malware increasingly targeting network via valid client infection

emerging at an increasing rate

IMPLICATION

• Less reliance on physical access identity verification (i.e. guards & badges)

easily monitored, cloned

• Clients "innocently" infect entire networks

move from once/week to once/login

Slide 16

Network Integrity Architectures

• Several initiatives are pursuing Network Integrity Architectures

• All provide the ability to check the integrity of objects accessing the network

• [Cisco] Network Admission Control (NAC)

• [Microsoft] Network Access Protection (NAP)

Slide 17

Trusted Network Connect Advantages

Open standards

• multi-vendor compatibility

• open technical review

• Integrates with established protocols like EAP, TLS, 802.1X, and IPsec

Incorporates Trusted Computing Concepts

- guarding the guard

Slide 18

Controlling Integrity of What is on the Network

• Moving from "who" is allowed on the network

• User authentication

To "who" and "what" is allowed on the network

• Adding Platform Integrity verification

Slide 19

Check at connect time

(Figure: the client asks "Can I connect?"; the access control dialog checks "Who are you" against the User DB and "What is on your computer" against the Integrity DB before granting access to the Enterprise Net.)

Slide 20

Quarantine and Remediation

(Figure: the client asks "Can I connect?"; the access control dialog, backed by the User DB + Integrity DB, answers "No, I am quarantining you. Try again when you're fixed up" and places the client on the Quarantine Net with a Remediation Server instead of the Enterprise Net.)

Slide 21

TNC Architecture

Slide 22

TNC Architecture

• Integrity Measurement Collectors (IMC)

• Integrity Measurement Verifiers (IMV)

• Network Access Requestor

• Policy Enforcement Point (PEP)

• Network Access Authority

• TNC Server (TNCS)

• Interfaces: IF-PTS, IF-PEP

Slide 23

Endpoint Integrity Policy

• Machine Health

• Anti-Virus software running and properly configured

• Personal Firewall running and properly configured

Slide 24

Examples of Integrity Checks

• Virus scan

• What is your OS patch level?

• Is unauthorized software present?

• Other - IDS logs, evidence of port scanning

Slide 25

Network Operator Access Policy

• Define policy for what must be checked and results of checks

• e.g. Must run

Slide 26

(Figure: a TNC Client with an embedded AV-IMC reading Anti-Virus Services state (AV configuration, AV engine, AV definitions) and a Network Access Requestor, exchanging messages with a Network Access Authority that holds the Policies. Numbered flow: 1 Baseline Measurements, 2 Policies, 4 Integrity Measurements, 5 Policy Decision, 6 Control Request.)

Slide 27

TNC Model for Exchanging Integrity Data

Verifiers: Patch mgt Verifier, firewall Verifier, Platform trust Verifier

- Messages are batched by TNCC/TNCS

- Either side can start a batched exchange

- IMC/IMV may subscribe to multiple message types

- Exchanges of TNC batches are called a handshake
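The flow on slides 26 and 27 (IMCs collect, the TNCC batches, the TNCS routes each message to subscribed IMVs, the Network Access Authority decides) together with the quarantine-and-remediation outcome on slide 20, as an added Python model that is not from the slides or from TCG; the message type names, policy thresholds and remediation strings are assumptions constructed for the example.

```python
# Added example (not from the slides): toy model of the TNC integrity handshake
# on slides 20 and 23-27. Message types, policy values and remediation strings
# are constructed for this example, not TNC specification constants.

POLICY = {"av_engine_min": (10, 2), "av_defs_max_age_days": 7}

# Client side: each IMC returns (message_type, value) pairs (slide 26).
def av_imc_collect(endpoint):
    return [("AV/engine", endpoint["av_engine"]),
            ("AV/definitions_age", endpoint["av_defs_age_days"]),
            ("AV/realtime", endpoint["av_realtime"])]

def fw_imc_collect(endpoint):
    return [("FW/running", endpoint["firewall_on"])]

# Server side: an IMV checks one message and returns (recommendation, fix).
def av_imv(msg_type, value):
    if msg_type == "AV/engine" and tuple(value) < POLICY["av_engine_min"]:
        return "isolate", "upgrade anti-virus engine"
    if msg_type == "AV/definitions_age" and value > POLICY["av_defs_max_age_days"]:
        return "isolate", "update anti-virus definitions"
    if msg_type == "AV/realtime" and not value:
        return "isolate", "enable real-time scanning"
    return "allow", None

def fw_imv(msg_type, value):
    if msg_type == "FW/running" and not value:
        return "isolate", "enable personal firewall"
    return "allow", None

# IMVs subscribe to message types; the TNCS routes by type (slide 27).
SUBSCRIPTIONS = {"AV/engine": [av_imv], "AV/definitions_age": [av_imv],
                 "AV/realtime": [av_imv], "FW/running": [fw_imv]}

def tnc_handshake(endpoint):
    """One TNC handshake: batch IMC messages, run IMVs, decide access."""
    batch = av_imc_collect(endpoint) + fw_imc_collect(endpoint)  # TNCC batch
    fixes = []
    for msg_type, value in batch:
        for imv in SUBSCRIPTIONS.get(msg_type, []):
            verdict, fix = imv(msg_type, value)
            if verdict == "isolate":
                fixes.append(fix)
    # Network Access Authority: any failed check -> Quarantine Net plus the
    # remediation list (slide 20); otherwise Enterprise Net.
    if fixes:
        return {"network": "quarantine", "remediation": fixes}
    return {"network": "enterprise", "remediation": []}
```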

Slide 28

Authorized Access Only

(Figure labels: Access Denied)

Slide 29

Slide 30

Customized Network Access

Access Policies

• Authorized Users

• Client Rules

Slide 31

Platform Trust Services (PTS)

• IF-PTS evaluates the integrity of TNC components and makes integrity reports available to the TNCC and TNCS

• The PTS establishes the integrity state of the TNC framework and binds this state to the platform transitive-trust chain

• The PTS IMC collects integrity information about TNC elements and sends it to the PTS IMV

• The PTS IMV has information (probably from vendors) on expected values for IMCs and other TNC elements and verifies the received values

Slide 32

TPM – Trusted Platform Module

• HW module built into most of today's PCs

• Enables a HW Root of Trust

• Measures critical components during trusted boot

• PTS-IMC interface allows the PDP to verify configuration and remediate as necessary
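The "measures critical components during trusted boot" step above and the PTS IMV comparison against vendor-supplied expected values on slide 31, as an added Python example that is not from the slides or from TCG; it uses the TPM 1.2 extend rule (SHA-1 of old PCR concatenated with the measurement), and the boot component blobs and the expected PCR value are constructed for the example.

```python
# Added example (not from the slides): toy model of the measured-boot flow on
# slides 11, 31 and 32. Uses the TPM 1.2 extend rule PCR = SHA-1(PCR || digest)
# (TPM 1.2 is the version slide 34 names); the boot components and the
# "expected value" are constructed for this example, not real firmware data.
import hashlib

PCR_SIZE = 20  # SHA-1 digest length; TPM 1.2 PCRs are 20 bytes

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: the old value is hashed together with the new measurement,
    # so a PCR can only be moved forward, never set to a chosen value.
    return sha1(pcr + digest)

def measured_boot(components):
    """Measure each component into a single PCR, in boot order.

    Returns (final_pcr, event_log); the log is what an IMC would report
    alongside the PCR so a verifier can replay and explain the value."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to all zeros at power-on
    log = []
    for name, blob in components:
        digest = sha1(blob)  # measure before handing control to the component
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def replay_log(log):
    """Recompute the PCR from a reported event log (verifier side)."""
    pcr = bytes(PCR_SIZE)
    for _name, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr

def pts_verify(reported_pcr, log, expected_pcr):
    """PTS-IMV style check: log must replay to the PCR and match the known-good value."""
    return replay_log(log) == reported_pcr and reported_pcr == expected_pcr

# Constructed boot chain; in practice the expected PCR comes from the vendor.
GOOD_CHAIN = [("bios", b"bios-image-v1"), ("bootloader", b"loader-stage1"),
              ("kernel", b"kernel-image-v1")]
EXPECTED_PCR, _ = measured_boot(GOOD_CHAIN)

def check_platform(components):
    """Return (trusted?, log) for a platform that booted the given components."""
    pcr, log = measured_boot(components)
    return pts_verify(pcr, log, EXPECTED_PCR), log
```

Changing any component, or booting the same components in a different order, yields a different final PCR, which is why the verifier can reject both tampering and reordering from a single 20-byte value.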

Slide 33

TNC Architecture – Existing Support

Access Requestor: Endpoint (Supplicant/VPN Client, etc.)

Policy Enforcement Point: Network Device (FW, Switch, Router, Gateway)

Policy Decision Point: AAA Server (Radius, Diameter, IIS, etc.)

Slide 34

TPM Use Cases - Government & Regulatory

• National Security Agency

• Full drive encryption

• TCG for compatibility

• U.S. Army requires TPM 1.2 on new computers

• F.D.I.C.

Slide 35

TPM Use Cases – Realistic Projects

session of broadband telemedicine

• Microsoft Vista BitLocker

Slide 36

Thank you

Questions?

Slide 37

References

• Trusted Computing Group (TCG) - https://www.trustedcomputinggroup.org/home

• Trusted Network Connection (TNC) - https://www.trustedcomputinggroup.org/groups/network/

Posted: 15/03/2014, 17:20