Presentation Guidlines 020207
Network Access Control for Education
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
Implications of Expanded Network Usage
As Access Increases (faculty, staff, parent, and/or student access):
• Mission-critical network assets
• Mobile and remote devices transmitting the LAN perimeter
• Broader variety of network endpoints
Network Security Decreases:
• Critical data at risk
• Perimeter security ineffective
• Endpoint infections may proliferate
• Network control can be lost
Network Access Control Solutions
Features
• Control access to critical resources or to the entire network
• Based on user identity and role, endpoint identity and health, and other factors
• With remediation and management
Benefits
• Consistent access controls
• Reduced downtime: healthier endpoints, fewer outbreaks
• Safe remote access
• Safe access for faculty, staff, students, parents, guests, and devices
Network access control must be a key component of every network!
What is Trusted Network Connect (TNC)?
Open Architecture for Network Access Control
Suite of Standards to Ensure Interoperability
Work Group in Trusted Computing Group (TCG)
TCG: The Big Picture
TCG Standards span the whole platform range:
• Applications: software stack, operating systems, web services, authentication, data protection
• Desktops & notebooks
• Printers & hardcopy
• Mobile phones
• Storage
• Servers
• Networking
• Security hardware
TNC Architecture Overview
Three roles, shown left to right in the diagram:
• Access Requester (AR), connecting over wireless or wired links
• Policy Enforcement Point (PEP), sitting at the network perimeter
• Policy Decision Point (PDP)
Typical TNC Deployments
Uniform Policy
User-Specific Policies
TPM Integrity Check
Uniform Policy
Diagram: Access Requester (AR), Policy Enforcement Point (PEP) at the network perimeter, Policy Decision Point (PDP); behind the PEP sit the Remediation Network and the Production Network.
Client Rules (one rule set for every endpoint):
Windows XP
- SP2
- OSHotFix 2499
- OSHotFix 9288
- AV (one of)
  - Symantec AV 10.1
  - McAfee Virus Scan 8.0
- Firewall
Non-compliant System (placed on the Remediation Network):
Windows XP SP2; x OSHotFix 2499 (missing); x OSHotFix 9288 (missing); AV – McAfee Virus Scan 8.0; Firewall
Compliant System (admitted to the Production Network):
Windows XP SP2; OSHotFix 2499; OSHotFix 9288; AV – Symantec AV 10.1; Firewall
User-Specific Policies
Access Requesters (AR): Guest User; Ken – Faculty; Linda – Finance
Policy Enforcement Point (PEP) at the network perimeter; Policy Decision Point (PDP) applies the Access Policies:
- Authorized Users
- Client Rules
Networks behind the PEP:
• Guest Network: Internet Only
• Classroom Network
• Finance Network, with the client rules shown on the slide: Windows XP; OSHotFix 9345; OSHotFix 8834; AV – Symantec AV 10.1; Firewall
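The following is an added example, not code from the slides or from any TNC or Juniper product. It models the Policy Decision Point for the two preceding slides: the Client Rules from the Uniform Policy slide and the Finance Network rules from the User-Specific Policies slide are encoded as data, an endpoint's reported posture is checked against the rule set for the user's role, and the result is the network the PEP should place the Access Requester on. The Posture data shape, the user directory, and the role-to-network mapping (including guests getting Internet-only access with no posture check) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Client Rules from the Uniform Policy slide. Every item is required except
# "AV (one of)", where any product in the set satisfies the rule.
UNIFORM_RULES = {
    "os": "Windows XP",
    "service_pack": "SP2",
    "hotfixes": {"OSHotFix 2499", "OSHotFix 9288"},
    "antivirus_one_of": {"Symantec AV 10.1", "McAfee Virus Scan 8.0"},
    "firewall": True,
}

# Rules shown beside the Finance Network on the User-Specific Policies slide.
FINANCE_RULES = {
    "os": "Windows XP",
    "service_pack": None,          # the slide lists no service pack for Finance
    "hotfixes": {"OSHotFix 9345", "OSHotFix 8834"},
    "antivirus_one_of": {"Symantec AV 10.1"},
    "firewall": True,
}

# Assumed reading of the diagram: the network each role lands on and the rule
# set applied there. Guests get Internet-only access with no posture check in
# this example; that is an assumption, not something the slide states.
ROLE_POLICY = {
    "guest":   {"network": "Guest Network (Internet Only)", "rules": None},
    "faculty": {"network": "Classroom Network", "rules": UNIFORM_RULES},
    "finance": {"network": "Finance Network", "rules": FINANCE_RULES},
}
AUTHORIZED_USERS = {"ken": "faculty", "linda": "finance"}   # constructed directory


@dataclass
class Posture:
    """What the endpoint reports about itself (constructed data shape)."""
    os: str
    service_pack: Optional[str] = None
    hotfixes: Set[str] = field(default_factory=set)
    antivirus: Optional[str] = None
    firewall: bool = False


def check_rules(posture: Posture, rules: Dict) -> List[str]:
    """Return every violated rule; an empty list means the endpoint is compliant."""
    violations = []
    if posture.os != rules["os"]:
        violations.append(f"os is {posture.os}, rule requires {rules['os']}")
    if rules["service_pack"] and posture.service_pack != rules["service_pack"]:
        violations.append(f"missing {rules['service_pack']}")
    for hotfix in sorted(rules["hotfixes"] - posture.hotfixes):
        violations.append(f"missing {hotfix}")
    if posture.antivirus not in rules["antivirus_one_of"]:
        violations.append("no approved anti-virus product")
    if rules["firewall"] and not posture.firewall:
        violations.append("firewall not enabled")
    return violations


def decide(user: str, posture: Posture) -> Tuple[str, List[str]]:
    """PDP decision: the network to place the Access Requester on, plus the
    violations that sent it to remediation (empty when admitted)."""
    role = AUTHORIZED_USERS.get(user, "guest")       # unknown identities are guests
    policy = ROLE_POLICY[role]
    if policy["rules"] is None:
        return policy["network"], []
    violations = check_rules(posture, policy["rules"])
    if violations:
        return "Remediation Network", violations
    return policy["network"], []


if __name__ == "__main__":
    # The two systems drawn on the Uniform Policy slide, both logged in as Ken.
    compliant = Posture("Windows XP", "SP2", {"OSHotFix 2499", "OSHotFix 9288"},
                        "Symantec AV 10.1", firewall=True)
    noncompliant = Posture("Windows XP", "SP2", set(), "McAfee Virus Scan 8.0",
                           firewall=True)
    print(decide("ken", compliant))      # ('Classroom Network', [])
    print(decide("ken", noncompliant))   # ('Remediation Network', ['missing OSHotFix 2499', 'missing OSHotFix 9288'])
```

Note that the non-compliant system's McAfee product is acceptable under "AV (one of)"; it is sent to remediation only for the two missing hotfixes, which is exactly what the slide's x marks indicate. The violation list is what a remediation network would hand to the endpoint so it can fix itself and reconnect.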
TPM Integrity Check
Diagram: Access Requester (AR), Policy Enforcement Point (PEP) at the network perimeter, Policy Decision Point (PDP), Production Network.
TPM – Trusted Platform Module
- Hardware module built into most of today's PCs
- Enables a hardware Root of Trust
- Measures critical components during trusted boot
- PTS interface allows PDP to verify configuration and remediate as necessary
Client Rules (components that must be TPM Verified):
- BIOS
- OS
- Drivers
- Anti-Virus Software
Compliant System: TPM Verified BIOS, OS, Drivers, Anti-Virus Software
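Added example, not from the slides or from any PTS implementation: what the PDP-side check behind "TPM Verified" looks like. A TPM 1.2 PCR is extended as new PCR = SHA-1(old PCR || measurement), so a verifier that receives the boot measurement log and the TPM's quoted PCR value can replay the log, confirm it reproduces the quoted value, and then compare each measured component (BIOS, OS, Drivers, Anti-Virus Software, as on the slide) against a known-good database. The component hashes, the logs and the known-good table below are constructed; checking the signature on the quote is assumed to happen before this function is called.

```python
import hashlib
from typing import Dict, List, Set, Tuple

Log = List[Tuple[str, bytes]]   # (component name, measurement digest), in boot order


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2-style PCR extend: new PCR = SHA-1(old PCR || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def replay_log(log: Log) -> bytes:
    """Recompute the PCR value a measurement log should produce, starting from
    the all-zero reset value."""
    pcr = bytes(20)
    for _, measurement in log:
        pcr = extend(pcr, measurement)
    return pcr


# Components the slide says the TPM measures during trusted boot, in boot order.
EXPECTED_COMPONENTS = ["BIOS", "OS", "Drivers", "Anti-Virus Software"]


def verify(log: Log, quoted_pcr: bytes, known_good: Dict[str, Set[bytes]]) -> Tuple[str, str]:
    """PDP-side check returning ('allow' | 'remediate', reason).
    Step 1: the log must replay to the PCR value the TPM signed; an edited log
            cannot reproduce the hardware-held value.
    Step 2: each measured component must match a known-good hash.
    Step 3: every expected component must be present, in order."""
    if replay_log(log) != quoted_pcr:
        return "remediate", "measurement log does not replay to the quoted PCR"
    for component, measurement in log:
        if measurement not in known_good.get(component, set()):
            return "remediate", f"{component} measurement is not a known-good value"
    if [component for component, _ in log] != EXPECTED_COMPONENTS:
        return "remediate", "a measured component is missing or out of order"
    return "allow", "all components match known-good values"


def _h(label: str) -> bytes:
    """Constructed stand-in for a real component hash."""
    return hashlib.sha1(label.encode()).digest()


# Constructed reference database and boot logs.
KNOWN_GOOD = {
    "BIOS": {_h("bios-1.02")},
    "OS": {_h("windows-xp-sp2")},
    "Drivers": {_h("driver-set-2008-01")},
    "Anti-Virus Software": {_h("symantec-av-10.1")},
}
GOOD_LOG: Log = [("BIOS", _h("bios-1.02")), ("OS", _h("windows-xp-sp2")),
                 ("Drivers", _h("driver-set-2008-01")),
                 ("Anti-Virus Software", _h("symantec-av-10.1"))]
# Same boot, except that a modified driver was loaded and therefore measured.
MODIFIED_LOG: Log = [entry if entry[0] != "Drivers" else ("Drivers", _h("modified-driver"))
                     for entry in GOOD_LOG]


if __name__ == "__main__":
    print(verify(GOOD_LOG, replay_log(GOOD_LOG), KNOWN_GOOD))
    # A genuine quote of the modified boot exposes the driver change ...
    print(verify(MODIFIED_LOG, replay_log(MODIFIED_LOG), KNOWN_GOOD))
    # ... and a log edited to look clean no longer replays to that quote.
    print(verify(GOOD_LOG, replay_log(MODIFIED_LOG), KNOWN_GOOD))
```

The two failure paths are the point of having a hardware root of trust: software on the endpoint can rewrite the log it sends, but it cannot make the TPM sign a PCR value the real boot did not produce, so either the changed component shows up as an unknown measurement or the doctored log fails to replay.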
TNC Architecture in Detail
Access Requester (AR) components:
• Integrity Measurement Collectors (IMC)
• TNC Client (TNCC), which loads the IMCs over IF-IMC
• Platform Trust Service (PTS), reached over IF-PTS and built on the TSS and the TPM
• Network Access Requestor
Policy Decision Point (PDP) components:
• Integrity Measurement Verifiers (IMV)
• TNC Server (TNCS), which loads the IMVs over IF-IMV
• Network Access Authority
Policy Enforcement Point (PEP)
Interfaces between the components:
• IF-M: IMC to IMV
• IF-TNCCS: TNC Client to TNC Server
• IF-T: Network Access Requestor to Network Access Authority
• IF-PEP: Network Access Authority to Policy Enforcement Point
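Added example, not from the slides or from any TNC implementation, simulating the component flow of the architecture slide above: IMCs on the Access Requester emit IF-M messages tagged with a message type, the TNC Client collects them into one IF-TNCCS batch, the TNC Server delivers each message only to the IMVs that registered for that type, every IMV returns a recommendation, the server combines them, and the Network Access Authority turns the result into an instruction for the PEP. The message types, the IMC/IMV names, the sample posture and the "most restrictive recommendation wins" combining rule are all constructed for this illustration; real IF-M types are vendor-ID/subtype pairs and a real TNCS makes the combining policy configurable.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Recommendations an IMV can return, ordered from least to most restrictive.
ALLOW, ISOLATE, NO_ACCESS = "allow", "isolate", "no access"
SEVERITY = {ALLOW: 0, ISOLATE: 1, NO_ACCESS: 2}

# Constructed message types standing in for IF-M vendor-ID/subtype pairs.
TYPE_OS, TYPE_AV, TYPE_FW = "os-info", "antivirus-info", "firewall-info"

Message = Tuple[str, dict]          # (message type, payload)


class TNCClient:
    """Access Requester side: loads IMCs over IF-IMC and builds the IF-TNCCS batch."""
    def __init__(self, imcs: List[Callable[[], List[Message]]]):
        self.imcs = imcs

    def build_batch(self) -> List[Message]:
        return [msg for imc in self.imcs for msg in imc()]


class TNCServer:
    """PDP side: loads IMVs over IF-IMV, routes each IF-M message to the IMVs
    that registered its type, and combines their recommendations."""
    def __init__(self):
        self.subscribers: Dict[str, list] = defaultdict(list)
        self.imvs: list = []

    def load_imv(self, imv: Callable[[list], str], message_types: List[str]):
        for message_type in message_types:
            self.subscribers[message_type].append(imv)
        self.imvs.append(imv)

    def handle_batch(self, batch: List[Message]) -> str:
        delivered = defaultdict(list)
        for message_type, payload in batch:
            for imv in self.subscribers.get(message_type, []):
                delivered[imv].append(payload)
        # Every loaded IMV is consulted even if nothing arrived for it, so a
        # missing report counts against the endpoint. Most restrictive wins.
        recommendations = [imv(delivered[imv]) for imv in self.imvs]
        return max(recommendations, key=SEVERITY.get)


# IMCs: zero-argument callables returning IF-M messages (constructed posture).
def os_imc() -> List[Message]:
    return [(TYPE_OS, {"os": "Windows XP", "service_pack": "SP2"})]

def av_imc() -> List[Message]:
    return [(TYPE_AV, {"product": "Symantec AV 10.1", "running": True})]

def make_firewall_imc(enabled: bool) -> Callable[[], List[Message]]:
    return lambda: [(TYPE_FW, {"enabled": enabled})]


# IMVs: receive only the payloads of the types they subscribed to.
def os_imv(payloads: list) -> str:
    if not payloads:
        return NO_ACCESS            # no OS report at all: cannot assess the endpoint
    return ALLOW if payloads[0]["service_pack"] == "SP2" else ISOLATE

def av_imv(payloads: list) -> str:
    return ALLOW if payloads and payloads[0]["running"] else ISOLATE

def firewall_imv(payloads: list) -> str:
    return ALLOW if payloads and payloads[0]["enabled"] else ISOLATE


def network_access_authority(recommendation: str) -> str:
    """Maps the TNCS recommendation to the instruction sent to the PEP over IF-PEP."""
    return {ALLOW: "production network", ISOLATE: "remediation network",
            NO_ACCESS: "deny"}[recommendation]


def build_server() -> TNCServer:
    server = TNCServer()
    server.load_imv(os_imv, [TYPE_OS])
    server.load_imv(av_imv, [TYPE_AV])
    server.load_imv(firewall_imv, [TYPE_FW])
    return server


def assess(imcs: List[Callable[[], List[Message]]]) -> str:
    """One assessment round: IMCs -> TNCC batch -> TNCS/IMVs -> Network Access Authority."""
    batch = TNCClient(imcs).build_batch()
    return network_access_authority(build_server().handle_batch(batch))


if __name__ == "__main__":
    print(assess([os_imc, av_imc, make_firewall_imc(True)]))    # production network
    print(assess([os_imc, av_imc, make_firewall_imc(False)]))   # remediation network
    print(assess([av_imc, make_firewall_imc(True)]))            # deny
```

The type-based routing is what lets IMC/IMV pairs from different vendors coexist in one assessment: the TNC Client and Server never interpret IF-M payloads, they only carry and deliver them, which is why the deck can list supplicants, switches and AAA servers from many vendors as interchangeable parts.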
TNC Status
TNC Architecture and all specs released
• Available Since 2006 from TCG web site
Rapid Specification Development Continues
• New Specifications, Enhancements
Number of Members and Products
Growing Rapidly
Compliance and Interoperability Testing and
Certification Efforts under way
TNC Vendor Support
• Access Requester (AR): Endpoint – Supplicant/VPN Client, etc.
• Policy Enforcement Point (PEP): Network Device – FW, Switch, Router, Gateway
• Policy Decision Point (PDP): AAA Server – Radius, Diameter, IIS, etc.
TNC/NAP/UAC Interoperability
Announced May 21, 2007 by TCG, Microsoft, and Juniper
NAP products implement TNC specifications
• Included in Windows Vista, Windows XP SP3, and Windows Server 2008
Juniper UAC and NAP can interoperate
• Demonstrated at Interop Las Vegas 2007
• UAC will support IF-TNCCS-SOH in 1H2008
Customer Benefits
• Easier implementation – can use built-in Windows NAP client
• Choice and compatibility – through open standards
NAP Vendor Support
What About Open Source?
Several open source implementations of TNC
• University of Applied Arts and Sciences in Hannover, Germany (FHH): http://tnc.inform.fh-hannover.de
• libtnc: https://sourceforge.net/projects/lib/tnc
• OpenSEA 802.1X supplicant: http://www.openseaalliance.org
• FreeRADIUS: http://www.freeradius.org
TCG support for these efforts
• Liaison Memberships
• Open source licensing of TNC header files
Summary
Network Access Control provides
• Strong Security and Safety
• Tight Control Over Network Access
• Reduced PC Administration Costs
Open Standards Clearly Needed for NAC
• Many, Many Vendors Involved in a NAC System
• Some Key Benefits of Open Standards
• Ubiquity, Flexibility, Reduced Cost
TNC = Open Standards for NAC
• Widely Supported – HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc.
• Can Use TPM to Detect Root Kits
TNC: Coming Soon to a Network Near You!
For More Information
TCG Web Site
• https://www.trustedcomputinggroup.org
Juniper UAC Web Site
• http://www.juniper.net/products_and_services/unified_access_control
Steve Hanna
• Distinguished Engineer, Juniper Networks
• Co-Chair, Trusted Network Connect Work Group, TCG
• Co-Chair, Network Endpoint Assessment Working Group, IETF
• email: [email protected]
• Blog: http://www.gotthenac.com