Network Access Control for Education
By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF
Copyright © 2008 Juniper Networks, Inc.
www.juniper.net
Implications of Expanded Network Usage
As access increases (faculty, staff, parent and/or student access), network security decreases:
- Mission-critical network assets and critical data at risk
- Mobile and remote devices crossing the LAN perimeter
- Broader variety of network endpoints
- Perimeter security ineffective
- Endpoint infections may proliferate
- Network control can be lost
Network Access Control Solutions
Features
- Control Access
  • to critical resources
  • to the entire network
- Based on
  • User identity and role
  • Endpoint identity and health
  • Other factors
- With
  • Remediation
  • Management
Benefits
- Consistent Access Controls
- Reduced Downtime
  • Healthier endpoints
  • Fewer outbreaks
- Safe Remote Access
- Safe Access for
  • Faculty, Staff
  • Students, Parents
  • Guests
  • Devices
Network access control must be a key component of every network!
What is Trusted Network Connect (TNC)?
- Open Architecture for Network Access Control
- Suite of Standards to Ensure Interoperability
- Work Group in Trusted Computing Group (TCG)
TCG: The Big Picture
(Diagram: TCG Standards at the centre, surrounded by the platform areas they cover)
- Applications: Software Stack, Operating Systems, Web Services, Authentication, Data Protection
- Desktops & Notebooks
- Printers & Hardcopy
- Mobile Phones
- Storage
- Servers
- Networking
- Security Hardware
TNC Architecture Overview
(Diagram) The Access Requester (AR) connects, over wireless or wired access, through the Policy Enforcement Point (PEP) at the network perimeter; the PEP consults the Policy Decision Point (PDP).
Typical TNC Deployments
- Uniform Policy
- User-Specific Policies
- TPM Integrity Check
Uniform Policy
(Diagram) Access Requester (AR) -> Policy Enforcement Point (PEP) at the network perimeter -> Policy Decision Point (PDP). The PDP applies the same client rules to every endpoint; the PEP places a compliant endpoint on the Production Network and a non-compliant one on the Remediation Network.
Client Rules: Windows XP
- SP2
- OSHotFix 2499
- OSHotFix 9288
- AV (one of)
  - Symantec AV 10.1
  - McAfee Virus Scan 8.0
- Firewall
Non-compliant System -> Remediation Network: Windows XP
✓ SP2
✗ OSHotFix 2499
✗ OSHotFix 9288
✓ AV - McAfee Virus Scan 8.0
✓ Firewall
Compliant System -> Production Network: Windows XP
✓ SP2
✓ OSHotFix 2499
✓ OSHotFix 9288
✓ AV - Symantec AV 10.1
✓ Firewall
User-Specific Policies
(Diagram) Access Requesters (AR) -> Policy Enforcement Point (PEP) at the network perimeter -> Policy Decision Point (PDP). Each network carries its own access policies (authorized users plus client rules):
- Guest User -> Guest Network (Internet only)
- Ken, Faculty -> Classroom Network
- Linda, Finance -> Finance Network
Finance Network client rules, Windows XP, shown as met:
✓ OSHotFix 9345
✓ OSHotFix 8834
✓ AV - Symantec AV 10.1
✓ Firewall
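The two deployments above, worked through as an added example: a toy Policy Decision Point that applies the slides' client rules to an endpoint posture report and, for the user-specific case, picks the network from the user's role. This is illustration code written for this page, not Juniper UAC or any TNC product; the posture and rule data structures, the classroom rule set and the sample endpoints are assumptions.

```python
"""Added example (not from the slides, not Juniper UAC or any TNC product): a toy
Policy Decision Point applying the uniform and user-specific policies.  Posture
and rule formats, the classroom rules and the sample endpoints are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Posture:
    """Endpoint health report as a collector might deliver it (constructed format)."""
    os: str
    service_pack: Optional[str]
    hotfixes: Set[str]
    antivirus: Optional[str]
    firewall: bool


@dataclass
class ClientRules:
    """Client rules as on the slides: OS/SP, required hotfixes, one of several
    acceptable AV products, firewall on."""
    os: str
    service_pack: Optional[str]
    hotfixes: Set[str]
    antivirus_one_of: Set[str]
    firewall: bool = True

    def missing(self, p: Posture) -> List[str]:
        """Everything the endpoint fails; an empty list means compliant."""
        gaps: List[str] = []
        if p.os != self.os:
            gaps.append(f"OS {self.os}")
        if self.service_pack and p.service_pack != self.service_pack:
            gaps.append(self.service_pack)
        gaps += [f"OSHotFix {h}" for h in sorted(self.hotfixes - p.hotfixes)]
        if p.antivirus not in self.antivirus_one_of:
            gaps.append("AV (one of " + ", ".join(sorted(self.antivirus_one_of)) + ")")
        if self.firewall and not p.firewall:
            gaps.append("Firewall")
        return gaps


# --- Uniform policy: one rule set for everyone, two possible networks ---
UNIFORM_RULES = ClientRules("Windows XP", "SP2", {"2499", "9288"},
                            {"Symantec AV 10.1", "McAfee Virus Scan 8.0"})


def decide_uniform(p: Posture) -> Tuple[str, List[str]]:
    gaps = UNIFORM_RULES.missing(p)
    return ("Remediation Network" if gaps else "Production Network", gaps)


# --- User-specific policies: authorized roles + client rules per network ---
@dataclass
class AccessPolicy:
    network: str
    authorized_roles: Set[str]
    rules: Optional[ClientRules]   # None: no posture check (Internet-only guests)


POLICIES = [
    AccessPolicy("Guest Network (Internet only)", {"guest"}, None),
    AccessPolicy("Classroom Network", {"faculty"}, UNIFORM_RULES),   # assumed rule set
    AccessPolicy("Finance Network", {"finance"},
                 ClientRules("Windows XP", None, {"9345", "8834"}, {"Symantec AV 10.1"})),
]


def decide(role: str, p: Posture, policies=POLICIES) -> Tuple[str, List[str]]:
    """First policy authorising the role wins; a failed posture check sends the
    endpoint to remediation; an unauthorised role gets nothing."""
    for pol in policies:
        if role in pol.authorized_roles:
            gaps = pol.rules.missing(p) if pol.rules else []
            return ("Remediation Network" if gaps else pol.network, gaps)
    return ("No access", ["role not authorised for any network"])


# Constructed sample endpoints matching the slides' systems
NONCOMPLIANT = Posture("Windows XP", "SP2", set(), "McAfee Virus Scan 8.0", True)
COMPLIANT = Posture("Windows XP", "SP2", {"2499", "9288"}, "Symantec AV 10.1", True)
LINDA = Posture("Windows XP", "SP2", {"9345", "8834"}, "Symantec AV 10.1", True)

if __name__ == "__main__":
    print(decide_uniform(NONCOMPLIANT))   # remediation, two hotfixes missing
    print(decide_uniform(COMPLIANT))      # production
    print(decide("finance", LINDA))       # finance network
    print(decide("guest", NONCOMPLIANT))  # guests are not posture-checked here
```

The gap list is what a remediation network would show the user; note that the same endpoint can be compliant under one network's rules and non-compliant under another's, which is why the role lookup comes first.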
TPM Integrity Check
(Diagram) Access Requester (AR) -> Policy Enforcement Point (PEP) at the network perimeter -> Policy Decision Point (PDP).
TPM - Trusted Platform Module
- Hardware module built into most of today's PCs
- Enables a hardware Root of Trust
- Measures critical components during trusted boot
- PTS interface allows the PDP to verify configuration and remediate as necessary
Client Rules:
- BIOS
- OS
- Drivers
- Anti-Virus Software
Compliant System -> Production Network, TPM verified:
✓ BIOS
✓ OS
✓ Drivers
✓ Anti-Virus Software
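What "TPM verified" means on the PDP side, as an added example that is not from the slides and not a PTS or TNC implementation: each component measured during trusted boot is extended into a PCR, and the verifier both replays the reported event log against the TPM-quoted PCR and compares every component against stored reference values. The TPM 1.2 SHA-1 extend rule is real; the component images, event log layout and reference values are constructed for illustration, and the AIK signature that protects a real quote is not modelled.

```python
"""Added example (not from the slides, not a PTS/TNC implementation): verifying a
TPM-measured boot chain.  Real rule: PCR_new = SHA1(PCR_old || digest) (TPM 1.2).
Constructed: component images, event log layout, reference values.  The AIK
signature over a real quote is not modelled."""
import hashlib
from typing import Dict, List, Tuple

Digest = bytes
EventLog = List[Tuple[str, Digest]]      # (component name, measured digest)

# Order in which trusted boot measures the client-rule components on the slide
ORDER = ["BIOS", "OS", "Drivers", "Anti-Virus Software"]


def measure(image: bytes) -> Digest:
    return hashlib.sha1(image).digest()


def extend(pcr: Digest, digest: Digest) -> Digest:
    """TPM_Extend: a PCR only moves forward, so an earlier measurement cannot be
    replaced without changing every later value."""
    return hashlib.sha1(pcr + digest).digest()


def boot(images: Dict[str, bytes]) -> Tuple[EventLog, Digest]:
    """Simulated trusted boot: measure each component, extend it into a PCR that
    starts at 20 zero bytes, and append it to the event log the PTS reports."""
    pcr = bytes(20)
    log: EventLog = []
    for name in ORDER:
        d = measure(images[name])
        log.append((name, d))
        pcr = extend(pcr, d)
    return log, pcr


def replay(log: EventLog) -> Digest:
    pcr = bytes(20)
    for _, d in log:
        pcr = extend(pcr, d)
    return pcr


def verify(quoted_pcr: Digest, log: EventLog,
           reference: Dict[str, Digest]) -> Tuple[bool, List[str]]:
    """Verifier (PDP) side.  Step 1: the reported log must reproduce the PCR the
    TPM quoted, otherwise the log itself was doctored.  Step 2: every component
    in the client rules must match its reference digest and must be present."""
    if replay(log) != quoted_pcr:
        return False, ["event log does not reproduce quoted PCR"]
    seen = dict(log)
    problems = [n for n in ORDER if n in seen and seen[n] != reference.get(n)]
    problems += [f"{n} not measured" for n in reference if n not in seen]
    return not problems, problems


# Constructed "known good" images; REFERENCE is what a PDP would store
GOOD_IMAGES = {
    "BIOS": b"vendor BIOS 1.02",
    "OS": b"Windows XP SP2 kernel",
    "Drivers": b"signed driver set 2008-02",
    "Anti-Virus Software": b"Symantec AV 10.1",
}
REFERENCE = {name: measure(img) for name, img in GOOD_IMAGES.items()}

if __name__ == "__main__":
    log, pcr = boot(GOOD_IMAGES)
    print(verify(pcr, log, REFERENCE))            # clean machine
    rooted = dict(GOOD_IMAGES, Drivers=b"kernel rootkit driver")
    bad_log, bad_pcr = boot(rooted)
    print(verify(bad_pcr, bad_log, REFERENCE))    # rootkit driver shows up as 'Drivers'
    # A rootkit that rewrites the log to look clean still cannot alter the TPM's PCR
    print(verify(bad_pcr, log, REFERENCE))
```

The third case is the point of using the TPM rather than a software agent: a compromised OS can lie in the event log, but it cannot make the hardware quote the PCR value that a clean boot would have produced.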
TNC Architecture in Detail
(Diagram, columns left to right: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP); rows top to bottom: the three layers of the architecture.)
Integrity measurement layer:
- Integrity Measurement Collectors (IMC) on the AR exchange messages with Integrity Measurement Verifiers (IMV) on the PDP over IF-M
- IMCs plug into the TNC Client (TNCC) over IF-IMC; IMVs plug into the TNC Server (TNCS) over IF-IMV
Integrity evaluation layer:
- TNC Client (TNCC) <-> TNC Server (TNCS) over IF-TNCCS
- Platform Trust Service (PTS), reached over IF-PTS, sits on the TSS (TCG Software Stack) above the TPM
Network access layer:
- Network Access Requestor (AR) <-> Network Access Authority (PDP) over IF-T
- Policy Enforcement Point (PEP) <-> Network Access Authority over IF-PEP
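One simplified handshake walked through the components above, as an added example: IMCs emit IF-M messages, the TNCC batches them (IF-TNCCS), the TNCS routes each message to the IMVs registered for its type (IF-IMV) and combines their recommendations into the instruction handed to the PEP. This is not the TCG wire format and not a real TNCC or TNCS; the message type identifiers, message bodies, IMV thresholds and the "most restrictive wins, silent IMV denies" combination rule are assumptions made for illustration.

```python
"""Added example (not the TCG wire format, not a real TNCC/TNCS): one simplified
TNC handshake.  Message types, bodies, IMV thresholds and the combination rule
are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MsgType = Tuple[str, str]                     # (vendor ID, subtype), as IF-M identifies messages
PATCH_STATE: MsgType = ("example-vendor", "patch-state")   # assumed identifiers
AV_STATE: MsgType = ("example-vendor", "av-state")

ALLOW, ISOLATE, NO_ACCESS = "allow", "isolate", "no_access"
RANK = {ALLOW: 0, ISOLATE: 1, NO_ACCESS: 2}   # higher is more restrictive
PEP_ACTION = {ALLOW: "production network", ISOLATE: "remediation network", NO_ACCESS: "deny"}


@dataclass(frozen=True)
class Message:
    msg_type: MsgType
    body: Dict[str, object]


# ---- Access Requester: collectors behind the TNC Client ----
class PatchIMC:
    def __init__(self, installed):
        self.installed = sorted(installed)

    def collect(self) -> List[Message]:
        return [Message(PATCH_STATE, {"hotfixes": self.installed})]


class AVIMC:
    def __init__(self, running: bool, signature_age_days: int):
        self.running, self.age = running, signature_age_days

    def collect(self) -> List[Message]:
        return [Message(AV_STATE, {"running": self.running, "signature_age_days": self.age})]


class TNCClient:
    """TNCC: loads collectors over IF-IMC and ships their messages as one IF-TNCCS batch."""
    def __init__(self, imcs):
        self.imcs = imcs

    def batch(self) -> List[Message]:
        return [m for imc in self.imcs for m in imc.collect()]


# ---- Policy Decision Point: verifiers behind the TNC Server ----
class PatchIMV:
    handles = PATCH_STATE

    def __init__(self, required):
        self.required = set(required)

    def verify(self, msg: Message) -> str:
        missing = self.required - set(msg.body["hotfixes"])
        return ISOLATE if missing else ALLOW      # fixable on the remediation network


class AVIMV:
    handles = AV_STATE

    def __init__(self, max_age_days: int = 7):
        self.max_age = max_age_days

    def verify(self, msg: Message) -> str:
        if not msg.body["running"]:
            return NO_ACCESS
        return ISOLATE if msg.body["signature_age_days"] > self.max_age else ALLOW


class TNCServer:
    """TNCS: routes each message to the IMV registered for its type (IF-IMV) and
    combines recommendations.  Assumed policy: most restrictive wins, and an IMV
    that received nothing (endpoint lacks that collector) cannot vouch, so it denies."""
    def __init__(self, imvs):
        self.imvs = imvs

    def handle(self, batch: List[Message]) -> Tuple[str, str]:
        recs: Dict[int, str] = {}
        for i, imv in enumerate(self.imvs):
            for msg in batch:
                if msg.msg_type == imv.handles:
                    recs[i] = max(recs.get(i, ALLOW), imv.verify(msg), key=RANK.__getitem__)
            recs.setdefault(i, NO_ACCESS)
        final = max(recs.values(), key=RANK.__getitem__)
        return final, PEP_ACTION[final]        # what the Network Access Authority sends over IF-PEP


def handshake(imcs, imvs) -> Tuple[str, str]:
    return TNCServer(imvs).handle(TNCClient(imcs).batch())


if __name__ == "__main__":
    imvs = [PatchIMV({"2499", "9288"}), AVIMV()]
    print(handshake([PatchIMC({"2499", "9288"}), AVIMC(True, 1)], imvs))   # allow
    print(handshake([PatchIMC({"2499"}), AVIMC(True, 1)], imvs))           # isolate
    print(handshake([PatchIMC({"2499"}), AVIMC(False, 1)], imvs))          # no_access
    print(handshake([PatchIMC({"2499", "9288"})], imvs))                   # no AV collector
```

The last case is the one worth thinking about when deploying: a TNCS that treats a missing collector as "nothing to check" lets an endpoint evade a rule simply by not installing the IMC, so the default for an IMV that saw no message has to be deny.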
TNC Status
- TNC Architecture and all specs released
  • Available since 2006 from the TCG web site
- Rapid specification development continues
  • New specifications, enhancements
- Number of members and products growing rapidly
- Compliance and interoperability testing and certification efforts under way
TNC Vendor Support
(Diagram) Access Requester (AR): Endpoint (supplicant, VPN client, etc.). Policy Enforcement Point (PEP): Network Device (firewall, switch, router, gateway). Policy Decision Point (PDP): AAA Server (RADIUS, Diameter, IIS, etc.).
TNC/NAP/UAC Interoperability
- Announced May 21, 2007 by TCG, Microsoft, and Juniper
- NAP products implement TNC specifications
  • Included in Windows Vista, Windows XP SP3, and Windows Server 2008
- Juniper UAC and NAP can interoperate
  • Demonstrated at Interop Las Vegas 2007
  • UAC will support IF-TNCCS-SOH in 1H2008
- Customer Benefits
  • Easier implementation: can use the built-in Windows NAP client
  • Choice and compatibility through open standards
NAP Vendor Support
What About Open Source?
- Several open source implementations of TNC
  • University of Applied Arts and Sciences in Hannover, Germany (FHH): http://tnc.inform.fh-hannover.de
  • libtnc: https://sourceforge.net/projects/lib/tnc
  • OpenSEA 802.1X supplicant: http://www.openseaalliance.org
  • FreeRADIUS: http://www.freeradius.org
- TCG support for these efforts
  • Liaison memberships
  • Open source licensing of TNC header files
Summary
- Network Access Control provides
  • Strong security and safety
  • Tight control over network access
  • Reduced PC administration costs
- Open standards clearly needed for NAC
  • Many, many vendors involved in a NAC system
  • Key benefits of open standards: ubiquity, flexibility, reduced cost
- TNC = open standards for NAC
  • Widely supported: HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc.
  • Can use the TPM to detect rootkits
- TNC: Coming soon to a network near you!
For More Information
- TCG Web Site: https://www.trustedcomputinggroup.org
- Juniper UAC Web Site: http://www.juniper.net/products_and_services/unified_access_control
- Steve Hanna
  • Distinguished Engineer, Juniper Networks
  • Co-Chair, Trusted Network Connect Work Group, TCG
  • Co-Chair, Network Endpoint Assessment Working Group, IETF
  • email: [email protected]
  • Blog: http://www.gotthenac.com