Network Access Control for Education

Copyright © 2008 Juniper Networks, Inc. www.juniper.net

By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF


Page 1: Network Access Control for Education

By Steve Hanna, Distinguished Engineer, Juniper
Co-Chair, Trusted Network Connect WG, TCG
Co-Chair, Network Endpoint Assessment WG, IETF

Page 2: Network Access Control for Education

Implications of Expanded Network Usage

As Access Increases:
• Mission-critical network assets
• Mobile and remote devices transmitting the LAN perimeter
• Broader variety of network endpoints
• Faculty, staff, parent, and/or student access

Network Security Decreases:
• Critical data at risk
• Perimeter security ineffective
• Endpoint infections may proliferate
• Network control can be lost

Page 3: Network Access Control for Education

Network Access Control Solutions

Features:
• Control Access: to critical resources; to entire network
• Based on: user identity and role; endpoint identity and health; other factors
• With: remediation; management

Benefits:
• Consistent Access Controls
• Reduced Downtime: healthier endpoints; fewer outbreaks
• Safe Remote Access
• Safe Access for: Faculty, Staff; Students, Parents; Guests; Devices

Network access control must be a key component of every network!

Page 4: Network Access Control for Education


What is Trusted Network Connect (TNC)?

Open Architecture for Network Access Control

Suite of Standards to Ensure Interoperability

Work Group in Trusted Computing Group (TCG)

Page 5: Network Access Control for Education

TCG: The Big Picture

TCG Standards

Applications:
• Software Stack
• Operating Systems
• Web Services
• Authentication
• Data Protection

Platforms covered:
• Storage
• Mobile Phones
• Servers
• Desktops & Notebooks
• Security Hardware
• Networking
• Printers & Hardcopy

Page 6: Network Access Control for Education

TNC Architecture Overview

Access Requester (AR) → Policy Enforcement Point (PEP) → Policy Decision Point (PDP)

Enforcement points at the Network Perimeter: Wireless, Wired, FW, VPN

Page 7: Network Access Control for Education


Typical TNC Deployments

Uniform Policy

User-Specific Policies

TPM Integrity Check

Page 8: Network Access Control for Education

Uniform Policy

Access Requester (AR) → Policy Enforcement Point (PEP) → Policy Decision Point (PDP), at the Network Perimeter

Client Rules (Windows XP):
• SP2
• OSHotFix 2499
• OSHotFix 9288
• AV (one of): Symantec AV 10.1, McAfee Virus Scan 8.0
• Firewall

Non-compliant System (Windows XP): SP2 present; OSHotFix 2499 missing; OSHotFix 9288 missing; AV: McAfee Virus Scan 8.0; Firewall present → placed on the Remediation Network

Compliant System (Windows XP): SP2; OSHotFix 2499; OSHotFix 9288; AV: Symantec AV 10.1; Firewall → admitted to the Production Network

Page 9: Network Access Control for Education

User-Specific Policies

Access Requester (AR) → Policy Enforcement Point (PEP) → Policy Decision Point (PDP), at the Network Perimeter

Access Policies:
• Authorized Users
• Client Rules

Endpoint shown: Windows XP, OSHotFix 9345, OSHotFix 8834, AV: Symantec AV 10.1, Firewall

Guest User → Guest Network (Internet Only)
Ken (Faculty) → Classroom Network
Linda (Finance) → Finance Network
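The two preceding slides describe one PDP decision: check the endpoint against the uniform client rules, then place the user on the network their role allows, or on the remediation network if the endpoint fails. The following is an added illustration, not code from the deck or from any Juniper product; the `EndpointReport` structure and the rule that guests skip the health check while unknown roles are denied are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed endpoint health report carrying the attributes the slides'
# client rules check. A TNC deployment would gather these through IMCs.
@dataclass
class EndpointReport:
    os: str
    service_pack: str
    hotfixes: Set[str]
    antivirus: Optional[str]
    firewall_enabled: bool

# Uniform client rules, as listed on the "Uniform Policy" slide.
REQUIRED_OS = "Windows XP"
REQUIRED_SP = "SP2"
REQUIRED_HOTFIXES = {"OSHotFix 2499", "OSHotFix 9288"}
ACCEPTED_AV = {"Symantec AV 10.1", "McAfee Virus Scan 8.0"}

# Role-to-network assignments from the "User-Specific Policies" slide.
ROLE_NETWORK = {"faculty": "Classroom Network", "finance": "Finance Network"}
GUEST_NETWORK = "Guest Network (Internet Only)"
REMEDIATION_NETWORK = "Remediation Network"

def check_client_rules(ep: EndpointReport) -> List[str]:
    """Evaluate the uniform client rules; an empty list means compliant."""
    failures = []
    if ep.os != REQUIRED_OS or ep.service_pack != REQUIRED_SP:
        failures.append(f"OS must be {REQUIRED_OS} {REQUIRED_SP}")
    for fix in sorted(REQUIRED_HOTFIXES - ep.hotfixes):
        failures.append(f"{fix} missing")
    if ep.antivirus not in ACCEPTED_AV:
        failures.append("approved anti-virus not running")
    if not ep.firewall_enabled:
        failures.append("firewall disabled")
    return failures

def decide(role: str, ep: EndpointReport) -> Tuple[Optional[str], List[str]]:
    """PDP decision: (network to place the endpoint on, rule violations).
    Assumed, not on the slides: guests get the Internet-only network without
    a health check, and roles outside the authorized list get no access."""
    if role == "guest":
        return GUEST_NETWORK, []
    if role not in ROLE_NETWORK:
        return None, ["user not authorized"]
    violations = check_client_rules(ep)
    if violations:
        return REMEDIATION_NETWORK, violations
    return ROLE_NETWORK[role], []
```

The returned violation list is what the remediation network would present to the user so the endpoint can be brought into compliance and re-assessed.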

Page 10: Network Access Control for Education

TPM Integrity Check

Access Requester (AR) → Policy Enforcement Point (PEP) → Policy Decision Point (PDP), at the Network Perimeter

Client Rules:
• BIOS
• OS
• Drivers
• Anti-Virus Software

Compliant System (TPM Verified): BIOS, OS, Drivers, Anti-Virus Software → admitted to the Production Network

TPM (Trusted Platform Module):
• Hardware module built into most of today's PCs
• Enables a hardware Root of Trust
• Measures critical components during trusted boot
• PTS interface allows PDP to verify configuration and remediate as necessary
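What "TPM Verified" adds over a self-reported health check is that each measured component is folded into a PCR that software cannot rewrite, so the PDP can tell a log that was edited after boot from one that reflects what actually ran. The following is an added example, not code from the deck, the TNC specifications or any PTS implementation; the known-good digests and component contents are constructed, and verification of the quote's signature by the TPM's key is assumed to have happened already.

```python
import hashlib
from typing import Dict, List, Tuple

# Components the "TPM Integrity Check" slide's client rules cover, in the
# order they are measured during trusted boot.
BOOT_ORDER = ["BIOS", "OS", "Drivers", "Anti-Virus Software"]

# Constructed known-good digests. A real PDP would hold reference values
# for the approved firmware, OS build, driver set and anti-virus package.
KNOWN_GOOD: Dict[str, str] = {
    "BIOS": hashlib.sha256(b"bios-build-1.2").hexdigest(),
    "OS": hashlib.sha256(b"windows-xp-sp2-kernel").hexdigest(),
    "Drivers": hashlib.sha256(b"signed-driver-set").hexdigest(),
    "Anti-Virus Software": hashlib.sha256(b"symantec-av-10.1").hexdigest(),
}

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: the register can only move forward as H(old || new)."""
    return hashlib.sha256(pcr + digest).digest()

def replay_log(log: List[Tuple[str, str]]) -> bytes:
    """Recompute the PCR value a given measurement log should produce."""
    pcr = bytes(32)  # PCRs start at zero on platform reset
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr

def measure_boot(components: List[Tuple[str, bytes]]) -> Tuple[List[Tuple[str, str]], bytes]:
    """Endpoint side (constructed stand-in for the PTS): hash each component,
    append it to the log and extend the PCR. Returns (log, final PCR)."""
    log = [(name, hashlib.sha256(data).hexdigest()) for name, data in components]
    return log, replay_log(log)

def verify(log: List[Tuple[str, str]], quoted_pcr: bytes) -> Tuple[bool, List[str]]:
    """PDP side: the log must reproduce the TPM-quoted PCR (otherwise the log
    was altered after the fact), and every component in the client rules must
    match a known-good digest. Returns (compliant, problems)."""
    if replay_log(log) != quoted_pcr:
        return False, ["measurement log does not reproduce the TPM quote"]
    seen = dict(log)
    problems = []
    for name in BOOT_ORDER:
        if name not in seen:
            problems.append(f"{name}: not measured")
        elif seen[name] != KNOWN_GOOD[name]:
            problems.append(f"{name}: measurement not in known-good set")
    return not problems, problems
```

A non-compliant result feeds the same remediation path as the software-only rules; the difference is that a modified driver or firmware image shows up even if the operating system has been persuaded to report itself as healthy.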

Page 11: Network Access Control for Education

TNC Architecture in Detail

Access Requester (AR):
• TPM and TSS (TCG Software Stack)
• Platform Trust Service (PTS), reached over IF-PTS
• Integrity Measurement Collectors (IMC), attached to the TNC Client over IF-IMC
• TNC Client (TNCC)
• Network Access Requestor

Policy Enforcement Point (PEP)

Policy Decision Point (PDP):
• Integrity Measurement Verifiers (IMV), attached to the TNC Server over IF-IMV
• TNC Server (TNCS)
• Network Access Authority

Interfaces between the AR, PEP and PDP:
• IF-M: IMC to IMV
• IF-TNCCS: TNCC to TNCS
• IF-T: Network Access Requestor to Network Access Authority
• IF-PEP: Network Access Authority to PEP

Page 12: Network Access Control for Education

TNC Status

TNC Architecture and all specs released
• Available since 2006 from the TCG web site

Rapid Specification Development Continues
• New specifications, enhancements

Number of Members and Products Growing Rapidly

Compliance and Interoperability Testing and Certification Efforts under way

Page 13: Network Access Control for Education

TNC Vendor Support

Access Requester (AR): Endpoint (Supplicant/VPN Client, etc.)
Policy Enforcement Point (PEP): Network Device (FW, Switch, Router, Gateway)
Policy Decision Point (PDP): AAA Server (RADIUS, Diameter, IIS, etc.)

Page 14: Network Access Control for Education

TNC/NAP/UAC Interoperability

Announced May 21, 2007 by TCG, Microsoft, and Juniper

NAP products implement TNC specifications
• Included in Windows Vista, Windows XP SP 3, and Windows Server 2008

Juniper UAC and NAP can interoperate
• Demonstrated at Interop Las Vegas 2007
• UAC will support IF-TNCCS-SOH in 1H2008

Customer Benefits
• Easier implementation: can use the built-in Windows NAP client
• Choice and compatibility: through open standards

Page 15: Network Access Control for Education


NAP Vendor Support

Page 16: Network Access Control for Education

What About Open Source?

Several open source implementations of TNC:
• University of Applied Arts and Sciences in Hannover, Germany (FHH): http://tnc.inform.fh-hannover.de
• libtnc: https://sourceforge.net/projects/lib/tnc
• OpenSEA 802.1X supplicant: http://www.openseaalliance.org
• FreeRADIUS: http://www.freeradius.org

TCG support for these efforts:
• Liaison Memberships
• Open source licensing of TNC header files

Page 17: Network Access Control for Education

Summary

Network Access Control provides
• Strong Security and Safety
• Tight Control Over Network Access
• Reduced PC Administration Costs

Open Standards Clearly Needed for NAC
• Many, Many Vendors Involved in a NAC System
• Some Key Benefits of Open Standards: Ubiquity, Flexibility, Reduced Cost

TNC = Open Standards for NAC
• Widely Supported: HP, IBM, Juniper, McAfee, Microsoft, Symantec, etc.
• Can Use TPM to Detect Root Kits

TNC: Coming Soon to a Network Near You!

Page 18: Network Access Control for Education

For More Information

TCG Web Site
• https://www.trustedcomputinggroup.org

Juniper UAC Web Site
• http://www.juniper.net/products_and_services/unified_access_control

Steve Hanna
• Distinguished Engineer, Juniper Networks
• Co-Chair, Trusted Network Connect Work Group, TCG
• Co-Chair, Network Endpoint Assessment Working Group, IETF
• email: [email protected]
• Blog: http://www.gotthenac.com