4 Network Access Control 4.1 IPsec Network Security Encapsulated security payload (ESP) 4.2 Internet Key Exchange (IKE)

Transcription

1 4 Network Access Control 4.1 IPsec Network Security Encapsulated security payload (ESP) 4.2 Internet Key Exchange (IKE) IKEv2 IKE_SA_INIT, IKE_AUTH, and CREATE_CHILD_SA messages IKEv2 with client & server certificates (A7) IKEv2 with pre-shared keys (A4) IKEv2 with EAP & server certificate (A6) IKEv2 with mutual EAP-TLS (A7) 4.3 Network Access Control (NAC) User authentication, configuration assessment, policy enforcement Policy enforcement point (PEP), policy decision point (PDP), remediation Proprietary NAC solutions Microsoft network access protection (NAP), statement of health (SoH) protocol Trusted network connect (TNC) standard (IETF and TCG) 4.4 Trusted Network Connect (TNC) PA-TNC (IF-MAP), PB-TNC (IF-TNCCS 2.0), PT-EAP/PT-TLS (IF-T) IF-IMC, IF-IMV: communication with dynamic libraries via C or Java API PB-TNC state machine based on client/server batches 4.5 Metadata Access Point (MAP) Centralized MAP Service Extended TNC Architecture IF-MAP Metadata for Network Security / SCADA IF-MAP SOAP 1.2 via HTTPS transport Commercial and open source IF-MAP products 1

2 2

3 3

4 ESP Overhead 3DES AES SPI 4 4 Sequence Number 4 4 IV 8 16 Padding (worst-case) 7 15 Pad Length / Next Header 2 2 Authentication Data IPsec Transport Mode bytes Outer IP Header IPsec Tunnel Mode bytes MTU bytes ==== ==== Usually Path MTU discovery based on "fragmentation needed" ICMP messages" automatically reduces the MTU from a standard LAN MTU of 1500 bytes down to a payload data size that does not lead to fragmentation when the IPsec overhead is added. 4

5 5

6 6

7 SA1 i KE i N i Suite of cryptographic proposals for the IKE SA Initiatior public factor for the Diffie-Hellman Key Exchange Initiator Nonce SA1 r Selection of a cryptographic proposal for the IKE SA KE r Responder public factor for the Diffie-Hellman Key Exchange N r Responder Nonce ID i Initiator ID Cert i Initiator Certificate (optional) ID r Desired Responder ID (optional) Auth i Initiator Authentication (RSA, PSK, or EAP) SA2 i Suite of cryptographic proposals for the Child SA (ESP and/or AH) TS i Initiator Traffic Selectors (subnets behind the Initiator) TS r Responder Traffic Selectors (subnets behind the Responder) ID r Responder ID Cert r Responder Certificate (optional) Auth r Responder Authentication (RSA, PSK, or EAP) SA2 r Selection of a cryptographic proposal for the Child SA (ESP and/or AH) TS i Initiator Traffic Selectors (subnets behind the Initiator, optional narrowing) TS r Responder Traffic Selectors (subnets behind the Responder, optional narrowing) 7

8 N SA i N i KE i TS i TS r Rekeying Notification (optional) Suite of cryptographic proposals for the Child SA (ESP and/or AH) Initiator Nonce Initiatior public factor for the Diffie-Hellman Key Exchange (optional PFS) Initiator Traffic Selectors (subnets behind the Initiator) Responder Traffic Selectors (subnets behind the Responder SA1 r Selection of a cryptographic proposal for the IKE SA N r Responder Nonce KE r Responder public factor for the Diffie-Hellman Key Exchange (optional PFS) TS i Initiator Traffic Selectors (subnets behind the Initiator) TS r Responder Traffic Selectors (subnets behind the Responder 8

9 9

10 10

11 11

12 12

13 13

14 14

15 15

16 16

17 17

18 18

19 19

20 Abbreviations AAA Authentication, Authorization & Accounting AR Access Requestor IF Interface IMC Integrity Measurement Collector IMV Integrity Measurement Verifier M Measurement PDP Policy Decision Point PEP Policy Enforcement Point T Transport TNC Trusted Network Connect IF-IMC / IF-IMV Interface C or JAVA API 20

21 21

22 Abbreviations PA Posture Attribute Protocol PB Posture Broker Protocol PT Posture Transport Protocol PA Subtypes 0 Testing 1 Operating System (OS) 2 Anti-Virus 3 Anti-Spyware 4 Ant-Malware 5 Firewall 6 Intrusion Detection and/or Prevention (IDPS) Software 7 Virtual Private Network (VPN) Software 8 NEA Client Software PT Protocols e.g. EAP-TLS via 802.1X (Layer 2) or IKEv2 (Layer 3) 22

23 23

24 PA-TNC IF-TNCCS 2.0 Batch Types CDATA ClientData SDATA ServerData CRETRY ClientRetry SRETRY ServerRetry RESULT Result CLOSE Close 24

25 25

26 26

27 27

28 28

29 Abbreviations IF Interface IMC Integrity Measurement Collector IMV Integrity Measurement Verifier M Measurement MAP Metadata Access Point PDP Policy Decision Point PEP Policy Enforcement Point PTS Platform Trust Service T Transport TCG Trusted Computing Group TNC Trusted Network Connect TNCCS TNC Client-Server TPM Trusted Platform Module TSS TCG Software Stack 29

30 30

31 31

32 32

33 33

34 34

35 Humanity has lost its current battle against malware (viruses, worms, trojans, etc.). Even cautious people can get their computers infected by just visiting apparently harmless web sites (drive-by infection e.g. due to enabled JavaScript). Therefore a host and its operating system plus all applications running on it have become part of the dangerous Internet and must therefore be regarded as potentially malicious. 35