Standardizing Network Access Control: TNC and Microsoft NAP to Interoperate

Similar documents
Putting Trust Into The Network Securing Your Network Through Trusted Access Control

Security Enhancements

R E F E R E N C E TCG. Trusted Multi-Tenant Infrastructure Work Group. Use Cases. Version 1.1. November 15, 2013

Trusted Computing Today: Benefits and Solutions

Windows Server Network Access Protection. Richard Chiu

Symantec Network Access Control Starter Edition

TNC EVERYWHERE. Pervasive Security

Trusted Network Connect (TNC) 3rd European Trusted Infrastructure Summer School September 2008

Data Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement

Symantec Network Access Control Starter Edition

Trusted Network Access Control Experiences from Adoption

Guest Access Made Easy

Integrate Microsoft Antimalware. EventTracker v8.x and above

Symantec Network Access Control Starter Edition

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems

Executive Summery. Siddharta Saha. Downloaded from

802.1X: Port-Based Authentication Standard for Network Access Control (NAC)

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

WorldExtend Environment Preparation Guide

How to Configure ASA 5500-X Series Firewall to send logs to EventTracker. EventTracker

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Understanding Network Access Control: What it means for your enterprise

TCG. TCG Certification Program. TNC Certification Program Suite. Document Version 1.1 Revision 1 26 September 2011

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Deploying Windows Server 2003 Internet Authentication Service (IAS) with Virtual Local Area Networks (VLANs)

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

802.1X: Port-Based Authentication Standard for Network Access

Integrating Microsoft Forefront Threat Management Gateway (TMG)

CA Security Management

Securing Your Environment with Dell Client Manager and Symantec Endpoint Protection

Break Through Your Software Development Challenges with Microsoft Visual Studio 2008

Network Access Control Whitepaper

Mile Terms of Use. Effective Date: February, Version 1.1 Feb 2018 [ Mile ] Mileico.com

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Make security part of your client systems refresh

MyCreditChain Terms of Use

How to Create, Deploy, & Operate Secure IoT Applications

Trusted Computing Group

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

HP Fortify Software Security Center

Troubleshooting Microsoft Windows XP-based Wireless Networks in the Small Office or Home Office

The Business Case for a Web Content Management System. Published: July 2001

Mohit Saxena Senior Technical Lead Microsoft Corporation

BUFFERZONE Advanced Endpoint Security

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

IBM Internet Security Systems Proventia Management SiteProtector

Network Service Description

Microsoft 365 powered device webinar series Microsoft 365 powered device Assessment Kit. Alan Maddison, Architect Amit Bhatia, Architect

Securing BYOD With Network Access Control, a Case Study

Integrate Viper business antivirus EventTracker Enterprise

IFIP World Computer Congress (WCC2010)

Achieving Digital Transformation: FOUR MUST-HAVES FOR A MODERN VIRTUALIZATION PLATFORM WHITE PAPER

VMware Cloud Operations Management Technology Consulting Services

Mobile Network Access Control Extending corporate security policies to mobile devices

3 Ways Businesses Use Network Virtualization. A Faster Path to Improved Security, Automated IT, and App Continuity

McAfee Public Cloud Server Security Suite

Integrating Microsoft Forefront Unified Access Gateway (UAG)

Integrate Palo Alto Traps. EventTracker v8.x and above

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Software-Defined Secure Networks in Action

GSE/Belux Enterprise Systems Security Meeting

Overview. Business value

Data Retrieval Firm Boosts Productivity while Protecting Customer Data

ForeScout ControlFabric TM Architecture

McAfee epolicy Orchestrator

Creating the Complete Trusted Computing Ecosystem:

BUFFERZONE Advanced Endpoint Security

GDPR Update and ENISA guidelines

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

SIEM: Five Requirements that Solve the Bigger Business Issues

Yubico with Centrify for Mac - Deployment Guide

TCG Compliance TNC IF-MAP Metadata for Network Security Compliance Test Plan

MODERNIZE INFRASTRUCTURE

SOLO NETWORK. Windows 7 At-A-Glance. For Enterprise and Mid Market SI Partners

Agent Installation Using Smart Card Credentials Detailed Document

FOUR WAYS TO IMPROVE ENDPOINT SECURITY: MOVING BEYOND TRADITIONAL APPROACHES

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers

Port Configuration. Configure Port of EventTracker Website

Client Health Key Features Datasheet. Client Health Key Features Datasheet

Cognizant Cloud Security Solution

Comprehensive Database Security

Windows IoT Security. Jackie Chang Sr. Program Manager

CHECK PROCESSING. A Select Product of Cougar Mountain Software

White Paper February McAfee Policy Enforcer. Securing your endpoints for network access with McAfee Policy Enforcer.

Accelerate Your Enterprise Private Cloud Initiative

Open Text Notice. Deployment Guidance Solutions for Microsoft Office SharePoint Server 2007 and Open Text Services A Joint White Paper

Secure Government Computing Initiatives & SecureZIP

Security Architecture

A POLYCOM SOLUTION BROCHURE Polycom Open Telepresence Experience

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Steel-Belted Radius Installation Instructions for EAP-FAST Security Patch

ForeScout Extended Module for Carbon Black

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Centrify for Dropbox Deployment Guide

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

POWERING DIGITAL MARKETING WITH SPEED AND REACH

locuz.com SOC Services

HOSTED SECURITY SERVICES

Transcription:

Standardizing Network Access Control: TNC and Microsoft NAP to Interoperate May 2007 Trusted Computing Group 3855 SW 153 rd Dr. Beaverton, OR 97006 TEL: (503) 619-0563 FAX: (503) 664-6708 admin@trustedcomputinggroup.org www.trustedcomputinggroup.org Microsoft Corporation One Microsoft Way Redmond, WA 98072 asknap@microsoft.com www.microsoft.com

Standardizing Network Access Control: TNC and Microsoft NAP to Interoperate Table of Contents: Current State of Network Access Control... 3 Benefits from TNC and NAP Interoperability... 3 How TNC and NAP Interoperate... 4 Controlling Network Access with TNC and NAP... 5 Minimum Technology Requirements... 5 Utilize Existing Infrastructure... 6 Roadmap to Increased TNC/NAP Interoperability... 6 Interoperability Payoffs... 6 Ongoing Benefits... 7 Learn More... 7 Copyright 2007 Microsoft Corporation and Trusted Computing Group All Rights Reserved 2

Standardizing Network Access Control: TNC and Microsoft NAP to Interoperate Two leading network access control standards TCG s Trusted Network Connect (TNC) and Microsoft s Network Access Protection (NAP) will now interoperate, providing enterprises with simpler, more cost-effective, scalable, and interoperable endpoint integrity and network access control. To improve endpoint and network security, enterprises have been quick to embrace the notion of network access control. The concept is simple: when a device also known as an endpoint connects to a network, the user s identity and the health of the endpoint are checked. If they comply with the network s policies, access to the network is granted. If not, the endpoint may be remediated by applying the latest patches or scanning for viruses. By improving endpoint security, companies can better defend against a number of increasingly complex Internet-borne attacks. Attackers including organized criminal rings now often utilize advanced malware which combines rootkits, Trojan applications, and operating system backdoors to exploit endpoints and steal sensitive data. Attackers goals include extortion, identity theft, fraud, and even corporate espionage. Organizations must respond with more advanced endpoint security to effectively safeguard valuable information, comply with regulations, and avoid costly data breach notifications. Yet since network access control products came to market, implementers have faced an uphill battle. First, they had to navigate a wide variety of often incompatible appliance, software, and infrastructure-based options. Then they had to select a proprietary approach, attempt to cobble multiple products together into a workable solution, or opt for one of several incompatible network access control frameworks. As a result, even though network access control is a top enterprise spending priority Forrester Research reports at least 40 percent of organizations will invest in such technology this year many organizations have delayed their investments until discussions of network access controls evolve from point technologies to broad frameworks comprising interoperable products that deliver network access control in a cost-effective and scalable manner. Now, however, network access control frameworks are reaching maturity. In particular, the Trusted Computing Group (TCG), an industry standards body focused on open security technologies, and Microsoft Corporation, a TCG member and active participant in TCG standards development, have announced that their respective network access control frameworks Trusted Network Connect (TNC) and Network Access Protection (NAP) will interoperate through the statement of health (IF-TNCCS-SOH) protocol, a new and open standard. In short, beginning in 2008 with the release of products supporting the standard, products compatible with either of these two dominant network access control architectures will be able to interoperate in 1H 2008 when products supporting the standard are made commercially available. As a result, network access control implementers benefit from more product choices, enhanced interoperability, future-proof network access control investments, lower cost of implementation, Benefits from TNC & NAP Interoperability 1. Increased interoperability and customer choice 2. Simplified network access control frameworks and protocols 3. Investment protection 4. Single network access control client Copyright 2007 Microsoft Corporation and Trusted Computing Group All Rights Reserved 3

and with Windows Vista and soon Windows XP the potential for a single and consistent network access control agent. Sharing a Statement of Health Exactly how will TNC/NAP interoperability work? Microsoft has contributed its SOH protocol to TCG, which has published it as a new TNC specification, IF-TNCCS-SOH (available at https://www.trustedcomputinggroup.org/groups/network), and it is now an open standard available for anyone to freely download or implement. Briefly, IF-TNCCS-SOH is a client/server protocol for reporting on the health that is, security state of a client before providing a network connection. In particular, the IF-TNCCS-SOH protocol complements IF-TNCCS, which is the existing TNC protocol for such checks. Some examples of health checks might include: Good health: Security agent present Firewall running BIOS intact Latest OS patches Up-to-date antivirus No malware detected Only approved applications installed On the other hand, the health check can detect problems, including: Disabled security agent No firewall running BIOS irregularities Missing patches Outdated antivirus signatures Scans detect malware This integration now enables multiple network access control permutations: Use NAP products in TNC-protected networks and TNC products in NAP-protected networks Combine TNC and NAP servers NAP partners can support TNC clients and servers TNC implementers can support NAP clients, servers and protocols How TNC & NAP Interoperate Microsoft NAP and the TCG TNC architecture interoperate at three points in either a TNCcompliant or NAP-protected network: Endpoint: When requesting access, an endpoint (a PC or other network-connected device) sends information about its security state (such as antivirus signature version, patches present, or BIOS integrity) to a Policy Decision Point, along with the user s identity credentials, via the IF-TNCCS-SOH protocol. Because of this standard protocol, the endpoint can be a NAP client or a TNC client. Policy Decision Point (PDP): The PDP evaluates the user identity credentials and endpoint security state against policy and decides what access, if any, to grant the endpoint. The PDP then provides remediation instructions to endpoints via the IF- Copyright 2007 Microsoft Corporation and Trusted Computing Group All Rights Reserved 4

TNCCS-SOH protocol and access instructions to the Policy Enforcement Point, typically via the RADIUS protocol. Again, the PDP can be either a NAP server or a TNC server. Policy Enforcement Point (PEP): Based on the PDP s instructions, the PEP (which may be a switch, router, gateway, or firewall) denies or grants network access to the endpoint. If remediation is required, the endpoint may be placed into a network quarantine receiving access only to needed updates until the endpoint remediates and resubmits its security state. In either a TNC- or NAP-protected network, endpoints must share their state of health (SOH) information. Endpoints which comply with health policies (specified by the PDP) receive relevant access (via the PEP). Endpoints which fail are shunted into a network quarantine with limited access, until remediated and reassessed. Minimum Technology Requirements To create either a NAP- or TNC-protected network, organizations must implement each of the above three elements. Thanks to TNC and NAP interoperability, organizations will only need a single PDP server, regardless of whether they choose a NAP server (such as Microsoft Network Policy Server) that is TNC-compatible; or a TNC server (such as a Juniper Infranet Controller appliance or similar products) that is NAP-compatible. Some organizations, however, may opt to use multiple PDP servers, perhaps to leverage existing infrastructure (and especially after mergers and acquisitions introduce parallel, non-unified infrastructures), or simply to mirror organizational structure. For example, a company s desktop management team might prefer to manage a PDP which evaluates endpoint security policy compliance, while the networking team might manage a PDP devoted to network quarantine, user identification, and policy enforcement. Copyright 2007 Microsoft Corporation and Trusted Computing Group All Rights Reserved 5

Utilize Existing Infrastructure In spite of the TNC and NAP framework revisions, enterprises will not need to burn their current IT infrastructure switches, routers, and so on to take advantage of the improvements. Rather, existing network access control technology will become compatible with a much wider array of products, thus providing organizations with increased flexibility for implementing costeffective network access control solutions. Likewise, product developers can reach a much wider audience. What will TNC or NAP users need to upgrade? In general, Policy Enforcement Points including switches, routers, and gateways) will not need to be upgraded, as they do not need to support IF- TNCCS-SOH. Network access control clients and Policy Decision Point servers, however, may require software upgrades. Expect widespread IF-TNCCS-SOH adoption by the 75 TNC member companies and 115 NAP partners. Already, Microsoft has announced that all Microsoft Windows Vista and Microsoft Windows Server Code Name Longhorn products include out-of-the-box IF-TNCCS-SOH support and that support in Microsoft Windows XP systems is forthcoming. Furthermore, Juniper Networks has announced that support for the protocol will be added to its Unified Access Control solution in the first half of 2008. Roadmap to Increased TNC/NAP Interoperability Products compatible with both the TNC and NAP frameworks will arrive in the first half of 2008. In the meantime, how should organizations interested in pursuing network access controls and taking advantage of TNC and NAP interoperability prepare? 1) Study the network. Which resources does the organization need to protect? 2) Catalog endpoints. Assess whether currently deployed security clients will work with desired network access control products and tell vendors that TNC and NAP are important to the future of enterprise network security. 3) Define healthy. Network access controls will not be effective or enforceable unless organizations create written policies to specify access levels granted, based on user identity and endpoint health. Begin by identifying which endpoints most urgently need protection, and crafting related policies. 4) Begin NAP and/or TNC deployment. NAP and TNC-based products provide the best foundation for implementing network access controls today, because they are all based on the strong, secure TNC architecture, and the growing body of related standards. Organizations that deploy such products now will immediately enhance enterprise security while also positioning themselves to benefit from increasing NAP/TNC interoperability and product compatibility. Interoperability Payoffs Network access control practitioners will realize four immediate business and security benefits from TNC and NAP interoperability: Improved interoperability and choice: Users have an even greater choice of architecture and product options. They can select the best, most cost-effective components, infrastructure, and technology from any of the 75 TNC member companies or 115 NAP partners. Furthermore, because of the open IF-TNCCS-SOH client/server protocol for network access control, whatever they select will remain compatible with a wide range of other technology. Simplified approach: The days of confusing and competing network access control architectures and products are over. Two of the most important network access Copyright 2007 Microsoft Corporation and Trusted Computing Group All Rights Reserved 6

control industry participants Microsoft and TCG have agreed on common network access standards: the TNC specifications, including the IF-TNCCS-SOH protocol. Single network access control client: Windows Vista, as noted, includes a built-in NAP client, thus allowing all Vista PCs to interoperate with TNC-compliant technology. In other words, organizations running Windows Vista and soon, Windows XP will not need to install a new, standalone network access control client; it comes preinstalled. Investment protection: Thanks to TNC and NAP interoperability, companies can pursue network access control investments today and know this technology will continue to meet their needs and remain compatible with network access control frameworks as standards evolve. Ongoing Benefits The SOH interoperability between TNC and NAP is just the first step in an ongoing process of further integration and interoperability between the two frameworks. Expect future announcements, including details of enhanced protocols and improved integration with the tens of millions of Trusted Platform Modules (TPM) already installed in endpoints, helping to better identify individual users, thwart rootkits, and enhance overall network security. More information on rootkit prevention is available at https://www.trustedcomputinggroup.org/news/industry_data/whitepaper_rootkit_strom_v3.pdf. Learn More about TNC and NAP For more information about the Trusted Computing Group and the TNC, including membership details and the organization s specifications, see: https://www.trustedcomputinggroup.org/groups/network/ For more information on Microsoft NAP, including details of the policy enforcement capabilities built into Microsoft Windows Vista and Windows Server Code Name Longhorn, see: http://www.microsoft.com/technet/network/nap/default.mspx Copyright 2007 Microsoft Corporation and Trusted Computing Group All Rights Reserved 7

The information contained in this document represents the current view of Microsoft Corporation and the Trusted Computing Group on the issues discussed as of the date of publication. Because Microsoft and the Trusted Computing Group must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft or the Trusted Computing Group, and neither Microsoft nor the Trusted Computing Group can guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT AND THE TRUSTED COMPUTING GROUP MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation and the Trusted Computing Group. Microsoft and Trusted Computing Group members may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from the patent holder, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2007 Microsoft Corporation and the Trusted Computing Group. All rights reserved. Microsoft, Windows Vista, Windows Server Code Name Longhorn, Windows XP, and Microsoft s Network Access Protection are trademarks of the Microsoft group of companies. Juniper Networks, Infranet Controller, and Unified Access Control are trademarks of Juniper Networks, Inc. Copyright 2007 Microsoft Corporation and Trusted Computing Group All Rights Reserved 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback