The document discusses Trusted Network Connect (TNC), which is an open architecture for network access control developed by the Trusted Computing Group. TNC aims to control the integrity of systems connecting to a network by checking both who and what is accessing the network. It uses a client-server model where the TNC Client collects integrity measurements from the endpoint and sends them to the TNC Server for verification against policy rules. If any issues are found, the system may be quarantined or remediated before access is granted. The Trusted Platform Module is discussed as a way to establish the root of trust for integrity measurements collected by the TNC architecture.
Trusted computing is promoted by the TCG (Trusted Computing Group).
The Trusted Computing Group (TCG) is an industry standards body, composed of computer and device manufacturers, software vendors and others with a stake in enhancing the security of the computing environment across multiple platforms and devices.
As you can see, Cisco is not there.
Connected to Platform
No dongles, keys or cards to lose or break.
Lower implementation cost (included in PC).
Few Limits
Number of keys (users), secured data, etc. limited only by disk space
Single ‘owner’ controls various policies of the TPM operation.
Common Criteria Certification
Third-party measurement of security properties
Random Number Generator
Very high quality, can be used for many existing security and communications applications
Standard Algorithms
Can interoperate with software solutions running on existing platforms
Confidence in algorithms due to long analysis by cryptographic community
Security Requirements and Interoperability Standards
Permit only authenticated users and devices to connect to the network (interoperability standards: IEEE 802.1X, IETF RADIUS, IETF EAP)
Enable administrator to establish security policies for anti-virus, patch levels, software versions, etc.
Measure device configuration against security policies before connection to the network is allowed
Identify devices that are not compliant
Quarantine non-compliant devices
Remediate non-compliant devices to bring them into compliance with security policies
What the TNC Architecture adds to the field of AAA is the ability to measure and report on the security state of the endpoint platform as part of the authentication and authorization process. This measurement involves capturing the security-relevant operational state of the endpoint as integrity information that can be sent to a AAA Server. In communicating a client's integrity information to a AAA Server, the TNC Architecture uses and extends existing protocols defined within the IETF so that it does not impact AAA architectures that are being deployed in the field today. Here, the TNC Architecture seeks to provide a richer set of security attributes for use in authorization policies. Thus, a Requestor can be granted or denied network access based on a set of finer-grained rules that look deeper into the Requestor's system state. In this way, a AAA Server can authorize a Client not only on the basis of the Client's network-related attributes (e.g. IP address, domain) and user-related attributes (e.g. user password, user certificate), but also on the Client platform's integrity state (e.g. hardware configuration, BIOS, kernel version, OS patch level, anti-virus signatures, etc.).
The TNC Architecture seeks to enhance AAA-related architectures and protocols developed in the IETF with increased security functions that are provided by Trusted Platforms. As such, the TNC Architecture does not exist in a vacuum, but rather relies on other established technologies that have been standardized in the IETF in the area of AAA. The broad aim of the TNC efforts is the same as and builds upon those of the AAA-related efforts in the IETF, namely to provide network access to endpoints that have been successfully authenticated and meet network-access endpoint integrity policies.
The work in the IETF in the area of AAA has proceeded for a number of years now, focusing on various aspects of AAA. These include efforts related to the architecture of a AAA system [15][16] and a AAA Authorization Framework [13] in the AAAARch Research Group [12], efforts in the AAA Working Group focusing on RADIUS, Diameter, the NAI and Network Access [14], as well as efforts in the Policy Framework Working Group
Access Requestor (AR):
Integrity Measurement Collector:
Measures aspects of the AR's integrity (e.g. anti-virus state).
May use Platform Trust Services (PTS) to obtain integrity information regarding every component on the platform.
TNC Client:
Aggregates integrity measurements (from IMCs)
Assists the management of the integrity check handshakes
Assists in the measurement & reporting of platform and IMC integrity.
Network Access Requestor:
Network-layer negotiation & access onto a given network.
Network layer transport protocol.
End-to-end secure channel creation & management.
Policy Decision Point (PDP):
Integrity Measurement Verifier:
Verifies AR’s integrity based on measurements received from IMCs, against network security policy.
TNC Server:
Manages IMV-to-IMC (peer) message flows.
Gathers recommendations from IMVs.
Provides action-recommendation to the NAA.
Network Access Authority:
Decides whether an Access Requestor should be granted network access.
Network layer transport protocol.
End-to-end secure channel creation & management.
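The following is an added example, not code from the original slides or from the TCG: a toy, single-process simulation of the integrity-check handshake described above, covering the requirements list (measure, identify, quarantine, remediate) and the component roles on the AR and PDP sides. Every IMC, IMV, policy value and endpoint record in it is constructed for illustration; the hash chain in extend_chain stands in for the TPM-rooted measurements that PTS would supply and is not a real TPM or PTS interface.

```python
import hashlib
from enum import Enum


class Recommendation(Enum):
    """IMV / TNC Server action recommendations, least restrictive first."""
    ALLOW = 0
    ISOLATE = 1      # quarantine on a remediation network
    NO_ACCESS = 2


# ---- Access Requestor (AR) side -------------------------------------------

def extend_chain(components):
    """PCR-style measurement chain (simulated, not a TPM call): each
    component's hash is folded into a running digest, so changing any
    component changes the final value."""
    digest = b"\x00" * 32
    for component in components:
        digest = hashlib.sha256(digest + hashlib.sha256(component).digest()).digest()
    return digest.hex()


def av_imc(endpoint):
    """Hypothetical IMC for the anti-virus component."""
    return {"av_signature_version": endpoint["av_signature_version"]}


def patch_imc(endpoint):
    """Hypothetical IMC for the OS patch level."""
    return {"os_patch_level": endpoint["os_patch_level"]}


def boot_imc(endpoint):
    """Hypothetical IMC reporting a measurement chain over boot components."""
    return {"boot_chain": extend_chain(endpoint["boot_components"])}


def tnc_client(endpoint, imcs):
    """TNC Client role: aggregate the IMCs' measurements into one report."""
    report = {"user": endpoint["user"], "measurements": {}}
    for imc in imcs:
        report["measurements"].update(imc(endpoint))
    return report


# ---- Policy Decision Point (PDP) side -------------------------------------

KNOWN_GOOD_BOOT = [b"bios-1.2", b"bootloader-3.0", b"kernel-2.6.18"]  # constructed

POLICY = {  # constructed policy values
    "authorized_users": {"alice", "bob"},
    "min_av_signature_version": 20070115,
    "min_os_patch_level": 42,
    "boot_chain": extend_chain(KNOWN_GOOD_BOOT),
}


def av_imv(measurements, policy):
    """Stale signatures are remediable, so isolate rather than deny."""
    if measurements["av_signature_version"] >= policy["min_av_signature_version"]:
        return Recommendation.ALLOW
    return Recommendation.ISOLATE


def patch_imv(measurements, policy):
    """Missing patches are remediable, so isolate rather than deny."""
    if measurements["os_patch_level"] >= policy["min_os_patch_level"]:
        return Recommendation.ALLOW
    return Recommendation.ISOLATE


def boot_imv(measurements, policy):
    """A boot chain that differs from the known-good value cannot be fixed
    by pushing updates, so the IMV recommends no access."""
    if measurements["boot_chain"] == policy["boot_chain"]:
        return Recommendation.ALLOW
    return Recommendation.NO_ACCESS


def tnc_server(report, imvs, policy):
    """TNC Server role: gather IMV recommendations; most restrictive wins."""
    recs = [imv(report["measurements"], policy) for imv in imvs]
    return max(recs, key=lambda r: r.value)


def network_access_authority(report, policy, imvs=(av_imv, patch_imv, boot_imv)):
    """NAA role: authenticate first, then authorize on the TNC Server's recommendation."""
    if report["user"] not in policy["authorized_users"]:
        return "deny"
    rec = tnc_server(report, imvs, policy)
    return {Recommendation.ALLOW: "grant: production network",
            Recommendation.ISOLATE: "quarantine: remediation network",
            Recommendation.NO_ACCESS: "deny"}[rec]


def evaluate(endpoint):
    """Run the whole handshake for one endpoint and return the NAA decision."""
    report = tnc_client(endpoint, (av_imc, patch_imc, boot_imc))
    return network_access_authority(report, POLICY)


if __name__ == "__main__":
    healthy = {"user": "alice", "av_signature_version": 20070201,
               "os_patch_level": 45, "boot_components": KNOWN_GOOD_BOOT}
    cases = {"healthy": healthy,
             "stale_av": dict(healthy, av_signature_version=20061201),
             "modified_boot": dict(healthy, boot_components=KNOWN_GOOD_BOOT[:2] + [b"kernel-modified"]),
             "unknown_user": dict(healthy, user="mallory")}
    for name, endpoint in cases.items():
        print(f"{name:14s} -> {evaluate(endpoint)}")
```

The split between ISOLATE and NO_ACCESS is the design point worth noticing: a stale signature file or a missing patch is something a remediation network can fix, so those IMVs recommend quarantine, whereas a boot measurement chain that does not match the known-good value indicates a change to the platform itself that remediation cannot undo, so that IMV recommends denial and the TNC Server's most-restrictive rule makes that the final answer.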
Microsoft Vista BitLocker encrypts the whole disk, so when your laptop is stolen, the thieves cannot see the data in it.