Trusted Network Connect (TNC)

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(Blanked the page)
 
Line 1: Line 1:
= Trusted Network Connect (TNC) =
 
  
== Summary ==
 
This feature provides Trusted Network Connect(TNC) framework that can be used to assess and verify clients' posture (or integrity measurements or configuration) and its compliance to a predefined policy with existing network access control (NAC) solutions.
 
 
== Owner ==
 
Name: [[User:Avesh| Avesh Agarwal]]
 
 
Email: avagarwa@redhat.com
 
 
== Current status ==
 
Targeted release: [[19 | Fedora 19 ]]
 
 
Last updated: 1/24/2013
 
 
Percentage of completion: 50%
 
 
== Detailed Description ==
 
Traditionally network access control (NAC) has lacked the ability in its decision making to asses endpoint's security posture and its compliance to enterprise policies. This lack of assessment may leave an enterprise's network vulnerable to malicious attacks. Trusted Computing Group (TCG) (and IETF too) has defined an open architecture called Trusted network connect (TNC) (IETF's Network Endpoint Assessment (NEA)) to fill this gap. TNC, as part of its architectural components, includes integrity measurement collectors (IMCs) and TNC client at endpoint and integrity measurement verifiers (IMVs) and TNC server at enterprise network side communicating over NAC solutions such as EAP with 802.1X to evaluate and verify the security posture of the endpoint against the enterprise policies before allowing network access. For this, TCG has released transport (IF-T), session (IF-TNCCS) and messaging (IF-M) standards which are open and interoperable. TNC architecture by virtue of it's IF-M protocol can leverage NIST's SCAP's (OpenSCAP) automated security aspects for measurement collection, verification and remediation. In addition, TCG has defined IF-PTS and PTS protocol specifications to integrate platform trust services (PTS) with TNC for TPM based attestation of integrity measurements. PTS protocol defines messaging payloads to be used over IF-M protocol.
 
 
This feature includes the aforementioned functionalities and aims to provide an end-to-end network based client assessment, verification and remediation.
 
 
== Benefit to Fedora ==
 
System and network administrators using fedora can now utilize the potential of open and interoperable TNC protocols over existing NAC solutions. It helps them reduce the possibility of allowing a vulnerable client accessing their network.
 
 
== Scope ==
 
This feature involves following packages as of now: tncfhh, openpts, wpa_supplicant, freeradius, tpm_tools, trousers
 
 
== Goals ==
 
TNC client and server functionality: TCG's IF-TNCCS 1.1 and IETF RFC 5973
 
 
Integrity measurements collector (IMC) and verifier (IMV) messaging protocol functionality: IF-M 1.2 and IETF RFC 5972
 
 
Implementation of Local IMC and IMV interfaces: IF-IMC 1.2, IF-IMV 1.2
 
 
A development library for building custom IMCc and IMVs.
 
 
OpenSCAP based IMC and IMV that follow IF-IMC, IF-IMV and IF-M specifications.
 
 
PTS protocol (PTS-IMC and PTS-IMV) functionality and its integration (IF-PTS) with platform trust services for TPM based attestation of integrity measurements.
 
 
== How To Test ==
 
Configure wpa_supplicant at client and Freeradius at server.
 
 
Configure 802.lX managed switch.
 
 
Configure tnc.
 
 
Configure policies at IMC (provided or custom built) client and IMV (provided or custom built) at server. 
 
 
Start network access.
 
 
Observe if network access is allowed or not.
 
 
If not, remediate the system, and try again.
 
 
== User Experience ==
 
Users should be able to see if their system is in compliance to their network's predfined policy and are able to gain access to the network. If their system is not compliant, they should remediate it before trying to access the network again.
 
 
== Dependencies ==
 
This feature requires EAP-TNC support with wpa_supplicant and freeradius.
 
 
== Contingency Plan ==
 
None.
 
 
== Documentation ==
 
http://people.redhat.com/avagarwa/files/tnc-details.pdf
 
 
http://www.trustedcomputinggroup.org/developers/trusted_network_connect/specifications
 
 
http://tools.ietf.org/html/rfc5209
 
 
https://tools.ietf.org/html/rfc5793
 
 
https://tools.ietf.org/html/rfc5792
 
 
http://www.trustedcomputinggroup.org/resources/tcg_attestation_pts_protocol_binding_to_tnc_ifm
 
 
http://www.trustedcomputinggroup.org/resources/tnc_and_scap_an_integrated_solution_for_automating_security
 
 
== Release Notes ==
 
Fedora 19 offers support for Trusted Network Connect protocols to be used with 802.1X framework. OpenSCAP based client (IMC) and server (IMV) plugins are provided to leverage SCAP based measurements collection, verification, and remediation. It offers PTS protocol functionality for TPM based attestation of integrity measurements. It also includes some basic prototype IMCs and IMVs and provides a development library to build custom IMCs and IMVs.
 
 
== Comments and Discussion ==
 
None yet.
 
 
[[Category:FeatureReadyForWrangler]]
 
<!-- When your feature page is completed and ready for review -->
 
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
 

Latest revision as of 22:26, 28 January 2013