From Fedora Project Wiki

= Trusted Network Connect (TNC) =
 
  
== Summary ==
 
This feature provides a Trusted Network Connect (TNC) framework that can be used to assess and verify a client's posture (its integrity measurements or configuration) and its compliance with a predefined policy, working together with existing network access control (NAC) solutions.
 
 
== Owner ==
 
Name: [[User:Avesh| Avesh Agarwal]]
 
 
Email: avagarwa@redhat.com
 
 
== Current status ==
 
Targeted release: [[19 | Fedora 19 ]]
 
 
Last updated: 1/24/2013
 
 
Percentage of completion: 50%
 
 
== Detailed Description ==
 
Traditionally, network access control (NAC) has lacked the ability to assess an endpoint's security posture and its compliance with enterprise policies when making an access decision. Without such an assessment, an enterprise network can be exposed to compromised or vulnerable endpoints. The Trusted Computing Group (TCG), and the IETF in parallel, have defined an open architecture called Trusted Network Connect (TNC) (the IETF's Network Endpoint Assessment (NEA)) to fill this gap. TNC's architectural components include integrity measurement collectors (IMCs) and a TNC client on the endpoint, and integrity measurement verifiers (IMVs) and a TNC server on the enterprise network side. These communicate over existing NAC transports such as EAP with 802.1X to evaluate and verify the security posture of the endpoint against enterprise policies before network access is granted. For this, TCG has released open and interoperable transport (IF-T), session (IF-TNCCS) and messaging (IF-M) standards. By virtue of its IF-M protocol, the TNC architecture can leverage the automated security content of NIST's SCAP (via OpenSCAP) for measurement collection, verification and remediation. In addition, TCG has defined the IF-PTS and PTS protocol specifications to integrate platform trust services (PTS) with TNC for TPM-based attestation of integrity measurements; the PTS protocol defines messaging payloads carried over IF-M.
 
 
This feature covers the functionality listed above and aims to provide end-to-end, network-based client assessment, verification and remediation.
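As an added illustration of the IF-M exchange described above (this is example code written for this page, not code from the tncfhh, openpts or any other project listed here), the following Python sketch encodes an IMC's Installed Packages attribute in PA-TNC form, has the IMV parse it and evaluate it against a policy, and returns an IF-IMV evaluation result and action recommendation. The wire format and attribute numbers follow IETF RFC 5792 (the IETF form of IF-M); the package list, the policy, the numeric-only version comparison and the choice to isolate non-compliant clients are constructed assumptions for the example.

```python
"""Added example: a minimal PA-TNC (RFC 5792 / TCG IF-M) exchange between an IMC on the
endpoint and an IMV on the enterprise side.  Wire format per RFC 5792; the sample package
list, the policy and the version-comparison rule are constructed for illustration only."""
import re
import struct

PA_TNC_VERSION = 1
ATTR_FLAG_NOSKIP = 0x80        # MSB of the attribute Flags octet
IETF_VENDOR_ID = 0             # vendor ID 0 = IETF standard attribute types
ATTR_INSTALLED_PACKAGES = 7    # IETF attribute type "Installed Packages"
ATTR_ASSESSMENT_RESULT = 9     # IETF attribute type "Assessment Result"

# IF-IMV action recommendations and evaluation results (values as in TCG's tncifimv.h)
ACTION_ALLOW, ACTION_NO_ACCESS, ACTION_ISOLATE, ACTION_NO_RECOMMENDATION = 0, 1, 2, 3
EVAL_COMPLIANT, EVAL_NONCOMPLIANT_MINOR, EVAL_NONCOMPLIANT_MAJOR, EVAL_ERROR = 0, 1, 2, 3


def encode_attribute(vendor_id, attr_type, value, noskip=False):
    """PA-TNC attribute: Flags(8) | Vendor ID(24) | Type(32) | Length(32, incl. 12-byte header) | Value."""
    flags = ATTR_FLAG_NOSKIP if noskip else 0
    return struct.pack("!III", (flags << 24) | (vendor_id & 0xFFFFFF), attr_type, 12 + len(value)) + value


def encode_installed_packages(packages):
    """Installed Packages value: Reserved(16) | Count(16) | {NameLen(8) Name VerLen(8) Version}*."""
    body = struct.pack("!HH", 0, len(packages))
    for name, version in packages:
        n, v = name.encode(), version.encode()
        body += struct.pack("!B", len(n)) + n + struct.pack("!B", len(v)) + v
    return body


def encode_pa_tnc_message(message_id, attributes):
    """PA-TNC message: Version(8) | Reserved(24) | Message Identifier(32) | attributes."""
    return struct.pack("!BBBBI", PA_TNC_VERSION, 0, 0, 0, message_id) + b"".join(attributes)


def parse_attributes(message):
    """Yield (flags, vendor_id, attr_type, value) per attribute, refusing truncated or oversized lengths."""
    if len(message) < 8 or message[0] != PA_TNC_VERSION:
        raise ValueError("not a PA-TNC version 1 message")
    offset = 8
    while offset < len(message):
        if len(message) - offset < 12:
            raise ValueError("truncated attribute header")
        word, attr_type, length = struct.unpack_from("!III", message, offset)
        if length < 12 or offset + length > len(message):
            raise ValueError("bad attribute length %d" % length)
        yield word >> 24, word & 0xFFFFFF, attr_type, message[offset + 12:offset + length]
        offset += length


def parse_installed_packages(value):
    """Inverse of encode_installed_packages; raises instead of reading past the value."""
    _reserved, count = struct.unpack_from("!HH", value, 0)
    offset, packages = 4, []
    for _ in range(count):
        fields = []
        for _field in ("name", "version"):
            if offset >= len(value) or offset + 1 + value[offset] > len(value):
                raise ValueError("truncated package entry")
            n = value[offset]
            fields.append(value[offset + 1:offset + 1 + n].decode())
            offset += 1 + n
        packages.append(tuple(fields))
    return packages


def version_tuple(version):
    """Constructed comparison rule: numeric components only ("1.0.1e" -> (1, 0, 1))."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def verify_posture(message, policy):
    """IMV side: return (evaluation_result, action_recommendation, reasons) for one PA-TNC message."""
    reasons = []
    for flags, vendor_id, attr_type, value in parse_attributes(message):
        if (vendor_id, attr_type) == (IETF_VENDOR_ID, ATTR_INSTALLED_PACKAGES):
            installed = dict(parse_installed_packages(value))
            for package, minimum in policy.items():
                have = installed.get(package)
                if have is None or version_tuple(have) < version_tuple(minimum):
                    reasons.append("%s: have %s, policy requires >= %s" % (package, have, minimum))
        elif flags & ATTR_FLAG_NOSKIP:
            # RFC 5792: an unsupported attribute marked NOSKIP must not be silently ignored;
            # a real IMV would answer with a PA-TNC Error and give no recommendation.
            return EVAL_ERROR, ACTION_NO_RECOMMENDATION, ["unsupported NOSKIP attribute %d/%d" % (vendor_id, attr_type)]
        # any other unknown attribute without NOSKIP is skipped, as the flag intends
    if reasons:
        return EVAL_NONCOMPLIANT_MAJOR, ACTION_ISOLATE, reasons   # isolate for remediation (assumed policy)
    return EVAL_COMPLIANT, ACTION_ALLOW, reasons


def encode_assessment_result(evaluation_result, message_id):
    """IMV -> IMC reply carrying the 32-bit Assessment Result attribute."""
    attr = encode_attribute(IETF_VENDOR_ID, ATTR_ASSESSMENT_RESULT, struct.pack("!I", evaluation_result))
    return encode_pa_tnc_message(message_id, [attr])


if __name__ == "__main__":
    # Constructed sample: the endpoint's IMC reports its packages, the IMV checks a minimum-version policy.
    policy = {"openssl": "1.0.1", "wpa_supplicant": "2.0"}
    reported = encode_installed_packages([("openssl", "1.0.0"), ("wpa_supplicant", "2.0")])
    client_msg = encode_pa_tnc_message(1, [encode_attribute(IETF_VENDOR_ID, ATTR_INSTALLED_PACKAGES, reported)])
    result, action, why = verify_posture(client_msg, policy)
    print(result, action, why)
    print(encode_assessment_result(result, 2).hex())
```

In the stack this page describes, such PA-TNC messages travel inside PB-TNC (RFC 5793 / IF-TNCCS) batches, carried over EAP and 802.1X between wpa_supplicant and freeradius; that transport layer, and the PTS attestation payloads, are omitted here. The NOSKIP branch is the check a verifier must not forget: a collector can attach an attribute the verifier does not understand, and that flag decides whether the attribute may be ignored or must abort the evaluation rather than quietly producing an "allow".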
 
 
== Benefit to Fedora ==
 
System and network administrators using Fedora can utilize open and interoperable TNC protocols on top of their existing NAC solutions, reducing the chance of a vulnerable client being admitted to the network.
 
 
== Scope ==
 
This feature currently involves the following packages: tncfhh, openpts, wpa_supplicant, freeradius, tpm_tools, trousers
 
 
== Goals ==
 
TNC client and server functionality: TCG's IF-TNCCS 1.1 and IETF RFC 5793 (PB-TNC)
 
 
Integrity measurement collector (IMC) and verifier (IMV) messaging protocol functionality: IF-M 1.2 and IETF RFC 5792 (PA-TNC)
 
 
Implementation of Local IMC and IMV interfaces: IF-IMC 1.2, IF-IMV 1.2
 
 
A development library for building custom IMCs and IMVs.
 
 
An OpenSCAP-based IMC and IMV that follow the IF-IMC, IF-IMV and IF-M specifications.
 
 
PTS protocol (PTS-IMC and PTS-IMV) functionality and its integration (IF-PTS) with platform trust services for TPM-based attestation of integrity measurements.
 
 
== How To Test ==
 
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.
 
 
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.
 
 
A good "how to test" should answer these four questions:
 
 
0. What special hardware / data / etc. is needed (if any)?
 
1. How do I prepare my system to test this feature? What packages
 
need to be installed, config files edited, etc.?
 
2. What specific actions do I perform to check that the feature is
 
working like it's supposed to?
 
3. What are the expected results of those actions?
 
-->
 
 
== User Experience ==
 
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 
 
== Dependencies ==
 
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
 
 
== Contingency Plan ==
 
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If your feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
 
 
== Documentation ==
 
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
 
*
 
 
== Release Notes ==
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
 
*
 
 
== Comments and Discussion ==
 
* See [[Talk:Features/Your_Feature_Name]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
 
 
 
[[Category:FeaturePageIncomplete]]
 
<!-- When your feature page is completed and ready for review -->
 
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
 

Latest revision as of 22:11, 28 January 2013