From Fedora Project Wiki

Line 22: Line 22:


== Benefit to Fedora ==
== Benefit to Fedora ==
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
System and network administrators using fedora can now utilize the potential of open and interoperable TNC protocols over existing NAC solutions. It helps them reduce the possibility of allowing a vulnerable client accessing their network.


== Scope ==
== Scope ==

Revision as of 21:13, 28 January 2013

Trusted Network Connect (TNC)

Summary

This feature provides Trusted Network Connect(TNC) framework that can be used to assess and verify clients' posture (or integrity measurements or configuration) and its compliance to a predefined policy with existing network access control (NAC) solutions.

Owner

Name: Avesh Agarwal

Email: avagarwa@redhat.com

Current status

Targeted release: Fedora 19

Last updated: 1/24/2013

Percentage of completion: 50%

Detailed Description

Traditionally network access control (NAC) has lacked the ability in its decision making to asses endpoint's security posture and its compliance to enterprise policies. This lack of assessment may leave an enterprise's network vulnerable to malicious attacks. Trusted Computing Group (TCG) (and IETF too) has defined an open architecture called Trusted network connect (TNC) (IETF's Network Endpoint Assessment (NEA)) to fill this gap. TNC, as part of its architectural components, includes integrity measurement collectors (IMCs) and TNC client at endpoint and integrity measurement verifiers (IMVs) and TNC server at enterprise network side communicating over NAC solutions such as EAP with 802.1X to evaluate and verify the security posture of the endpoint against the enterprise policies before allowing network access. For this, TCG has released transport (IF-T), session (IF-TNCCS) and messaging (IF-M) standards which are open and interoperable. TNC architecture by virtue of it's IF-M protocol can leverage NIST's SCAP's (OpenSCAP) automated security aspects for measurement collection, verification and remediation. In addition, TCG has defined IF-PTS and PTS protocol specifications to integrate platform trust services (PTS) with TNC for TPM based attestation of integrity measurements. PTS protocol defines messaging payloads to be used over IF-M protocol.

This feature includes the aforementioned functionalities and aims to provide an end-to-end network based client assessment, verification and remediation.

Benefit to Fedora

System and network administrators using fedora can now utilize the potential of open and interoperable TNC protocols over existing NAC solutions. It helps them reduce the possibility of allowing a vulnerable client accessing their network.

Scope

How To Test

User Experience

Dependencies

Contingency Plan

Documentation

Release Notes

Comments and Discussion