Trusted Network Connect (TNC) HOWTO » History » Version 12
Andreas Steffen, 13.12.2010 19:03
| 1 | 1 | Andreas Steffen | h1. Trusted Network Connect (TNC) HOWTO |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 12 | Andreas Steffen | h2. Overview |
| 4 | 12 | Andreas Steffen | |
| 5 | 3 | Andreas Steffen | The "Trusted Computing Group":http://www.trustedcomputinggroup.org/ (TCG) has defined and released an open architecture and a growing set of standards for endpoint integrity called "Trusted Network Connect":http://www.trustedcomputinggroup.org/developers/trusted_network_connect. |
| 6 | 1 | Andreas Steffen | |
| 7 | 4 | Andreas Steffen | !TNC_Architecture.png! |
| 8 | 2 | Andreas Steffen | |
| 9 | 1 | Andreas Steffen | strongSwan supports both the older XML-based "IF-TNCCS 1.1":http://www.trustedcomputinggroup.org/files/resource_files/64697C86-1D09-3519-ADE44ADD6B39B71D/TNC_IF-TNCCS_v1_1_r15.pdf "TNC Client-Server Interface" and the latest "IF-TNCCS-2.0":http://www.trustedcomputinggroup.org/files/resource_files/495CA3DD-1D09-3519-AD0043966E821ECB/IF-TNCCS_TLVBinding_v2_0_r16a.pdf "TLV Bindings" but currently not the "IF-TNCCS SoH 1.0":http://www.trustedcomputinggroup.org/files/resource_files/8D2DF7F3-1D09-3519-AD76CE4433FECE07/IF-TNCCS-SOH_v1.0_r8.pdf "State of Health Protocol Bindings" used by Microsoft's Network Access Protection (NAP) framework. |
| 10 | 1 | Andreas Steffen | |
| 11 | 12 | Andreas Steffen | The TCG IF-TNCCS 2.0 protocol is equivalent to the IETF "Posture Broker (PB) Protocol Compatible with Trusted Network Connect" (PB-TNC) defined by "RFC 5793":http://tools.ietf.org/html/rfc5793 which is part of the IETF's "Network Endpoint Assessment" (NEA) framework defined by "RFC 5209":http://tools.ietf.org/html/rfc5209. |
| 12 | 9 | Andreas Steffen | |
| 13 | 1 | Andreas Steffen | !NEA_Architecture_small.png! |
| 14 | 6 | Andreas Steffen | |
| 15 | 1 | Andreas Steffen | As a transport protocol to exchange IF-TNCCS 1.1 or IF-TNCCS 2.0 messages between TNC Client and TNC Server, strongSwan uses the EAP-TNC method defined by "IF-T":http://www.trustedcomputinggroup.org/files/resource_files/8CC75909-1D09-3519-ADA6958AA29CF223/TNC_IFT_v1_1_r10.pdf "Protocol Bindings for Tunneled EAP Methods 1.1". EAP-TNC as an inner non-secure protocol is then encapsulated in an outer encrypted and authenticated IKEv2-EAP-TTLS tunnel. |
| 16 | 9 | Andreas Steffen | |
| 17 | 10 | Andreas Steffen | By activating the appropriate plugins, a strongSwan VPN Client can act as a TNC Client and a strongSwan VPN Gateway can take on either the role of a "Policy Enforcement Point" (PEP) only which forwards all EAP-TTLS packets via EAP-RADIUS to an external AAA-Server or alternatively can additionally act as a TNC Server. |
| 18 | 10 | Andreas Steffen | |
| 19 | 9 | Andreas Steffen | * [[TNCC|Configuration as a TNC Client]] |
| 20 | 9 | Andreas Steffen | |
| 21 | 9 | Andreas Steffen | * [[TNCS|Configuration as a TNC Server]] |
| 22 | 8 | Andreas Steffen | |
| 23 | 10 | Andreas Steffen | * [[PEP|Configuration as a PEP with EAP-RADIUS Interface]] |
| 24 | 11 | Andreas Steffen | |
| 25 | 1 | Andreas Steffen | strongSwan can dynamically load any number of Integrity Measurement Collectors (IMCs) and Integrity Measurement Verifiers (IMVs) that adhere to the "IF-IMC 1.2":http://www.trustedcomputinggroup.org/files/resource_files/8CB977E1-1D09-3519-AD48484530EF6639/TNC_IFIMC_v1_2_r8.pdf and "IF-IMV 1.2":http://www.trustedcomputinggroup.org/files/static_page_files/646808C3-1D09-3519-AD2E60765779A42A/TNC_IFIMV_v1_2_r8.pdf interface specifications, respectively. |
| 26 | 12 | Andreas Steffen | |
| 27 | 12 | Andreas Steffen | h2. Deployment |
| 28 | 12 | Andreas Steffen | |
| 29 | 12 | Andreas Steffen | * IF-TNCCS 1.1 support was introduced in October 2010 with strongSwan 4.5.0. The tnccs_11 plugin uses Mike McCauley's "libtnc":http://sourceforge.net/projects/libtnc/ library. strongSwan as a PEP can connect to a FreeRADIUS server running the "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh plugin |