Trusted Network Connect (TNC) HOWTO » History » Version 69

Andreas Steffen, 07.05.2015 08:07

h1. Trusted Network Connect (TNC) HOWTO
4 1 Andreas Steffen
5 3 Andreas Steffen
The Trusted Computing Group (TCG) has defined and released an open architecture and a growing set of standards for endpoint integrity called Trusted Network Connect (TNC).
h2. Architecture
strongSwan supports both the older XML-based IF-TNCCS 1.1 (TNC Client-Server Interface) and the newer IF-TNCCS 2.0 (TLV Binding), but currently not IF-TNCCS SoH 1.0 (State of Health Protocol Bindings), which is used by Microsoft's Network Access Protection (NAP) framework. The strongSwan "Test" and "Scanner" IMC/IMV pairs support the IF-M 1.0 (TLV Binding) standard.
The TCG IF-M 1.0 protocol is equivalent to the IETF "Posture Attribute (PA) Protocol Compatible with Trusted Network Connect" (PA-TNC) defined by RFC 5792, and the TCG IF-TNCCS 2.0 protocol is equivalent to the IETF "Posture Broker (PB) Protocol Compatible with Trusted Network Connect" (PB-TNC) defined by RFC 5793. Both RFCs are part of the IETF's Network Endpoint Assessment (NEA) framework defined by RFC 5209.
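
The two message formats equated above are simple enough to build by hand. The following Python program is an added example written for this page, not strongSwan code: it encodes a PB-TNC CDATA batch (RFC 5793) carrying a PB-PA message whose PA-TNC payload (RFC 5792) holds a Port Filter attribute, then parses the batch back with the length checks a receiver has to make and the NOSKIP rule for unknown attributes. Only IETF standard (Vendor ID 0) batch, message, subtype and attribute codes from the two RFCs are used; the message identifier, the collector/validator identifiers and the port list are constructed sample values.

```python
"""PB-TNC (RFC 5793) batch carrying a PA-TNC (RFC 5792) message: encoder and decoder.
Added example, not strongSwan code. Only IETF (Vendor ID 0) codes are used."""
import struct

PB_VERSION, PA_VERSION, IETF_VENDOR_ID = 2, 1, 0
NOSKIP = 0x80  # MSB of the Flags byte in PB-TNC messages and PA-TNC attributes
PB_BATCH_CDATA, PB_BATCH_SDATA, PB_BATCH_RESULT = 1, 2, 3                    # RFC 5793 batch types
PB_MSG_PA, PB_MSG_ASSESSMENT_RESULT, PB_MSG_ACCESS_RECOMMENDATION = 1, 2, 3  # RFC 5793 message types
PA_SUBTYPE_FIREWALL = 5                                                      # RFC 5792 PA subtype
PA_ATTR_PORT_FILTER, PA_ATTR_ASSESSMENT_RESULT = 6, 9                        # RFC 5792 attribute types
KNOWN_PA_ATTRS = {PA_ATTR_PORT_FILTER, PA_ATTR_ASSESSMENT_RESULT}            # what this decoder understands


def _tlv(flags, vendor_id, type_, value):
    """Common 12-byte header of PB-TNC messages and PA-TNC attributes:
    Flags(8) | Vendor ID(24) | Type(32) | Length(32, includes the header) | Value."""
    return (struct.pack("!B", flags) + vendor_id.to_bytes(3, "big")
            + struct.pack("!II", type_, 12 + len(value)) + value)


def _parse_tlvs(data, what):
    """Walk a sequence of 12-byte-header TLVs, validating every length field."""
    items, off = [], 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated {what} header")
        flags = data[off]
        vendor_id = int.from_bytes(data[off + 1:off + 4], "big")
        type_, length = struct.unpack("!II", data[off + 4:off + 12])
        if length < 12 or off + length > len(data):
            raise ValueError(f"bad {what} length {length}")
        items.append({"noskip": bool(flags & NOSKIP), "vendor_id": vendor_id,
                      "type": type_, "value": data[off + 12:off + length]})
        off += length
    return items


def pa_attribute(attr_type, value, noskip=True):
    return _tlv(NOSKIP if noskip else 0, IETF_VENDOR_ID, attr_type, value)


def port_filter_value(entries):
    """Port Filter entries (blocked, ip_protocol, port); the B flag is the LSB of byte 0."""
    return b"".join(struct.pack("!BBH", int(blocked), proto, port) for blocked, proto, port in entries)


def pa_tnc_message(message_id, attributes):
    """PA-TNC header: Version(8) | Reserved(24) | Message Identifier(32), then attributes."""
    return struct.pack("!B3xI", PA_VERSION, message_id) + b"".join(attributes)


def pb_pa_message(pa_subtype, collector_id, validator_id, pa_msg, excl=False):
    """PB-PA value: Flags(8, EXCL=MSB) | PA Vendor ID(24) | PA Subtype(32) |
    Collector ID(16) | Validator ID(16) | PA-TNC message, wrapped as a PB-TNC message."""
    value = (struct.pack("!B", 0x80 if excl else 0) + IETF_VENDOR_ID.to_bytes(3, "big")
             + struct.pack("!IHH", pa_subtype, collector_id, validator_id) + pa_msg)
    return _tlv(NOSKIP, IETF_VENDOR_ID, PB_MSG_PA, value)


def pb_batch(batch_type, messages, to_server=True):
    """PB-TNC batch header: Version(8) | D(1) | Reserved(19) | Batch Type(4) | Batch Length(32)."""
    body = b"".join(messages)
    word = ((0 if to_server else 1) << 23) | (batch_type & 0x0F)  # D = 0 client->server, 1 server->client
    return struct.pack("!B", PB_VERSION) + word.to_bytes(3, "big") + struct.pack("!I", 8 + len(body)) + body


def parse_pb_batch(data):
    if len(data) < 8 or data[0] != PB_VERSION:
        raise ValueError("not a PB-TNC version 2 batch")
    word = int.from_bytes(data[1:4], "big")
    length = struct.unpack("!I", data[4:8])[0]
    if length != len(data):
        raise ValueError("batch length does not match the data")
    return {"to_server": not (word >> 23) & 1, "batch_type": word & 0x0F,
            "messages": _parse_tlvs(data[8:], "PB-TNC message")}


def parse_pb_pa(value):
    if len(value) < 12:
        raise ValueError("truncated PB-PA message")
    subtype, collector_id, validator_id = struct.unpack("!IHH", value[4:12])
    return {"excl": bool(value[0] & 0x80), "vendor_id": int.from_bytes(value[1:4], "big"),
            "subtype": subtype, "collector_id": collector_id,
            "validator_id": validator_id, "pa_message": value[12:]}


def parse_pa_tnc(msg):
    """Returns (message_id, known attributes). Unknown attributes are skipped unless they
    carry NOSKIP, in which case RFC 5792 requires an error instead of silent acceptance."""
    if len(msg) < 8 or msg[0] != PA_VERSION:
        raise ValueError("not a PA-TNC version 1 message")
    message_id = struct.unpack("!I", msg[4:8])[0]
    attrs = []
    for a in _parse_tlvs(msg[8:], "PA-TNC attribute"):
        known = a["vendor_id"] == IETF_VENDOR_ID and a["type"] in KNOWN_PA_ATTRS
        if not known and a["noskip"]:
            raise ValueError(f"unsupported attribute {a['vendor_id']}/{a['type']} carries NOSKIP")
        if known:
            attrs.append(a)
    return message_id, attrs


def parse_port_filter(value):
    if len(value) % 4:
        raise ValueError("Port Filter value is not a multiple of 4 bytes")
    return [(bool(value[i] & 1), value[i + 1], struct.unpack("!H", value[i + 2:i + 4])[0])
            for i in range(0, len(value), 4)]


def build_demo_batch():
    """Constructed sample: the client side reports TCP/22 as open and TCP/23 as blocked."""
    attr = pa_attribute(PA_ATTR_PORT_FILTER, port_filter_value([(False, 6, 22), (True, 6, 23)]))
    pa_msg = pa_tnc_message(0x1234, [attr])
    return pb_batch(PB_BATCH_CDATA, [pb_pa_message(PA_SUBTYPE_FIREWALL, 1, 0, pa_msg)])


def decode_demo_batch(batch):
    b = parse_pb_batch(batch)
    pa = parse_pb_pa(b["messages"][0]["value"])
    message_id, attrs = parse_pa_tnc(pa["pa_message"])
    return b["batch_type"], pa["subtype"], message_id, parse_port_filter(attrs[0]["value"])


if __name__ == "__main__":
    print(decode_demo_batch(build_demo_batch()))
```

The decoder returns the batch type, the PA subtype, the message identifier and the decoded port entries. The NOSKIP flag is the detail worth noting: it decides whether an attribute the receiver does not understand is silently skipped or turns into an error, so a verifier that ignored it would let a mandatory but unrecognised attribute pass unexamined.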
As the transport protocol for exchanging IF-TNCCS 1.1 or IF-TNCCS 2.0 messages between TNC Client and TNC Server, strongSwan uses the EAP-TNC method defined by IF-T: Protocol Bindings for Tunneled EAP Methods 1.1. EAP-TNC offers no confidentiality or integrity protection of its own, so it is run as an inner method and encapsulated in an outer encrypted and authenticated EAP-TTLS tunnel carried over IKEv2.
h2. TNC Configuration
By activating the appropriate plugins, a strongSwan VPN client can act as a TNC Client, and a strongSwan VPN gateway can either take on the role of a Policy Enforcement Point (PEP) only, forwarding all EAP-TTLS packets via EAP-RADIUS to an external AAA server, or additionally act as a TNC Server itself.
* [[TNCC|Configuration as a TNC Client]]
* [[TNCS|Configuration as a TNC Server]]
* [[PEP|Configuration as a PEP with EAP-RADIUS Interface]]
* [[OptimumTMC|Optimum PB-TNC Batch and PA-TNC Message Sizes]]
h2. TNC Integrity Measurement Collectors and Verifiers
strongSwan can dynamically load any number of Integrity Measurement Collectors (IMCs) and Integrity Measurement Verifiers (IMVs) that already comply with the draft *IF-IMC 1.3* and *IF-IMV 1.3* interface specifications, respectively. These interfaces are implemented by the *tnc-imc* and *tnc-imv* plugins, respectively.
* Attestation [[PTS-IMC]] / [[PTS-IMV]] : TPM-based Remote Attestation 
* Scanner IMC / IMV : Does a remote port scan and reports the results
* Test IMC / IMV : Tests the IF-TNCCS / IF-M protocols
The strongSwan IMC/IMV dynamic libraries can be used by any third party TNC Client/Server implementation possessing a standard IF-IMC/IMV interface and running under a Linux, Android, FreeBSD or Mac OS X operating system. The following [[Build-IMC-IMV-Only|HOWTO]] shows how to build the IMC/IMV libraries only, without the strongSwan IKE daemon.
h2. TNC Deployment
* *IF-TNCCS 1.1* support was first introduced in October 2010 with the strongSwan 4.5.0 release. The *tnccs-11* charon plugin originally used Mike McCauley's libtnc library, but the code was refactored with the strongSwan 4.5.1 release to use the *tnc-imc* and *tnc-imv* plugins, and it now implements the IF-TNCCS 1.1 protocol directly by incorporating Mike McCauley's *libxml*-based code.
A strongSwan VPN Gateway configured as a PEP can connect to a FreeRADIUS server running the TNC@FHH plugin.
 - Example 1a: TNC Client - TNC Server with password-based EAP-MD5 client authentication
 - Example 1b: TNC Client - PEP - FreeRADIUS
* *IF-TNCCS 2.0* support was introduced in February 2011 with the strongSwan 4.5.1 release. The *tnccs-20* charon plugin was implemented by HSR master student Sansar Choinyambuu and does not make use of the libtnc library at all. Communication with IMCs and IMVs is handled by the *tnc-imc* or *tnc-imv* plugin, respectively. 
  - Example 2a: TNC Client - TNC Server with password-based EAP-MD5 client authentication
  - Example 2b: TNC Client - TNC Server with certificate-based EAP-TLS client authentication
* Using the *tnccs-dynamic* plugin, a strongSwan VPN gateway can act as a TNC Server handling both the *IF-TNCCS 1.1* and *IF-TNCCS 2.0* protocols by dynamically detecting the protocol version chosen by the TNC Client.
  - Example 3: TNC Client - TNC Server with dynamic IF-TNCCS 1.1/2.0 protocol detection.
* *IF-M 1.0* support was introduced in August 2011 with the strongSwan 4.5.3 release. The strongSwan "Test" and "Scanner" IMC/IMV pairs, which communicate with each other via the TLV-based IF-M protocol, can be used either in conjunction with a strongSwan TNC Client or TNC Server, respectively, or as stand-alone dynamic libraries with any third-party TNC Client or TNC Server product that has an *IF-IMC* or *IF-IMV* interface, respectively.
* *IF-MAP 2.0* prototype support was introduced in November 2011 with the strongSwan 4.6.0 release. Using the *tnc-ifmap* plugin strongSwan acts as a MAP Client sending IPsec authentication metadata to a MAP Server via an Apache Axis2/C SOAP interface. For details see our [[IfMap|TNC IF-MAP HOWTO]].
* Support of the "TCG Attestation PTS Protocol: Binding to IF-M" specification was introduced in February 2012 with the strongSwan 4.6.2 release and was developed by HSR master student Sansar Choinyambuu. Using the [[PTS-IMC|Attestation PTS-IMC]] / [[PTS-IMV|Attestation PTS-IMV]] pair, file and TPM-based functional component measurements can be executed remotely.
 - Example 4: TNC Client with PTS-IMC - TNC Server with PTS-IMV.
h2. Certification
The *IF-IMC* interface of the strongSwan 4.5.2 TNC Client (*TNCC*) and the *IF-IMV* interface of the strongSwan 4.5.2 TNC Server (*TNCS*) were successfully certified by the Trusted Computing Group (TCG). We also participated in the May 2011 Plugfest in Chantilly, Virginia, USA, where we tested *IF-PEP* interoperability.
h2. Android BYOD Security based on the TNC framework
The following [[BYOD|link]] gives an overview of the BYOD security features of our Android VPN client.
h2. Endpoint Compliance Profile
* The following [[PT-TLS-SWID|scenario]] shows SWID tag requests via the PT-TLS transport protocol.
* An alternative [[PT-EAP-SWID|scenario]] shows SWID tag requests via the PT-EAP transport protocol.
* The strongSwan SWID IMC uses the open source swidGenerator Python script to generate ISO/IEC 19770-2:2014 Software Identification (SWID) tags for all software packages managed by *dpkg* (used e.g. by the Debian and Ubuntu Linux distributions) or *yum* (used by the Red Hat and Fedora Linux distributions). A detailed HOWTO explaining the installation and use of the *swid_generator* tool can be found [[swidGenerator|here]].
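
To make the output of such a generator concrete, here is an added Python example written for this page; it is neither the swidGenerator script nor strongSwan's SWID IMC. It turns a constructed `dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n'` listing into minimal SWID tags, produces the tag-ID-only inventory that a verifier can request instead of full tags, parses a tag back on the receiving side, and compares a reported inventory with an expected one. The tag creator regid, the tagId layout and the distribution/architecture token are assumptions; the XML namespace is that of the published ISO/IEC 19770-2:2015 schema, which is also an assumption since the page names the 2014 revision.

```python
"""Minimal SWID tag generation and inventory comparison for dpkg package lists.
Added example, not swidGenerator or strongSwan code."""
import xml.etree.ElementTree as ET

# Assumptions made for this example (not taken from the page or from swidGenerator):
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"  # published 2015 schema namespace
REGID = "strongswan.org"            # registration ID of the tag creator
OS_TOKEN = "Ubuntu_14.04-x86_64"    # distribution/architecture token embedded in the tagId

# Constructed sample in the format printed by
#   dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n'
DPKG_SAMPLE = (
    "strongswan\t5.3.0-1ubuntu1\tamd64\n"
    "libxml2\t2.9.1+dfsg1-3ubuntu4\tamd64\n"
    "openssl\t1.0.1f-1ubuntu2\tamd64\n"
)


def parse_dpkg_list(text):
    """Return (package, version, architecture) triples, rejecting malformed lines."""
    packages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"unexpected dpkg-query line: {line!r}")
        packages.append(tuple(fields))
    return packages


def tag_id(name, version, os_token=OS_TOKEN, regid=REGID):
    """A tagId must be unique per tag creator, product and version; this layout is an assumption."""
    return f"{regid}__{os_token}-{name}-{version}"


def swid_tag(name, version, arch, regid=REGID):
    """Minimal SWID tag: a SoftwareIdentity element with a tagCreator Entity and a Meta element."""
    root = ET.Element("SoftwareIdentity", {
        "xmlns": SWID_NS,
        "name": name,
        "tagId": tag_id(name, version),
        "version": version,
        "versionScheme": "alphanumeric",   # dpkg versions are not plain dotted numbers
    })
    ET.SubElement(root, "Entity", {"name": regid, "regid": regid, "role": "tagCreator"})
    ET.SubElement(root, "Meta", {"architecture": arch})  # Meta accepts open key/value attributes
    return ET.tostring(root, encoding="unicode")


def generate_tags(dpkg_text):
    """Full tags, one per installed package."""
    return [swid_tag(name, version, arch) for name, version, arch in parse_dpkg_list(dpkg_text)]


def tag_ids(dpkg_text):
    """Tag-ID-only inventory: sufficient for a verifier that only compares against a known list."""
    return [tag_id(name, version) for name, version, _ in parse_dpkg_list(dpkg_text)]


def parse_tag(xml_text):
    """Receiver-side check: parse a tag and return its SoftwareIdentity attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError(f"not a SWID SoftwareIdentity element: {root.tag}")
    return dict(root.attrib)


def compare_inventory(reported_ids, expected_ids):
    """Verifier-side comparison: (unexpected tag IDs, missing tag IDs), both sorted."""
    reported, expected = set(reported_ids), set(expected_ids)
    return sorted(reported - expected), sorted(expected - reported)


if __name__ == "__main__":
    for tag in generate_tags(DPKG_SAMPLE):
        print(tag)
    print(compare_inventory(tag_ids(DPKG_SAMPLE), tag_ids(DPKG_SAMPLE)[:2]))
```

The tag-ID-only inventory is the cheaper of the two exchanges: a verifier that already holds the full tags for an approved software baseline only needs the IDs to detect packages that are missing, unexpected, or at an unapproved version.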
h2. Presentations
* TCG Demo at RSA Conference 2015 San Francisco: "Securing IoT with Trusted Computing"
* TCG Members Meeting June 2014 Barcelona: "TNC Endpoint Compliance and Network Access Control Profiles"
* Trusted Computing Conference September 2013 Orlando: "Android BYOD Security using Trusted Network Control Protocol Suite"
* TCG Members Meeting June 2013 Dublin: "strongSwan TNC Activities Update"
* Linux Security Summit August 30 2012 San Diego: "The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment"
* TCG Members Meeting June 2011 Munich: "The strongSwan IPsec Solution with TNC Support"