Trusted Network Connect (TNC) HOWTO » History » Version 72
Andreas Steffen, 25.07.2015 18:24
Created link to HCD-IMV
{{>toc}}

h1. Trusted Network Connect (TNC) HOWTO

The "Trusted Computing Group":http://www.trustedcomputinggroup.org/ (TCG) has defined and released an open architecture and a growing set of standards for endpoint integrity called "Trusted Network Connect":http://www.trustedcomputinggroup.org/developers/trusted_network_connect.

h2. Architecture

!TCG_TNC_Architecture.png!

strongSwan supports both the older XML-based "IF-TNCCS 1.1":http://www.trustedcomputinggroup.org/files/resource_files/64697C86-1D09-3519-ADE44ADD6B39B71D/TNC_IF-TNCCS_v1_1_r15.pdf "TNC Client-Server Interface" and the latest "IF-TNCCS 2.0":http://www.trustedcomputinggroup.org/files/resource_files/495CA3DD-1D09-3519-AD0043966E821ECB/IF-TNCCS_TLVBinding_v2_0_r16a.pdf "TLV Binding" but currently not the "IF-TNCCS SoH 1.0":http://www.trustedcomputinggroup.org/files/resource_files/8D2DF7F3-1D09-3519-AD76CE4433FECE07/IF-TNCCS-SOH_v1.0_r8.pdf "State of Health Protocol Bindings" used by Microsoft's Network Access Protection (NAP) framework. The new strongSwan "Test" and "Scanner" IMC/IMV pairs support the "IF-M 1.0":http://www.trustedcomputinggroup.org/files/resource_files/495862FF-1D09-3519-AD8977DC98C1167C/TNC_IFM_TLVBinding_v1_0_r37a.pdf "TLV Binding" standard.

The TCG IF-M 1.0 protocol is equivalent to the IETF "Posture Attribute (PA) Protocol Compatible with Trusted Network Connect" (PA-TNC) defined by "RFC 5792":http://tools.ietf.org/html/rfc5792 and the TCG IF-TNCCS 2.0 protocol is equivalent to the IETF "Posture Broker (PB) Protocol Compatible with Trusted Network Connect" (PB-TNC) defined by "RFC 5793":http://tools.ietf.org/html/rfc5793. Both RFCs are part of the IETF's "Network Endpoint Assessment" (NEA) framework defined by "RFC 5209":http://tools.ietf.org/html/rfc5209.
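The two TLV framings named above (PB-TNC batches per RFC 5793, PA-TNC messages and attributes per RFC 5792), as an added Python example that is not part of this HOWTO and not strongSwan code: a small encoder builds a client-to-server CDATA batch carrying one PA-TNC attribute, and a validating decoder checks what a TNC Server should check before handing a message to an IMV (version, batch length, D flag against transport direction, batch type against direction, and the NOSKIP rule for unknown message types). Field layouts follow the RFC diagrams; DEMO_VENDOR_ID, attribute type 7, its value and the message identifier are constructed for the example.

```python
"""Added example (not strongSwan's own code): encoder and validating decoder for
the PB-TNC batch framing of RFC 5793 (TCG IF-TNCCS 2.0) and the PA-TNC message
framing of RFC 5792 (TCG IF-M 1.0).  Layouts follow the RFC diagrams;
DEMO_VENDOR_ID and all payload bytes are constructed for this example."""
import struct

PB_VERSION, PA_VERSION, IETF_VENDOR_ID = 2, 1, 0
DEMO_VENDOR_ID = 0x123456   # placeholder SMI enterprise number, constructed
NOSKIP = 0x80               # MSB of the Flags octet in PB-TNC and PA-TNC headers
PB_PA = 1                   # IETF PB-TNC message type carrying a PA-TNC message
# RFC 5793 section 4.1 batch types and the side allowed to send each of them
BATCH_TYPES = {1: "CDATA", 2: "SDATA", 3: "RESULT", 4: "CRETRY", 5: "SRETRY", 6: "CLOSE"}
CLIENT_ONLY, SERVER_ONLY = {1, 4}, {2, 3, 5}

class PBError(ValueError):
    pass

def _require(cond, msg):
    if not cond:                      # a real PBS/PBC would answer with a PB-Error message
        raise PBError(msg)

def pa_attribute(vendor_id, attr_type, value, noskip=True):
    """PA-TNC attribute: Flags(1) | Vendor ID(3) | Type(4) | Length(4, incl. header) | Value."""
    word = ((NOSKIP if noskip else 0) << 24) | (vendor_id & 0xFFFFFF)
    return struct.pack("!III", word, attr_type, 12 + len(value)) + value

def pa_tnc_message(message_id, attributes):
    """PA-TNC message: Version(1)=1 | Reserved(3) | Message Identifier(4) | attributes."""
    return struct.pack("!B3xI", PA_VERSION, message_id) + b"".join(attributes)

def pb_message(vendor_id, msg_type, body, noskip):
    """PB-TNC message: Flags(1) | Vendor ID(3) | Type(4) | Length(4, incl. header) | body."""
    word = ((NOSKIP if noskip else 0) << 24) | (vendor_id & 0xFFFFFF)
    return struct.pack("!III", word, msg_type, 12 + len(body)) + body

def pb_pa_message(pa_vendor_id, pa_subtype, collector_id, validator_id, pa_msg):
    """PB-PA body: Flags(1) | PA Vendor ID(3) | PA Subtype(4) | Collector ID(2) | Validator ID(2)."""
    body = struct.pack("!IIHH", pa_vendor_id & 0xFFFFFF, pa_subtype, collector_id, validator_id)
    return pb_message(IETF_VENDOR_ID, PB_PA, body + pa_msg, noskip=True)  # PB-PA is always NOSKIP

def pb_batch(batch_type, to_server, messages):
    """PB-TNC batch: Version(1)=2 | D(1 bit) | Reserved(19 bits) | B-Type(4 bits) | Length(4)."""
    payload = b"".join(messages)
    direction = 0 if to_server else 1            # D=0 towards the PBS, D=1 towards the PBC
    word = (PB_VERSION << 24) | (direction << 23) | (batch_type & 0x0F)
    return struct.pack("!II", word, 8 + len(payload)) + payload

def parse_pa_tnc(data):
    """Decode a PA-TNC message into (message_id, [(vendor_id, type, value), ...])."""
    _require(len(data) >= 8, "truncated PA-TNC header")
    version, message_id = struct.unpack("!B3xI", data[:8])
    _require(version == PA_VERSION, "unsupported PA-TNC version %d" % version)
    attrs, offset = [], 8
    while offset < len(data):
        _require(len(data) - offset >= 12, "truncated PA-TNC attribute header")
        word, atype, alen = struct.unpack("!III", data[offset:offset + 12])
        _require(12 <= alen <= len(data) - offset, "PA-TNC attribute length out of range")
        attrs.append((word & 0xFFFFFF, atype, data[offset + 12:offset + alen]))
        offset += alen
    return message_id, attrs

def parse_pb_pa(body):
    """Decode a PB-PA body, including the PA-TNC message it carries."""
    _require(len(body) >= 12, "truncated PB-PA header")
    word, subtype, collector, validator = struct.unpack("!IIHH", body[:12])
    return {"pa_vendor_id": word & 0xFFFFFF, "pa_subtype": subtype, "collector_id": collector,
            "validator_id": validator, "pa_tnc": parse_pa_tnc(body[12:])}

def parse_pb_batch(data, expect_to_server):
    """Validate a received batch and decode its messages; unknown message types are
    skipped unless flagged NOSKIP, in which case RFC 5793 requires an error."""
    _require(len(data) >= 8, "truncated batch header")
    word, length = struct.unpack("!II", data[:8])
    version, direction, btype = word >> 24, (word >> 23) & 1, word & 0x0F
    _require(version == PB_VERSION, "unsupported PB-TNC version %d" % version)
    _require(btype in BATCH_TYPES, "invalid batch type %d" % btype)
    _require(length == len(data), "batch length %d != %d bytes received" % (length, len(data)))
    _require(direction == (0 if expect_to_server else 1), "D flag contradicts transport direction")
    _require(not (btype in CLIENT_ONLY and direction) and not (btype in SERVER_ONLY and not direction),
             "batch type %s not allowed in this direction" % BATCH_TYPES[btype])
    messages, offset = [], 8
    while offset < length:
        _require(length - offset >= 12, "truncated PB-TNC message header")
        word, mtype, mlen = struct.unpack("!III", data[offset:offset + 12])
        flags, vendor = word >> 24, word & 0xFFFFFF
        _require(12 <= mlen <= length - offset, "PB-TNC message length out of range")
        body = data[offset + 12:offset + mlen]
        if vendor == IETF_VENDOR_ID and mtype == PB_PA:
            messages.append(("PB-PA", parse_pb_pa(body)))
        else:
            _require(not flags & NOSKIP, "unknown message %d/%d flagged NOSKIP" % (vendor, mtype))
            messages.append(("skipped", (vendor, mtype)))
        offset += mlen
    return BATCH_TYPES[btype], messages

def demo():
    """Client builds a CDATA batch with one vendor-specific attribute; server decodes it."""
    attr = pa_attribute(DEMO_VENDOR_ID, 7, b"hello")          # attribute type 7, value constructed
    pa_msg = pa_tnc_message(42, [attr])
    pb_pa = pb_pa_message(DEMO_VENDOR_ID, 0, 1, 2, pa_msg)   # IETF PA subtype 0 is "Testing"
    batch = pb_batch(1, True, [pb_pa])                       # CDATA batch, client -> server
    return parse_pb_batch(batch, expect_to_server=True)
```

Running `demo()` returns `("CDATA", [("PB-PA", {...})])` with the attribute recovered as `(DEMO_VENDOR_ID, 7, b"hello")`. The length checks matter in practice: every TLV length here includes its own header, so a length below 12 or beyond the enclosing container is the usual way a malformed batch would otherwise make a decoder loop or read past its buffer.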

!NEA_Architecture_small.png!

As a transport protocol to exchange IF-TNCCS 1.1 or IF-TNCCS 2.0 messages between TNC Client and TNC Server, strongSwan uses the EAP-TNC method defined by "IF-T":http://www.trustedcomputinggroup.org/files/resource_files/8CC75909-1D09-3519-ADA6958AA29CF223/TNC_IFT_v1_1_r10.pdf "Protocol Bindings for Tunneled EAP Methods 1.1". EAP-TNC as an inner non-secure protocol is then encapsulated in an outer encrypted and authenticated IKEv2-EAP-TTLS tunnel.

h2. TNC Configuration

By activating the appropriate plugins, a strongSwan VPN Client can act as a TNC Client, and a strongSwan VPN Gateway can act either as a "Policy Enforcement Point" (PEP) only, forwarding all EAP-TTLS packets via EAP-RADIUS to an external AAA server, or additionally as a TNC Server.

* [[TNCC|Configuration as a TNC Client]]

* [[TNCS|Configuration as a TNC Server]]

* [[PEP|Configuration as a PEP with EAP-RADIUS Interface]]

* [[OptimumTMC|Optimum PB-TNC Batch and PA-TNC Message Sizes]]

h2. TNC Integrity Measurement Collectors and Verifiers

strongSwan can dynamically load any number of Integrity Measurement Collectors (IMCs) and Integrity Measurement Verifiers (IMVs) that already comply with the draft *IF-IMC 1.3* and *IF-IMV 1.3* interface specifications, respectively. These interfaces are implemented by the *tnc-imc* and *tnc-imv* plugins, respectively.

* Attestation [[PTS-IMC]] / [[PTS-IMV]] : TPM-based Remote Attestation

* Scanner IMC / IMV : Does a remote port scan and reports the results

* Test IMC / IMV : Tests the IF-TNCCS / IF-M protocols

The strongSwan IMC/IMV dynamic libraries can be used by any third party TNC Client/Server implementation possessing a standard IF-IMC/IMV interface and running under a Linux, Android, FreeBSD or Mac OS X operating system. The following [[Build-IMC-IMV-Only|HOWTO]] shows how to build the IMC/IMV libraries only, without the strongSwan IKE daemon.

h2. TNC Deployment

* *IF-TNCCS 1.1* support was first introduced in October 2010 with the strongSwan 4.5.0 release. The *tnccs-11* charon plugin originally used Mike McCauley's "libtnc":http://sourceforge.net/projects/libtnc/ library but the code was refactored with the strongSwan 4.5.1 release to use the *tnc-imc* and *tnc-imv* plugins and now implements the IF-TNCCS 1.1 protocol directly by including Mike McCauley's *libxml* statements.
A strongSwan VPN Gateway configured as a PEP can connect to a FreeRADIUS server running the "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh plugin.

- "Example 1a":http://www.strongswan.org/uml/testresults/tnc/tnccs-11/: TNC Client - TNC Server with password-based EAP-MD5 client authentication
- "Example 1b":http://www.strongswan.org/uml/testresults/tnc/tnccs-11-radius/: TNC Client - PEP - FreeRADIUS

* *IF-TNCCS 2.0* support was introduced in February 2011 with the strongSwan 4.5.1 release. The *tnccs-20* charon plugin was implemented by HSR master student Sansar Choinyambuu and does not make use of the libtnc library at all. Communication with IMCs and IMVs is handled by the *tnc-imc* or *tnc-imv* plugin, respectively.

- "Example 2a":http://www.strongswan.org/uml/testresults/tnc/tnccs-20/: TNC Client - TNC Server with password-based EAP-MD5 client authentication
- "Example 2b":http://www.strongswan.org/uml/testresults/tnc/tnccs-20-tls/: TNC Client - TNC Server with certificate-based EAP-TLS client authentication

* Using the *tnccs-dynamic* plugin, a strongSwan VPN gateway can act as a TNC Server handling both the *IF-TNCCS 1.1* and *IF-TNCCS 2.0* protocols by dynamically detecting the protocol version chosen by the TNC Client.

- "Example 3":http://www.strongswan.org/uml/testresults/tnc/tnccs-dynamic/: TNC Client - TNC Server with dynamic IF-TNCCS 1.1/2.0 protocol detection.

* *IF-M 1.0* support was introduced in August 2011 with the strongSwan 4.5.3 release. The strongSwan "Test" and "Scanner" IMC/IMV pairs which communicate with each other via the IF-M TLV-based protocol can be used either in conjunction with a strongSwan TNC Client or TNC Server, respectively, or as stand-alone dynamic libraries *imc-test.so*, *imc-scanner.so*, *imc-attestation.so*, *imv-test.so*, *imv-scanner.so*, and *imv-attestation.so* with any third party TNC Client or TNC Server product having an *IF-IMC* or *IF-IMV* interface, respectively.

* *IF-MAP 2.0* prototype support was introduced in November 2011 with the strongSwan 4.6.0 release. Using the *tnc-ifmap* plugin strongSwan acts as a MAP Client sending IPsec authentication metadata to a MAP Server via an Apache Axis2/C SOAP interface. For details see our [[IfMap|TNC IF-MAP HOWTO]].

* Support of the "TCG Attestation PTS Protocol: Binding to IF-M":http://www.trustedcomputinggroup.com was introduced in February 2012 with the strongSwan 4.6.2 release and was developed by HSR master student Sansar Choinyambuu. Using the [[PTS-IMC|Attestation PTS-IMC]] / [[PTS-IMV|Attestation PTS-IMV]] pair, file and TPM-based functional component measurements can be executed remotely.

- "Example 4":http://www.strongswan.org/uml/pts/: TNC Client with PTS-IMC - TNC Server with PTS-IMV.

h2. Certification

The *IF-IMC* interface of the strongSwan 4.5.2 TNC Client (*TNCC*) and the *IF-IMV* interface of the strongSwan 4.5.2 TNC Server (*TNCS*) were successfully "certified":http://www.trustedcomputinggroup.org/certification/tnc_certified_products_list by the Trusted Computing Group (TCG). We also participated in the May 2011 Plugfest in Chantilly, Virginia, USA, where we tested *IF-PEP* interoperability.

h2. Android BYOD Security based on the TNC framework

The following [[BYOD|link]] gives an overview of the BYOD security features of our Android VPN client.

h2. Endpoint Compliance Profile

* The following [[PT-TLS-SWID|scenario]] shows SWID tag requests via the PT-TLS transport protocol.

* An alternative [[PT-EAP-SWID|scenario]] shows SWID tag requests via the PT-EAP transport protocol.

* The strongSwan SWID IMC uses the open source "swidGenerator":https://github.com/strongswan/swidGenerator Python script to generate ISO/IEC 19770-2:2014 Software Identification Tags for all software packages managed by *dpkg* (which is used e.g. by the Debian and Ubuntu Linux distributions) or *yum* (which is used by the RedHat and Fedora Linux distributions). A detailed HOWTO explaining the installation and use of the *swid_generator* function can be found [[swidGenerator|here]].
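How a package inventory becomes a set of SWID tags, as an added Python example that is not the swidGenerator project's code and not part of this HOWTO: tab-separated name/version/architecture lines (as dpkg-query or rpm can print them) are parsed, one SoftwareIdentity element per package is emitted, and a small read-back helper shows what a verifier would extract from each tag. The inventory text, the regid, the tagId naming scheme and the schema namespace used here are assumptions of this example, not the tool's own conventions.

```python
"""Added example (not the swidGenerator project's code): build ISO/IEC 19770-2
style SWID tags from package manager inventory lines.  The inventory text, the
regid, the tagId scheme and the namespace are constructed assumptions."""
import xml.etree.ElementTree as ET

# Assumption: the ISO/IEC 19770-2:2015 schema namespace; adjust to the edition you target.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
REGID = "regid.example.com"        # placeholder tag creator regid, constructed

# Constructed output of:  dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n'
DPKG_INVENTORY = "strongswan\t5.3.2-1\tamd64\nlibssl1.0.0\t1.0.2d-1\tamd64\n"
# Constructed output of:  rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n'  (yum's rpm db)
RPM_INVENTORY = "strongswan\t5.3.2-1.fc22\tx86_64\n"


def parse_inventory(text):
    """Parse tab separated (name, version, arch) lines; blank or malformed lines are skipped."""
    packages = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 3 and all(fields):
            packages.append(tuple(fields))
    return packages


def tag_id(os_string, name, version, arch, regid=REGID):
    """tagId unique per package build; the '<regid>_<os>-<arch>-<name>-<version>' scheme is assumed."""
    return "%s_%s-%s-%s-%s" % (regid, os_string, arch, name, version)


def swid_tag(os_string, name, version, arch, regid=REGID):
    """Return one SoftwareIdentity element, serialised as an XML string."""
    ET.register_namespace("", SWID_NS)          # emit the SWID namespace as the default namespace
    root = ET.Element("{%s}SoftwareIdentity" % SWID_NS, {
        "name": name, "version": version, "versionScheme": "alphanumeric",
        "tagId": tag_id(os_string, name, version, arch, regid)})
    ET.SubElement(root, "{%s}Entity" % SWID_NS, {"name": regid, "regid": regid, "role": "tagCreator"})
    return ET.tostring(root, encoding="unicode")


def swid_inventory(os_string, text, regid=REGID):
    """Map tagId -> tag XML for every package in an inventory; this is what an IMC would hold."""
    return {tag_id(os_string, n, v, a, regid): swid_tag(os_string, n, v, a, regid)
            for n, v, a in parse_inventory(text)}


def tag_summary(xml_text):
    """Parse a tag back and return (name, version, tagId), as a verifier would read it."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}SoftwareIdentity" % SWID_NS:
        raise ValueError("not a SWID SoftwareIdentity element")
    return root.get("name"), root.get("version"), root.get("tagId")
```

Because the tagId embeds the exact package version, a verifier that keeps the previous tagId set can detect an upgrade, downgrade or removal by comparing identifiers alone, without re-parsing full tags; the version string is carried verbatim so that distribution-specific suffixes such as `-1` or `.fc22` stay comparable to the package manager's own records.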

h2. Hardcopy Device Health Assessment

* [[HCD-IMV]] - Hardcopy Device Integrity Measurement Verifier

h2. Presentations

* TCG Members Meeting June 2015 Edinburgh: "Mutual Attestation of IoT Devices":http://www.strongswan.org/docs/TCG_Edinburgh_2015.pdf.

* TCG Demo at RSA Conference 2015 San Francisco: "Securing IoT with Trusted Computing":https://www.youtube.com/watch?t=45&v=Eozph-Y4_5Q

* TCG Members Meeting June 2014 Barcelona: "TNC Endpoint Compliance and Network Access Control Profiles":http://www.strongswan.org/tcg/TCG_Barcelona_2014.pdf.

* Trusted Computing Conference September 2013 Orlando: "Android BYOD Security using Trusted Network Control Protocol Suite":http://www.strongswan.org/tcg/TCC_Orlando_2013.pdf.

* TCG Members Meeting June 2013 Dublin: "strongSwan TNC Activities Update":http://www.strongswan.org/tcg/TCG_Dublin_2013.pdf.

* Linux Security Summit August 30 2012 San Diego: "The Linux Integrity Subsystem and TPM-based Network Endpoint Assessment":http://www.strongswan.org/lss2012.pdf.

* TCG Members Meeting June 2011 Munich: "The strongSwan IPsec Solution with TNC Support":http://www.strongswan.org/tcg/tcg_munich_2011.pdf.