802.1x support

802.1x is supported by the tNAC components to allow for port-based enforcements towards clients. This means, that the port a client device is connected to is closed until a successful TNC handshake is done. 

The components of a 802.1x architecture correspond to the overall tNAC components (Access Requestor, Policy Enforcement Point and Policy Decision Point) as follows:

- Supplicant = AR

- Authenticator = PEP (a 802.1x capable switch)

- Authentication Server = PDP (a server running FreeRADIUS, communicating via the RADIUS-protocol with the PEP)

VPN support

Adding VPN Support to tNAC
Image: Adding VPN Support to tNAC, click to enlarge in new window

The Integration of VPN is based upon the usage of the IF-T for TLS protocol. That is, instead of using IKEv2 to support the exchange of EAP-Packets this approach relies on the VPN-Tunnel to exchange TNC messages.

  • The Authentication is carried out in a two phase process:

    • Within the first phase, a "normal" VPN-Authentication takes place. The usage of arbitrary authentication mechanisms (certificates, phassphrases, etc.) is supported.

    • The second phase consists of the TNC Platform Authentication. The already established VPN-Tunnel is used for the communication between the AR and the PDP. There are no changes to the VPN-Subsystem necessary.

  • Only a few new components are needed in order to support the integration:

    • A packet filter, for example iptables. This component ensures, that communication to the protected network is only allowed after the two phases were successfully completed.

    • The so called PEPd. This component receives IF-PEP messages and controls the packet filter according to the content of the IF-PEP messages.

To top

XACML policy support

The XACML specification provides an extensible schema for defining policies. This can be used to define the different policies for each IMC/IMV pair and the TNC server itself. It supports user-specific policies and therefore fine grained policies.

Architecture:

To add the possibility of XACML evaluation there must be additions to the TNC PDP and the IMVs, as well as a new component called the XACML PDP, which evaluates incoming requests against given policies.

  • IMVs with support for XACML
    • After receiving all measurements from its corresponding IMC, the IMV has to encapsulate these measurements within a XACML request and send it to a known XACML PDP. After receiving a response, it has to parse the decision and pass it to the TNC server.
  • TNC PDP with support for XACML
    • The TNC server has to encapsulate all IMV recommendations within a XACML request. This request is then checked by the XACML PDP against a TNC server policy, that defines what recommendation each IMV has to fulfill, to grant network access to the AR.
  • XACML PDP
    • The XACML PDP is responsible for receiving incoming XACML requests, evaluate them against a appropriate policy (that holds policy entries for the specific user of the AR) and send the results back.

Flow of operations: 

  1. With the use of the EAP-TTLS and EAP-MD5 module of FreeRADIUS, the username of the AR's user is determined via MD5 in a TLS secured tunnel.
  2. The AR and PDP start the TNC handshake.
  3. When the values from the IMC are received by the IMV, these values are combined in a XACML request, together with the username for this connection.
  4. The request is then send to the XACML PDP.
  5. The XACML PDP evaluates the request by using the configured polices. All values as well as the username have to fulfill the policy.
  6. The XACML PDP then creates a XACML response, which can be a ''permit'' or ''deny''. Additional information like a ''isolate''-recommendation is encapsulated in so called ''obligations''.
  7. The response is send back to the PDP, who generates the recommendation for this IMV. When the XACML evaluation fails, a local evaluation can be done.
  8. When the TNC handshake ends, the TNC server evaluates all IMV recommendations, by also generating and sending a XACML request.
  9. After the XACML PDP evaluated the request and send back the response, the TNC server can generate a recommendation for the whole connection and thus enforce it through the PEP.

 

 

IMC/IMV pairs for tNAC

To achieve the different goals of the tNAC project, three different IMC/IMV pairs were created. They were created using the imunit-library of tnc@fhh.

 

IMC/IMV pair for ClamAV antivirus software

This IMC/IMV pair checks attributes of the ClamAV antivirus software. It recognizes if the software is installed and running, and also checks the version of its main engine and signatures. The values are then compared to values in a policy. If the state of the ClamAV on the AR is not compliant to the policy, the IMV will give a Isolate-recommendation; this would allow the AR to update ClamAV and to remediate itself.

 

IMC/IMV pair for Attestation

This IMC/IMV pair provides the functionality to securely obtain the measurements of the TPM and to validate them on the side of the PDP. To do so, the value of the Platform Configuration Register is quoted with an AIK by the IMC and send to the IMV, which compares the PCR and AIK to known values within its policy.

Parts of this policy look like the following:

# PCR values of reference system

# pcrX=<20 byte SHA-1 hash as 40 characters ASCII string>

pcr0=a234567890123456789012345678901234567890

...

 

# Known AIKs, identified by fingerprint of X.509 AIK credential

aik=DC:30:E6:EA:F1:97:5D:90:E6:AE:D0:A3:C8:62:5C:61:93:9B:96:4B

...

One can also specify, if all PCR values shall be send at once, or every PCR value within a single Tspi_TPM_Quote, which allows to check which PCR has caused the authentication to fail.

IMC/IMV pair for platform identification

The second IMC/IMV pair that makes use of the TPM is used to identify a device. It uses a non-migratable key whose private part is bound to the platform of the TPM. With the public part of that key, a X.509 certificate is generated and stored within an arbitrary key infrastructure within the tNAC network. Inside the authentication phase, it is checked if the AR owns an appropriate and therefore known key.

Integrating a TNC-Client into Turaya

Integration of tNAC into Turaya
Image: Integration of tNAC into Turaya

Turaya features a secure environment for any software through isolation. Integrating TNC into Turaya offers a secure base for trustworthy measurements.

  • The Integrity Measurement Collectors (IMCs) run in the same compartment as the software they monitor/measure, the TNC-Client (TNCC) runs in a separate - strictly isolated - compartment, all compartments are based on the conventional operating system.
  • Because therefore a direct communication between IMCs and TNCC is not possible, wrapper components (wTNCC and wIMC) are used to keep this isolation transparent. To establish communication between the components in different compartments anyway, the information exchange happens through interprocess communication (IPC).

To top

Policy Management

tNAC Policy Management
Image: tNAC Policy Management

For managing TNC guidelines following components are needed:

  • A Java service, which synchronizes the PDP and the Policy Manager
  • A server sided application which is running on a J2EE application server - e.g. JBoss - and a database, used for configuration data
  • A java "swing" GUI for managing the guidelines of the PDP or PDPs

Communication between Policymanager and PDP:

  • New or modified policies get pushed to the PDP by the Policy Manager using JMS

Guidelines:

  • Policies are written in XACML, where the useable functions are geared to the IMV-Policies of IF-M
  • Policies can be defined for single users or different groups

To top

Remediation

Remeditation in tNAC
Image: Remeditation in tNAC, click to enlarge in new window

Remediation Instructions

  • defined by the producer of the IMC-IMV pair
  • two types of remediation instructions: with / without requirement of resources
  • types: patch, update, install, configure, delete, start/stop services

Provisioning and Remediation Applications

These are Applications which execute the remediation instructions. They can be divided into the following categories:

  • embedded: The PRA is part of the IMC
  • component specific: The PRA is integrated in the component to remediate (e.g. update routine of an anti-virus solution
  • external: External Application, e.g. a Patch Client

Additional Components for Remediation

Needed for controlling the remediation and to grant the User the ability to control the remediation process. The remediation instructions are executed by the PRAs.

 

The User gets an overview of the remediation instructions and can choose which instructions should be executed and which are not. Finally the user can start the remediation process. To achieve this the following new components are needed:

  • Remediation Controller: Implemented as library
  • Report Generator: Implemented as library
  • Remediation Manager: Implemented as dialog application

The Interface between Remediation Controller and IMC is IF-RC and defines 4 new methods.

To top

System Management

System Management
Image: System Management, click to enlarge in new window

The System Management (SysMgmt) is a tNAC component which allows the management of any server sided tNAC entity (PEPs, PDPs, Policy Manager (PM) and maybe the Remediation Management System (RMS)) by the tNAC administrator.

At its current state the SysMgmt implements two features:

  • Configuration Management: Allows the administrator to create & modify the entity configuration

    • Java Swing or Web-based
    • Dynamically generate (text-based) configuration files based on XML configuration descriptions
    • Easy integration of any other manamgement interface, e.g. a WebGUI of a 802.1X switch

  • System monitoring: Monitoring of tNAC entities and report generation

    Two different types of information:

    • Basic information (any entity)
      • System load (mem, cpu)
      • Disk usage
      • etc.
    • Special information (entity specific)- e.g.:
      • PEP: Number of active connections and last policy update
      • PDP: Informations about accepted, isolated and rejected connection attempts
      • Policy-Manager: Last change of a policy

To top