Intrusion Detection with Trusted Network Connect
By Barbara Nelson


In today’s computing environment, where intrusion attempts are commonplace, protecting network systems from high-risk endpoints is critical. Until recently there was no vendor-neutral industry standard for checking the integrity of a client before it is admitted to a corporate network, whether the threat it carries is inadvertent or intentional. With the Trusted Computing Group’s (TCG) Trusted Network Connect (TNC) specifications, announced in May 2005, such a standard now exists.

Historically, client network connection requests have been granted or denied based on the client’s ability to prove its credentials: passwords, machine certificates and user certificates. This approach ignores the possibility that the client platform already carries malicious code (viruses, Trojans, other malware) that will spread through the network once IP connectivity is granted. Corporate networks need an access decision that takes the state of the endpoint into account, not only the identity of its user.

Network Security is Critical
Increased costs to businesses from worms and viruses, together with regulatory compliance initiatives, are forcing enterprise network operators to take control of their open corporate IP networks. Outsourcing, B2B connectivity, telecommuting, workforce mobility and the growing number of applications that depend on the corporate network have all proliferated in recent years. Their sheer volume has diminished the ability of IT staff and security administrators to protect their largest enterprise assets (network availability, business continuity and confidential information) and to prove compliance during audits.

The problem is further exacerbated by the rapid growth in mobile computing (laptops, handhelds and wireless), remote-access virtual private networks (VPNs), dial-up services and high-speed cable and DSL. In most cases the weakest links are the devices accessing the network, referred to as endpoints. When connected to the public Internet these devices are at high risk of infection from a myriad of worms, viruses and spyware. Left unattended, vulnerable and non-compliant endpoints bring those exposures into the corporate network at their next logon.

Trusted Network Connect to the Rescue
A year and a half ago, a number of industry vendors started a subgroup called Trusted Network Connect under TCG. Their charter was to develop open specifications for network security that would protect networks from intruders.

Endpoint integrity solutions developed by network security vendors have attempted to meet this challenge. However, a lack of interoperability among various industry initiatives and vendors’ security products was slowing the wide adoption of these solutions in enterprises that use products and software from many sources. TCG met this challenge head on through its Trusted Network Connect initiative.

TNC’s approach to resolving the problem was to define a set of client and server components and a corresponding set of application programming interfaces (APIs). The APIs let products from multiple vendors participate in the network access decision. When a client device attempts to connect to a protected network via some policy enforcement point (such as a router or VPN concentrator), the policy enforcement point queries a policy decision point to determine whether the client device should get full network access, isolated network access (sufficient to remediate), or no network access.

The network access decision is based on several pieces of information including:

1. User information (who is trying to connect and are they authorized to be on this network?)
2. Device information (is this a known client device?)
3. Client state information (what applications are running and are they patched and up-to-date; is the personal firewall correctly configured; are the AV definition files current, etc.?)

The TNC Architecture Explained
The TNC architecture facilitates the gathering of client state information in a vendor-independent manner by defining a pair of client-side components: the TNC client (TNCC) and the integrity measurement collectors (IMCs). The TNCC aggregates integrity measurements from the IMCs and sends them across the network to the policy decision point. The TNCC also helps manage the integrity check handshake and the measurement and reporting of platform and IMC integrity. Each IMC is responsible for measuring some aspect of the client’s integrity. For example, one IMC might measure anti-virus parameters and report the AV version, status and time of last scan; another might measure the personal firewall and report its current settings.

In the policy decision point there is a corresponding set of TNC components: the TNC server (TNCS) and the integrity measurement verifiers (IMVs). The TNCS manages the flow of messages between IMVs and IMCs, gathers recommendations from the IMVs, and combines those recommendations (based on policy) into an overall action recommendation for the policy enforcement point. Each IMV verifies a particular aspect of the client’s integrity based on measurements received from IMCs and/or other data. There is typically one IMV corresponding to each client-side IMC that knows how to interpret the measurements provided by that IMC. (See Figure 1 below for the components of the TNC architecture.)

How Does TNC Protect the Network?
TNC protects networks from unwanted intrusions, viruses and Trojans by verifying the endpoint integrity of any device that connects to the network, before granting network access. The goal is that every client allowed to connect has been validated, is trustworthy, and has the required configuration and software. At the core of the TCG specification is the concept of endpoint integrity and trustworthiness. Endpoint integrity increases network security by ensuring that only “healthy and safe systems” can connect to a network: every endpoint must comply with security policies and best practices such as running an up-to-date anti-virus application, having an active personal firewall and keeping the system current with the latest system and application patches. One caveat a practitioner should keep in mind: the measurements are collected by software running on the endpoint itself. Unless they are anchored in the platform integrity mechanisms mentioned above, a compromised client can report a healthy state, so an integrity check raises the bar for admission but does not by itself prove the absence of malicious code.

To achieve this, endpoint integrity determination must be linked with the authorization decision and network access control. In a typical network environment many components from various vendors have to play together in an orchestrated fashion to achieve this, hence the need for standards. Access is typically granted on user identity alone; device identity and system configuration should also form part of the integrity credentials communicated to a back-end policy server for verification and authorization.

Two open standard interfaces are therefore required. The first is a client-side interface between the various security agents and a broker that collects the integrity measurements from those agents and forwards them to the policy decision point (PDP), which assesses the client’s status before authorizing access. The second is a server-side interface for the policy verification components that assess the collected integrity measurements and provide recommendations as to the client’s network access. (In the TNC specifications these two interfaces are published as IF-IMC and IF-IMV.)

When a client device attempts to connect to a protected network, the network access requestor calls the TNC client to request integrity measurements. The TNC client calls each IMC to get the initial set of measurements. These measurements are then conveyed from the TNC client to the TNC server within some underlying authentication protocol (802.1X, IPsec, etc.). The TNC server delivers the measurements to the corresponding IMVs. An IMV may request more information from an IMC; the request is conveyed back through the TNC server and the TNC client to the IMC. This request/response dialog continues until every IMV has received enough information to make a recommendation. The TNC server then makes an overall recommendation based on the input from the IMVs. With the release of these open-standard APIs, all application vendors can participate in providing interoperable, end-to-end, trusted network computing solutions.
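The handshake just described, together with the client- and server-side components and the three decision inputs (user, device, client state) listed earlier, as an added simulation written for this article; it is not code from TCG's specifications or from any vendor's product. The IF-IMC/IF-IMV message exchange is reduced to Python calls, the component names follow the text, and the policy thresholds (MIN_AV_DEFS, MAX_SCAN_AGE_DAYS, MAX_ROUNDS), the measurement keys and the sample endpoint states are all assumptions:

```python
"""Simulated TNC integrity-check handshake: IMCs -> TNC client -> TNC server -> IMVs.
Added illustration, not TCG code: real IF-IMC/IF-IMV messages ride inside 802.1X or IPsec;
here the transport is a Python call and every policy threshold is an assumption."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, Optional, Tuple

MAX_ROUNDS = 4           # assumed cap on IMV<->IMC request/response rounds
MIN_AV_DEFS = 20050501   # assumed policy: AV definition build must be at least this
MAX_SCAN_AGE_DAYS = 7    # assumed policy: last full scan within a week

class Action(Enum):      # overall recommendation handed to the policy enforcement point
    ALLOW = "full access"
    ISOLATE = "isolated access (remediation only)"
    NONE = "no access"

@dataclass
class ClientState:       # constructed sample of what IMCs would measure on a real endpoint
    av_def_version: int
    av_last_scan_age_days: int
    firewall_enabled: bool
    firewall_inbound_default: str   # "deny" or "allow"
    missing_critical_patches: int

class IMC:
    """Client-side collector: one initial measurement plus answers to IMV follow-ups.
    Everything here is self-reported by software running on the endpoint."""
    def __init__(self, name: str, initial: Dict, follow_ups: Dict[str, Dict]):
        self.name, self.initial, self.follow_ups = name, initial, follow_ups

    def receive(self, request: str) -> Dict:
        return self.follow_ups.get(request, {})

class TNCClient:
    """Aggregates IMC measurements and relays each IMV request to the matching IMC."""
    def __init__(self, imcs: Iterable[IMC]):
        self.imcs = {imc.name: imc for imc in imcs}

    def initial_batch(self) -> Dict[str, Dict]:
        return {name: imc.initial for name, imc in self.imcs.items()}

    def answer(self, requests: Dict[str, str]) -> Dict[str, Dict]:
        return {name: self.imcs[name].receive(req)
                for name, req in requests.items() if name in self.imcs}

Verdict = Tuple[Optional[Action], Optional[str]]   # (recommendation, follow-up request)

class IMV:
    """Server-side verifier: accumulates measurements, then recommends or asks for more."""
    def __init__(self, name: str, verify: Callable[[Dict], Verdict]):
        self.name, self.verify, self.data = name, verify, {}

    def receive(self, msg: Dict) -> Verdict:
        self.data.update(msg)
        return self.verify(self.data)

def verify_antivirus(d: Dict) -> Verdict:
    if d["def_version"] < MIN_AV_DEFS:
        return Action.ISOLATE, None          # stale definitions: decided in one round
    if "last_scan_age_days" not in d:
        return None, "last_scan_age"         # ask the IMC for a second measurement
    return (Action.ALLOW if d["last_scan_age_days"] <= MAX_SCAN_AGE_DAYS else Action.ISOLATE), None

def verify_firewall(d: Dict) -> Verdict:
    return (Action.ALLOW if d["enabled"] and d["inbound_default"] == "deny" else Action.ISOLATE), None

def verify_patch(d: Dict) -> Verdict:
    return (Action.ALLOW if d["missing_critical"] == 0 else Action.ISOLATE), None

def build_client(state: ClientState, with_patch_imc: bool = True) -> TNCClient:
    imcs = [IMC("antivirus", {"def_version": state.av_def_version},
                {"last_scan_age": {"last_scan_age_days": state.av_last_scan_age_days}}),
            IMC("firewall", {"enabled": state.firewall_enabled,
                             "inbound_default": state.firewall_inbound_default}, {})]
    if with_patch_imc:
        imcs.append(IMC("patch", {"missing_critical": state.missing_critical_patches}, {}))
    return TNCClient(imcs)

def assess(client: TNCClient, user_authorized: bool, device_known: bool) -> Action:
    """TNC server: drive the handshake, then combine IMV recommendations under policy."""
    if not (user_authorized and device_known):   # identity checks come from the auth protocol
        return Action.NONE
    imvs = {n: IMV(n, v) for n, v in (("antivirus", verify_antivirus),
                                      ("firewall", verify_firewall), ("patch", verify_patch))}
    recs: Dict[str, Action] = {}
    batch = client.initial_batch()
    for _ in range(MAX_ROUNDS):
        requests: Dict[str, str] = {}
        for name, msg in batch.items():
            if name in imvs:                      # a measurement with no verifier is ignored
                rec, follow_up = imvs[name].receive(msg)
                if rec is None:
                    requests[name] = follow_up
                else:
                    recs[name] = rec
        if not requests:
            break
        batch = client.answer(requests)
    # Policy: every IMV must vouch. One left without a recommendation (its IMC is absent
    # on the client or never answered within MAX_ROUNDS) means isolate for remediation.
    verdicts = [recs.get(name, Action.ISOLATE) for name in imvs]
    if Action.NONE in verdicts:
        return Action.NONE
    return Action.ISOLATE if Action.ISOLATE in verdicts else Action.ALLOW

def run_handshake(state: ClientState, user_authorized: bool = True,
                  device_known: bool = True, with_patch_imc: bool = True) -> Action:
    return assess(build_client(state, with_patch_imc), user_authorized, device_known)
```

Running `run_handshake(ClientState(20050601, 2, True, "deny", 0))` yields full access after two rounds: the anti-virus IMV accepts the definition version on the first pass but asks its IMC for the age of the last scan before it will vouch, which is the multi-round dialog the text describes. Stale definitions, a disabled firewall or a missing critical patch each yield isolated access, a client that lacks the patch IMC altogether is also isolated because its IMV never hears from it, and an unauthorized user or unknown device is refused before any integrity data is examined. The combine step is a deliberately strict "all IMVs must allow" policy; a real TNCS makes that policy configurable, and, as the IMC class notes, every value it sees is self-reported by the endpoint.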

Trusted Network Connect Provides the Intrusion Detection Solution
TCG’s open TNC specification gives the industry a vendor-neutral, standards-based method to ascertain end-point integrity, and so to detect compromised or non-compliant clients, before they are granted connectivity to a network. Through trusted network connection protocols and trusted platform mechanisms, clients can be tested and authenticated before being allowed full network connectivity.

TCG led the industry’s vendor-neutral effort to establish an open-industry standard so that security products from many vendors that use the standard could participate in the decision-making process to determine what level of network access a device should be granted.

The Trusted Computing Group (TCG) was formed in 2003 to develop and promote open specifications to be used as building blocks for trusted computing, and now has about 110 members across the computing industry. The TNC standard was announced in May 2005. For more information, go to www.trustedcomputinggroup.com.

About the Author:
Barbara Nelson is the Senior Director of Advanced Technology for iPass. sident of Business Development for LogLogic.


© IMPIRE Communications, LLC All Rights Reserved.  Website designed & managed by Oculus Networks