Introduction of Trusted Network Connect
Houcheng Lee, houchen1@umbc.edu
May 9, 2007

What is Trusted Computing?

Trusted Computing Group (TCG)
Copyright© 2007 Trusted Computing Group - Other names and brands are properties of their respective owners.

Trusted Computing Group (TCG) Membership
170 Total Members as of January, 2007

Promoters: AMD; Hewlett-Packard; IBM; Intel Corporation; Microsoft; Sun Microsystems, Inc.

Contributors: Adaptec, Inc.; Agere Systems; American Megatrends, Inc.; ARM; Atmel; AuthenTec, Inc.; AVAYA; Broadcom Corporation; Certicom Corp.; Check Point Software, Inc.; Citrix Systems, Inc.; Comodo; Dell, Inc.; Endforce, Inc.; Ericsson Mobile Platforms AB; France Telecom Group; Freescale Semiconductor; Fujitsu Limited; Fujitsu Siemens Computers; Funk Software, Inc.; General Dynamics C4 Systems; Giesecke & Devrient; Hitachi, Ltd.; Infineon; InfoExpress, Inc.; InterDigital Communications; iPass; Lenovo Holdings Limited; Lexmark International; Lockheed Martin; M-Systems Flash Disk Pioneers; Maxtor Corporation; Meetinghouse Data Communications; Mirage Networks; Motorola Inc.; National Semiconductor; nCipher; NEC; Nevis Networks, USA; Nokia; NTRU Cryptosystems, Inc.; NVIDIA; OSA Technologies, Inc; Philips; Phoenix; Pointsec Mobile Technologies; Renesas Technology Corp.; Ricoh Company LTD; RSA Security, Inc.; Samsung Electronics Co.; SanDisk Corporation; SCM Microsystems, Inc.

Adopters: ConSentry Networks; CPR Tools, Inc.; Credant Technologies; Fiberlink Communications; Foundstone, Inc.; GuardianEdge; ICT Economic Impact; Industrial Technology Research Institute; Infosec Corporation; Integrated Technology Express Inc.; LANDesk; Lockdown Networks; Marvell Semiconductor, Inc.; MCI; Meganet Corporation; Roving Planet; SafeBoot; Safend; Sana Security; Secure Elements; Senforce Technologies, Inc; SII Network Systems, Inc.; Silicon Storage Technology, Inc.; Softex, Inc.; StillSecure; Swan Island Networks, Inc.; Symwave; Telemidic Co. Ltd.; Toppan Printing Co., Ltd.; Trusted Network Technologies; ULi Electronics Inc.;
Adopters (continued): Valicore Technologies, Inc.; Websense.

Contributors (continued): Seagate Technology; Siemens AG; SignaCert, Inc.; Silicon Integrated Systems Corp.; Sinosun Technology Co., Ltd.; SMSC; Sony Corporation; STMicroelectronics; Symantec; Symbian Ltd; Synaptics Inc.; Texas Instruments; Toshiba Corporation; TriCipher, Inc.; Unisys; UPEK, Inc.; Utimaco Safeware AG; VeriSign, Inc.; Vernier Networks; Vodafone Group Services LTD; Wave Systems; Winbond Electronics Corporation.

Adopters (continued): Advanced Network Technology Labs; Apani Networks; Apere, Inc.; ATI Technologies Inc.; BigFix, Inc.; BlueRISC, Inc.; Bradford Networks; Caymas Systems; Cirond.

TCG Key Players

Trusted Platform Module (TPM)

Trusted Platform Module (TPM) Introduction
What is a TPM? A hardware module.
What does it do? V1.2 functions, including:
• stores OS status information
• generates/stores a private key
• creates digital signatures
• anchors the chain of trust for keys, digital certificates, and other credentials

TPM – TCG Definition
• Asymmetric Key Module: generate, store & back up public/private key pairs; generate digital signatures, encrypt/decrypt data
• Trusted Boot Configuration: storage of software digests during the boot process
• Anonymous Attestation: endorsement key used to establish properties of multiple identity keys
• TPM Management: turn it on/off, ownership / configure functions, etc.

TPM – Abstract Definition
• Root of Trust in a PC: operations or actions based on the TPM have measurable trust. A flexible usage model permits a wide range of actions to be defined.
• Doesn’t Control the PC (about DRM): the user still has complete control over the platform.
• It’s OK to turn the TPM off (it ships disabled). The user is free to install any software he/she pleases.

Why Not Software?
• Software is hard to secure. Ultimately, it is usually based on something stored in a relatively insecure location (like the hard drive).
• Soft data can be copied. This lets an attacker take more time or apply more equipment to the attack procedure.
• Security can’t be measured. Two users running the same software operation may see radically different risks.

[...]

... check integrity of objects accessing the network
• [Cisco] Network Admission Control (NAC)
• [Microsoft] Network Access Protocol (NAP)
• [TCG] Trusted Network Connect (TNC): support multi-vendor interoperability; leverage existing standards; empower enterprises with choice

Trusted Network Connect Advantages
... Measurement flow

Trusted Network Connect (TNC)
What is TNC? An open architecture for Network Access Control; a suite of standards developed by the Trusted Computing Group.

Network Endpoint Problem
... Incorporates Trusted Computing concepts - guarding the guard

Controlling Integrity of What is on the Network
Moving from “who” is allowed on the network (user authentication) to “who” and “what” is allowed on the network (adding platform integrity verification)

...
... software from Lenovo; obligation to preserve data; METI funded
• Fujitsu’s TNC deployment verifies HW and app config for a session of broadband telemedicine
• Hitachi’s TPM-based system for home health care
• IBM’s Trusted Virtual Domains
• Microsoft Vista BitLocker

Thank you. Questions?

... deleted/isolated
• What is your OS patch level?
• Is unauthorized software present?
• Other - IDS logs, evidence of port scanning

Network Operator Access Policy
Define policy for what must be checked (e.g. virus, spyware and OS patch level) and the required results of the checks (e.g. must run VirusC- version 3.2 or higher, ...)

... and verifies received values

TPM Integrity Check
Access Requestor – Policy Enforcement Point – Policy Decision Point
TPM – Trusted Platform Module
• HW module built into most of today’s PCs
• Enables a HW Root of Trust
• Measures critical components during trusted boot
• PTS-IMC interface allows the PDP ...

... increasingly targeting the network via valid client infection
• Clients ‘innocently’ infect entire networks
• Client scanning demands move from once/week to once/login
• New malware threats are emerging at an increasing rate

Network Integrity Architectures
Several initiatives are pursuing Network Integrity ...

Check at connect time
[Figure: check at connect time]
Can I connect?
- Who are you?
- What is on your computer?
Enterprise Net: User DB + Integrity DB
Access control dialog ...
• OSHotFix 2499
• OSHotFix 9288
• AV (one of): Symantec AV 10.1; McAfee Virus Scan 8.0
• Firewall

Customized Network Access
[Figure: Access Requestor – Policy Enforcement Point – Policy Decision Point; Guest User → Internet Only Network; Ken – R&D → R&D Network; Linda – Finance → Finance Network; Windows XP ...]

[Figure: Quarantine Net / Enterprise Net]
Can I connect? No, I am quarantining you. Try again when you’re fixed up.
User DB + Integrity DB; access control dialog data

TNC Architecture
[Figure: TNC architecture diagram]
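The connect-time dialog, the operator policy (hotfixes 2499 and 9288, one of Symantec AV 10.1 or McAfee Virus Scan 8.0, a firewall), the quarantine decision and the per-role network assignment above, together with the TPM's storage of boot-time software digests described earlier, as one simulated Policy Decision Point. This is an added example, not code from the slides or from TCG; the boot component names, the SHA-1 PCR-extend simulation, the report layout and the "major.minor" version format are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Simulated TPM 1.2 PCR: 20-byte SHA-1 register starting at zero. Extend folds each
# measured digest in, so the result depends on every component and their order.
def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = bytes(20)
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr

# Constructed boot chain (stand-ins for BIOS, boot loader, OS loader); the
# Integrity DB stores the PCR value a clean boot of this chain produces.
GOOD_BOOT = [b"bios-v1", b"bootloader-v2", b"os-loader-v7"]
KNOWN_GOOD_PCR = measure_boot(GOOD_BOOT)

# Network operator access policy, transcribed from the deck's example requirements.
REQUIRED_HOTFIXES = {2499, 9288}
ACCEPTED_AV = {"Symantec AV": (10, 1), "McAfee Virus Scan": (8, 0)}  # minimum versions
ROLE_NETWORK = {"Guest": "Internet Only Network", "R&D": "R&D Network", "Finance": "Finance Network"}

@dataclass
class Report:
    """Integrity report the Access Requestor's IMCs send to the PDP (assumed layout)."""
    role: str
    pcr: bytes        # boot measurement as reported by the TPM
    hotfixes: set     # installed OS hotfix numbers
    av: tuple         # (product, "major.minor")
    firewall: bool

def decide(report: Report) -> tuple:
    """Policy Decision Point: returns (decision, network, reasons)."""
    reasons = []
    if report.pcr != KNOWN_GOOD_PCR:
        reasons.append("boot measurement mismatch")
    missing = REQUIRED_HOTFIXES - report.hotfixes
    if missing:
        reasons.append("missing hotfixes %s" % sorted(missing))
    product, version = report.av
    ver = tuple(int(x) for x in version.split("."))
    if product not in ACCEPTED_AV or ver < ACCEPTED_AV[product]:
        reasons.append("antivirus not acceptable")
    if not report.firewall:
        reasons.append("firewall off")
    if reasons:  # fail closed: the PEP puts the endpoint on the Quarantine Net
        return ("quarantine", "Quarantine Net", reasons)
    return ("allow", ROLE_NETWORK.get(report.role, "Internet Only Network"), [])
```

A tampered boot component changes the PCR value even when the rest of the report is clean, which is what the TPM-anchored check adds over software-only inventory.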