Page 1: IF-MAP: Open Standards for Coordinating Security

Presentation for SAAG, IETF 72, July 31, 2008

Steve Hanna [email protected]

Page 2: Information Security Past – Isolation (diagram of stand-alone product boxes)

• Host Security – Host Firewall, Host Intrusion Detection & Prevention, Host Anti-Virus
• Network Security – Network Firewall, Network Intrusion Detection & Prevention, Virtual Private Networks, Data Loss Prevention, Vulnerability Scanners, Network Anti-Virus
• Server/Service Security – Identity Management, Server Security, Web Services Security

Page 3: Information Security Present – Partial Coordination (diagram)

• Same three product groups as Page 2 (Host Security, Network Security, Server/Service Security)
• Network Access Control (NAC) added as the coordinating element

Page 4: Information Security Future – Full Coordination (diagram)

• Same three product groups as Page 2 (Host Security, Network Security, Server/Service Security)
• NAC with IF-MAP as the coordinating element

Page 5: Basic NAC Architecture (diagram)

• Access Requestor (AR)
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP)
• VPN

Page 6: Integrating Other Security Systems (diagram)

• Access Requestor (AR)
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP)
• Metadata Access Point (MAP)
• Sensors, Flow Controllers
• VPN

Page 7: TNC Architecture (diagram)

• Access Requestor – Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor, Platform Trust Service (PTS), TSS, TPM
• Policy Enforcement Point – Network Access Enforcement Point (PEP)
• Policy Decision Point – Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority
• Metadata Access Point, Sensors and Flow Controllers (Sensor, Flow Controller)
• Interfaces – IF-M, IF-IMC, IF-IMV, IF-TNCCS, IF-T, IF-PEP, IF-PTS, and IF-MAP (between the Metadata Access Point and the PDP, PEP, sensors and flow controllers)

Page 8: What is IF-MAP?

• Standard Published by Trusted Computing Group
– https://www.trustedcomputinggroup.org/groups/network
• Standard Requests & Responses
– Publish, Search, Subscribe, Poll
• Standard Identifiers
– device, identity, ip-address, mac-address, access-request
• Standard Metadata
– device-attribute, event, role, capability, layer2-information
• Standard Links (marked with metadata)
– access-request-device, access-request-ip, access-request-mac, authenticated-as, authenticated-by, ip-mac
• Protocol Binding for SOAP
• Ability to define optional vendor-specific extensions

Page 9: Example IF-MAP Graph (diagram)

• Identifiers
– access-request = 111:33
– identity = john.smith
– mac-address = 00:11:22:33:44:55
– ip-address = 192.0.2.55
– ip-address = 192.0.2.60
– ip-address = 192.0.2.7
– device = 111:55
• Metadata
– role = finance and employee
– capability = access-finance-server-allowed
– device-attribute = anti-virus-running
– layer2-information: VLAN = 1234, Port = 12
• Links
– authenticated-as, authenticated-by, access-request-mac, access-request-device, ip-mac

Page 10: IF-MAP Benefits

• More Informed Sensors
– Sensors can tune by role and other things
– Should reduce false alarms
• Policy and Reports in Business Terms
– User identity and role vs. IP address
– Simpler, easier to manage
• Automated Response (if desired)
– Faster response = stronger security
– Less expense due to automation
• Customer Choice and Flexibility
– No need to buy all security products from one vendor
– Can reuse and integrate existing security systems

Page 11: Security and Privacy Considerations

• MAP = Storehouse of Sensitive Data, Critical Nerve Center
– MUST
  • TLS with mutual auth for IF-MAP clients
  • publisher-id and timestamp to track changes
– SHOULD
  • authorization, DOS protection, anomaly detection, physical and operational security, hardening, etc.
  • not keep historical data
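An added example (my own code, not from the slides or any TCG IF-MAP implementation) that models Page 8's identifiers, metadata and links as a small in-memory graph, loads Page 9's example graph, stamps every published item with publisher-id and timestamp as Page 11 requires, and performs the Page 10 lookup a sensor would do: resolving an IP address to the user's roles. Which node or link each metadata item sits on, and the publisher ids, are my assumptions; the real protocol uses a SOAP binding, which is not modelled here.

```python
"""Toy in-memory IF-MAP metadata graph: added example, not code from the slides or the TCG."""
from collections import defaultdict
from datetime import datetime, timezone


class MapServer:
    def __init__(self):
        self.meta = defaultdict(list)   # identifier or link -> list of metadata dicts
        self.links = defaultdict(set)   # identifier -> identifiers it is linked to

    def publish(self, publisher_id, name, ident, other=None, **attrs):
        # Attach metadata to an identifier, or to the link (ident, other) when other is given;
        # the server, not the client, stamps publisher-id and timestamp (Page 11).
        target = ident
        if other is not None:
            target = frozenset((ident, other))
            self.links[ident].add(other)
            self.links[other].add(ident)
        self.meta[target].append({"name": name, **attrs, "publisher-id": publisher_id,
                                  "timestamp": datetime.now(timezone.utc).isoformat()})

    def linked(self, ident, link_name):
        # Identifiers joined to `ident` by a link carrying metadata called `link_name`.
        return [n for n in self.links[ident]
                if any(m["name"] == link_name for m in self.meta[frozenset((ident, n))])]


def build_page9_graph():
    # Page 9's graph; placement of each item and the publisher ids are assumptions.
    s = MapServer()
    ar, who = ("access-request", "111:33"), ("identity", "john.smith")
    mac, ip = ("mac-address", "00:11:22:33:44:55"), ("ip-address", "192.0.2.55")
    dev, pdp = ("device", "111:55"), ("ip-address", "192.0.2.7")
    s.publish("pdp-1", "authenticated-as", ar, who)
    s.publish("pdp-1", "authenticated-by", ar, pdp)
    s.publish("pdp-1", "access-request-device", ar, dev)
    s.publish("pdp-1", "capability", ar, value="access-finance-server-allowed")
    for role in ("finance", "employee"):        # slide reads "role=finance and employee"
        s.publish("pdp-1", "role", who, value=role)
    s.publish("pdp-1", "device-attribute", dev, value="anti-virus-running")
    s.publish("switch-1", "access-request-mac", ar, mac)
    s.publish("switch-1", "layer2-information", ar, mac, vlan="1234", port="12")
    s.publish("dhcp-1", "ip-mac", ip, mac)
    return s


def roles_for_ip(server, ip_value):
    # Sensor lookup (Page 10): ip-address -> mac-address -> access-request -> identity -> roles.
    roles = set()
    for mac in server.linked(("ip-address", ip_value), "ip-mac"):
        for ar in server.linked(mac, "access-request-mac"):
            for who in server.linked(ar, "authenticated-as"):
                roles.update(m["value"] for m in server.meta[who] if m["name"] == "role")
    return roles
```

With the graph loaded, `roles_for_ip(server, "192.0.2.55")` returns both of john.smith's roles, which is what lets an alert on that address be filtered and reported by user and role rather than by IP.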

Page 12: Discussion
