1
IF-MAP: Open Standards for Coordinating Security
Presentation for SAAG
IETF 72, July 31, 2008
Steve Hanna
2
Information Security Past - Isolation
[Diagram: three isolated groups of security products]
• Host Security: Host Firewall, Host Intrusion Detection & Prevention, Host Anti-Virus
• Network Security: Network Firewall, Network Intrusion Detection & Prevention, Virtual Private Networks, Data Loss Prevention, Vulnerability Scanners, Network Anti-Virus
• Server/Service Security: Identity Management, Server Security, Web Services Security
3
Information Security Present – Partial Coordination
[Diagram: the same three groups, now partly coordinated through Network Access Control (NAC)]
• Host Security: Host Firewall, Host Intrusion Detection & Prevention, Host Anti-Virus
• Network Security: Network Firewall, Network Intrusion Detection & Prevention, Virtual Private Networks, Data Loss Prevention, Vulnerability Scanners, Network Anti-Virus
• Server/Service Security: Identity Management, Server Security, Web Services Security
• Network Access Control (NAC)
4
Information Security Future – Full Coordination
[Diagram: the same three groups, fully coordinated through NAC with IF-MAP]
• Host Security: Host Firewall, Host Intrusion Detection & Prevention, Host Anti-Virus
• Network Security: Network Firewall, Network Intrusion Detection & Prevention, Virtual Private Networks, Data Loss Prevention, Vulnerability Scanners, Network Anti-Virus
• Server/Service Security: Identity Management, Server Security, Web Services Security
• NAC with IF-MAP
5
Basic NAC Architecture
[Diagram: Access Requestor (AR) -> Policy Enforcement Point (PEP) -> Policy Decision Point (PDP); VPN]
6
Integrating Other Security Systems
[Diagram: Access Requestor (AR) -> Policy Enforcement Point (PEP) -> Policy Decision Point (PDP); VPN; a Metadata Access Point (MAP) connecting the PDP with Sensors and Flow Controllers]
7
TNC Architecture
[Diagram: TNC components and the interfaces between them]
• Access Requestor: Integrity Measurement Collectors (IMC), TNC Client (TNCC), Network Access Requestor; TPM, TSS and Platform Trust Service (PTS), reached over IF-PTS
• Policy Enforcement Point (PEP)
• Policy Decision Point: Integrity Measurement Verifiers (IMV), TNC Server (TNCS), Network Access Authority
• Metadata Access Point; Sensors and Flow Controllers
• Interfaces: IF-M (IMC to IMV), IF-IMC, IF-IMV, IF-TNCCS (TNCC to TNCS), IF-T, IF-PEP, IF-PTS, and IF-MAP between the Metadata Access Point and the PDP, Sensors and Flow Controllers
8
What is IF-MAP?
• Standard Published by Trusted Computing Group
  – https://www.trustedcomputinggroup.org/groups/network
• Standard Requests & Responses
  – Publish, Search, Subscribe, Poll
• Standard Identifiers
  – device, identity, ip-address, mac-address, access-request
• Standard Metadata
  – device-attribute, event, role, capability, layer2-information
• Standard Links (marked with metadata)
  – access-request-device, access-request-ip, access-request-mac, authenticated-as, authenticated-by, ip-mac
• Protocol Binding for SOAP
• Ability to define optional vendor-specific extensions
9
Example IF-MAP Graph
[Diagram: an IF-MAP graph of identifiers joined by links, with metadata attached to links]
• Identifiers (nodes): access-request = 111:33, identity = john.smith, mac-address = 00:11:22:33:44:55, ip-address = 192.0.2.55, ip-address = 192.0.2.60, ip-address = 192.0.2.7, device = 111:55
• Links (edges): authenticated-as, authenticated-by, access-request-mac, access-request-device, ip-mac
• Metadata shown: role = finance and employee; capability = access-finance-server-allowed; device-attribute = anti-virus-running; layer2-information (VLAN = 1234, Port = 12)
10
IF-MAP Benefits
• More Informed Sensors
  – Sensors can tune by role and other attributes
  – Should reduce false alarms
• Policy and Reports in Business Terms
  – User identity and role vs. IP address
  – Simpler, easier to manage
• Automated Response (if desired)
  – Faster response = stronger security
  – Less expense due to automation
• Customer Choice and Flexibility
  – No need to buy all security products from one vendor
  – Can reuse and integrate existing security systems
11
Security and Privacy Considerations
• MAP = Storehouse of Sensitive Data, Critical Nerve Center
  – MUST
    • TLS with mutual auth for IF-MAP clients
    • publisher-id and timestamp to track changes
  – SHOULD
    • authorization, DOS protection, anomaly detection, physical and operational security, hardening, etc.
    • not keep historical data
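An added example, not code from the presentation or from TCG: a minimal in-memory model of the IF-MAP graph from the "Example IF-MAP Graph" slide, with publish and bounded-depth search from the "What is IF-MAP?" slide and the publisher-id/timestamp tagging this slide requires. Link endpoints the graph slide leaves implicit (which IP belongs to the PDP, who publishes ip-mac) and the publisher names are assumptions of this example.

```python
from collections import defaultdict
from itertools import count
class Map:
    """Minimal Metadata Access Point: identifiers are nodes, links are undirected edges."""
    def __init__(self):
        self.nodes = defaultdict(list)   # identifier -> [metadata dicts]
        self.links = defaultdict(list)   # frozenset({a, b}) -> [metadata dicts]
        self.adj = defaultdict(set)      # identifier -> neighbouring identifiers
        self._clock = count(1)           # constructed monotonic timestamp source

    def publish(self, publisher_id, meta, a, b=None):
        """Publish metadata on identifier a, or on the link between a and b."""
        tagged = {**meta, "publisher-id": publisher_id, "timestamp": next(self._clock)}
        if b is None:
            self.nodes[a].append(tagged)
        else:
            self.links[frozenset((a, b))].append(tagged)
            self.adj[a].add(b)
            self.adj[b].add(a)

    def search(self, start, max_depth):
        """Breadth-first walk from start, at most max_depth links out: {identifier: depth}."""
        seen, frontier = {start: 0}, [start]
        for depth in range(1, max_depth + 1):
            frontier = [n for cur in frontier for n in self.adj[cur] if n not in seen]
            seen.update((n, depth) for n in frontier)
        return seen

    def link_metadata(self, a, b, name):
        """Values of one metadata type (e.g. 'role') published on the a--b link."""
        return [m[name] for m in self.links[frozenset((a, b))] if name in m]

def example_graph():
    """The 'Example IF-MAP Graph' slide; link endpoints the slide leaves implicit are assumed."""
    m, ar = Map(), ("access-request", "111:33")
    ident, mac = ("identity", "john.smith"), ("mac-address", "00:11:22:33:44:55")
    ip, dev, pdp = ("ip-address", "192.0.2.55"), ("device", "111:55"), ("ip-address", "192.0.2.7")
    m.publish("pdp-1", {"authenticated-as": True, "role": "finance and employee",
                        "capability": "access-finance-server-allowed"}, ar, ident)
    m.publish("pdp-1", {"access-request-mac": True, "layer2-information": {"VLAN": 1234, "Port": 12}}, ar, mac)
    m.publish("pdp-1", {"access-request-device": True, "device-attribute": "anti-virus-running"}, ar, dev)
    m.publish("pdp-1", {"authenticated-by": True}, ar, pdp)  # assumed: 192.0.2.7 is the PDP's address
    m.publish("dhcp-1", {"ip-mac": True}, ip, mac)           # assumed publisher: a DHCP-watching sensor
    return m

def resolve_user(m, ip_value):
    """A sensor's question (IF-MAP Benefits slide): which identity and role sit behind this IP?"""
    reached = m.search(("ip-address", ip_value), 3)  # ip -> mac -> access-request -> identity
    ar = next((n for n in reached if n[0] == "access-request"), None)
    ident = next((n for n in reached if n[0] == "identity"), None)
    return None if ar is None or ident is None else (ident[1], m.link_metadata(ar, ident, "role"))
```

A sensor seeing only 192.0.2.55 gets back john.smith and the role "finance and employee", which is the "policy in business terms" point; an IP the MAP has never seen resolves to nothing rather than to a guess.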
12
Discussion