8 Trusted Network Connection

Trusted network connection (TNC) is an application of trusted computing technology in network access control (NAC) framework, and it is an open NAC solution that can strengthen the trustworthiness of network environment. TNC is designed by Trusted Computing Group (TCG) to be compatible with other network access control solutions. TCG proposes a complete series of standards and specifications, including architecture, component interfaces and supporting technology. Since the proposal of TNC architecture, a variety of TNC prototypes are implemented based on all kinds of network access technologies. In order to accelerate the commercialization of TNC, some TCG members have designed products in compliance with TNC specifications, and have applied these products in various industrial fields. In the aspect of standards, TCG is working hard to evolve TNC specifications to more popular international standards, and has made some achievements. In China, many manufacturers have proposed their network security solutions based on TNC.

In this chapter, we first introduce the background of TNC, including NAC framework and existing commercial solutions and their defects. Then we take an overview of TCG’s work on TNC, including TNC architecture, working principle, advantages and current problems of TNC in the aspect of NAC. We also review some research work in TNC, including our ISCAS TNC system. Finally, we introduce the development of TNC in industrial fields and development trends of TNC in the future.

8.1 Background of TNC

The network access control framework, launched by CISCO and other network manufacturers, aims to protect the network security, especially the security of enterprise network. NAC framework requires verifying the terminal’s identity and security status before it accesses network, and guarantees that only legitimate and trusted terminals can access network. Because of the inherent advantages in protection of platform identity and trustworthiness, trusted computing technology is very suitable for NAC framework. In this background, the TNC architecture is proposed, which is the application of trusted computing technology to NAC framework. This section mainly introduces the TNC’s background, that is, the NAC framework, overviews popular commercial NAC solutions and summarizes the defects of the existing NAC solutions and TNC’s advantages in the aspect of NAC.

8.1.1 Introduction to NAC

8.1.1.1 Requirements of NAC Framework

With the development of networks, more and more network attacks appear, and the emergence of viruses, worms and Trojans threatens network users and enterprises. First, malicious attackers can illegally obtain resources or do damage after they access the network without permission. Second, even a legitimate user might be infected accidentally in an external network and bring the malicious code into the internal network, where it will spread.

Although traditional security solutions, such as firewalls and antivirus software, have been developing for years, they cannot control the spread of malicious code inside the network. As a result, malicious code (such as viruses, worms and Trojans) causes great losses every year and many enterprise security incidents, with a great impact on the economy. Therefore, the traditional security solutions alone cannot solve the security problems caused by malicious code. CISCO was the first enterprise to propose the NAC framework, which combines terminal security status checks with network control technology to ensure that all devices in the network meet security requirements.

The NAC framework improves network security by introducing user identity authentication and status authentication mechanisms. First, it requires users to provide their identity information when accessing the network, and only allows legitimate users to access it; this identity authentication effectively blocks unauthorized users. Second, it requires authentication of the terminal’s security status: the terminal reports its security status (e.g., whether the OS is updated, and whether antivirus software and the firewall are running) to the network access server, and terminals are allowed to access the network only if they meet the server’s security policy. By authenticating terminals’ identities and security status, the NAC framework keeps out illegal users and insecure terminals (such as terminals infected by malicious code). In this way, NAC guarantees the security of the network environment.

8.1.1.2 NAC Framework

The NAC framework is composed of four parts: NAC client agency, NAC policy enforcement point, NAC server and NAC policy server. The details of NAC framework are depicted in Figure 8.1. For the convenience of users, NAC provides an isolated domain that is used to repair terminals that fail to access the network. In the following, we will explain components in the NAC architecture.

(1) NAC client agency: It starts the access request and collects security information of the client.

(2) NAC policy server: The network administrator configures security policies in this server, and this server performs user identity authentication and security status authentication.

(3) NAC server: It gives access decisions based on the authentication results of the NAC policy server.

(4) NAC policy enforcement point: Usually a network access device, which enforces the access policies given by the NAC server.

(5) Isolated domain: An isolated network domain, in which terminals that fail to access the network can remedy the system components that do not meet the security requirements.

Figure 8.1: NAC architecture.

Figure 8.1 also depicts the process by which a terminal accesses the network:

(1) NAC client agency starts the access request.

(2) NAC policy enforcement point requires the terminal to send the user identity and security status information of the terminal.

(3) NAC client agency collects the terminal’s security status and identity information, and sends them to the NAC policy enforcement point.

(4) NAC policy enforcement point transfers the received information to the NAC server.

(5) NAC server transfers the received information to the NAC policy server for authentication.

(6) NAC policy server gives authentication results based on the user identity information and platform security information.

(7) NAC server gives an access decision based on the authentication results: access allowed or access isolated.

(8) NAC policy enforcement point enforces the access decision and notifies the terminal.

8.1.2 Commercial NAC Solutions

As the NAC framework can effectively improve the security of the network environment, many NAC products under various network access control frameworks have been put on the market. The most typical solutions are CISCO’s Network Admission Control (NAC) solution and Microsoft’s Network Access Protection (NAP) solution.

8.1.2.1 CISCO’s Network Admission Control

The NAC framework was first proposed by CISCO, which launched the NAC project in 2003 and subsequently released the NAC solution. This solution combines traditional security measures such as antivirus and security hardening with network access technology to ensure that all terminals in the network meet the administrator’s security policies (such as running the latest versions of antivirus software and the firewall), and thus greatly reduces the security risks caused by malicious code.

CISCO’s NAC architecture is compatible with the NAC framework, and its process is as follows. When a terminal tries to access the network, the network access devices (such as switches, wireless access points or VPN gateways) require the terminal to submit the security status information collected by its client agency. After the terminal submits its status information, the NAC server compares the status information against the security policies and gives an access decision based on the result. Terminals meeting the security requirements are allowed to access the network directly. Terminals that do not meet the security requirements are usually isolated in, or redirected to, a restricted LAN that limits their network access. The isolated terminals can then repair their components using the remedy server so as to meet the security policies, and are allowed to access the network once they do.

The security policy of CISCO’s NAC solution includes the following aspects:

(1) Check whether the terminal runs a legitimate OS version.

(2) Check whether the OS patches are installed, and whether they are updated in time.

(3) Check whether antivirus software is deployed on the terminal.

(4) Ensure that the antivirus software is running.

(5) Check whether the terminal has network security software such as a firewall installed, and whether it is configured correctly.

(6) Check whether the OS and firmware images have been tampered with.
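As an added illustration (not code from the chapter or from CISCO), the following Python program puts the NAC workflow of Section 8.1.1.2 and the six policy checks above into one place: a constructed terminal status report is evaluated by a policy-server function, and a NAC-server function turns the result into an allow/isolate decision together with the list of items the terminal must remedy in the isolated domain. The report schema, the policy values, the patch identifiers and the image hashes are all constructed sample data.

```python
"""NAC policy evaluation and access decision (constructed example).

The status report schema, policy values and image hashes below are sample data made up
for this illustration; they are not CISCO's agent format or real reference values.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class StatusReport:
    """What the NAC client agency collects on the terminal (constructed schema)."""
    os_version: str
    installed_patches: set
    days_since_patch_update: int
    antivirus_installed: bool
    antivirus_running: bool
    firewall: dict
    image_hashes: dict


# Reference values the network administrator configures on the NAC policy server.
POLICY = {
    "allowed_os_versions": {"10.0.19045", "10.0.22631"},            # constructed
    "required_patches": {"KB-CONSTRUCTED-001", "KB-CONSTRUCTED-002"},
    "max_patch_age_days": 30,
    "required_firewall_settings": {"enabled": True, "inbound_default": "block"},
    "known_good_images": {                                          # hashes of constructed images
        "os_kernel": hashlib.sha256(b"constructed good kernel image").hexdigest(),
        "firmware": hashlib.sha256(b"constructed good firmware image").hexdigest(),
    },
}


def evaluate_policy(report, policy=POLICY):
    """Policy server: return the list of failed checks; an empty list means compliant."""
    failures = []
    # (1) legitimate OS version
    if report.os_version not in policy["allowed_os_versions"]:
        failures.append("os_version_not_allowed")
    # (2) patches installed and updated in time
    missing = policy["required_patches"] - report.installed_patches
    if missing:
        failures.append("missing_patches:" + ",".join(sorted(missing)))
    if report.days_since_patch_update > policy["max_patch_age_days"]:
        failures.append("patches_stale")
    # (3) antivirus deployed, (4) antivirus running
    if not report.antivirus_installed:
        failures.append("antivirus_not_installed")
    elif not report.antivirus_running:
        failures.append("antivirus_not_running")
    # (5) firewall present and configured as required
    for key, wanted in policy["required_firewall_settings"].items():
        if report.firewall.get(key) != wanted:
            failures.append("firewall_misconfigured:" + key)
    # (6) OS and firmware images not tampered with: compare against known-good hashes
    for name, good in policy["known_good_images"].items():
        if report.image_hashes.get(name) != good:
            failures.append("image_mismatch:" + name)
    return failures


def nac_decision(report):
    """NAC server: turn the policy server's result into an access decision.
    Non-compliant terminals go to the isolated domain with the list of what to remedy."""
    failures = evaluate_policy(report)
    if not failures:
        return {"decision": "allow", "remediation": []}
    return {"decision": "isolate", "remediation": failures}


# Two constructed terminals: one compliant, one that needs remediation.
COMPLIANT_REPORT = StatusReport(
    os_version="10.0.22631",
    installed_patches={"KB-CONSTRUCTED-001", "KB-CONSTRUCTED-002"},
    days_since_patch_update=5,
    antivirus_installed=True,
    antivirus_running=True,
    firewall={"enabled": True, "inbound_default": "block"},
    image_hashes=dict(POLICY["known_good_images"]),
)
NONCOMPLIANT_REPORT = StatusReport(
    os_version="10.0.22631",
    installed_patches={"KB-CONSTRUCTED-001"},
    days_since_patch_update=45,
    antivirus_installed=True,
    antivirus_running=False,
    firewall={"enabled": True, "inbound_default": "allow"},
    image_hashes={
        "os_kernel": POLICY["known_good_images"]["os_kernel"],
        "firmware": hashlib.sha256(b"constructed modified firmware image").hexdigest(),
    },
)

if __name__ == "__main__":
    for label, report in (("compliant", COMPLIANT_REPORT), ("non-compliant", NONCOMPLIANT_REPORT)):
        print(label, nac_decision(report))
```

Note that every check here trusts what the client agency reports; nothing in this design prevents a compromised terminal from reporting a clean status, which is exactly the weakness Section 8.1.3 returns to.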

CISCO proposes the CISCO Clean Access series products based on the aforementioned NAC solution. The Clean Access products can be integrated with many antivirus and security management software and provide a powerful capability of network access control. Their advantages are as follows:

(1) Scalability: Clean Access can be deployed directly in the network access environment, and its components can be integrated into other CISCO network access control products.

(2) Rapid deployment: It provides a set of solutions that can be deployed rapidly and conveniently.

(3) Flexibility: A variety of operating systems in the network are supported.

8.1.2.2 Microsoft’s Network Access Protection

Following CISCO, Microsoft proposed the NAP solution, which is similar to CISCO’s NAC solution. The NAP architecture is composed of system components added to Windows (the Windows Server series, Windows Vista, Windows XP etc.), and provides security status authentication when a terminal tries to access the network. The NAP architecture ensures the security of clients in the network: clients not meeting the security requirements are isolated in a network domain with constrained access privileges and cannot access the network until their running status meets the security requirements.

The NAP solution adds some components to Windows, including NAP client, policy enforcement point and policy decision point, and defines the interfaces that these components should provide. Users and enterprises can leverage the interfaces to implement products that are compatible with NAP. NAP does not specify network devices, and needs the support of physical network devices in the bottom layer. With the support of network infrastructure, Microsoft’s NAP solution provides the following functions:

(1) Security status verification: Check whether access terminals satisfy the security policy.

(2) Network access isolation: Isolate the terminals that do not satisfy the security policy.

(3) Auto remedy: Remedy the terminals that do not satisfy the security policy without user involvement.

(4) Auto update: Update terminals in time so that they satisfy the security policy, which itself is updated continuously.

Currently, NAP solution can implement control for a variety of network access technologies:

(1) IPsec: Implement control of secure communication at the network layer by managing IPsec certificates.

(2) 802.1X: Provide port-based access control at the data link layer by leveraging the 802.1X framework.

(3) VPN: Control remote VPN connections.

(4) DHCP: Implement DHCP control by providing IP addresses from a pool with limited permissions to clients whose security status does not satisfy the security requirements.

8.1.3 Defects of Current Solutions and TNC Motivation

8.1.3.1 Defects of Current Solutions

With the application of network access control products, defects of current products (such as CISCO’s NAC and Microsoft’s NAP) appear because of patents and technologies used by these products:

(1) Poor interoperability and scalability: Most manufacturers’ solutions are not compatible with each other and do not support multiple platforms. Because of intellectual property protection of critical source code and key interaction interfaces, mainstream products from different manufacturers are hard to interoperate, and support for non-commercial operating system platforms is extremely limited. For example, CISCO’s NAC architecture contains special technology protected by patents, so an implementation of the NAC architecture must rely on CISCO’s own network equipment; Microsoft’s NAP architecture relies on non-public source code and system calls, which do not support non-Windows platforms such as Linux.

(2) Status forgery: Lacking a strong terminal status authentication mechanism, current schemes cannot prevent forgery. By forging its system state, a client can meet the requirements of access control and then access the controlled network freely. At Black Hat 2007, hackers demonstrated an example of such an attack. Although such attacks require a certain level of skill and cost, their payoff may be very high.

(3) Lack of control after network access: Obtaining illegal benefits by changing the configuration after accessing the network is a much more practical attack than the forgery attack above, but current architectures exercise no control after clients are connected, so security risks remain.

8.1.3.2 Motivation of TNC

To solve the aforementioned security problems, TCG proposes an open network access control solution: Trusted Network Connection, and launches a series of standards. TNC highlights openness of the architecture, and does not limit the implementation technologies so as to support all kinds of popular computation platforms, network devices and OS. Another feature of TNC is that it combines with trusted computing technology.

In the aspect of openness, the interoperability of TNC products follows from TCG’s nature as an industry alliance. Several TCG members have already released products compliant with TNC specifications; notably, Microsoft’s latest NAP version is also compatible with TNC.

In the aspect of combination with trusted computing technology, TNC uses security chips embedded on the platforms to implement identity authentication and integrity status verification, and solves the problems of terminal status authentication and network control after access:

(1) Platform identity authentication: Using the non-migratable attestation identity key (AIK) provided by the TPM, TNC can authenticate clients’ identities when they try to access the network.

(2) Platform integrity attestation: The TPM measures key components of the platform when it powers on and stores the measurement results inside the TPM. This integrity information can be used to verify the integrity status of the access terminal.
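To make concrete why a security chip closes the status-forgery gap of Section 8.1.3.1, here is an added simulation (not code from the chapter or from TCG) of the two mechanisms just listed: a PCR-style measurement chain recorded at boot, and a quote over the PCR value and a verifier nonce that the access server checks against reference (known-good) measurements. The component images, reference values and nonce are constructed, and the quote uses HMAC-SHA256 with a stand-in key as a substitute for the TPM’s AIK signature (a real AIK is an asymmetric key held inside the TPM); that key is an assumption of this simulation.

```python
"""Hardware-rooted integrity attestation as motivated for TNC (constructed simulation).

The measured components, reference values and nonces are constructed. The quote
signature uses HMAC-SHA256 as a stand-in for the TPM's AIK signature; AIK_KEY is an
assumption of this simulation, not a real key.
"""
import hashlib
import hmac
import os

AIK_KEY = b"constructed-aik-stand-in-key"   # assumption: stands in for the AIK private key

# Constructed boot components; their hashes are the access server's reference values.
GOOD_COMPONENTS = [
    ("bios", b"constructed BIOS image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
]
REFERENCE = {name: hashlib.sha256(image).hexdigest() for name, image in GOOD_COMPONENTS}
TAMPERED_COMPONENTS = GOOD_COMPONENTS[:2] + [("kernel", b"constructed kernel image, modified")]


def pcr_extend(pcr, measurement):
    """TPM-style extend: PCR_new = H(PCR_old || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def boot_and_measure(components):
    """Simulate power-on measurement: each component is hashed into the PCR before it
    runs. Returns the final PCR value and the event log kept alongside it."""
    pcr, log = bytes(32), []
    for name, image in components:
        log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = pcr_extend(pcr, image)
    return pcr, log


def tpm_quote(pcr, nonce):
    """Quote: signature over the PCR value and the verifier's nonce. Software on the
    terminal cannot obtain a quote for a PCR value the chip did not actually record."""
    return hmac.new(AIK_KEY, pcr + nonce, hashlib.sha256).digest()


def verify_attestation(log, pcr_claimed, quote, nonce, reference):
    """Access server: check the quote against the fresh nonce, replay the event log into
    the PCR value, then compare each component's digest with the reference values."""
    if not hmac.compare_digest(tpm_quote(pcr_claimed, nonce), quote):
        return "reject: quote signature invalid"
    replay = bytes(32)
    for _, digest in log:
        replay = hashlib.sha256(replay + bytes.fromhex(digest)).digest()
    if replay != pcr_claimed:
        return "reject: event log does not match signed PCR"
    for name, digest in log:
        if reference.get(name) != digest:
            return "isolate: unexpected measurement for " + name
    return "allow"


def honest_terminal():
    """Terminal boots the reference software and reports truthfully."""
    nonce = os.urandom(16)
    pcr, log = boot_and_measure(GOOD_COMPONENTS)
    return verify_attestation(log, pcr, tpm_quote(pcr, nonce), nonce, REFERENCE)


def tampered_terminal():
    """Terminal boots a modified kernel and reports truthfully: caught by reference compare."""
    nonce = os.urandom(16)
    pcr, log = boot_and_measure(TAMPERED_COMPONENTS)
    return verify_attestation(log, pcr, tpm_quote(pcr, nonce), nonce, REFERENCE)


def forged_report():
    """The status-forgery case: a modified terminal presents the clean log and the clean
    PCR value computed in software, but the only quote it holds is over the real PCR."""
    nonce = os.urandom(16)
    real_pcr, _ = boot_and_measure(TAMPERED_COMPONENTS)
    clean_pcr, clean_log = boot_and_measure(GOOD_COMPONENTS)
    return verify_attestation(clean_log, clean_pcr, tpm_quote(real_pcr, nonce), nonce, REFERENCE)


def replayed_quote():
    """A genuine quote captured earlier fails against the verifier's fresh nonce."""
    old_nonce, new_nonce = os.urandom(16), os.urandom(16)
    pcr, log = boot_and_measure(GOOD_COMPONENTS)
    return verify_attestation(log, pcr, tpm_quote(pcr, old_nonce), new_nonce, REFERENCE)


if __name__ == "__main__":
    for f in (honest_terminal, tampered_terminal, forged_report, replayed_quote):
        print(f.__name__, "->", f())
```

The verifier never trusts the terminal’s description of itself: the signed PCR value is what the chip recorded, the nonce ties it to this access request, and the reference table is the server’s own. The management burden of that reference table, one entry per component and version, is the binary-attestation cost discussed later in Section 8.2.4.2.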

8.2 Architecture and Principles of TNC

8.2.1 Standard Architecture

The TCG’s TNC workgroup designs an open network access control framework according to the existing requirements of network access applications, and develops a series of TNC specifications. TNC specifications consist of architecture, component and supporting technology specifications:

(1) Architecture specification [90]: This specification defines the overall architecture of TNC and its basic communication process, analyzes compatibility with other network access control systems and illustrates how trusted computing technology can enhance the security of network access control.

(2) Component interoperability interface specifications [144–146]: These specifications define the internal basic functions and interfaces of components in the TNC architecture.

(3) Supporting technology specifications [147, 148]: These specifications define special functions and components implemented with trusted computing technology. Although these specifications are not mandatory, they provide mature references and technical ideas for developers implementing a trusted network access system.

The TNC specifications are developing continuously: the TNC workgroup updates them by improving and revising the current specifications. TCG actively participates in IETF standards development, aiming to upgrade TNC specifications to international standards, and has already made some achievements in this direction: the TNC IF-TNCCS 2.0 and IF-M specifications have been published as RFC 5793 and RFC 5792, respectively. With the development of TNC technology, we believe that the TNC specification family will attract more and more attention and support and be upgraded to international standards accepted by industry.

8.2.2 Overall Architecture

The architecture of TNC, as shown in Figure 8.2, consists of three participants and three logic layers. The three participants are the Access Requester (AR), the Policy Enforcement Point (PEP) and the Policy Decision Point (PDP). The AR is the terminal requesting access to the network, the PEP enforces network access and the PDP authenticates clients and gives the access policy. TNC can be divided into three logic layers according to the roles in network access: the integrity measurement layer, the integrity evaluation layer and the network access layer. Since both participating entities and logic layers need to interoperate, TNC defines interface specifications between components at the same layer (such as the integrity measurement collector (IMC) and the integrity measurement verifier (IMV)) and between components within the same participant (such as the IMC and the TNC client).

Figure 8.2: TNC architecture.

8.2.2.1 Main Participants

TNC has three participants: AR, PEP and PDP. AR is the client trying to access the network, which collects platform’s integrity information and actively transfers access request to PDP. PDP’s role is to check the security status of AR and determine AR’s access request according to security policy. PEP enforces the access decision given by the PDP. TNC splits the decision of access policy and access enforcement, which increases its elasticity and flexibility.

AR includes the network access requester (NAR), the TNC client (TNCC) and IMCs. The NAR issues the access request to apply for network access. The TNCC calls the IMCs to collect the platform’s integrity measurement information, and also measures and reports the IMCs’ own integrity information. An IMC measures the integrity information of a component in the AR, and each AR can deploy multiple IMCs to collect integrity information of different components.

PDP includes three components: network access authority (NAA), trusted network connection server (TNCS) and integrity measurement verifier. NAA decides whether an AR should be granted access according to TNCS’s verification result. TNCS verifies whether AR’s integrity information satisfies PDP’s security policy, and returns the verification result to PDP. Besides, TNCS collects verification results from all of IMVs and then forms a global network access decision. IMV verifies integrity measurement information of AR’s components.

PEP controls network access. In particular, PEP performs some operation (allow, deny or isolation) according to the decision of PDP. For example, in 802.1X framework, PEP takes the role of authenticator, that is, switch or wireless AP.

8.2.2.2 Logic Layers

TNC architecture consists of three layers: the integrity measurement layer, the integrity evaluation layer and the network access layer. The integrity measurement layer deals with original integrity measurement data, which has no relationship with specific access policy. In this layer, AR needs to collect platform integrity data, and the corresponding PDP needs to verify the correctness of the integrity data. The integrity evaluation layer deals with the network access policy and assessment of the integrity verification results. In this layer, AR finishes collection of integrity data by resolving the network access policy, and PDP gives access decision according to the access policy. The network access layer deals with the underlying network communication data. In this layer, AR and PDP establish a reliable communication channel, and PEP allows, denies or isolates AR’s network access according to PDP’s decision.

8.2.2.3 Interoperation Interfaces

The TNC architecture needs to define standard interoperation interfaces between its components so that they can cooperate to deliver TNC’s overall function. On the one hand, the functions of the different layers within one participant are divided into different components, which enhances the elasticity and flexibility of the architecture; these components require proper interoperation interfaces, such as the IF-IMC and IF-IMV interface specifications defined by TNC. On the other hand, different participants at the same layer require (indirect) logical communication, which also requires proper interoperation interfaces, such as the IF-M, IF-TNCCS and IF-T interface specifications defined by TNC.

8.2.2.4 Architecture with PTS Extension

TNC architecture is a general network access control framework, and the implementation of corresponding components does not always adopt trusted computing technology. However, the chain of trust and remote attestation mechanism based on security chips can effectively improve the integrity attestation and identity authentication for access terminals; so TCG has developed the platform trust service (PTS) specification [14] for TNC, which illustrates the combination of TNC and TPM’s integrity measurement and attestation. This specification provides technical guidance for implementation of TNC based on TPM.

Figure 8.3: TNC architecture with PTS extension.

The TNC architecture with PTS extension is shown in Figure 8.3. There are two changes in the extended architecture: (1) the AR is equipped with a TPM security chip and the trusted software stack (TSS), and other components of the AR can invoke PTS; (2) in the original integrity measurement layer, TNC defines a PTS protocol, carried above the IF-M interface, that PTS uses to collect and verify integrity information; this protocol standardizes how PTS interoperates in integrity collection and verification.

8.2.2.5 Network Supporting Technology

As an open, general specification on trusted network access, TNC only specifies the overall architecture, component functions, each layer’s interfaces and the basic workflow. It places no mandatory requirement on the implementation technology. In fact, the TNC architecture can smoothly integrate all kinds of network access technology, and network control compliant with the TNC specification can be implemented on top of current network access technologies.

From the TNC architecture, we can see that its underlying network access layer leverages existing network access control technology, which makes it convenient for TNC to be compatible with existing network access control system. In order to be compatible with other network technology, TCG proposes a series of TNC specifications on network protocol compatibility. For example, in order to be compatible with 802.1X framework and VPN, TCG defines a protocol standard used to exchange TNC data at IF-T layer, a protocol bound with EAP method [149] and a protocol bound with TLS under 802.1X framework. These specifications compatible with current network technologies greatly promote the development and application of TNC standards and technology. Currently, many open-source projects and network products on the market have begun to support TNC specifications such as IF-T protocol.

8.2.3 Workflow

TNC framework ensures the terminals to access the network securely by a number of steps. Figure 8.4 describes the TNC access procedure, and the details are as follows:

(1) Before any terminal accesses the network, the TNCC must find and load each relevant IMC on the platform, and then initialize it. Similarly, the TNCS must load and initialize each relevant IMV.

(2) When the user requests network access, the NAR sends an access request to the PEP.

(3) Upon receiving the network access request from the NAR, the PEP sends a network access decision request to the NAA.

(4) Usually the NAA is an AAA authentication server, such as a RADIUS or Diameter server. The NAA authenticates the user, and then informs the TNCS that a new access request needs to be handled.

(5) The TNCS performs platform identity authentication with the TNCC.

(6) After platform identity authentication succeeds, the TNCS notifies the IMVs that a new access request has arrived. Similarly, the TNCC notifies the IMCs that a new access request has arrived, and the IMCs respond to the TNCC with platform integrity information.

(7) In this step the PDP performs integrity authentication of the AR; it is divided into three substeps:

(a) The TNCS and TNCC begin exchanging messages related to the integrity check. These messages are transferred through the NAR, PEP and NAA, and the exchange continues until the TNCS has collected enough integrity information from the TNCC for the integrity check.

Figure 8.4: TNC workflow.

(b) The TNCS passes each piece of integrity information collected by the IMCs to the corresponding IMV for the integrity check. Each IMV analyzes its IMC message. If an IMV needs the TNCC to provide more information, it sends an integrity request message to the TNCS through the IF-IMV interface. If an IMV reaches a check result, it gives it to the TNCS through the IF-IMV interface.

(c) The TNCC forwards integrity requests from the TNCS to the corresponding IMC, and sends the integrity information returned by the IMC to the TNCS.

(8) When the TNCS has completed the integrity check with the TNCC, it sends the network access decision to the NAA.

(9) The NAA then sends the network access decision to the PEP, which enforces network access control according to the access policy. The NAA also returns the access decision to the AR.

If the AR does not pass the integrity check, the TNCS isolates the AR in the remedy network, and the AR can re-request network access after it has remedied its integrity.
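The nine steps above are easier to follow as running code. The following Python simulation is an added example, not code from the chapter or from any TNC implementation: two IMC/IMV pairs sit behind a TNCC and a TNCS, the NAR-PEP-NAA path is modelled as a relay that logs every message of step (7a), one IMV asks for a second round exactly as in (7b)/(7c), and the TNCS forms the global decision of step (8) by taking the most restrictive IMV result before the NAA hands it to the PEP. The component names, message fields, thresholds, patch identifiers and user table are constructed, and the method names are this simulation’s own, not the IF-IMC/IF-IMV API.

```python
"""Simulation of the TNC workflow, steps 1-9 (constructed example).

Component names, message fields, thresholds and the user table are made up; method
names are this simulation's own and not the IF-IMC/IF-IMV API from the TCG specs.
"""

REFERENCE_KERNEL_HASH = "constructed-good-kernel-hash"
REQUIRED_PATCHES = {"KB-CONSTRUCTED-001", "KB-CONSTRUCTED-002"}
USERS = {"alice": "constructed-password"}     # NAA user database (constructed)
RELAY_LOG = []                                # messages crossing NAR -> PEP -> NAA (step 7a)


def relay(msg):
    """Network access layer: carries IF-TNCCS/IF-M data between AR and PDP."""
    RELAY_LOG.append(msg)
    return msg


class PatchImc:
    """IMC reporting the patch state of the AR."""
    component = "patch"

    def __init__(self, days_since_update, installed):
        self.days, self.installed = days_since_update, set(installed)

    def begin(self):                       # first message after "new access request" (step 6)
        return {"days_since_update": self.days}

    def handle(self, request):             # answer to the IMV's integrity request (step 7c)
        return {"present": sorted(set(request["required_patches"]) & self.installed)}


class PatchImv:
    """IMV that needs a second round before it can decide."""
    component = "patch"

    def receive(self, msg):
        if "days_since_update" in msg:
            if msg["days_since_update"] > 30:
                return "result", "isolate"
            return "request", {"required_patches": sorted(REQUIRED_PATCHES)}
        return "result", "allow" if REQUIRED_PATCHES <= set(msg["present"]) else "isolate"


class KernelImc:
    component = "kernel"

    def __init__(self, kernel_hash):
        self.kernel_hash = kernel_hash

    def begin(self):
        return {"kernel_hash": self.kernel_hash}

    def handle(self, request):
        return {}


class KernelImv:
    component = "kernel"

    def receive(self, msg):
        return "result", "allow" if msg.get("kernel_hash") == REFERENCE_KERNEL_HASH else "deny"


class Tncc:
    """TNC client: loads the IMCs (step 1) and relays IF-IMC traffic."""
    def __init__(self, imcs):
        self.imcs = {imc.component: imc for imc in imcs}

    def initial_messages(self):
        return [(c, imc.begin()) for c, imc in self.imcs.items()]

    def answer(self, component, request):
        return self.imcs[component].handle(request)


class Tncs:
    """TNC server: drives the integrity check and forms the global decision (steps 7-8)."""
    def __init__(self, imvs):
        self.imvs = {imv.component: imv for imv in imvs}

    def integrity_check(self, tncc):
        results, rounds = {}, 0
        pending = [(c, relay(m)) for c, m in tncc.initial_messages()]
        while pending:
            rounds += 1
            followups = []
            for component, msg in pending:
                kind, payload = self.imvs[component].receive(msg)            # step 7b
                if kind == "result":
                    results[component] = payload
                else:  # IMV wants more: request goes back through the TNCC to the IMC (7c)
                    followups.append((component, relay(tncc.answer(component, relay(payload)))))
            pending = followups
        for verdict in ("deny", "isolate", "allow"):   # most restrictive IMV result wins
            if verdict in results.values():
                return verdict, results, rounds
        return "allow", results, rounds


def naa_access_request(user, password, tncc, tncs):
    """NAA: authenticate the user (step 4), then hand the request to the TNCS (steps 7-8)."""
    if USERS.get(user) != password:
        return {"decision": "deny", "reason": "user authentication failed"}
    verdict, per_imv, rounds = tncs.integrity_check(tncc)
    return {"decision": verdict, "imv_results": per_imv, "rounds": rounds}


def pep_enforce(decision):
    """PEP: act on the NAA's decision (step 9)."""
    return {"allow": "port open", "isolate": "port moved to remedy network",
            "deny": "port closed"}[decision["decision"]]


def run_access_request(user, password, imcs):
    RELAY_LOG.clear()
    decision = naa_access_request(user, password, Tncc(imcs), Tncs([PatchImv(), KernelImv()]))
    decision["pep_action"] = pep_enforce(decision)
    return decision


def scenario_compliant():
    return run_access_request("alice", "constructed-password",
                              [PatchImc(5, REQUIRED_PATCHES), KernelImc(REFERENCE_KERNEL_HASH)])


def scenario_stale_patches():
    return run_access_request("alice", "constructed-password",
                              [PatchImc(45, []), KernelImc(REFERENCE_KERNEL_HASH)])


def scenario_modified_kernel():
    return run_access_request("alice", "constructed-password",
                              [PatchImc(5, REQUIRED_PATCHES), KernelImc("constructed-other-hash")])
```

Running `scenario_compliant()` shows the two-round exchange (the patch IMV first asks which required patches are present); `scenario_stale_patches()` ends after one round with an isolate decision, and `scenario_modified_kernel()` shows that one IMV’s deny outweighs another IMV’s allow in the TNCS aggregation.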

8.2.4 The Advantages and Disadvantages of TNC

8.2.4.1 The Advantages of TNC

(1) Openness: The TNC architecture, proposed by TCG, is an open general network access framework supporting heterogeneous network environments, and is now supported by a complete series of technical specifications. The openness of TNC lets each manufacturer design and develop products compatible with the TNC standard. TCG also launched the TNC product certification program, so that manufacturers can have their products tested for TNC specification compliance. At present, more and more manufacturers have announced support for TNC specifications in their products, and more and more products have passed TNC certification [150].

(2) Standard completeness: The TNC workgroup developed a complete set of standards and specifications, including the architecture, component interfaces and supporting technology. The completeness of the standard makes it easier for manufacturers to adopt the TNC solution, and promotes the development of TNC in industrial fields.

(3) Security chip support: Besides traditional network access control, TNC adds platform identity authentication and integrity verification based on the security chip. These two functions not only provide hardware-based platform status authentication, which prevents clients from accessing the network by forging status information, but also apply trusted computing technology to the network. In this way, the trustworthiness of the client is extended to the network environment.

(4) Technical compatibility: The TNC architecture does not specify its network technology, which enables it to be implemented on current network technologies (such as 802.1X, IPsec, TLS). Compared with other network access control solutions, TNC greatly reduces development difficulties and the economic burden on users of updating their network devices.

8.2.4.2 Problems of TNC

Currently, TNC lacks theoretical security proof. The technology of TNC proceeds ahead of its theory, and currently theoretical security model and proof method for TNC have not been built. How to extend the trust from terminals to network and construct a trustworthy network environment are problems that TNC need to solve urgently.

Privacy leakage caused by binary attestation: The TNC architecture, which is based on security chips such as the TPM or TCM, adopts the binary attestation scheme [10] recommended by TCG specifications, which has two disadvantages. First, integrity management of terminal platforms is complex: the network access server must manage the integrity configuration status of all platforms, and this integrity information must cover various software and different versions of the same software, which places a great management burden on the network access server. Second, this scheme leaks the terminal’s integrity configuration information, so that every platform’s configuration is completely exposed in the network and can be used by malicious attackers to exploit vulnerabilities in the terminals’ configurations.

Lack of security protection after network access: TNC only provides identity and integrity authentication when clients connect the network, and provides no security protection after clients access the network. This protection mechanism only guarantees the security at the moment of network access, and cannot guarantee the security of network after terminals’ access.

8.3 Research on Extension of TNC

8.3.1 Overview of the TNC Research

Since TCG released the open TNC architecture and TNC specifications, a large number of open-source projects have begun to support TNC, and a number of research institutions have started research work on TNC. In the following, we introduce some open-source projects related to TNC and TNC-based systems developed by research institutions.

With the wide application of TNC, a large number of open-source projects implement functions of TNC. In the following, we will introduce these projects:

(1) libTNC [151]: This project aims to build an OS-independent open-source TNC system, and now supports Windows, some UNIX-like OSs and Mac OS. libTNC has implemented the interfaces of the integrity evaluation layer and the integrity measurement layer, and an integrity measurement component that assesses the OS against configured security policies.

(2) Open1X [152]: This project is sponsored by the OpenSEA alliance [153], which aims to develop a cross-platform open-source 802.1X supplicant. Open1X implements the 802.1X framework and the wireless LAN security standard 802.11i. The product Xsupplicant in the Open1X project now supports the EAP-TNC method.

(3) strongSwan [154]: This project is an implementation of IPsec for Linux, and has implemented the integrity evaluation layer of TNC and provides the interfaces of the integrity evaluation layer and integrity measurement layer. strongSwan has obtained TCG’s TNC certification.

The Trust@FHH [155] research group of Hochschule Hannover University of Applied Sciences and Arts is a member of the TNC workgroup, and implements the TNC@FHH and tNAC systems based on TNC, which are relatively comprehensive TNC solutions among open-source projects. Based on the TNC architecture, the Institute of Software, Chinese Academy of Sciences (ISCAS) proposes the ISCAS TNC system, which is based on user identity, platform identity and platform integrity authentication. This section focuses on the tNAC and TNC@FHH systems implemented by the Trust@FHH group, and the ISCAS TNC system implemented by ISCAS.

8.3.2 Trust@FHH

8.3.2.1 TNC@FHH

In order to test TNC’s functions, operability and usability, the Trust@FHH research team develops the open-source system TNC@FHH, which implements all core components and interfaces of the TNC architecture, and has passed TCG’s TNC certification tests.

The architecture of TNC@FHH is shown in Figure 8.5. TNC@FHH implements the TNCS, some IMCs, some IMVs and the EAP-TNC method, and also implements the IF-TNCCS, IF-M, IF-IMC and IF-IMV interfaces. The network access requester can be the open-source Xsupplicant or wpa_supplicant, and the network access authority is FreeRadius; all of these are widely deployed and implement the EAP-TNC method.

TNC@FHH implements the whole TNC architecture on top of the open-source products Xsupplicant, wpa_supplicant and FreeRADIUS, and has the following features:

(1)The TNC server can run as an extension of FreeRADIUS.

(2)The system implements some IMCs and IMVs, so that simple terminal integrity attestation can be performed.

(3)The system implements basic policy management.

(4)The system is compatible with other TNC products, such as Xsupplicant, wpa_supplicant and libtnc.

(5)The system is implemented in C++.

Figure 8.5: The architecture of TNC@FHH.

Since the TNC architecture leaves it to the security policy maker to decide which part of the client’s integrity information is checked, the PDP is able to examine all the configuration information of the platform, which raises a privacy leakage issue for clients. To solve this issue, TNC@FHH proposes a privacy protection mechanism that extends the TNC architecture with a policy manager (PM) and a communication interface IF-PM between the TNCC and the PM. Every time the TNCC is about to send a message to the TNCS, it first queries the PM over the IF-PM interface. The PM determines whether the message is allowed to be sent according to the user’s policy and returns its decision to the TNCC, which then sends or withholds the message accordingly. Through this policy, users can restrict the TNCC to sending integrity information only about selected components and withholding it for all others. In this way, TNC@FHH achieves the goal of protecting clients’ privacy.
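How the PM gate described above can be realised, as an added example that is not TNC@FHH code: the TNCC asks the policy manager about each IMC message and forwards only what the user’s policy permits (PolicyManager.check() stands in for the IF-PM query; the IMC names, component names and message contents are constructed).

```python
"""Client-side disclosure filter modelled on TNC@FHH's policy manager (PM).
Added example, not TNC@FHH project code: PolicyManager.check() stands in for
the IF-PM query the TNCC makes before forwarding each IMC message to the TNCS.
Component names and message contents are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ImcMessage:
    imc: str        # IMC that produced the message, e.g. "av-imc"
    component: str  # platform component the message describes
    payload: bytes  # integrity information; opaque to the PM


class PolicyManager:
    """Holds the user's policy: which components the PDP may learn about."""
    def __init__(self, allowed_components, default_allow=False):
        self.allowed = frozenset(allowed_components)
        self.default_allow = default_allow  # unknown components withheld by default
        self.withheld = []                  # local audit trail of suppressed components

    def check(self, msg: ImcMessage) -> bool:
        """IF-PM decision: True if the TNCC may send this message to the TNCS."""
        if msg.component in self.allowed or self.default_allow:
            return True
        self.withheld.append(msg.component)
        return False


def tncc_filter(messages, pm: PolicyManager) -> list:
    """TNCC side: query the PM for every message and forward only permitted ones."""
    return [m for m in messages if pm.check(m)]


# Constructed policy: the PDP may see antivirus, firewall and patch state, but
# not the installed-application inventory, which reveals platform configuration.
ALLOWED = frozenset({"antivirus", "firewall", "os-patches"})

BATCH = [  # constructed IMC output for one handshake
    ImcMessage("av-imc", "antivirus", b"engine=current;realtime=on"),
    ImcMessage("fw-imc", "firewall", b"enabled=1"),
    ImcMessage("inventory-imc", "installed-apps", b"browser;vpn;dev-tools"),
    ImcMessage("patch-imc", "os-patches", b"missing=0"),
]


def run_example(default_allow=False):
    """Returns (components sent to the TNCS, components withheld by the PM)."""
    pm = PolicyManager(ALLOWED, default_allow)
    sent = tncc_filter(BATCH, pm)
    return [m.component for m in sent], pm.withheld
```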

8.3.2.2tNAC

The TNC@FHH project does not combine the TNC architecture with TPM. In 2008, the Trust@FHH workgroup proposes the trusted network access control (tNAC) project, shown in Figure 8.6, which implements trusted network access control based on TNC@FHH and the trusted platform Turaya. TNC@FHH is responsible for network access control, and Turaya ensures that the client cannot forge integrity data. In order to support TPM in the architecture, tNAC adds the following components to the original TNC architecture:

(1)Platform Trust Services (PTS): Both the client and the server require PTS support. At the client side, the PTS obtains the client’s integrity report by querying the TPM. At the server side, the PTS checks the integrity report sent by the client.

(2)PTS-IMC: This IMC asks the PTS to measure the corresponding components and collect the integrity report, and finally sends the integrity report to the IMV on the server side.

(3)PTS-IMV: This IMV sends the client a request for the integrity measurement values of the chain of trust and other components. When it receives the measurement values, it invokes the PTS to perform integrity verification.

(4)Other IMVs: These IMVs can obtain measurement results of any file on the client by requesting them from the PTS-IMC. When the PTS-IMC receives the request, it notifies the PTS to perform the measurement and then returns the integrity report to the IMV. After the IMV receives the integrity report, it can invoke the PTS to perform integrity verification.

Figure 8.6: tNAC architecture.

8.3.3ISCAS Trusted Network Connection System

To meet the network access and network management requirements of terminal platforms, we develop a trusted network connection system (ISCAS TNC) that supports the TNC specifications and is based on the ISCAS chain of trust system. This TNC system uses the trust established by the platform’s chain of trust to perform platform identity authentication and integrity attestation, and builds a trusted network computing environment. Taking the application requirements of the Chinese TCM chip into account, the TNC system adds support for TCM, and it achieves integrity attestation of terminal platforms and trusted network connection based on two kinds of security chips: TPM and TCM. To deal with the leakage of platform configuration during the binary integrity attestation of traditional trusted network connection systems, we propose a method named property-based TNC that adds terminal configuration privacy protection to general trusted network connection schemes.

8.3.3.1Architecture and Functions of ISCAS TNC System

ISCAS TNC system is a trusted network connection system, which follows TCG standards. When the terminal accesses the network, the system checks the security status of terminals based on TPM chips to achieve the end-to-end security, which ensures the security of terminals accessing the network. Figure 8.7 and Figure 8.8 show the architecture and user interface of ISCAS TNC system respectively.

ISCAS TNC system consists of three entities: network access terminal, network access device (PEP) and AAA server (PDP), and they correspond to access requester, policy enforcement point and policy decision point of TNC architecture, respectively. The internal design architecture and the communication logic of the three entities also follow TNC specifications. In the aspect of functions, ISCAS TNC system implements platform identity registration, trusted network connection and integrity component management functions based on trusted computing technology.

(1)Platform identity registration: A terminal needs to apply for a legitimate platform identity before its first network connection. It sends a platform identity request based on the TPM/TCM identity to the TNC server, and the server issues a TPM/TCM identity credential to a legitimate terminal.

(2)Trusted network connection: The TNC server first authenticates the user identity, the platform identity and the integrity state of the terminal, and then enforces network access control of the terminal according to the authentication result.

(3)Integrity component management: This function is used to add, update and delete an integrity collector or an integrity verifier, and to query and manage the integrity of application components of a terminal.

Figure 8.7: Architecture of ISCAS TNC system.

ISCAS TNC system strengthens the terminal authentication function of traditional trusted network connection systems. In the aspect of identity authentication, ISCAS TNC implements a two-factor identity authentication method based on user identity and platform identity, and supports both TPM and TCM security chips. In the aspect of platform attestation, (1) the system verifies the platform integrity collected during the start-up process of the terminal based on its chain of trust; (2) the system leverages a dynamic measurement method to verify the running antivirus software and firewall in real time; (3) the system measures and verifies important system patches of the Windows system.
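The chain-of-trust verification that tNAC’s PTS-IMV (Section 8.3.2.2) and the start-up integrity check of ISCAS TNC both rely on, as an added example that is not code from either project: the client measures each boot stage into a PCR and sends the measurement log, and the verifier replays the log against reference values so that a mismatching, unknown or edited entry is rejected (SHA-256 stands in for the TPM/TCM digest; the quote that signs the PCR is assumed, not modelled; component names and images are constructed).

```python
"""Verifier-side check of a boot-time integrity report against reference values.
Added example, not code from tNAC, Turaya or the ISCAS TNC system. It models
what the PTS does for the PTS-IMV: the client sends its chain-of-trust
measurement log plus the resulting PCR; the verifier recomputes the PCR from
the log and compares each entry with known-good values. A TPM quote (signature
over the PCR) is assumed and not modelled; names and images are constructed."""
import hashlib

PCR_SIZE = 32  # SHA-256 used here for both measurements and PCR extend


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(image: bytes) -> bytes:
    """Measurement of one component of the chain of trust."""
    return hashlib.sha256(image).digest()


def build_report(images):
    """Client side (PTS-IMC/PTS): measure each stage; return (log, final PCR)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in images:
        m = measure(image)
        log.append((name, m))
        pcr = extend(pcr, m)
    return log, pcr


def verify_report(log, reported_pcr, reference):
    """Server side (PTS-IMV/PTS): returns (ok, list of reasons for rejection)."""
    reasons, pcr = [], bytes(PCR_SIZE)
    for name, m in log:
        pcr = extend(pcr, m)          # replay the log
        expected = reference.get(name)
        if expected is None:
            reasons.append(f"unknown component in chain: {name}")
        elif expected != m:
            reasons.append(f"measurement mismatch: {name}")
    if pcr != reported_pcr:           # an edited log cannot reproduce the PCR
        reasons.append("log does not reproduce reported PCR")
    return not reasons, reasons


# Constructed known-good boot chain; the reference DB stores its measurements.
GOOD_CHAIN = [("bootloader", b"bl-v1"), ("kernel", b"kernel-v1"), ("tnc-client", b"tncc-v1")]
REFERENCE = {name: measure(image) for name, image in GOOD_CHAIN}
```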

Figure 8.8: The graphic user interface of ISCAS TNC system.

8.3.3.2Technical Implementation and Characteristics of ISCAS TNC System

In order to meet different requirements of network connection control, the ISCAS TNC system implements two network connection schemes in the network access layer (the deployment of the network connection system is shown in Figure 8.9), based on the third layer of the network (i.e., the network layer) and the second layer of the network (i.e., the data link layer), respectively. The first scheme enforces network access control at the network layer, and the communication messages of all system components are forwarded at this layer. After authenticating a terminal, the TNC server issues an iptables connection policy, and the policy enforcement point applies the iptables policy to control the terminal based on its IP address. The network connection control at the data link layer follows the 802.1X framework. The TNC server gives the final connection control policy based on VLAN, which is deployed on the ports of the switch/router. In this way, the ISCAS TNC achieves isolation of terminals based on ports or VLAN.

The control granularity and the application scope of the connection control schemes at the network layer and the data link layer are different. The connection control scheme at the network layer controls IP addresses and has low deployment costs, which makes it suitable for small-scale network connection. The connection control scheme at the data link layer controls switch/router ports or VLANs and needs the support of a certain type of switch/router, which makes it suitable for large-scale network connection. Figure 8.10 shows the trusted network access time and the authentication time of the two schemes. It can be seen from the figure that the data link layer scheme costs significantly less access time than the network layer scheme and performs better with the support of network devices such as switches/routers.

Figure 8.9: The deployment of network connection control. (a) At the third layer, (b) At the second layer.
Figure 8.10: Network connection performance of ISCAS TNC system. (a) Comparison of Access Performance between Layer 3 and Layer 2, (b) Comparison of Access and Authentication Performance of L3 TNC.

8.4Application of Trusted Network Connection

In order to popularize TNC, TCG members Infoblox, Juniper Networks, Lumeta, OpenSEA Alliance and HP Networking jointly participated in the world’s largest professional network exhibition, the American Information Industry Expo (Interop Las Vegas), in 2010. In the exhibition, they proposed the slogan “TNC Everywhere: Unified Security,” and showed how TNC guarantees network security through a series of demonstrations. Since then, numerous TNC-supporting network devices and network access authentication servers have been promoted and placed on the market.

TCG announced the TNC certification program the same year. The program consists of a compliance test and an interoperability test for the products to be certified. Products must first pass an automated compliance test suite to ensure that they implement the TNC specifications correctly, and then they must pass an interoperability test with other certified products to demonstrate compatibility. This program assures users that the certified products implement the TNC specifications correctly. Many products of Juniper Networks have been certified. Readers can view the list of certified products in Ref. [150].

In China, Huawei, Topsec, AnchTech and other companies have launched their own network connection control solutions based on TNC. Huawei launched the EAD terminal connection control solution [156], which aims to create a trusted computing network environment. Topsec launched the trusted network framework TNA [157], which has now been upgraded to version 2.0; TNA comprehensively improves the overall protection capability of a network by incorporating the trusted network connection control mechanism. AnchTech developed a trusted network connection system based on the Chinese security chip TCM [158]. The system uses the TCM chip to authenticate terminal users, providing users with a more secure access authentication method, and also uses TCM chips as platform identities to implement device authentication of terminals.

8.5Summary

This chapter first describes the network access control framework, and then focuses on the open network access control solution TNC proposed by TCG, together with TNC’s open architecture and standards. TNC verifies the platform identity and integrity of access terminals to ensure the validity of their identities and the security of the terminals. Compared with other commercial network access control solutions, TNC has the advantages of openness, standard completeness, security chip support and technology compatibility. However, TNC still has shortcomings in theoretical security proofs, integrity attestation and protection after connection, and it needs further research.

Currently, TNC is relatively mature, and research institutions have launched their own prototype systems. A variety of TNC-based network access control products designed by a number of manufacturers are available in industrial fields. To advance TNC further, the TNC workgroup designs an architecture that combines PTS with TNC to facilitate integrity management. To ensure compatibility of TNC products, the TNC workgroup launches the TNC certification program, which performs compliance tests on TNC products and ensures the interoperability of TNC products on the market.
