Automated Mobile Security, Part 4

The following is the fourth, and final, post in a series of excerpts from NCP engineering‘s technical white paper, Automated Mobile Security: Leveraging Trusted Network Connect (TNC) IF-MAP to provide automated security for company networks and mobile devices. Part one of the series can be found here; part two of the series can be found here and part three of the series can be found here.

REAL TIME ENFORCEMENT USING IF-MAP

This example demo uses several of the ESUKOM developed IF-MAP compatible products. All open source products are available on www.esukom.de. The NCP VPN Server is still beta and not available on the web page, but can be made available for test environments by contacting tcg@ncp-e.com.

The following image shows a basic description of the network the demo uses:

The network is separated into an unsecure network that can be accessed via WiFi and an internal network, which requires a VPN connection to gain access. There is no direct access from the unsecure network to the internal network even though two components reside in both networks.

An Android device connects to the WiFi access point and receives a lease from an IF-MAP capable ISC DHCP Server. The IF-MAP Client will publish the lease information into the MAP database. The DHCP server has the information about which MAC address is connected to which IP address.

The IF-MAP graph will look like this after the information has been published:

Now, to gain access to the internal network, the device has to establish a VPN connection. The VPN Server will publish information about the username used for the VPN connection, the device that has authenticated the request and what internal IP address the connection received, and will then link that information to the already-available information published by the DHCP server.

The IF-MAP app on the android phone is then able to publish information about the device, for example, the IMEI or if bluetooth is enabled. Additionally, if a GPS signal is available, the client can publish information about its current location. Besides storing information, the VPN Server is able to react on events published into the IF-MAP server by an intrusion detection system like snort.

The VPN Server offers two possible reactions to an event published: Quarantine or Disconnect a device. The VPN Server can react to a specific kind of event or it can react on a magnitude value to each event it is assigned. The magnitude has a potential spectrum of 0 to 100, where 100 is the most severe event. A less severe event could restrict the access to an important file server for example, while a critical event could disconnect the client and maybe even lock the account for further investigation by an administrator.

For additional information about real time enforcement using IF-MAP, including additional graphics, see the whitepaper.

Automated Mobile Security, Part 3

The following is the third post in a series of excerpts from NCP engineering‘s technical white paper, Automated Mobile Security: Leveraging Trusted Network Connect (TNC) IF-MAP to provide automated security for company networks and mobile devices. Part one of the series can be found here; part two of the series can be found here.

WHAT IS ESUKOM ?

The ESUKOM research project aims at leveraging IF-MAP to provide security in mobile device environments. The project will bring IF-MAP support to several key open source products like Snort (intrusion detection), IPtables (firewall), Nagios, FreeRADIUS and ISC DHCP server, to the products of two commercial vendors: NCP engineering (VPN software) and Mikado Soft (NAC solution) and provide an IF-MAP Android client. With this diversity of IF-MAP enabled components, we try to provide example configurations for eight key features, which are the ultimate goal of this research project.

More information about this project can be found at http://www.esukom.de

Now that ESUKOM has been explained, stay tuned for the next post that will explain Realtime Enforcement Using IF-MAP. Also, for more information on the ESUKOM research project and NCP engineering’s role within it, see our three-part Q&A on the topic here.

Automated Mobile Security, Part 2

The following is the second post in a series of excerpts from NCP engineering‘s technical white paper, Automated Mobile Security: Leveraging Trusted Network Connect (TNC) IF-MAP to provide automated security for company networks and mobile devices. Part one of the series can be found here.

WHAT IS IF-MAP ?

IF-MAP stands for InterFace for Metadata Access Points. You can think of IF-MAP as a central database for your IT-systems where they can store information or retrieve information from to get a real-time representation of the status of your network.

There are three basic functionalities an IF-MAP enabled component can do:
► Publish: Clients can store information for other clients to see
► Search: Clients can search for published data using search patterns
► Subscribe: Clients can receive notification when other clients publish new data

To store information in the MAP there are two different data types available: Identifiers and Metadata. Identifiers act as “root hub” for information stored in the IF-MAP. There are only 5 identifiers available: Identity, IP address, MAC address, Access Request and Device.  The other type of data is metadata, which has to be linked to at least one identifier but can also connect two identifiers. Each client has to authenticate itself securely to the MAP Server either with username and password or certificate based authentication. All data is transmitted safely with SSL encryption.

Now that IF-MAP has been explained, stay tuned for the next post that dives into ESUKOM in more detail. Also, for more information on the ESUKOM research project and NCP engineering’s role within it, see our three-part Q&A on the topic here.

Automated Mobile Security, Part 1

The following the first in a series of excerpts from NCP engineering‘s technical white paper, Automated Mobile Security:  Leveraging Trusted Network Connect (TNC) IF-MAP to provide automated security for company networks and mobile devices.

The increasing use of mobile devices like smartphones and tablet PCs introduce new threats to enterprise IT networks. While most of the well known security programs such as desktop firewalls,  antivirus and harddrive encryption work pretty well for laptops, they are still not available for these kinds of mobile devices. The only way to keep your network secure is by providing additional security on the central IT infrastructure.

The problem is, most of today’s security systems work isolated from each other and if they offer interoperability they do so only to a limited extent, which is insufficient to counter the new threats network security faces every day. A new specification developed by the Trusted Computing Group (TCG) strives to solve this interoperability problem with the development of IF-MAP. IF-MAP provides the possibility to interconnect different IT-security systems and provide an accurate representation of the health status of your IT network. It even can automate security responses to network  threats and enforce security without the need for human interaction.
The support for IF-MAP is steadily increasing, as more and more vendors and open source products are supporting the IF-MAP technology.

Stay tuned for the next post that explains IF-MAP in more detail.

Q&A on ESUKOM with Jens Lucius, QA Manager and Trainer at NCP engineering, Part 2

Today, we continue our conversation with Jens Lucius, QA manager and trainer at NCP engineering on the ESUKOM project, which is an initiative that aims to develop a real-time security solution for enterprise networks that works based upon the correlation of metadata. As a core member of the project, NCP has  compiled a technical paper on the project, as well.

Q: NCP’s hybrid IPsec / SSL VPN gateway allows network administrators to block unauthorized VPN clients and supports the Trusted Computing Group’s (TCG) IF-MAP protocol. What’s the ultimate end-user benefit for this?

Jens: The network security right now is very static, and mostly, does not have the ability to act on information in real-time. Fixed defined access lists (mostly even distributed on several access systems), security violation reporting based on e-mail or web-reporting are the standard right now. Not all companies can afford a 24/7 administrator on standby for security problems.

Now we’re try to change that: intrusion detection systems, firewalls and VPNs or even door access systems are able to talk to each other and contribute to a real-time representation of the network. Companies using IF-MAP are able to receive more information about the status of their network and do enforcement based on that. The NCP VPN solution acts not only as a provider of information gathered from a user’s VPN access, but also can do enforcement based on that.

For example, an intrusion detection system could detect a security breach originating from a VPN user, report that to the IF-MAP Server and the NCP VPN solution will shut down or limit the VPN access for that user. No need for time-costly interaction of an administrator (and time is of the essence in case of an attack). Also automation of security enforcement can help take the load of the network administrator, whose task will get more taxing with the increase of mobile workers and their demands. Of course, automation has to be carefully weighed against the possibility of false positives.

Another benefit is the possibility to do single sign-on or federation with other security systems based on a common standard — and not proprietary protocols. Federation, for example, has already been successfully tested with Juniper at the last TCG Plugfest.

Stay tuned for Part 3, in which we talk to Jens about the VOGUE project.