Trust@FHH at LinuxTag 2009
The Trust@FHH team member Joerg Vieweg gave a talk titled "Trusted Network Access Control based on Open Source Software - Experiences from Adoption" at LinuxTag 2009 in Berlin.
The talk explained how open source software built on the Trusted Computing Group's Trusted Network Connect (TNC) can increase the security of today's IT systems, especially in modern networks.
In the first part, we gave a general introduction to the concepts of Trusted Network Connect as proposed by the Trusted Computing Group.
The second part presented projects of the Trust@FHH research group that deal with open source software and Trusted Computing as proposed by the TCG, especially the Trusted Network Connect approach.
Three active projects were presented in the talk:
- IF-MAP@FHH, an implementation of the IF-MAP specification
- TNC@FHH, an implementation of the TNC architecture
- tNAC, a project that aims to develop a TNC compatible NAC solution that uses the capabilities of Trusted Computing platforms.
All software developed within these projects is completely open source.
The talk finished with an outlook on current challenges and unsolved problems in the area of Trusted Computing and Trusted Network Connect.
27 Jul 2009
Redesigning the Redesign - TNC@FHH IML Components Version 0.6.0 Alpha released
The TNC@FHH components of the Integrity Measurement Layer (IML) are now available for download in an updated version.
We have redesigned all TNC@FHH components located in the Integrity Measurement Layer (IML). The downloadable package includes:
- IMUnit: a framework for developing IMC/IMV pairs
- DummyIMC/IMV: a simple IMC/IMV pair that just exchanges a few messages before a recommendation is provided
- HostScannerIMC/IMV: an IMC/IMV pair that scans and evaluates the port status of an endpoint
Major changes compared to version 0.5.0:
- TNCUtil was removed
- Log4cxx is now used for logging purposes
- IMUnit now follows a more object-oriented design
- Bug 0000015 was fixed
These IML components are fully compatible with NAA-TNCS version 0.5.0.
22 Jun 2009
tnc@fhh 0.5.0 released
The new version 0.5.0 of tnc@fhh is available for download.
This version includes major changes to the build process: we switched to cmake as our new build environment. The HowTos in the wiki will be updated shortly. Furthermore, all tnc@fhh components are now provided in one tarball.
The build process now looks basically as follows:
switch to <new directory>/build
The FreeRADIUS EAP-TNC patch is not affected by the switch to cmake and is therefore not included in this tarball.
25 May 2009
tnc@fhh participates in TCG Plugfest 2009
tnc@fhh was successfully tested against other open-source projects at the TCG Plugfest 2009.
The plugfest was hosted by the University of New Hampshire InterOperability Lab. We were able to participate remotely thanks to the great virtual environment provided by the organizers of the Plugfest. Several TNC interfaces were successfully tested, including
See the news entry and the short overview by Lisa Lorenzin from Juniper for more information.
08 May 2009
Trust@FHH registered an IANA Private Enterprise Number
The University of Applied Sciences and Arts Hanover has registered an IANA Private Enterprise Number (PEN).
The PEN is 32939 (decimal). The Trust@FHH research group will use this PEN as its Vendor ID within TNC.
Updated versions of the IMC/IMV pairs are available in the download section.
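How such a PEN is used as a TNC vendor ID, as an added example (not Trust@FHH project code): IF-IMC/IF-IMV message types pack the 24-bit vendor ID and an 8-bit message subtype into one 32-bit value, and the ANY wildcards let an IMV subscribe to every subtype of a vendor or to every vendor. The subtype value 0x01 and all function names below are assumptions for illustration.

```c
/* tnc_msgtype.c: how a vendor ID such as the PEN above is used inside TNC.
 * Added example, not Trust@FHH project code.  The layout (upper 24 bits
 * vendor ID, lower 8 bits message subtype) and the ANY wildcards follow the
 * TCG IF-IMC/IF-IMV specifications; the subtype 0x01 is a made-up value for
 * a hypothetical Trust@FHH message. */
#include <stdint.h>
#include <stdbool.h>

#define TNC_VENDORID_FHH   32939u     /* IANA PEN of the university (decimal) */
#define TNC_VENDORID_ANY   0xffffffu  /* wildcard: any vendor */
#define TNC_SUBTYPE_ANY    0xffu      /* wildcard: any subtype */
#define TNC_VENDORID_MAX   0xffffffu  /* a vendor ID must fit in 24 bits */

typedef uint32_t TNC_MessageType;

/* Sanity check for a configured vendor ID: does it fit in 24 bits? */
bool tnc_vendorid_is_valid(uint32_t vendor_id)
{
    return vendor_id <= TNC_VENDORID_MAX;
}

/* Pack vendor ID and subtype into a message type.
 * Returns false (and leaves *out untouched) if the vendor ID does not fit. */
bool tnc_msgtype_make(uint32_t vendor_id, uint8_t subtype, TNC_MessageType *out)
{
    if (!tnc_vendorid_is_valid(vendor_id)) return false;
    *out = (vendor_id << 8) | subtype;
    return true;
}

uint32_t tnc_msgtype_vendor(TNC_MessageType t)  { return t >> 8; }
uint8_t  tnc_msgtype_subtype(TNC_MessageType t) { return (uint8_t)(t & 0xffu); }

/* A type an IMC/IMV actually sends must not contain a wildcard. */
bool tnc_msgtype_is_concrete(TNC_MessageType t)
{
    return tnc_msgtype_vendor(t) != TNC_VENDORID_ANY &&
           tnc_msgtype_subtype(t) != TNC_SUBTYPE_ANY;
}

/* Does `msg` match a type an IMV registered interest in (e.g. via
 * TNC_TNCS_ReportMessageTypes)?  Either field of `registered` may be ANY;
 * a message that itself carries a wildcard is refused. */
bool tnc_msgtype_matches(TNC_MessageType registered, TNC_MessageType msg)
{
    uint32_t rv = tnc_msgtype_vendor(registered);
    uint8_t  rs = tnc_msgtype_subtype(registered);
    if (!tnc_msgtype_is_concrete(msg)) return false;
    return (rv == TNC_VENDORID_ANY || rv == tnc_msgtype_vendor(msg)) &&
           (rs == TNC_SUBTYPE_ANY  || rs == tnc_msgtype_subtype(msg));
}

/* Message type of the hypothetical Trust@FHH message with subtype 1:
 * 32939 = 0x80AB, so the packed value is 0x0080AB01. */
TNC_MessageType tnc_fhh_msgtype(void)
{
    TNC_MessageType t = 0;
    tnc_msgtype_make(TNC_VENDORID_FHH, 0x01, &t);
    return t;
}
```

An IMV that wants every message of this vendor registers the type with subtype TNC_SUBTYPE_ANY; the matching logic above is what a TNCS applies when it decides which IMVs receive a batch message.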
13 Mar 2009
Architecture of tnc@fhh 0.4.x
This article describes the architecture of tnc@fhh 0.4.x.
The components involved are listed and described, followed by the sequence of an EAP-TNC authentication.
For a more basic overview of TNC, see Trusted Computing and Trusted Network Connect in a Nutshell.
For concrete contents of the mentioned configuration files and/or for detailed installation instructions, see the HowTos in the wiki.
tnc@fhh in its current version (TNCUtil v0.4.4, NAA-TNCS v0.4.4, FreeRADIUS EAP-TNC patch v0.4.5) consists of several components.
These are modules for external programs, dynamic libraries and configuration files, most of which depend on other components.
- TNCUtil (libTNCUtil.a, header files in /usr/local/include/TNCUtil/):
TNCUtil provides utility functions that are used by other components.
Furthermore, it includes a framework for developing IMC/IMV pairs.
- NAA-TNCS (libNAA-TNCS.so, header file naatncs.h in /usr/local/include/):
NAA-TNCS implements both the NAA and the TNC Server component of the TNC architecture.
It is built as a shared object that is plugged into a FreeRADIUS server.
- EAP-TNC module: this plug-in mechanism is realised by extending FreeRADIUS with a new EAP module called EAP-TNC.
The module is responsible for exchanging EAP-TNC packets between FreeRADIUS and NAA-TNCS.
- IMVs & IMCs (libIMV/IMC[…].so):
IMVs are the validating components; they communicate with the IMCs on the client side and return a recommendation according to the policy of the particular IMV/IMC pair.
- FreeRADIUS: FreeRADIUS is an open-source RADIUS server with EAP support.
- wpa_supplicant: currently, wpa_supplicant is used as NAR and TNCC because it natively supports TNC and does not need any modification.
Additionally, there are several configuration files for these components.
- /etc/tnc_config: defines the locations of the shared objects of the installed IMVs.
- /etc/tnc/imv_[…].policy: the policy file of a specific IMV
- /usr/local/etc/raddb/eap.conf: holds the configuration of the EAP module, including EAP-TTLS and EAP-TNC.
- /usr/local/etc/raddb/dictionary.tnc: defines a new attribute TNC-Status with three values (Access, Isolate, None)
- /usr/local/etc/raddb/dictionary: includes the TNC dictionary file
- /usr/local/etc/raddb/sites-enabled/default: configuration used after a successful authentication to map the TNC-Status (Access, Isolate, None) to a VLAN ID
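As an added example, not taken from the tnc@fhh HowTo, the two FreeRADIUS files described above could look like this. Assumptions: the attribute number 3000 (FreeRADIUS reserves 3000-4000 for local attributes that are never sent on the wire), the numeric values behind Access/Isolate/None, that TNC-Status is found in the reply list of the default virtual server after EAP-TTLS has copied the inner reply, and the VLAN IDs 10 (production) and 20 (remediation).

```text
# /usr/local/etc/raddb/dictionary.tnc  (assumed content)
ATTRIBUTE   TNC-Status      3000    integer
VALUE       TNC-Status      Access  0
VALUE       TNC-Status      Isolate 1
VALUE       TNC-Status      None    2

# /usr/local/etc/raddb/dictionary  (add this line)
$INCLUDE dictionary.tnc

# /usr/local/etc/raddb/sites-enabled/default, post-auth section (assumed)
post-auth {
    if (reply:TNC-Status == "Access") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (reply:TNC-Status == "Isolate") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # "None", or no TNC-Status at all: fail closed instead of letting
        # the switch fall back to its default VLAN
        reject
    }
}
```

The `else` branch is the important part: an endpoint whose TNC handshake produced no usable result must not end up on the production VLAN merely because the TTLS authentication succeeded. Because attributes from the local number range are not encoded into RADIUS packets, TNC-Status itself never reaches the NAS.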
1. Initialisation of the modules
On startup of FreeRADIUS, the EAP module and its configuration file are loaded.
While loading the EAP module, the EAP-TTLS and EAP-TNC modules are loaded as well.
The default EAP type is EAP-TTLS, because EAP-TNC has to run inside a protected tunnel.
EAP-TTLS is therefore configured to use EAP-TNC as its inner method and to pass the reply attributes of the inner method on to the NAS, since EAP-TNC holds the result of the authentication.
2. Initiation of the TNC authentication
When the first EAP-Response/Identity is received by FreeRADIUS (with EAP-TNC as the configured EAP type), the method tnc_initiate of the EAP-TNC module is called, which starts the EAP-TNC session.
It first checks that the packet arrived inside the TTLS tunnel.
Afterwards a connection ID is calculated and the connection is created.
This is done by a method of NAA-TNCS, which lives in the shared object and is exported via its header file.
That method first loads all installed IMVs listed in /etc/tnc_config and informs them that a new handshake has begun.
tnc_initiate then builds the EAP-TNC packet by setting all attributes in FreeRADIUS's request structure and sets the current stage to AUTHENTICATE.
Finally, the first EAP-TNC request is sent to the peer.
3. Ongoing TNC authentication
When an EAP-TNC response is received while the current stage is AUTHENTICATE, the tnc_authenticate method of the EAP-TNC module is called.
It basically forwards the EAP-TNC data to NAA-TNCS and forms an appropriate EAP reply.
Again, the NAA-TNCS shared object is used to pass the EAP-TNC message to the TNC Server, where all messages are extracted from the EAP-TNC packet (from the TNCCS batch to TNCCS messages and IMC/IMV messages).
The IMC/IMV messages are forwarded to the respective IMVs, which in turn can send a response or provide a recommendation to the TNCS.
Depending on the resulting connection state, the handshake either continues (when one or more IMC/IMV pairs still have messages to exchange) or is finished.
In the latter case, the internal FreeRADIUS server-side attribute TNC-Status is set.
TNC-Status is defined in the dictionary file dictionary.eaptnc and has the values "Access", "Isolate" or "None".
Finally, the resulting EAP packet is sent back to the client (AR).
4. After a successful TNC authentication
When the authentication was successful, FreeRADIUS processes the entries of the post-auth section of the default virtual server.
Using unlang, the value of TNC-Status is read and the VLAN settings (Tunnel-Type, VLAN ID) are added to the reply, which FreeRADIUS then sends to the PEP.
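The packet handling of steps 2 and 3 in code, as an added example (not tnc@fhh or FreeRADIUS code): a bounds-checked parser for EAP-TNC packets, the Start request that tnc_initiate sends to the peer, and a fail-closed mapping from the IF-IMV recommendation to the three TNC-Status values. The wire layout follows the TCG IF-T binding for EAP; the sample bytes, the mapping and the helper names are assumptions.

```c
/* eap_tnc_demo.c: parse and build EAP-TNC packets the way the server side
 * sketched above has to.  Added example, not tnc@fhh or FreeRADIUS code.
 * Wire layout (TCG IF-T binding for EAP): EAP type 38; flags byte
 * L|M|S|reserved|version; 4-byte Data Length when L is set; then data.
 * The sample bytes and the recommendation mapping are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EAP_CODE_REQUEST   1
#define EAP_CODE_RESPONSE  2
#define EAP_TYPE_TNC       38
#define EAP_TNC_FLAG_L     0x80   /* Data Length field present */
#define EAP_TNC_FLAG_M     0x40   /* more fragments follow */
#define EAP_TNC_FLAG_S     0x20   /* start of a TNC handshake */
#define EAP_TNC_VERSION    1
#define EAP_TNC_HDR_LEN    6      /* Code, Identifier, Length(2), Type, Flags */

typedef struct {
    uint8_t code, identifier, flags;
    uint32_t total_len;      /* Data Length field, 0 if absent */
    const uint8_t *data;     /* TNCCS batch (fragment) */
    size_t data_len;
} eap_tnc_pkt;

/* Parse one EAP-TNC packet.  Every length is checked against the buffer
 * before use, so a hostile peer cannot make the server read past `buf`.
 * Returns 0 on success, a negative code on error. */
int eap_tnc_parse(const uint8_t *buf, size_t buflen, eap_tnc_pkt *out)
{
    if (buflen < EAP_TNC_HDR_LEN) return -1;
    uint16_t len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (len < EAP_TNC_HDR_LEN || len > buflen) return -2;  /* Length field lies */
    if (buf[4] != EAP_TYPE_TNC) return -3;
    uint8_t flags = buf[5];
    if ((flags & 0x07) != EAP_TNC_VERSION) return -4;
    size_t off = EAP_TNC_HDR_LEN;
    uint32_t total = 0;
    if (flags & EAP_TNC_FLAG_L) {
        if (len < EAP_TNC_HDR_LEN + 4) return -5;
        total = ((uint32_t)buf[6] << 24) | ((uint32_t)buf[7] << 16) |
                ((uint32_t)buf[8] << 8)  |  (uint32_t)buf[9];
        off += 4;
    }
    out->code = buf[0];
    out->identifier = buf[1];
    out->flags = flags;
    out->total_len = total;
    out->data = buf + off;
    out->data_len = len - off;
    /* a fragment may never be longer than the announced total */
    if ((flags & EAP_TNC_FLAG_L) && out->data_len > total) return -6;
    return 0;
}

/* Build the packet tnc_initiate sends: an EAP-Request with the Start flag
 * and no data.  Returns the packet length, or 0 if `buf` is too small. */
size_t eap_tnc_build_start(uint8_t identifier, uint8_t *buf, size_t buflen)
{
    if (buflen < EAP_TNC_HDR_LEN) return 0;
    const uint8_t hdr[EAP_TNC_HDR_LEN] = { EAP_CODE_REQUEST, identifier, 0,
        EAP_TNC_HDR_LEN, EAP_TYPE_TNC, EAP_TNC_FLAG_S | EAP_TNC_VERSION };
    memcpy(buf, hdr, EAP_TNC_HDR_LEN);
    return EAP_TNC_HDR_LEN;
}

/* IF-IMV action recommendation values (TCG IF-IMV). */
enum { TNC_REC_ALLOW = 0, TNC_REC_NO_ACCESS = 1,
       TNC_REC_ISOLATE = 2, TNC_REC_NO_RECOMMENDATION = 3 };

/* Map the TNCS result to the TNC-Status value set for post-auth.  Assumed
 * mapping; anything unexpected, including "no recommendation", fails closed. */
const char *tnc_status_from_recommendation(uint32_t rec)
{
    switch (rec) {
    case TNC_REC_ALLOW:   return "Access";
    case TNC_REC_ISOLATE: return "Isolate";
    default:              return "None";
    }
}

/* Constructed sample (not a real TNCCS batch): EAP-Response, Id 7,
 * Length 14, Data Length field present, 4 bytes of data. */
static const uint8_t sample_response[] = {
    EAP_CODE_RESPONSE, 0x07, 0x00, 0x0e, EAP_TYPE_TNC, 0x81,
    0x00, 0x00, 0x00, 0x04, 'B', 'A', 'T', 'C'
};

/* Returns the payload length of the sample, or the negative parse error. */
int demo_parse_sample(void)
{
    eap_tnc_pkt p;
    int rc = eap_tnc_parse(sample_response, sizeof sample_response, &p);
    if (rc != 0) return rc;
    if (p.code != EAP_CODE_RESPONSE || p.total_len != 4) return -100;
    if (memcmp(p.data, "BATC", 4) != 0) return -101;
    return (int)p.data_len;
}

/* Same bytes, but the Length field claims 64 bytes: must be rejected. */
int demo_parse_overlong(void)
{
    uint8_t bad[sizeof sample_response];
    eap_tnc_pkt p;
    memcpy(bad, sample_response, sizeof bad);
    bad[3] = 0x40;
    return eap_tnc_parse(bad, sizeof bad, &p);
}

/* Build the Start request and parse it back; returns its flags byte or -1. */
int demo_start_roundtrip(void)
{
    uint8_t buf[EAP_TNC_HDR_LEN];
    eap_tnc_pkt p;
    if (eap_tnc_build_start(1, buf, sizeof buf) != EAP_TNC_HDR_LEN) return -1;
    if (eap_tnc_parse(buf, sizeof buf, &p) != 0 || p.data_len != 0) return -1;
    return p.flags;
}
```

The Length and Data Length checks are where an EAP method implementation inside a RADIUS server is most easily broken; the parser rejects a packet whose Length exceeds the received buffer before touching any payload byte, and the recommendation mapping defaults to "None" so that an IMV that never answers cannot produce an "Access" result.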
Diagram of the components and their relations.
This picture shows all components used on the server side of tnc@fhh.
16 Feb 2009
FreeRADIUS EAP-TNC patch 0.4.5 released
The new version 0.4.5 of the EAP-TNC patch for FreeRADIUS has been released.
One of the main changes is that the VLAN assignment is no longer performed by the EAP-TNC module but by another FreeRADIUS module. This separates verification (what EAP-TNC does) from assignment (the VLAN mapping). It also leads to leaner code in our module, but requires a new way of configuring the TNC Server.
This new configuration is described in the HowTo in the wiki (HowTo build a TNC@FHH-Server on Linux).
03 Feb 2009
Latest Changes on Trust@FHH
Work is still going on here. We have finally migrated the old TNC@FHH bug tracking system and wiki.
Check it out. Any feedback is appreciated via email@example.com
27 Jan 2009