ETISS 2009 in Graz

The Trust@FHH team participated in the ETISS 2009.

The European Trusted Infrastructure Summer School 2009 was held in Graz, Austria. The Trust@FHH team participated in this year’s summer school. We were asked to give a lecture and to run a lab about Trusted Network Connect.

Thanks to IAIK for hosting such a great event.

tnc@fhh 0.6.0 RC 1 released

Release Candidate 1 of tnc@fhh 0.6.0 is available for download.

This new release introduces a set of new features:

• improved framework for developing IMC/IMV pairs
• cmake based build process
• new package structure (see below)
• first steps to support IF-TNCCS SoH and IF-TNCCS 2.0
• decoupling of TNCS and NAA logic (now provided as two separate shared objects)
• using log4cxx as logging framework

From now on, tnc@fhh software will be provided in a more convenient package structure.

The 0.6.0 RC 1 release consists of three packages (the green boxes)

• imcs: contains all tnc@fhh IMCs and the necessary library imunit
• imvs: contains all tnc@fhh IMVs and the necessary library imunit
• server-freeradius: contains all tnc@fhh components necessary for setting up a PDP based upon FreeRADIUS

The tarballs are available in the download section.

Trust@FHH at LinuxTag 2009

The Trust@FHH Team Member Joerg Vieweg gave a talk about Trusted Network Access Control based on Open Source Software - Experiences from Adoption at the LinuxTag 2009 in Berlin. The talk was aimed to explain how open source software based upon Trusted Computings Trusted Network Connect can help to increase the security of today’s IT systems, especially in the area of modern networks.

In the first part, we gave a general introduction into the concepts of Trusted Network Connect as proposed by the Trusted Computing Group.

The second part presented projects of the Trust@FHH research group that deal with open source software and Trusted Computing as proposed by the TCG, especially the Trusted Network Connect approach.

Three active projects that were presented in the talk:

1. IF-MAP@FHH, an implementation of the IF-MAP specification
2. TNC@FHH, an implementation of the TNC architecture
3. tNAC, a project that aims to develop a TNC compatible NAC solution that uses the capabilities of Trusted Computing platforms.

All software that is developed within these projects is completely open source.

The talk finished with an outlook of current challenges and unsolved problems in the area of Trusted Computing and Trusted Network Connect.

Redesigning the Redesign - TNC@FHH IML Components Version 0.6.0 Alpha released

TNC@FHH’s components of the Integrity Measurement Layer (IML) are now available for download in an updated version.

We have redesigned all TNC@FHH components that are located in the Integrity Measurement Layer (IML). The downloadable package includes:

• IMUnit: a framework for developing IMC/IMV pairs
• DummyIMC/IMV: a simple IMC/IMV pair that just sends some messages around before a recommendation is provided
• HostScannerIMC/IMV: an IMC/IMV pair that scans and evaluates the port status of an endpoint

Major changes to version 0.5.0 are:

• TNCUtil was removed
• Log4cxx is now used for logging purposes
• IMUnit has now a more object oriented approach
• Bug 0000015 was fixed

These IML components are fully compatible with NAA-TNCS version 0.5.0.

tnc@fhh 0.5.0 released

The new version 0.5.0 of tnc@fhh is available for download.

This version includes major changes regarding the build process. We switched to cmake as our new build environment. The HowTos in the Wiki will be updated shortly. Furthermore, we are now providing all tnc@fhh components in one tarball.

The build process now looks basically as follows:

extract tarball

switch to <new directory>/build

cmake ../

make

make install

The FreeRADIUS EAP-TNC patch is not affected by the cmake-switch and therefore not included in this tarball.

tnc@fhh participates in TCG Plugfest 2009

tnc@fhh was successfully tested with other open-source projects at the TCG Plugfest 2009.

The plugfest was hosted by the University of New Hampshire InterOperability Lab. We were able to participate remotely thanks to the great virtual environment that was provided by the organizers of the Plugfest. Several TNC interfaces were sucessfully tested, including

• IF-TNCCS
• IF-IMC
• IF-IMV
• IF-PEP

See the news entry and the short overview by Lisa Lorenzin from Juniper for more information.

Trust@FHH registered an IANA Private Enterprise Number

The University of Applied Sciences and Arts Hanover has registered an IANA Private Enterprise Number. The PEN is 32939 decimal. The Trust@FHH research group will use this PEN as Vendor ID within TNC.

Updated versions of the IMC/IMV pairs are available in the download section.

Architecture of tnc@fhh 0.4.x

This article describes the architecture of tnc@fhh 0.4.x. Therefore, the components which are used are listed and described, as well as the sequence of an EAP-TNC-authentication. For a more basic overview of TNC, see Trusted Computing and Trusted Network Connect in a Nutshell. For concrete contents of the mentioned configuration files and/or for detailed installation instructions, see the HowTos in the wiki.

Overview

tnc@fhh in its actual version (TNCUtil v0.4.4, NAA-TNCS v0.4.4, FreeRADIUS EAP-TNC-patch v0.4.5) consists of several components. There are modules for external programs, dynamic libraries and configuration files, which the most of are in relation to some other components.

Components

• TNCUtil (libTNCUtil.a, header-files in /usr/local/include/TNCUtil/): TNCUtil delivers some utility functions that are use by other components. Furthermore, it includes a framework for developing IMC/IMV pairs.
• NAA-TNCS (libNAA-TNCS.so, header-file naatncs.h in /usr/local/include/): NAA-TNCS is the implementation of both the NAA and TNC-Server component as proposed by the TNC architecture. It is implemented as shared object that is plugged into a FreeRADIUS server.
• EAP-TNC-module: This plug-in mechanism is realised by extending FreeRADIUS with a new EAP-module called EAP-TNC. This module is responsible for exchanging EAP-TNC packets between FreeRADIUS and NAA-TNCS.
• IMVs & IMCs (libIMV/IMC[…].so): IMVs are the validating components who communicate with the IMCs on the clientside, and return a recommendation regarding to a IMV/IMC-pair-specific policy.
• FreeRADIUS: FreeRADIUS is a open-source Radius-server, which has EAP-functionality.
• wpa_supplicant: Currently, wpa_supplicant is used as NAR and TNCC cause it natively supports TNC and does not need any modification.

Configuration files

Additionally there are several configuration files for all of the components.

• /etc/tnc_config: defines the location of the shared objects of the installed IMVs.
• /etc/tnc/imv_[…].policy: the policy-file for a specific IMV
• /usr/local/etc/raddb/eap.conf: holds the configuration of the EAP-module, which includes EAP-TTLS and EAP-TNC.
• /usr/local/etc/raddb/dictionary.tnc: defines a new attribute TNC-Status, and three values (Access, Isolate, None)
• /usr/local/etc/raddb/dictionary: includes the TNC dictionary file
• /usr/local/etc/raddb/sites-enabled/default: configuration that is used after an successful authentication for mapping an TNC-Status (Access, Isolate, None) to a VLAN-ID

Operational sequence

1. Initiation of the modules

On the startup of FreeRADIUS, the EAP-module and the corresponding configuration file are loaded. In the course of loading the EAP-module, the EAP-TTLS and the EAP-TNC-modules are also loaded. The default-type for EAP is EAP-TTLS, as EAP-TNC has to be run inside of a secure tunnel. Therefore, EAP-TTLS is configured to use EAP-TNC as its inner method, and it is also configured to send the reply-attributes from the inner method to the NAS, as EAP-TNC holds the result of the authentication.

2. Initiation of the TNC-authentication

When the first EAP_IDENTITY_RESPONSE (with EAP-TNC as the EAP-type) was received by FreeRADIUS, the method tnc_initiate from the EAP-TNC-module is called, which initiates the EAP-TNC-session. In the beginning it checks if the packet is inside TTLS. Afterwards an connection ID is calculated and the connection is created. This is done by a method of NAA-TNCS, which is located in an shared object and provided via a header-file. The method first loads all installed IMVs which are listed in /etc/tnc_config and informs them that a new handshake has begun. tnc_initiate then builds the EAP-TNC-packet by setting all attributes in the request-structure of FreeRADIUS and settings the current stage to AUTHENTICATE. Finally, the first EAP_TNC_RESPONSE is send to the peer.

3. Ongoing TNC-authentication

When a EAP_TNC_RESPONSE (and the current stage is AUTHENTICATE) is received, the tnc_authenticate-method within the EAP-TNC-module is called. It basically forwards the EAP-TNC-data to the NAA-TNCS and forms an appropriate EAP_RESPONSE. Again, the NAA-TNCS-shared object is used to send the EAP-TNC-message to the TNC-Server where all the messages from the EAP-TNC packet are extracted (from TNCCS-Batch to TNCCS-messages and IMC/IMV-messages). The IMC/IMV messages are forwarded to the respective IMVs, which in turn can send a response or provide a recommendation to the TNCS. Regarding to the resulting connection state, the handshake is either still ongoing (when one or more IMCs/IMVs have to exchange more messages) or the handshake is finished. In the last case, the internal FreeRADIUS server-side-attribute TNC-Status is set. TNC-Status is defined in the dictionary-file dictionary.eaptnc and has the values “Access”, “Isolate” or “None”. Finally, an EAP-Response-Package is send back to the client/AR.

4. After an successful TNC-authentication

When the authentication was successful, FreeRADIUS uses the entries in the post-authentication-section of the default-policy. By using the unlang-language, the value of TNC-Status is read and VLAN-settings (Tunnel-Type, ID) are added to the reply, which is then send from FreeRADIUS to the PEP. Diagram of the components and their relations.

This picture shows all components that are used on the serverside of tnc@fhh.