Proposed F19 Feature: Trusted Network Connect (TNC)

Jaroslav Reznik jreznik at redhat.com
Tue Jan 29 15:35:06 UTC 2013


= Features/Trusted Network Connect (TNC) =
https://fedoraproject.org/wiki/Features/Trusted_Network_Connect_%28TNC%29

Feature owner(s): Avesh Agarwal <avagarwa at redhat.com> 

This feature provides a Trusted Network Connect (TNC) framework that can be used 
to assess and verify clients' posture (their integrity measurements or 
configuration) and their compliance with a predefined policy, working with 
existing network access control (NAC) solutions.

== Detailed description ==
Traditionally, network access control (NAC) has lacked the ability, in its 
decision making, to assess an endpoint's security posture and its compliance 
with enterprise policies. This lack of assessment may leave an enterprise's 
network vulnerable to malicious attacks. The Trusted Computing Group (TCG) (and 
the IETF too) has defined an open architecture called Trusted Network Connect 
(TNC) (the IETF's Network Endpoint Assessment (NEA)) to fill this gap. TNC, as 
part of its architectural components, includes integrity measurement 
collectors (IMCs) and a TNC client at the endpoint, and integrity measurement 
verifiers (IMVs) and a TNC server on the enterprise network side, communicating 
over NAC solutions such as EAP with 802.1X to evaluate and verify the security 
posture of the endpoint against the enterprise policies before allowing 
network access. For this, TCG has released transport (IF-T), session 
(IF-TNCCS) and messaging (IF-M) standards which are open and interoperable. By 
virtue of its IF-M protocol, the TNC architecture can leverage the automated 
security aspects of NIST's SCAP (OpenSCAP) for measurement collection, 
verification and remediation. In addition, TCG has defined the IF-PTS and PTS 
protocol specifications to integrate platform trust services (PTS) with TNC 
for TPM-based attestation of integrity measurements. The PTS protocol defines 
messaging payloads to be used over the IF-M protocol.

This feature includes the aforementioned functionalities and aims to provide 
an end-to-end network based client assessment, verification and remediation. 
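The IMC/IMV flow described above, reduced to one round-trip as an added illustration (this is not code from the feature or from any TNC implementation, and it does not use the real IF-M wire format): the IMC on the endpoint collects posture measurements, the IMV on the server side checks them against a constructed enterprise policy, and the TNC server returns an access recommendation together with remediation steps. The policy values, the endpoint fields and the three recommendation names are assumptions made for the example.

```python
# Recommendations a TNC server can hand to the NAC enforcement point (assumed names)
ALLOW, ISOLATE, NO_ACCESS = "allow", "isolate", "no_access"

# Constructed enterprise policy: what the IMV expects of a compliant endpoint
POLICY = {
    "firewall_enabled": True,
    "min_patch_level": 42,
    "required_packages": {"openscap-scanner"},
}

def imc_collect(endpoint):
    """IMC on the endpoint: gathers the posture measurements that would be
    carried to the server as IF-M attributes. `endpoint` is a constructed dict."""
    return {
        "firewall_enabled": endpoint["firewall"],
        "patch_level": endpoint["patch_level"],
        "packages": set(endpoint["packages"]),
    }

def imv_verify(measurements, policy=POLICY):
    """IMV on the server side: compares measurements with the policy and
    returns (recommendation, remediation_steps)."""
    remediation = []
    if measurements["firewall_enabled"] != policy["firewall_enabled"]:
        remediation.append("enable host firewall")
    if measurements["patch_level"] < policy["min_patch_level"]:
        remediation.append(f"update to patch level {policy['min_patch_level']}")
    for pkg in sorted(policy["required_packages"] - measurements["packages"]):
        remediation.append(f"install {pkg}")
    if not remediation:
        return ALLOW, []
    # Assumed policy choice: a disabled firewall denies access outright,
    # any other gap sends the endpoint to an isolated remediation network.
    if "enable host firewall" in remediation:
        return NO_ACCESS, remediation
    return ISOLATE, remediation

def tnc_assess(endpoint):
    """TNC client/server exchange: collect on the endpoint, verify on the server."""
    return imv_verify(imc_collect(endpoint))

if __name__ == "__main__":
    print(tnc_assess({"firewall": True, "patch_level": 40, "packages": []}))
```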

