M. Jungbauer, N. Pohlmann: “tNAC – trusted Network Access Control meets security platform”, ENISA Quarterly Vol. 5
tNAC – trusted Network Access Control meets security platform
Current and future networks must be flexible and open to expansion, and at the same time they should enable trusted communication. The flexibility and low cost of the Internet come with a lack of security that allows only limited use of the available possibilities. Field workers use their computer systems in many different environments with varying security requirements and conditions; home workers use their PCs for private purposes, and regular employees take their notebooks home. Because these computer systems are temporarily or permanently removed from the company network, and therefore from its protective measures, they are exposed to significant dangers. If a computer is compromised by malware outside the company network, the company’s security mechanisms are bypassed when it is reintegrated into the company network, either directly or via the Internet.
Even today there are ways of expanding networks flexibly and equipping them with security services, for example VPNs, which offer encryption and user authentication. What is lacking, however, are security mechanisms that guarantee the trustworthiness and the identity of the computer systems being used.
The Network Access Control (NAC) concept belongs to a fairly new group of security concepts that make the trustworthiness of computer systems verifiable and thereby help to establish trustworthy and secure network connections. In a NAC-enabled network the configuration of any connecting computer system is checked preventively before network access is granted. Only if the security policies defined by the network operator are fulfilled is a computer system considered trustworthy and allowed to access the network and the connected services. Computer systems with a faulty or undesirable system configuration cannot enter the network, which is therefore protected from damage.
With the Trusted Network Connect (TNC) [Trus08] specification the Trusted Computing Group is developing its own NAC approach. The development takes place in the Trusted Network Connect Subgroup [Trus06], in which over 85 firms are represented, and the specification is currently (May 2008) available in version 1.3 [Tru+08]. The aim is an open, vendor-independent specification for verifying endpoint integrity.
Besides TNC there are further NAC approaches in existence. The most prominent representatives are Cisco Network Admission Control (Cisco NAC) [Cisc04], part of the “Self-Defending Network” strategy, and Microsoft Network Access Protection (Microsoft NAP) [Micr08], released along with Windows Server 2008. In addition to these three “major” solutions there are many further approaches from firms such as Check Point, Juniper Networks, StillSecure, Symantec and Vernier Networks.
Limitations of today’s NAC Solutions
All current NAC concepts, including those given above, have limitations, for example complex management and barely existing interoperability.
But the core limitation is the lack of trustworthiness caused by the use of common operating systems. The trustworthiness created by any NAC solution depends on the trustworthiness of the client’s measurement readings, which represent the client’s state. These readings must be measured correctly and transmitted to the NAC network in a trustworthy manner, without modification. With common operating systems there is no way to guarantee the correctness of the measured values: if the operating system of a computer has been compromised, the malware can influence the measurement readings at any time, which leads to a paradox. The readings are supposed to prove that the client is not compromised, but because of the permanent risk of unnoticed falsification any collected data must be considered potentially compromised and therefore not trustworthy. This was demonstrated at the Black Hat conference in 2007 using Cisco NAC: by means of a modified Cisco Trust Agent (CTA) it was possible at all times, irrespective of the computer’s actual status, to gain access to a NAC-protected network [Heis07].
In order to get around this paradox, TNC offers, through its optional direct support for the Trusted Platform Module (TPM), a certain level of hardware-based protection against manipulation and the possibility of signing the measured values, so that their transmission can be secured. However, as long as common operating systems are still used, the level of trust reachable with a TPM remains limited, because malware can still manipulate the measurement readings directly at the measured components, before they are ever signed.
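The two situations described in the last two paragraphs, as an added example that is not part of the article and not code from the TNC specification or from any of the products named: a Python simulation in which a NAC verifier compares a client’s posture readings against the operator’s policy, once trusting the readings exactly as the agent sent them and once checking them against a TPM-style quote. The TPM is a software stand-in (an HMAC under a secret that host software is assumed not to be able to read replaces the attestation key signature; the SHA-1 extend chain follows the TPM 1.2 PCR convention). The policy, the host states, the nonce and the agent behaviours are constructed for the example.

```python
"""Simulation of NAC posture checks with and without TPM-backed measurements.
Added example; not code from the article, from TNC or from any product.
The 'TPM' is a software stand-in whose AIK signature is modelled by an HMAC.
"""
import hashlib
import hmac

# Constructed operator policy: the readings a client must report to be admitted.
POLICY = {"av_signatures": "2008-05", "firewall": "on", "patch_level": "SP1"}

# Assumption: stands in for the TPM's Attestation Identity Key. A real TPM signs
# with a private key that never leaves the chip; here the verifier shares the secret.
AIK_SECRET = b"example-aik-secret-not-a-real-key"

# Constructed state of a host that was infected while outside the company network.
INFECTED_HOST = {"av_signatures": "2007-11", "firewall": "off", "patch_level": "SP1"}


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2-style extend: new PCR = SHA-1(old PCR || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


class SimulatedTPM:
    """Holds one PCR and quotes it; the quoting secret is not exposed to callers."""

    def __init__(self) -> None:
        self.pcr = bytes(20)

    def extend(self, measurement: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, measurement)

    def quote(self, nonce: bytes) -> bytes:
        # HMAC over (PCR, nonce) stands in for the AIK signature of a TPM quote.
        return hmac.new(AIK_SECRET, self.pcr + nonce, hashlib.sha256).digest()


def encode_readings(state: dict) -> list:
    """Measurement collector: one reading per policy item, in a fixed order."""
    return [f"{k}={state.get(k, 'unknown')}".encode() for k in sorted(POLICY)]


def collect(read_state, tpm: SimulatedTPM) -> list:
    """Query the measured components and extend every reading into the PCR."""
    readings = encode_readings(read_state())
    for r in readings:
        tpm.extend(r)
    return readings


def policy_satisfied(readings: list) -> bool:
    return readings == encode_readings(POLICY)


def verify_plain(readings: list) -> bool:
    """Conventional NAC verifier: trusts whatever the agent transmitted."""
    return policy_satisfied(readings)


def verify_attested(readings: list, quote: bytes, nonce: bytes) -> bool:
    """TNC/TPM-style verifier: recompute the PCR from the reported readings and
    check that the quote covers exactly that PCR and this session's nonce."""
    pcr = bytes(20)
    for r in readings:
        pcr = pcr_extend(pcr, r)
    expected = hmac.new(AIK_SECRET, pcr + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote):
        return False  # readings were altered after they were measured, or replayed
    return policy_satisfied(readings)


def honest_agent(readings: list) -> list:
    return readings


def modified_agent(readings: list) -> list:
    """Like the modified Trust Agent: reports a clean posture whatever the state."""
    return encode_readings(POLICY)


def hook_measurement(read_state):
    """Malware sitting at the measured components: every query answers with the
    value the policy wants, so the TPM faithfully signs a lie."""
    return lambda: {k: POLICY[k] for k in read_state()}


def run_session(read_state, agent, nonce: bytes = b"nonce-0001") -> tuple:
    """Returns (admitted by plain NAC, admitted by TPM-backed NAC)."""
    tpm = SimulatedTPM()
    true_readings = collect(read_state, tpm)
    quote = tpm.quote(nonce)
    sent = agent(true_readings)
    return verify_plain(sent), verify_attested(sent, quote, nonce)


def scenarios() -> dict:
    infected = lambda: dict(INFECTED_HOST)
    return {
        "clean host, honest agent": run_session(lambda: dict(POLICY), honest_agent),
        "infected host, honest agent": run_session(infected, honest_agent),
        "infected host, modified agent": run_session(infected, modified_agent),
        "infected host, hooked measurement": run_session(hook_measurement(infected), honest_agent),
    }


if __name__ == "__main__":
    for name, (plain, attested) in scenarios().items():
        print(f"{name:36} plain NAC: {plain!s:5}  TPM-backed: {attested}")
```

The third scenario is the Black Hat demonstration: the modified agent is admitted by the plain verifier, while the TPM-backed verifier rejects it because the reported readings do not reproduce the PCR that was quoted. The fourth scenario is the caveat of the last paragraph: when malware alters what the measured components answer, the quote is genuine and both verifiers admit the infected host.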