Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

18 November 2008


So, what's IF-MAP!?
As, you can see, your NAC is at a certain point of time aware of your credentials, the version of the antivirus installed on your PC, the patching level of your OS, etc. And now we need such date to be available for the other devices in the network in order to be able to deal with you not only based on your IP Address, but also based on your username, and machine health. We need some database - MAP or Meta-data Access Point - where all the previous info are available for our Firewalls, IPS's, DHCP Servers and any other network element to base their policies on them. Any IPS now that supports such protocol will be able to deal with end-points and have dynamic policies for them based on various parameters, and not just their IP Address.
"Trusted network connect - part of the Trusted Computing Group - published its Interface for Metadata Access Point protocol on April 28 to provide a common framework for sharing event metadata. This means there's finally a way for security and network devices from a variety of vendors to communicate, and thus make better assessments on whether to grant or deny access to everything from PCs to switches", InformationWeek

So now, even if someone changes his IP address, the firewall will not be fooled by his new IP address, but it will be able to deal with him based on his role in the organization regardless of his address. The IPS will be able to treat the different users differently based on their machine health, role in the organization, etc.

Related Links:
InteropLabs, Making NAC Secuirty - Aware with IF-MAP.
Got the NAC Blog, IF-MAP: Integrating All Network Security.
Got the NAC Blog, The Adoption Curve for IF-MAP.
StillSecure, After All These Years, Is IF-MAP the spark that will ignite theTCG/TNC and the security industry?
Rational Survivability, I Can Haz TCG IF-MAP Support In Your Security Product, Please.

Tags: , , , ,

12 November 2008


I wrote a post here about Network Access/Admission Control as a way to make sure that only authorized and healthy machines will have access to your network.
It's a solution that can check the various hosts before giving them to the network, and it can also control the switches, access points, and create dynamic rules on your firewalls and IPS's in order to granular control the access given to each host to the various resources in the network based on their identity and security posture.
As you can see, to have a successful NAC solution, we need to make sure of the following:

1- You need your NAC Device (Policy Decision Point) to be able to communicate with the different devices in your network (Switches, Access Points, Firewalls, IPS's, etc), in order to push to them the policies needed to control who has access to whcih resources.
2- You can never guarantee that all the devices installed in your network are from the same vendor.

So, the best solution to solve this is to have a standard NAC solution to facilitate the communication between your PDP and PEP's.
And as far as I know, Trusted Computer Group's "Trusted Network Connect" is the only standard available out there.

As for the Switches and Access Points part, TNC decided to make use of the existing 802.1x standard, and added some extension to it in order to transfer the machines health along with the authentication parameters.

But when it comes to the security devices such as Firewall's and IPS's, unfortunately there was no existing standard to depend on. And that's why they decided to introduce a new standard called "IF-MAP" few months ago.

Tags: , ,