Triumfant Implements SCAP / Trusted Network Connect
September 28, 2010
Today Triumfant was part of a broader announcement by the Trusted Computing Group (TCG) about the integration of the Trusted Network Connect (TNC) security specifications with the Security Content Automation Protocol (SCAP) from the National Institute of Standards and Technology (NIST). Triumfant was listed in the press release as having implemented the TNC/SCAP integration in collaboration with Juniper Networks, and we demonstrated this capability for the past two days at the NIST IT Security Automation Conference at the Baltimore Convention Center.
Let me pause for an acronym break and level set. The Trusted Computing Group is a not-for-profit organization that promotes open, vendor-neutral industry standards for trusted computing by helping define standards and specifications for sharing information across multiple computing platforms. Triumfant is a member of TCG.
TCG’s Trusted Network Connect (TNC) architecture is a standards-based framework for Network Access Control (NAC) that bases network access decisions on security state information. The objective of the TNC architecture is to deny network access to endpoints that do not meet certain minimum security criteria or are found to be corrupted or under malicious attack. The TNC architecture may invoke NAC operations to place machines in quarantine to prevent further infection.
It may sound elemental, but implementing TNC implies that an organization must have some common minimum security criteria to apply, which surprisingly is not always the case. This is where the integration with SCAP was so natural, as SCAP provides a standard set of criteria that is well defined and readily applicable to the TNC process. Triumfant’s specific and unique methods for monitoring SCAP criteria made our implementation an even tighter fit, as Triumfant maintains a central repository of SCAP compliance data that can be readily accessed to verify minimum compliance.
Triumfant worked with the good folks at Juniper Networks to build the current TNC/SCAP implementation and was able to code the software necessary to make the process work using the TNC framework from TCG and SDKs from Juniper. I will skip the execution details, but you can get all of the information you require through our TNC white paper and our TNC Fact Sheet or from our TNC web page.
From my side, the entire TNC process just makes sense. Machines have to meet some minimum standard to connect, and if they don’t, they have to be brought into compliance. Since drift happens, the machine must be periodically checked to ensure that it is still in the proper compliant state to stay connected. If a machine is not compliant or is under attack, it must be remediated quickly and with minimal human intervention to restore the machine and therefore its ability to connect. All of this needs to be done transparently and without any undue intrusion on the endpoint. The TNC/SCAP implementation from Triumfant and Juniper does just that.
In short, the TNC implementation checks the minimum security criteria at log-in and at regular intervals while the machine is connected to the network. If the compliance assessment fails, the NAC is triggered to take some form of action, normally moving the machine to a remediation network. Here the compliance problems can be addressed and the compliance assessment process executed again, with the goal of moving the machine back to the primary network when the assessment is positive.
Triumfant was an early adopter of SCAP, and the SCAP standards are fully integrated into our processing. Triumfant provides policies for the SCAP configuration standards and executes those policies as an optional part of our daily processing. Implementing the TNC/SCAP integration simply requires that the administrator choose which SCAP criteria are to be used as the criteria set for connection. Triumfant performs continuous monitoring of the SCAP policies and stores the actual results of the SCAP policies in the server repository, so it is possible to check a machine’s compliance status without having to do a lengthy on-demand scan of the machine. This capability gives the TNC/SCAP implementation the ability to check compliance at log-in without creating long delays while the security criteria are verified.
A critical differentiator of Triumfant has always been our unique ability to build a situational remediation to fix the problems we find, both non-compliance and malware. This capability aligns perfectly with the TNC process of remediating the problem and restoring the affected machine. Triumfant builds the appropriate remediation to address the detected problems, after which the compliance assessment can be executed to verify that the machine may be returned to the primary network.
Of course, the Triumfant TNC implementation is not limited to SCAP criteria. Any security configuration policy defined to Triumfant may be applied. That being said, the integration of TNC with SCAP is just one of those hand-in-glove combinations that makes too much sense. Furthermore, the TNC process can also be triggered if Triumfant detects malware on the machine, and in fact, our demonstration implementation shows that capability. This helps protect your network when we detect an attack that gets past your traditional shields (which of course they do).
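The access decision described above (cached compliance results checked at log-in and at intervals, with a malware detection also triggering quarantine) can be modeled as follows. This is an added example, not Triumfant's or Juniper's code: every name, the rule ids, the 24-hour freshness limit and the fail-closed handling of a missing record are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical names throughout; this does not reproduce any TNC or vendor API.
PRIMARY, REMEDIATION = "primary", "remediation"

@dataclass
class CachedAssessment:
    results: dict              # rule id -> "pass" / "fail" (constructed ids)
    assessed_at: datetime      # when monitoring last stored these results
    malware_detected: bool = False

def decide(endpoint, repo, required_rules, now, max_age=timedelta(hours=24)):
    """Place one endpoint using only results already in the repository."""
    record = repo.get(endpoint)
    if record is None:
        # Assumption: an endpoint with no stored assessment fails closed.
        return REMEDIATION, ["no assessment on record"]
    reasons = []
    if record.malware_detected:
        reasons.append("malware detected")
    if now - record.assessed_at > max_age:
        # Assumption: a cached result is only trusted while it is fresh.
        reasons.append("assessment stale")
    for rule in sorted(required_rules):
        # A rule missing from the results is treated the same as a failure.
        if record.results.get(rule) != "pass":
            reasons.append(f"rule not passing: {rule}")
    return (REMEDIATION if reasons else PRIMARY), reasons

def demo():
    """Constructed walk-through: log-in check fails, remediation, re-check."""
    t0 = datetime(2010, 9, 28, 9, 0)
    required = {"rule_firewall_enabled", "rule_password_min_length"}
    repo = {"host-a": CachedAssessment(
        {"rule_firewall_enabled": "pass", "rule_password_min_length": "fail"},
        t0)}
    at_login = decide("host-a", repo, required, t0 + timedelta(minutes=5))
    # Remediation corrects the setting and monitoring stores a fresh result.
    repo["host-a"] = CachedAssessment(
        {rule: "pass" for rule in required}, t0 + timedelta(minutes=20))
    after_fix = decide("host-a", repo, required, t0 + timedelta(minutes=21))
    return at_login, after_fix

if __name__ == "__main__":
    for placement, reasons in demo():
        print(placement, reasons)
```

Because the decision reads only stored results, its cost at log-in is a lookup, but its correctness depends on how recently monitoring refreshed the record, which is why the example checks freshness explicitly.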
It is always fulfilling to participate in activities like the TNC implementation because it provides a practical and visual illustration of the capabilities of Triumfant. It has also been a pleasure to work with the folks at TCG and with the team at Juniper, specifically Steve Hannah, who is a distinguished engineer with Juniper and a very active member of the TCG.