Commonly Asked Questions and Answers – TNC/InformationWeek Webcast

Answers to the questions posed during TCG’s webcast on April 26, 2011, “Automate to Win: The Business Case for Standards-based Security”.

Trusted Computing Group (TCG) with Information Week recently sponsored the webcasts “Automate to Win: A Business Case for Standards-Based Security,” with Steve Hanna of TCG and Juniper Networks and Craig Dupler, Boeing. The archived webcast can be found at
http://event.on24.com/eventRegistration/EventLobbyServlet?target=lobby.jsp&eventid=295437&sessionid=1&key=BF29D0300BCFFB0FDFABCAE80376179F&eventuserid=47715247.

The following are questions posed during that webcast with answers provided by experts from the Trusted Computing Group and by Dupler.

Q. Is the tool that manages these IT resources (the IF-MAP server) available for us to download and customize?
A. Many vendors are shipping or planning real products based upon the IF-MAP standards. A complete list of commercial products is available at http://www.if-map.org/en/available-products.html and a list of open source implementations is available at http://www.ifmapdev.com.

Q. Do you [Boeing] use any Cisco equipment and how well do they play with the TNC standards?
A. At Boeing, we call ourselves a “Cisco shop” but that is a bit of a misnomer. We also use products from Infoblox and Juniper as a part of our core infrastructure. Also, M&A activity frequently introduces other equipment into our environment. Be that as it may, we do have mostly Cisco switches and routers and have had no issues at all with our TNC architecture implementation.

Q. How feasible is it to keep down the cost of a Dynamic, Automated Security Implementation for the prolonged period of time?
A. Each organization will have its own unique perspective on the meaning of “…keeping down the cost…” As a highly visible aerospace company, some aspects of Boeing’s network security environment are “challenging”. So we may be willing to spend a little more than some. However, one of the main advantages if the TNC architecture is the way in which it enables a separation of duties in alignment with statements of work. TNC makes things a whole lot easier to keep your controls out of the IT networking business and your IT people out of the control systems engineering business. That has to spell cost savings.

Q. Would you recommend an external audit to assess risks? If yes, how frequently?
A. This is actually the most difficult questions of all. First, by all means I would recommend reviewing the adequacy of one’s security posture as often as is practicable. For an audit to be worthwhile, the team performing the audit must have adequate training and experience with respect to the threat, the controls, and the system of internal control (i.e. division of labor).

Depending on the severity of the threat environment that a company faces, finding good threat and security auditors might be a bit of a challenge. It can even be difficult to gain enough expertise to evaluate the competency of a team one might consider engaging to perform the audit. That being said, some audit work is better than no audit work. Another possibility is to send one or more of your technical people to the security training provided by Idaho National Labs. As part of that training and besides scaring the participants about the nature of the many bad actors out there, INL has a number of tools that come with the training which can help perform a self assessment.

Q. What if my vendor doesn’t support TNC protocols?
A. If your vendor doesn’t support the TNC protocols, ask them to add TNC support and point them to the TCG web site for more information.

Q. Does TNC also allow for self-provisioning?
A. Different vendors include different features in their products. Some vendors that implement the TNC standards include support for self-provisioning. Some don’t.

Q. Can you speak more about HAP? While a HAP development kit is “said” to be available, it has been a month since it was requested and none is yet forthcoming.
A. The High Assurance Platform (HAP) Program is an initiative under the U.S. National Security Agency that uses TCG technologies to provide exceptionally strong information security. However, it’s not a TCG effort so we’re not able to provide support or details regarding HAP. We recommend that you contact the HAP team directly or review the information online at http://www.nsa.gov/ia/programs/h_a_p/overview/index.shtml.

Q. What is the role of the TPM within TNC?
A. The Trusted Platform Module (TPM) is a hardware security function included in all commercial-grade laptops. It may be used with TNC to provide strong user or device authentication or hardware health checks. However, TPM is not required for TNC or vice versa.

Q. Have either Juniper or Boeing turned on their TPMs or for that matter (have) any of the TCG members?
A. While some companies talk about the specifics of their defensive measures, most do not. Boeing and Juniper generally do not comment on the specifics of defensive measures of this sort. However, TCG can supply some useful information here. Several large customers have turned on their TPMs. For example, Pricewaterhouse Coopers has given several talks about how they were able to reduce costs by using TPMs for strong user authentication. Several case studies about companies using TPM are available at http://www.trustedcomputinggroup.org/solutions/authentication.

But, TPM is only a small part of what TCG is about, and it is not a central subject to TNC. The heart of the TNC architecture is the use of managed link and identifier attributes to control network behavior, and to encrypt the contents of everything that is in transit and using the service. We use a PKI service for our encryption needs.

Q. Which router/switches support TNC?
A. Because the TNC architecture uses the widely supported RADIUS protocol to communicate with Policy Enforcement Points, all commercial grade routers and switches from all vendors are compatible with the TNC architecture.

Q. Which products have implemented TNC standards?
A. Lots of products have implemented the TNC standards. For example, Microsoft Windows XP SP 3, Vista, Windows 7, and Windows Server 2008 all include TNC support. Also, all modern switches and wireless access points are TNC compatible. We do not have a complete list of products that have implemented the TNC standards but we have a list of manufacturers in the slides for the webinar which are representative of active TNC participants such as Juniper, Infoblox, Lumeta, Triumphant, Great Bay Software, and Byres Security, along with a couple of open source implementations. We have a list of products that have gone through the TCG’s rigorous certification process at http://www.trustedcomputinggroup.org/certification/tnc_certified_products_list. This list will be growing a lot in 2011as more products complete the TNC certification process. Please ask about TNC certification in your RFIs and RFPs. That will encourage vendors to get their products certified and help you ensure that the products will work properly.

Q. How many companies have deployed TNC solutions?
A. Thousands of companies, across a wide variety of industries. Some are small companies but actually TNC is quite popular with large companies that need to comply with regulations requiring controls on what devices are connected to their network. So several deployments include hundreds of thousands of systems. Some case studies about companies deploying solutions supporting TNC are available at http://www.trustedcomputinggroup.org/solutions/network_security.

Q. Where can I learn more about TNC?
A. There are two pages on the TCG web site that have lots of information about TNC. The Solutions Networking page at http://www.trustedcomputinggroup.org/solutions/network_security has links to slides, white papers, and other non-technical resources. The Developers TNC page at http://www.trustedcomputinggroup.org/developers/trusted_network_connect has technical info like copies of the specs and developer tools.