Enterasys, Infoblox, Other TCG Members Use IF-MAP to Automate Security

by TCG in Action

Several years ago, Trusted Computing Group published the IF-MAP (Metadata Access Point) protocol as part of its Trusted Network Connect network security architecture. Early proponents likened IF-MAP to a "Facebook" for security, noting that it provided a simple, easy way to aggregate and distribute metadata from devices, users and networks. IF-MAP is based on a publish/subscribe model: clients publish information to a MAP server, determine if changes have been made and get notified when stored information changes.

For security, the change in state is a critical, valuable bit of information that can be linked to a number of applications, including physical access control. Most importantly, IF-MAP can enable communication of information among devices such as switches, routers, wireless access points, security information and event managers, intrusion prevention systems, NAC systems, firewalls and endpoint system protection (antivirus and anti-malware) solutions.

A number of TCG members, and organizations outside TCG, have been developing products that use IF-MAP as word has spread about the protocol's many uses. While originally developed for network access control (NAC) applications, developers quickly realized the protocol could be useful in a number of other situations, including industrial network security, the emerging integration of physical security with IT security, and cloud computing.

The first two areas represent an especially interesting and rapidly evolving security challenge. SCADA networks typically have been loosely secured, based on proprietary approaches and not well integrated with enterprise IT tools. Yet these networks operate some of the world's most important and potentially vulnerable operations - manufacturing, utilities and the like. In recent years, these kinds of operations have been attacked and hacked, making them a priority for more effective security.

Integration of physical security with IT security is another rapidly emerging trend. Physical security previously focused on physical access control, such as card keys, video surveillance and traditional physical perimeter security. The rapid transition to digital devices and importance of network security has led to the two areas converging, and IF-MAP provides a baseline for the integration by enabling sharing of data.

Long-time TCG members and supporters Enterasys and Infoblox recently teamed up to show how IF-MAP is used, especially in SCADA and physical/IT access applications. Infoblox announced the availability of its MAP server some time ago and has been working with customers to integrate it into their organizations. Enterasys now has integrated its Network Management Suite with the Infoblox server. With this combination, information about physical access control systems, firewalls and Configuration Management Database (CMDB), which is a dynamic repository of all assets in an IT environment, including hardware and software, networking, facilities and applications.

Integrating the NMS (NetSight Management) database with a CMDB via IF-MAP automates the updating and maintenance of the database, which helps ensure compliance with regulatory requirements, manage assets more effectively and reduce costs. The database collects information including every device's MAC address, IP address, hostname and operating system, the SSID or name of the wireless access point, and similar data. Physical location can also be supplied to speed up locating systems for repair or emergencies.

IF-MAP can be instrumental in ensuring that only authorized, authenticated users who have carded or keyed into a location are on the network of that location. Card or key systems can be combined with network authentication to prevent others from accessing the network. This can be critical at remote substations or in widely distributed organizations with highly mobile workforces. If the person trying to access the network is not authorized, or has been carded into another location, for example, alarms are triggered and access can be denied. The same approach can work in data centers, network operations centers and other facilities requiring restricted access. TCG member Hirsch Electronics has embedded support for IF-MAP into its card reader systems, for example, and these have been demonstrated by TCG in conjunction with the MAP server. The Enterasys Network Management Suite would manage the authentication and cross-checking to ensure only authorized devices and users gain access.
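As an added illustration of the publish/subscribe model described at the top of this post and of the card-reader cross-check described here, the following Python sketch is example code written for this page; it is not code from TCG, Enterasys, Infoblox or Hirsch, and it does not implement the real IF-MAP SOAP/XML operations. It models a MAP server that stores metadata on identifiers, notifies subscribers only when a stored value actually changes, and lets a client poll the change log; a network access client then compares a login's location with the badge-in location published by a physical access system, and revokes the session when the badge location later changes. All identifier and metadata names, client names and events are constructed assumptions.

```python
from collections import defaultdict


class MapServer:
    """Constructed, simplified in-memory model of a MAP server.

    Only the publish / subscribe / poll pattern is modelled; the real
    IF-MAP protocol and its typed identifiers are not reproduced.
    Identifiers are (type, value) tuples, e.g. ("identity", "alice").
    """

    def __init__(self):
        self._metadata = defaultdict(dict)     # identifier -> {name: value}
        self._subscribers = defaultdict(list)  # identifier -> [callback]
        self._changes = []                     # ordered change log served by poll()

    def publish(self, publisher, identifier, name, value):
        """Set (or, with value=None, remove) metadata on an identifier.

        Returns False when nothing changed: subscribers only hear about real
        state changes, which is the signal the post calls out as valuable.
        """
        old = self._metadata[identifier].get(name)
        if old == value:
            return False
        if value is None:
            self._metadata[identifier].pop(name, None)
        else:
            self._metadata[identifier][name] = value
        change = (publisher, identifier, name, old, value)
        self._changes.append(change)
        for callback in list(self._subscribers[identifier]):
            callback(*change)
        return True

    def search(self, identifier):
        """Return a copy of the metadata currently stored on an identifier."""
        return dict(self._metadata.get(identifier, {}))

    def subscribe(self, identifier, callback):
        """Register a callback invoked on every change to the identifier."""
        self._subscribers[identifier].append(callback)

    def poll(self, cursor):
        """Return (changes since cursor, new cursor) for clients that poll."""
        return self._changes[cursor:], len(self._changes)


class NacClient:
    """Network-access side: cross-checks a login against the badge location
    published for the same identity and revokes the session if it changes."""

    def __init__(self, server):
        self.server = server
        self.sessions = {}    # user -> network location of the active session
        self.watched = set()  # identities already subscribed to
        self.alarms = []

    def decide(self, user, network_location):
        ident = ("identity", user)
        badged = self.server.search(ident).get("badged-location")
        if badged is None:
            return "deny", f"{user}: no badge-in recorded anywhere"
        if badged != network_location:
            return "deny", f"{user}: badged into {badged}, login from {network_location}"
        self.sessions[user] = network_location
        if ident not in self.watched:
            self.watched.add(ident)
            self.server.subscribe(ident, self._on_change)
        return "allow", f"{user}: badge and network location agree ({badged})"

    def _on_change(self, publisher, identifier, name, old, new):
        user = identifier[1]
        if name != "badged-location" or user not in self.sessions:
            return
        if new != self.sessions[user]:
            # Badged out or into another site: the network session no longer matches.
            location = self.sessions.pop(user)
            self.alarms.append(f"{user}: session at {location} revoked, badge now {new}")


def run_scenario():
    """Constructed sample events: a badge reader publishes presence, the NAC
    client decides logins, and a polling consumer reads the change log."""
    server = MapServer()
    nac = NacClient(server)
    alice = ("identity", "alice")
    decisions = []
    server.publish("badge-reader", alice, "badged-location", "substation-7")
    decisions.append(nac.decide("alice", "substation-7"))  # allow: locations agree
    decisions.append(nac.decide("bob", "substation-7"))    # deny: bob never badged in
    decisions.append(nac.decide("alice", "hq-noc"))        # deny: alice is at the substation
    # Alice badges into the NOC: the subscriber sees the change and revokes her session.
    server.publish("badge-reader", alice, "badged-location", "hq-noc")
    # Badge-out removes the metadata; a state change too, but no session is left to revoke.
    server.publish("badge-reader", alice, "badged-location", None)
    changes, cursor = server.poll(0)
    return decisions, nac.alarms, changes, cursor


if __name__ == "__main__":
    decisions, alarms, changes, cursor = run_scenario()
    print(decisions, alarms, cursor)
```

The design point worth noticing is that the server suppresses notifications when a publish repeats the stored value, so subscribers such as the NAC client react only to genuine state changes (a new badge-in, a badge-out), while a SIEM-style consumer that prefers polling can replay the same change log from a cursor.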

Categories: Network Security