Abstract
Network Access Control (NAC) approaches such as the Trusted Computing Group's (TCG) Trusted Network Connect (TNC) enable the integrity of computing systems to be verified (NAC assessment) in an interoperable and fine-grained manner. Currently, the decision about which integrity aspects of a computing system must be verified before network access is granted is made solely by the network operator, who establishes the corresponding policies. The network is therefore potentially able to read arbitrary data on the endpoint during NAC assessment, and no generic mechanism exists that lets the user of an endpoint control which integrity aspects of their computing system a NAC solution may measure and verify. We propose Client-side Policies as a solution to this problem. In this paper, we describe the concept of Client-side Policies and define an extension to the TNC framework that allows them to be enforced. Furthermore, we present an implementation that demonstrates the threats that arise from NAC assessments, and we show how these threats are mitigated by our Client-side Policy approach.
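To make the concept concrete, the following added example (not code from the paper or from the TNC@FHH implementation) models a NAC assessment in which the network side requests integrity measurements from an endpoint and the endpoint answers only those requests that its owner's client-side policy permits. The request kinds, the policy format, the file contents and the measured values are all constructed for illustration; real TNC IF-M attributes and the IMC/IMV interfaces differ. The contrast between `assess(None, ...)` (operator policy alone decides, so a request for the hash of a private key file is answered) and `assess(policy, ...)` (the request is refused) is the threat and mitigation the abstract describes.

```python
"""Client-side policy enforcement during a NAC assessment.

Illustrative model, not the paper's or TNC@FHH's code. Request kinds,
policy format and endpoint data are assumptions made for this example.
"""
from dataclasses import dataclass
import fnmatch
import hashlib


@dataclass(frozen=True)
class MeasurementRequest:
    """A hypothetical integrity request from the network side (IMV/TNCS)."""
    kind: str          # e.g. "os-version", "av-status", "file-hash"
    target: str = ""   # file path for "file-hash", empty otherwise


@dataclass
class ClientSidePolicy:
    """What the endpoint owner lets a particular network measure."""
    network: str
    allowed_kinds: frozenset
    allowed_paths: tuple = ()   # glob patterns; only consulted for "file-hash"

    def permits(self, req: MeasurementRequest) -> bool:
        if req.kind not in self.allowed_kinds:
            return False
        if req.kind == "file-hash":
            return any(fnmatch.fnmatch(req.target, p) for p in self.allowed_paths)
        return True


# Constructed endpoint state standing in for what IMCs would measure.
ENDPOINT_STATE = {"os-version": "Linux 2.6.31", "av-status": "enabled"}
ENDPOINT_FILES = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/home/alice/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
}


def measure(req: MeasurementRequest):
    """Produce the raw measurement; SHA-1 matches the TPM 1.2 PCR digest size."""
    if req.kind == "file-hash":
        data = ENDPOINT_FILES.get(req.target)
        return None if data is None else hashlib.sha1(data).hexdigest()
    return ENDPOINT_STATE.get(req.kind)


def select_policy(store: dict, network: str) -> ClientSidePolicy:
    """Pick the owner's policy for this network; unknown networks get nothing."""
    return store.get(network, ClientSidePolicy(network, frozenset()))


def assess(policy, requests):
    """Answer requests; with policy=None the network's policy alone decides,
    which is the situation the paper criticises. Returns (answers, refused)."""
    answers, refused = {}, []
    for req in requests:
        if policy is None or policy.permits(req):
            answers[(req.kind, req.target)] = measure(req)
        else:
            refused.append(req)
    return answers, refused


# Constructed assessment: the operator asks for OS/AV state plus two file
# hashes, one of which is the user's private key.
REQUESTS = [
    MeasurementRequest("os-version"),
    MeasurementRequest("av-status"),
    MeasurementRequest("file-hash", "/etc/hosts"),
    MeasurementRequest("file-hash", "/home/alice/.ssh/id_rsa"),
]
POLICY_STORE = {
    "corp-wifi": ClientSidePolicy(
        "corp-wifi", frozenset({"os-version", "av-status", "file-hash"}), ("/etc/*",)
    ),
}

if __name__ == "__main__":
    for label, network in (("operator policy only", None),
                           ("with client-side policy", "corp-wifi"),
                           ("unknown network", "cafe-hotspot")):
        policy = None if network is None else select_policy(POLICY_STORE, network)
        answered, refused = assess(policy, REQUESTS)
        print(f"{label}: {len(answered)} answered, {len(refused)} refused")
```

The policy is keyed by the network the endpoint is joining, and an unknown network falls through to an empty (default-deny) policy, so the endpoint never discloses measurements to a network its owner has not explicitly configured.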
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Bente, I., Vieweg, J., von Helden, J. (2010). Privacy Enhanced Trusted Network Connect. In: Chen, L., Yung, M. (eds) Trusted Systems. INTRUST 2009. Lecture Notes in Computer Science, vol 6163. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14597-1_8
DOI: https://doi.org/10.1007/978-3-642-14597-1_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14596-4
Online ISBN: 978-3-642-14597-1