FAQs for the TNC IF-MAP Specification, Version 1.0
Q. What is TCG announcing?
A. TCG is announcing a major addition to the Trusted Network Connect (TNC) architecture. The existing architecture (released in 2004) defined open standards for Network Access Control (NAC). TCG is now extending the TNC architecture by adding two new architectural components and a new standard protocol (IF-MAP). These additions extend the TNC architecture to support standardized, dynamic data interchange among a wide variety of networking and security components, enabling customers to implement multi-vendor systems that provide coordinated defense-in-depth.
Q. Why has TCG decided to extend the capabilities of TNC beyond typical NAC functions?
A. Today’s security systems – such as firewalls, intrusion detection and prevention systems, endpoint security systems, data leak protection systems, etc. – operate as “silos” with little or no ability to “see” what other systems are seeing or to share their understanding of network and device behavior. This limits their ability to support coordinated defense-in-depth. In addition, current NAC solutions are focused mainly on controlling network access, and lack the ability to respond in real-time to post-admission changes in security posture or to provide visibility and access control enforcement for unmanaged endpoints. By extending TNC with IF-MAP, the TCG is providing a standard-based means to address these issues and thereby enable more powerful, flexible, open network security systems.
Q. What does IF-MAP include?
A. IF-MAP is a standard client/server protocol for accessing a Metadata Access Point (i.e., an IF-MAP server). The IF-MAP server has a database for storing information about network security events and objects (users, devices, etc.). The IF-MAP protocol defines a powerful publish/subscribe/search mechanism and an extensible set of identifiers and data types.
Q. What is “metadata”, anyway?
A. In the context of IF-MAP, “metadata” is any shared, real-time data about network devices, policies, status, behavior, and relationships between various systems (e.g. security events, network identity, and network location).
Q. What can people do with IF-MAP?
A. The IF-MAP 1.0 specification supports many use cases. The following are two examples:
Since IF-MAP is extensible, more use cases may be supported in the future.
Q. What are the benefits of IF-MAP for customers?
A. They can implement more effective, integrated security systems gaining the following benefits:
Q. What are the benefits of IF-MAP for product vendors and resellers?
A. Using open standards to integrate security products provides many benefits over a single-vendor approach or custom integrations:
Q. How is IF-MAP different from other management protocols like SNMP and syslog?
A. IF-MAP provides an integrated, real-time view of security that allows products to work together in a coordinated manner to grant access as appropriate while identifying and responding to threats in real time. Existing network management protocols, including syslog and SNMP, are static: each device reports events, but the data is not integrated.
Still, syslog and SNMP can play a valuable role with IF-MAP if a Security Event Manager (SEM) or similar device is used to distill the information gathered with syslog and SNMP and feed it into the MAP database. Also, some flow controllers use SNMP to grant or restrict access.
Q. Does IF-MAP use any standard access protocol?
A. Yes, it is based on SOAP.
Q. How is IF-MAP secured?
A. As a critical component of the network security infrastructure, maintaining the security of IF-MAP is essential. Every IF-MAP request is encrypted and authenticated with the industry standard TLS (Transport Layer Security) protocol. Only authorized IF-MAP clients are allowed to access the MAP database and fine-grained access controls may be employed.
Q. What about privacy?
A. Metadata stored in a MAP database may include privacy-sensitive information such as user identity. However, this metadata is purely optional. Depending on regulations, customs, or contractual obligations, it may be necessary to omit some metadata or restrict access to it, and IF-MAP makes it possible to do so.
Q. Is IF-MAP a required part of the TNC architecture?
A. No, it’s optional. Customers can continue to use their existing TNC systems. If they want to add an IF-MAP server, they can do so at any time.
Q. Will IF-MAP implementations require a TPM?
A. As with other TNC specifications, this one can operate in an environment of clients with or without TPMs. Clients with TPMs offer more security against attacks, including rootkits.
Q. How does metadata get into the MAP database?
A. The database is automatically populated by IF-MAP clients. For example, a NAC server might add information about who has logged into the network, from which endpoint, and how healthy the endpoint is. An Intrusion Detection System or Data Leakage Prevention system might add information about that endpoint’s behavior.
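The publish/subscribe/search model described in the IF-MAP answer above, the per-client authorization mentioned under "How is IF-MAP secured?", and the population flow just described (a NAC server publishing login and health data, an IDS publishing behavior) can be shown together in one small in-memory model. The following is an added illustration written for this page; it is not TCG code and does not reproduce the IF-MAP XML/SOAP wire format or its TLS transport. Identifier names such as `ip:10.0.0.5` and `device:laptop-42`, the metadata type names, the client names, and the permission table are all constructed for the example.

```python
"""Toy Metadata Access Point (MAP): publish / search / subscribe with
per-client publish authorization. Constructed illustration of the ideas
in the FAQ, not an implementation of the IF-MAP 1.0 specification."""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple


class AccessDenied(Exception):
    """Raised when a client publishes a metadata type it is not authorized for."""


class MetadataAccessPoint:
    def __init__(self, permissions: Dict[str, Set[str]]):
        # permissions: client name -> set of metadata types that client may publish
        # (stands in for the fine-grained access control the FAQ mentions;
        # authentication of the client itself would come from TLS in a real MAP)
        self.permissions = permissions
        self.metadata: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        self.links: Dict[str, Set[str]] = defaultdict(set)   # identifier -> linked identifiers
        self.subscriptions: List[Tuple[str, Callable]] = []  # (root identifier, callback)

    def _authorize(self, client: str, mtype: str) -> None:
        if mtype not in self.permissions.get(client, set()):
            raise AccessDenied(f"{client} may not publish {mtype}")

    def publish(self, client: str, identifier: str, mtype: str, value: str,
                link_to: str = None) -> None:
        """Attach (mtype, value) to identifier, optionally linking it to another identifier."""
        self._authorize(client, mtype)
        self.metadata[identifier].append((mtype, value))
        if link_to:
            self.links[identifier].add(link_to)
            self.links[link_to].add(identifier)
        self._notify(identifier)

    def search(self, root: str, max_depth: int = 2) -> Dict[str, List[Tuple[str, str]]]:
        """Breadth-first walk over links from root, collecting metadata per identifier."""
        seen = {root}
        frontier = [root]
        result: Dict[str, List[Tuple[str, str]]] = {}
        for _ in range(max_depth + 1):
            next_frontier = []
            for ident in frontier:
                result[ident] = list(self.metadata[ident])
                for neighbour in self.links[ident]:
                    if neighbour not in seen:
                        seen.add(neighbour)
                        next_frontier.append(neighbour)
            frontier = next_frontier
        return result

    def subscribe(self, root: str, callback: Callable) -> None:
        """Deliver a fresh search result rooted at `root` whenever anything in its scope changes."""
        self.subscriptions.append((root, callback))

    def _notify(self, changed: str) -> None:
        for root, callback in self.subscriptions:
            view = self.search(root)
            if changed in view:
                callback(root, view)


def demo():
    """Constructed scenario: NAC server and IDS publish, a flow controller subscribes."""
    permissions = {
        "nac-server": {"authenticated-as", "device-health"},
        "ids": {"event"},
    }
    mapd = MetadataAccessPoint(permissions)
    notifications = []
    # A flow controller (e.g. a firewall) watches everything linked to the endpoint's IP.
    mapd.subscribe("ip:10.0.0.5", lambda root, view: notifications.append(view))
    # NAC server records endpoint health and who logged in from it (constructed values).
    mapd.publish("nac-server", "device:laptop-42", "device-health", "compliant",
                 link_to="ip:10.0.0.5")
    mapd.publish("nac-server", "identity:alice", "authenticated-as", "alice@example.org",
                 link_to="device:laptop-42")
    # IDS reports behaviour seen from that IP; the subscriber gets the correlated view.
    mapd.publish("ids", "ip:10.0.0.5", "event", "port-scan")
    # IDS is not authorized to assert device health, so this publish is rejected.
    try:
        mapd.publish("ids", "device:laptop-42", "device-health", "compliant")
        denied = False
    except AccessDenied:
        denied = True
    return notifications[-1], len(notifications), denied


if __name__ == "__main__":
    last_view, count, denied = demo()
    print(f"{count} notifications, unauthorized publish denied: {denied}")
    for ident, items in last_view.items():
        print(f"  {ident}: {items}")
```

The point of the last view is the correlation the FAQ describes: the IDS only knows an IP address, the NAC server only knows a device and a user, but a subscriber to the IP receives all three linked together, while the permission table keeps a client from asserting metadata outside its role.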
Q. Must there be hardware changes or upgrades to implement the new protocol?
A. No. IF-MAP can be enabled with a software update from vendors.
Q. Who has implemented these specifications?
A. As with all TCG specifications, IF-MAP is open for anyone to implement. Since the specifications have just been released, there are no shipping products yet. Arcsight, Aruba, Infoblox, Juniper Networks, Lumeta and nSolutions are demonstrating IF-MAP at Interop 2008. We anticipate that products and open source implementations will start appearing by early next year. Of course, IF-MAP is vendor-neutral. Multiple vendors will implement IF-MAP servers and clients.
Q. Will there be open source implementations of the IF-MAP specification?
A. We anticipate that as with other TNC specifications, there will be open source support. For example, the National Center for Data Mining at the University of Illinois at Chicago is implementing an open source IF-MAP stack for client and server implementations.
Contact: Anne Price