I Can Haz TCG IF-MAP Support In Your Security Product, Please…
In my previous post titled "Cloud Computing: Invented By Criminals, Secured By ???" I described the need for a new security model, methodology and set of technologies in the virtualized and cloud computing realms built to deal with the dynamic and distributed nature of evolving computing:
This basically means that we should distribute the sampling, detection and prevention functions across the entire networked ecosystem, not just to dedicated security appliances; each of the end nodes should communicate using a standard signaling and telemetry protocol so that common threat, vulnerability and effective disposition can be communicated up and downstream to one another and one or more management facilities.
Greg Ness from Infoblox reminded me in the comments of that post of something I was very excited about when it became news at InterOp this last April: the Trusted Computing Group's (TCG) extension to the Trusted Network Connect (TNC) architecture called IF-MAP.
IF-MAP is a standardized real-time publish/subscribe/search mechanism which utilizes a client/server, XML-based SOAP protocol to provide information about network security objects and events including their state and activity:
Today’s security systems – such as firewalls, intrusion detection and prevention systems, endpoint security systems, data leak protection systems, etc. – operate as “silos” with little or no ability to “see” what other systems are seeing or to share their understanding of network and device behavior. This limits their ability to support coordinated defense-in-depth.
In addition, current NAC solutions are focused mainly on controlling network access, and lack the ability to respond in real-time to post-admission changes in security posture or to provide visibility and access control enforcement for unmanaged endpoints. By extending TNC with IF-MAP, the TCG is providing a standard-based means to address these issues and thereby enable more powerful, flexible, open network security systems.
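To make the publish/subscribe/search model concrete, here is a small in-memory model of the IF-MAP data model (identifiers joined by links, both carrying metadata) in which a NAC system publishes a device-to-IP link, an IDS later publishes an event on that IP, and a firewall that subscribed to the device learns of it on its next poll. This is an added, constructed illustration of the concept, not TCG code and not the SOAP wire format; identifier and metadata names are assumptions.

```python
from collections import defaultdict

class MapServer:
    """Toy in-memory MAP server: a graph of identifiers whose nodes and links
    carry metadata published by clients (NAC, IDS, firewall, ...)."""

    def __init__(self):
        self.links = defaultdict(set)     # identifier -> linked identifiers
        self.meta = defaultdict(list)     # identifier or link -> list of metadata
        self.subs = {}                    # subscription name -> (start, max_depth)
        self.pending = defaultdict(list)  # subscription name -> undelivered updates

    def publish(self, ident, metadata, link_to=None):
        """Attach metadata to an identifier, or to the link ident <-> link_to."""
        key = ident if link_to is None else frozenset((ident, link_to))
        self.meta[key].append(metadata)
        if link_to is not None:
            self.links[ident].add(link_to)
            self.links[link_to].add(ident)
        # Deliver the update to every subscription whose search reaches it
        touched = {ident} if link_to is None else {ident, link_to}
        for name, (start, depth) in self.subs.items():
            if touched & set(self.search(start, depth)):
                self.pending[name].append((ident, link_to, metadata))

    def search(self, start, max_depth):
        """Breadth-first walk: identifiers within max_depth links of start."""
        depth_of, frontier = {start: 0}, [start]
        while frontier:
            node = frontier.pop(0)
            if depth_of[node] == max_depth:
                continue
            for nxt in self.links[node]:
                if nxt not in depth_of:
                    depth_of[nxt] = depth_of[node] + 1
                    frontier.append(nxt)
        return depth_of  # identifier -> distance from start

    def subscribe(self, name, start, max_depth):
        self.subs[name] = (start, max_depth)

    def poll(self, name):
        """Return and clear the updates queued for one subscription."""
        return self.pending.pop(name, [])

def demo():
    """NAC admits a device, IDS later flags its IP, firewall learns via poll."""
    m = MapServer()
    m.subscribe("fw-watch", "device:pc-1234", max_depth=1)
    # constructed sample data: a NAC publishes the device/IP binding ...
    m.publish("device:pc-1234", {"type": "ip-mac", "by": "nac"}, link_to="ip:10.0.0.5")
    # ... and an IDS later publishes an event against the same IP
    m.publish("ip:10.0.0.5", {"type": "event", "name": "port-scan", "by": "ids"})
    return m.poll("fw-watch")
```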
While the TNC was initially designed to support NAC solutions, extending the capabilities to any security product to subscribe to a common telemetry and information exchange/integration protocol is a fantastic idea.
I'm really interested in how many vendors outside of the NAC space are including IF-MAP in their roadmaps. While IF-MAP has potential in conventional non-virtualized infrastructure, I see a tremendous need for it in our move to Infrastructure 2.0 with virtualization and Cloud Computing.
Integrating, for example, IF-MAP with VM-Introspection capabilities (in VMsafe, XenAccess, etc.) would be fantastic as you could tie the control planes of the hypervisors, management infrastructure, and provisioning/governance engines with that of security and compliance in near real-time.
You can read more about the TCG's TNC IF-MAP specification here.
/Hoff
Hoff wants to know who the IF-MAP Haz and Haz'nots are
So Chris Hoff thinks he might have come across the perfect solution to his vexing cloud/virtual security issues. A comment from Greg Ness over at Infoblox fired up a synapse in the Hoff's brain and he recalled that the…
The Adoption Curve for IF-MAP
Chris Hoff blogged yesterday about using TCG's standard IF-MAP protocol to connect security functions throughout the cloud. I couldn't agree more! That's exactly what IF-MAP is for: helping security systems share the information they …
Although I'm hopeful for IF-MAP, I tend to disagree with some of their assertions…
For example, that NAC solutions 'lack the ability to respond in real-time to post-admission changes in security posture'. Many NAC solutions (esp. agentless ones) use post-connect behaviour-based checking (similar to IDS) for enforcement. Others, even agent-based ones, do offer post-connect recheck, and the TNC's list of supported auto-remediation options is growing daily.
Aside from that, the majority of vendors in this space have been focused on growing their internal integration between products. Cisco, Symantec, HP ProCurve and StillSecure all offer some type of integrated behaviour-based checking and actions (as I'm sure do other vendors).
Since they're already heading down one (internal) integration path, I think we'll see a delay in real adoption of IF-MAP from NAC vendors while they finish up their current projects before turning to a standard framework.
So, IF-MAP *is* filling a gap, but maybe not one that's a huge issue right now since we have a certain amount of this already available.
Either way, there's a lot of re-tooling that's going to have to happen.
-jj