The TCG announced a new specification today: IF-MAP. Why should you
care? Because this new standard really changes the world of network
In the past, security systems were largely silos. Your IDS didn’t
talk to your firewalls or your VPN or your identity management system
or your endpoint security. If they did talk, it was only through
special, proprietary integrations.
The TCG’s TNC standards for NAC have changed some of that, providing
a standard way to integrate endpoint security, identity management
(usually), and network enforcement (switches, VPN, etc.). But until
now, TNC didn’t have a standard way to
include IDS, firewalls, and lots of other important parts of your security system.
The IF-MAP specification provides exactly that. It defines a
standard SOAP-based protocol that network security devices can use to
communicate with a shared database called a Metadata Access Point
(MAP). Using this protocol and database, the network security devices
share information about the users and devices connected to the network:
who’s logged into what device, how healthy the device is, whether it’s
violating policy on behavior and/or health, etc.
Why is this useful? For several reasons:
- If a user connects their laptop to the network, authenticates, and
runs through a NAC health check, and is assigned some privileges based
on this, all of that information can be passed on to other network
security devices in the network through the MAP.
- Sensors in the network (like Intrusion Detection Systems and Data
Leakage Prevention systems) can customize their policies based on the
user’s identity, role, and health.
- If a user starts acting up after they pass the NAC health check
(sending spam or attacking people), an IDS can post an event to the
database and the NAC system can shut them down at the switch port and
pop up a message on their screen telling them what’s wrong and how to
- Device profilers can scan unmanaged endpoints (those that can’t or
won’t participate in the NAC process, like a printer) and post
information about them in the database so that they can receive an
appropriate level of access.
- Interior enforcement devices (like firewalls) now have a standard
way to get information from other network security devices on endpoints
so that they can grant an appropriate level of access.
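As an added illustration (not from the TCG specification or this post), here is a toy in-memory model of a MAP and of the spam scenario above: the NAC server publishes identity and health metadata about an admitted laptop, subscribes to that device, and when the IDS publishes a high-severity event against it, decides to quarantine the port. The identifier and metadata names are my own shorthand rather than IF-MAP's standard types, and the SOAP wire format is omitted.

```python
from collections import defaultdict

# Toy model of a Metadata Access Point (added example, not the spec's API).
# Identifiers such as "user:alice" or "device:laptop-17" are graph nodes;
# metadata is attached either to one identifier or to the link between two.
class MetadataAccessPoint:
    def __init__(self):
        self.metadata = defaultdict(list)     # key -> [(publisher, metadata)]
        self.subscribers = defaultdict(list)  # identifier -> [callback]

    @staticmethod
    def _key(a, b=None):
        # A link is unordered, so normalise it to a sorted pair.
        return (a,) if b is None else tuple(sorted((a, b)))

    def publish(self, publisher, md, a, b=None):
        key = self._key(a, b)
        self.metadata[key].append((publisher, md))
        # Notify every subscriber of an identifier touched by this publish.
        for ident in key:
            for callback in self.subscribers[ident]:
                callback(key, publisher, md)

    def search(self, ident):
        return [(key, pub, md) for key, entries in self.metadata.items()
                if ident in key for pub, md in entries]

    def subscribe(self, ident, callback):
        self.subscribers[ident].append(callback)


def run_scenario():
    mp = MetadataAccessPoint()
    actions = []
    device, user = "device:laptop-17", "user:alice"  # constructed sample values

    # NAC policy: a serious event posted against an admitted device means
    # shut down its switch port (modelled here as an appended action).
    def nac_policy(key, publisher, md):
        if md.get("type") == "event" and md.get("severity") in ("high", "critical"):
            actions.append(("quarantine", device, md["name"]))

    mp.subscribe(device, nac_policy)
    # NAC publishes who is logged into the device, their role, and its health.
    mp.publish("nac", {"type": "authenticated-as"}, device, user)
    mp.publish("nac", {"type": "role", "name": "finance"}, user)
    mp.publish("nac", {"type": "health", "status": "compliant"}, device)
    # Later the IDS sees outbound spam and posts an event against the device.
    mp.publish("ids", {"type": "event", "name": "smtp-flood", "severity": "high"}, device)
    return actions, mp.search(device)
```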
To summarize, the new IF-MAP standard extends the TNC architecture,
now providing a standard way to integrate a wide variety of network
security devices such as IDS, DLP, and interior firewalls with NAC gear
and with each other. This allows the TNC architecture to work with
“unmanaged endpoints” and integrate behavior monitoring in addition to
or instead of endpoint health checking. It also provides a standard way
to integrate firewalls and other enforcement devices into a TNC system.
There are other uses of IF-MAP but this is all I have room for today.
Look for more posts later.
For more details about the IF-MAP specification, see the TCG web page on this topic. If you have questions, let me know.