MDS Orbit MCR/ECR Technical Manual, MDS 05-6632A01, Rev. F (page 408)
7.0 APPENDIX B – Integrity Measurement Authority (IMA)
7.1 Understanding
The MCR supports the integrity measurement and attestation architecture described by the Trusted Network Connect (TNC) specifications, jointly developed and published by the Trusted Computing Group (TCG) and the IETF NEA working group.
The MCR establishes a secure IPsec VPN connection with the VPN gateway via mutual authentication based on certificates or pre-shared secrets. The TNC architecture adds the ability to measure, report and verify the security state of the MCR (e.g. the integrity of a critical system configuration file) as part of the IPsec VPN authentication and authorization process.
The MCR supports the TNCCS 2.0 protocol and a subset of TCG's Platform Trust Service (PTS). Only the file measurement capability of the PTS protocol is supported, and only for the following files:
/tmp/system.config - This file includes all current system configuration.
/etc/tnc_config
Once the unit has been configured, the hash (sha256 or sha384) of the system configuration file can be obtained via the CLI (locally or remotely) and loaded into the Integrity Measurement Authority (IMA) database.
Typically, integrity measurement and attestation happen automatically as part of establishing the IPsec VPN “data” connection, using the EAP-TTLS method (with EAP-TNC authentication inside it) as instructed by the VPN gateway. However, the MCR also supports an out-of-band IMA connection, where the unit connects to a separate IMA server not to pass data but only to perform integrity measurement and attestation. In such a setup the IMA server can then publish the unit's “health” information to the VPN server that terminates the actual data connections. This allows the VPN server to enforce a permit/deny policy for incoming VPN data connections from the unit.
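The reference-hash workflow described above (load the configured unit's file hash into the IMA database, compare each later measurement against it, and derive the permit/deny result the VPN server enforces), as an added Python example that is not GE MDS code; the ImaDatabase class, the unit ids and the file contents are assumptions made for the demonstration.

```python
# Added example, not GE MDS code: an IMA-style reference database that checks a
# unit's file measurements the way the appendix describes. The operator loads the
# sha256/sha384 hash of the configured unit's /tmp/system.config into the
# database; a later measurement is compared to it to give a permit/deny result.
# File contents and unit ids below are constructed; no device file is read.
import hashlib
import hmac
from typing import Dict, Tuple

SUPPORTED_ALGORITHMS = ("sha256", "sha384")  # digests the manual names
MEASURED_FILES = ("/tmp/system.config", "/etc/tnc_config")  # only these are measured

def measure(content: bytes, algorithm: str) -> str:
    """Hex digest a unit would report for one measured file."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported digest: {algorithm}")
    return hashlib.new(algorithm, content).hexdigest()

class ImaDatabase:
    """Reference measurements keyed by (unit id, file path)."""
    def __init__(self) -> None:
        self._refs: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def load_reference(self, unit: str, path: str, algorithm: str, digest: str) -> None:
        """Store the hash obtained from the unit's CLI after configuration."""
        if path not in MEASURED_FILES or algorithm not in SUPPORTED_ALGORITHMS:
            raise ValueError(f"cannot measure {path} with {algorithm}")
        # Normalise what an operator pasted from the CLI (case, stray spaces).
        self._refs[(unit, path)] = (algorithm, digest.strip().lower())

    def attest(self, unit: str, reported: Dict[str, Tuple[str, str]]) -> Tuple[str, str]:
        """Return ("permit" | "deny", reason); `reported` maps path -> (algorithm, digest)."""
        refs = {p: v for (u, p), v in self._refs.items() if u == unit}
        if not refs:
            return "deny", "no reference measurements loaded for unit"
        for path, (algorithm, expected) in refs.items():
            if path not in reported:
                return "deny", f"{path} not measured"
            got_alg, got_digest = reported[path]
            if got_alg != algorithm:
                return "deny", f"{path}: expected {algorithm}, got {got_alg}"
            # Constant-time comparison so timing does not leak the reference value.
            if not hmac.compare_digest(expected, got_digest.strip().lower()):
                return "deny", f"{path}: measurement mismatch"
        return "permit", "all measurements match"
```

A unit with no loaded reference is denied rather than permitted, so a device that was never enrolled cannot pass attestation by reporting nothing.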
7.2 Configuring
The out-of-band IMA configuration is identical to the VPN configuration described in the VPN section, except that the IPsec connection is designated specifically as an out-of-band IMA connection and the local and remote IP subnets are both set to 0.0.0.0/0, as shown below:
% set services vpn ipsec connection IMA-CONN-1 is-out-of-band-ima true
% set services vpn ipsec connection IMA-CONN-1 local-ip-subnet 0.0.0.0/0
% set services vpn ipsec connection IMA-CONN-1 remote-ip-subnet 0.0.0.0/0
% set services vpn ipsec connection IMA-CONN-1 periodic-retry-interval 60
The “periodic-retry-interval” applies only to the IPsec connection designated as the out-of-band IMA connection. The MCR retries attestation after every “periodic-retry-interval” whenever the previous attempt to connect to the IMA server was unsuccessful.
For an out-of-band IMA server setup, the MCR needs to be configured with both an IMA IPsec connection and a VPN-GWY IPsec connection. An example follows:
connection IMA-CONN-1 {
    ike-peer IMA-SERVER;
    ipsec-policy IPSEC-POLICY-IMA;
    local-ip-subnet 0.0.0.0/0;
    remote-ip-subnet 0.0.0.0/0;
    is-out-of-band-ima true;
}