New Protocol Improves Interaction among Networked Devices and Applications
by George Lawton
An emerging specification promises to make it easier for devices and applications to share metadata. The Trusted Computing Group’s (TCG) Interface for Metadata Access Points (IF-MAP) specification simplifies the integration of security devices. TCG recently demonstrated IF-MAP interoperability among seven devices, and the specification is expected to pick up steam with another update scheduled for later this year.
"IF-MAP is Facebook for endpoint devices," said Matt Webster, product management director at Lumeta and co-chair of TCG's Trusted Network Connect (TNC) workgroup, which developed the IF-MAP specification. "As attacks become more complex, you need multiple systems within your security architecture for protection. IF-MAP allows these security products to pool that information together, which can be addressed by specialized devices."
Pooling information this way helps with attacks that no single device can recognize on its own. For example, an endpoint profiling device might notice that a device registered as a printer was behaving like a PC. It could share that observation with a network access control (NAC) appliance, which could block the device until the discrepancy is resolved.
Although this kind of integration between multiple security products is possible today, it must be done for each pairing. With IF-MAP, developers will have to write an IF-MAP interface only once to support integration with any other IF-MAP–enabled application or device.
Proponents believe that IF-MAP will eventually become as commonplace as other networking protocols. Many vendors have already adopted it, including ArcSight, Aruba, Infoblox, Juniper Networks, Lumeta, and nSolutions. That said, Cisco hasn't yet accepted it, which could hinder its widespread deployment.
An Old Idea
The idea of sharing security information among multiple networking devices has been around for some time, said Lawrence Orans, research director at the Gartner market research group. In the mid-1990s, vendors including Microsoft and Cisco created the Directory-Enabled Networking (DEN) specification. However, DEN was never widely adopted.
The TNC workgroup was launched to improve NAC security. It has developed several specifications and, as part of this effort, released version 1.0 of the IF-MAP protocol in 2008.
Although no international standards body has sanctioned IF-MAP as a standard, the TCG is hoping to build on its success with the Trusted Platform Module, which has been installed on between 350 and 400 million laptops, said Webster. These modules record measurements of a laptop's boot and software state, letting applications check whether that software has been altered, for example by malicious code.
How IF-MAP Works
IF-MAP lets any kind of networked device share information that can be used to manage security policy. An IF-MAP server (a metadata access point, or MAP) keeps, for each endpoint, metadata such as its MAC address, IP address, and other device attributes, all of it published by IF-MAP clients. When a device first connects to a network, the client that observes it publishes that information, and the server delivers it to the other security devices that have subscribed to updates about the endpoint. Any network appliance, such as a firewall, leak detector, or spam filter, can append new metadata about the device’s behavior to its record, and the server passes those updates on to the other subscribers.
Different network monitoring devices can gather or create a variety of information about individual endpoints. For example, Lumeta's IPsonar security product can detect whether a device bridges a secured network to an unsecured connection and could therefore leak data. If a laptop on the corporate network is also connected to a cellular data network, the IPsonar server can publish that finding through IF-MAP, and a NAC server subscribed to the endpoint can enforce a policy, such as locking out the leaking laptop.
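The two scenarios above (the printer that behaves like a PC, and the laptop bridging the corporate network to a cellular connection) both come down to the same pattern: several sensors publish metadata about one endpoint, and a NAC subscriber acts on the combined record. The following is an added example written for this article, not code from TCG or any of the vendors named here. It models that publish/search/subscribe pattern in memory only: the real protocol is an XML binding over HTTPS with sessions and authenticated clients, none of which is shown, and the metadata names used (`device-type`, `observed-behavior`, `leak-path`, `enforcement-report`) and the sample endpoints are made up for the illustration rather than taken from the IF-MAP specification.

```python
from collections import defaultdict

# Simplified in-memory model of an IF-MAP metadata access point (MAP) server.
# An identifier is a (type, value) pair such as ("mac-address", "00:..").
# Metadata is stored per identifier as name -> (value, publisher). The metadata
# names below are hypothetical, not the vocabulary of the TCG specification.


class MapServer:
    """Stores metadata about identifiers and the links between them, and
    notifies subscribers whenever something within their search radius changes."""

    def __init__(self):
        self.metadata = defaultdict(dict)   # identifier -> {name: (value, publisher)}
        self.links = defaultdict(set)       # identifier -> linked identifiers
        self.subscriptions = []             # (start identifier, max_depth, callback)

    def link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def search(self, start, max_depth=1):
        """Breadth-first walk from `start` over at most max_depth links;
        returns {identifier: metadata} for every identifier reached."""
        seen, frontier = {start}, [start]
        for _ in range(max_depth):
            nxt = []
            for ident in frontier:
                for other in self.links[ident]:
                    if other not in seen:
                        seen.add(other)
                        nxt.append(other)
            frontier = nxt
        return {ident: dict(self.metadata[ident]) for ident in seen}

    def subscribe(self, start, max_depth, callback):
        self.subscriptions.append((start, max_depth, callback))

    def publish(self, publisher, ident, name, value):
        self.metadata[ident][name] = (value, publisher)
        self._notify(ident)

    def delete(self, ident, name):
        self.metadata[ident].pop(name, None)
        self._notify(ident)

    def _notify(self, changed):
        # Re-run every subscription's search; deliver it if the change is in scope.
        for start, depth, callback in self.subscriptions:
            results = self.search(start, depth)
            if changed in results:
                callback(start, results)


class NacController:
    """A subscriber that turns the pooled metadata into an access decision
    and publishes that decision back so other devices can see it."""

    def __init__(self, server):
        self.server = server
        self.quarantined = set()

    def watch(self, device):
        self.server.subscribe(device, 2, self.on_change)  # device -> mac -> ip

    @staticmethod
    def evaluate(results):
        facts = defaultdict(set)   # metadata name -> set of values seen anywhere in scope
        for meta in results.values():
            for name, (value, _publisher) in meta.items():
                facts[name].add(value)
        if "printer" in facts["device-type"] and "pc" in facts["observed-behavior"]:
            return "printer-behaving-like-pc"
        if facts["leak-path"]:
            return "unsecured-bridge"
        return None

    def on_change(self, device, results):
        reason = self.evaluate(results)
        if reason and device not in self.quarantined:
            self.quarantined.add(device)
            self.server.publish("nac", device, "enforcement-report", reason)
        elif not reason and device in self.quarantined:
            self.quarantined.discard(device)
            self.server.delete(device, "enforcement-report")


def printer_scenario():
    """Constructed sample: a profiler registers a printer, then a sensor sees
    PC-like traffic from its IP address; the NAC quarantines the device."""
    srv = MapServer()
    device, mac, ip = ("device", "lab-printer-3f"), ("mac-address", "00:1e:0b:aa:bb:cc"), ("ip-address", "10.0.5.17")
    srv.link(device, mac)
    srv.link(mac, ip)
    nac = NacController(srv)
    nac.watch(device)
    srv.publish("profiler", device, "device-type", "printer")   # fine on its own
    srv.publish("traffic-sensor", ip, "observed-behavior", "pc")  # now quarantined
    return srv, nac, device, ip


def leak_scenario():
    """Constructed sample: a leak detector reports a laptop bridging to a cellular link."""
    srv = MapServer()
    device, ip = ("device", "laptop-42"), ("ip-address", "10.0.7.9")
    srv.link(device, ip)
    nac = NacController(srv)
    nac.watch(device)
    srv.publish("leak-detector", ip, "leak-path", "cellular-uplink")
    return srv, nac, device, ip
```

The subscriber never talks to the profiler or the leak detector directly; each sensor only publishes what it observed against the endpoint's identifier, and the NAC's subscription is what joins the facts together. Deleting the offending metadata lifts the quarantine through the same notification path.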
Cloudy Future
IF-MAP could play a valuable role in networking security, but Gartner's Orans said its success isn't guaranteed. Some of the same concepts were present in DEN, he noted, but it never took off.
Cisco's nonparticipation is one of the biggest obstacles to widespread adoption. "Without Cisco's support IF-MAP will struggle because Cisco dominates the enterprise network provider market," Orans said.
This could change if the IF-MAP specification gets rolled into an Internet Engineering Task Force RFC, said Webster. He noted that Cisco has adopted other TCG specifications after they became RFCs. In the long run, Webster expects IF-MAP to become as common as networking standards like HTTP and SNMP.
IF-MAP could open the door for a variety of new network management tools. For example, the Infoblox OS1 Orchestration Server uses IF-MAP to gather and publish information about cloud services’ pricing and availability. An applications server could use this information to locate and provision the most cost-effective cloud-based services.
George Lawton is a freelance journalist based in Guerneville, CA. He can be reached via his website at http://glawton.com.