Home > Cloud Computing, Infrastructure 2.0, Virtualization > I Can Haz TCG IF-MAP Support In Your Security Product, Please…

I Can Haz TCG IF-MAP Support In Your Security Product, Please…

November 10th, 2008 Leave a comment Go to comments

In my previous post titled "Cloud Computing: Invented By Criminals, Secured By ???" I described the need for a new security model, methodology and set of technologies in the virtualized and cloud computing realms built to deal with the dynamic and distributed nature of evolving computing:

basically means that we should distribute the sampling, detection and
prevention functions across the entire networked ecosystem, not just to
dedicated security appliances; each of the end nodes should communicate
using a standard signaling and telemetry protocol so that common
threat, vulnerability and effective disposition can be communicated up
and downstream to one another and one or more management facilities.

Greg Ness from Infoblox reminded me in the comments of that post of something I was very excited about when it
became news at InterOp this last April: the Trusted Computing Group's (TCG) extension to the Trusted Network Connect (TNC) architecture called IF-MAP.

IF-MAP is a standardized real-time publish/subscribe/search mechanism which utilizies a client/server, XML-based SOAP protocol to provide information about network security objects and events including their state and activity:

IF-MAP extends the TNC architecture to support standardized, dynamic data interchange among a wide variety of networking and security components, enabling customers to implement multi-vendor systems that provide coordinated defense-in-depth.
Today’s security systems – such as firewalls, intrusion detection and prevention systems, endpoint security systems, data leak protection systems, etc. – operate as “silos” with little or no ability to “see” what other systems are seeing or to share their understanding of network and device behavior. 

This limits their ability to support coordinated defense-in-depth. 
In addition, current NAC solutions are focused mainly on controlling
network access, and lack the ability to respond in real-time to
post-admission changes in security posture or to provide visibility and
access control enforcement for unmanaged endpoints.  By extending TNC
with IF-MAP, the TCG is providing a standard-based means to address
these issues and thereby enable more powerful, flexible, open network
security systems.

While the TNC was initially designed to support NAC solutions, extending the capabilities to any security product to subscribe to a common telemetry and information exchange/integration protocol is a fantastic idea.


I'm really interested in how many vendors outside of the NAC space are including IF-MAP in their roadmaps. While IF-MAP has potential in convential non-virtualized infrastructure, I see a tremendous need for it in our move to Infrastructure 2.0 with virtualization and Cloud Computing. 

Integrating, for example, IF-MAP with VM-Introspection capabilities (in VMsafe, XenAccess, etc.) would be fantastic as you could tie the control planes of the hypervisors, management infrastructure, and provisioning/governance engines with that of security and compliance in near-time.

You can read more about the TCG's TNC IF-MAP specification here.



  1. November 10th, 2008 at 12:42 | #1

    Hoff wants to know who the IF-MAP Haz and Haz'nots are

    So Chris Hoff thinks he might have come across the perfect solution to his vexing cloud/virtual security issues. A comment from from Greg Ness over at Infoblox fired up a synapse in the Hoff's brain and he recalled that the…

  2. November 11th, 2008 at 07:46 | #2

    The Adoption Curve for IF-MAP

    Chris Hoff blogged yesterday about using TCGs standard IF-MAP protocol to connect security functions throughout the cloud. I couldnt agree more! Thats exactly what IF-MAP is for: helping security systems share the information they …

  3. November 19th, 2008 at 05:14 | #3

    Although I'm hopeful for IF-MAP, I tend to disagree with some of their assertions…
    For example, that NAC solutions 'lack the ability to respond in real-time to post-admission changes in security posture'. Many NAC solutions (esp agentless ones) use post-connect behaviour-based checking (similar to IDS) for enforcement. Others, even agent-based do offer post-connect recheck and the TNC's list of supported auto-remediation options is growing daily.
    Aside from that, the majority of vendors in this space have been focused on growing their internal integration between products. Cisco, Symantec, HP ProCurve and StillSecure all offer some type of integrated behaviour-based checking and actions (as I'm sure do other vendors).
    Since they're already heading down one (internal) integration path, I think we'll see a delay in real adoption of IF-MAP from NAC vendors while they finish up their current projects before turning to a standard framework.
    So, IF-MAP *is* filling a gap, but maybe not one that's a huge issue right now since we have a cerain amount of this already available.
    Either way, there's a lot of re-tooling that's going to have to happen.

  1. July 25th, 2009 at 16:56 | #1
  2. August 9th, 2009 at 22:42 | #2
  3. October 13th, 2009 at 14:14 | #3
  4. December 18th, 2009 at 17:15 | #4