#ATM16
Securing the LAN: Best Practices to Secure the Wired Access Network
Micah Staggs, CSE-Security
Chuck Jenson, CSE-Security
March 2016 @ArubaNetworks
Agenda
– Why the LAN?
– Methodologies
– Examples
– Security
– Demos
[Photo: HPE-Aruba 7XXX controllers beside soon-to-be-retired Cisco switches]
Why Bother With the LAN?
– Isn’t it “inside” my network?
– Increased mobility of company-provided devices and the introduction of user-owned devices make trusting the endpoint an issue
– Cloud-first, mobile-first thinking is that the access layer isn’t truly “inside”
– What’s the point? We are going to be all wireless in a year anyway!
Other Reasons
– Universal port: we’d like to have a similar config on all ports and update them based on the device attached
– Static VLAN assignments and changes can be a pain
– Security audits
Methodologies – Port Security
– Locks the port to the first MAC address (or two) it sees; the binding clears after the port has been down for some time
– Works well against someone unplugging a printer to use its port, but it is not really secure (the MAC is trivially spoofed) and not mobile friendly
Methodologies – MAC WhiteList
– MAC lists are good for “quick and dirty” security
– Let’s face it, no one wants to maintain an enterprise-wide list of MAC addresses
– What if a NIC gets changed?
– What about BYOD laptops?
– What about MAC spoofing?
Methodologies – Wait and See
– Let the device on the network and, if it does something wrong or we detect the device type, move it via SNMP (sometimes coupled with a MAC list)
– Constant changing of port config
– What if you miss a syslog?
– SNMP writes don’t always scale well in enterprise environments
Methodologies – Captive Portal
– Works almost like a guest network:
  1. Let them on in a temporary fashion
  2. Authenticate via web auth
  3. Put them in the appropriate VLAN/role
– Not supported by all switches
– What happens to devices like printers and VoIP phones with no browser?
Methodologies – 802.1X
– Layer 2: authentication and enforcement occur before the device gets an IP address. Also works for guests if a supplicant is active
– Requires the supplicant to be present and active on the endpoint (the wired supplicant is not on by default on Windows)
– What about printers, phones, door locks, etc. with no supplicant (headless)?
What We Usually See
– 802.1X, coupled with MAC Auth Bypass and Captive Portal
– Best if coupled with a profiler and/or other context sources
– Can be versatile enough to handle corporate, personal and guest devices
Cisco:
  interface GigabitEthernet<port-number>
   switchport access vlan <vlan-id>
   switchport mode access
   ! try 802.1X first, fall back to MAC Auth Bypass for devices with no supplicant
   authentication order dot1x mab
   authentication priority dot1x mab
   ! the port only starts authenticating once these three are also set
   authentication port-control auto
   mab
   dot1x pae authenticator
HPE:
Sample .1X Transaction using Certificates (TLS)
– Mutual authentication: the server presents its certificate to the endpoint and the endpoint presents its certificate to the server
– Endpoint <-- EAPOL --> Authenticator (switch) <-- RADIUS --> Authentication Server
Message flow as drawn on the slide:
  1. Endpoint -> Authenticator: EAPOL-Start
  2. Authenticator -> Endpoint: Request Identity
  3. Endpoint -> Authenticator: Response Identity (anonymous); Authenticator -> Authentication Server: Response Identity (relayed in RADIUS)
  4. Authentication Server -> Endpoint: TLS Start, then Certificate (server’s)
  5. Endpoint -> Authentication Server: Client Key Exchange, Cert. verification (client’s certificate)
  6. Authentication Server -> Endpoint: Request credentials
  7. Endpoint -> Authentication Server: Response credentials
  8. Authentication Server -> Authenticator -> Endpoint: Success
Sample .1X Transaction with Mac Auth Bypass and Captive Portal
What Context do we use?
– Who is the user?
– What type of device is it?
– Is it a company-owned or user-owned device?
– What’s the time of day or day of week?
– Location: can this device attach to this port?
Sources of Usable Device Context
– Device Profiling: Samsung SM-G900; Android; hostname “Jons-Galaxy”
– EMM/MDM: Personal owned; Registered; OS up-to-date; Hansen, Jon [Sales]; MDM enabled = true; In-compliance = true
– Identity Stores: Hansen, Jon [Sales]; Title – COO; Dept – Executive office; City – London
– Network Devices: Location – Bldg 10; Floor – 3; Bandwidth – 10Mbps
Enforcement Options
– Great, now that we know the who, what, when, and where… what can we do?
– Depends on the access device, but typically we see:
  – VLAN steering
  – dACL enforcement
  – Change of Authorization
  – Vendor-specific attributes (User Role, AV pair)
  – Captive portals on some switches
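The decision that the context feeds is easiest to see in code. The following Python sketch is an added example, not ClearPass logic or code from this deck: it takes the who/what/when/where context for one port-access attempt and returns an enforcement profile (VLAN plus role, and whether a re-authentication is needed). 802.1X results outrank MAC Auth Bypass, an unknown MAB device is parked in a profiling VLAN, EMM compliance and device registration shape the role, and a location check denies a known headless device that shows up on the wrong switch. The VLAN numbers, role names, switch names, and the rule that personal devices only get access during business hours are assumptions chosen for illustration.

```python
"""Context-to-enforcement policy sketch (illustrative, not ClearPass logic)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Enforcement values are assumptions for this example, not vendor defaults.
EMPLOYEE_VLAN, BYOD_VLAN, GUEST_VLAN, PROFILING_VLAN = 100, 600, 200, 700

# Headless device types pinned to the switches where they may appear (assumed inventory).
PORT_BINDINGS = {
    "Door Lock": {"sw-lobby-1"},
    "Printer": {"sw-floor3-1", "sw-floor3-2"},
}
# Profiled headless device type -> VLAN (assumed numbers).
HEADLESS_VLANS = {"Access Point": 400, "Apple TV": 300, "Printer": 310,
                  "IP Phone": 320, "Door Lock": 330}

# Constructed sample times used by the demo below (a Monday and a Sunday).
MONDAY_10AM = datetime(2016, 3, 7, 10, 0)
SUNDAY_3AM = datetime(2016, 3, 6, 3, 0)


@dataclass
class Request:
    """Context gathered for one port-access attempt."""
    mac: str
    method: str                        # "dot1x" or "mab"
    user: Optional[str] = None         # identity store; set only on 802.1X success
    device_type: Optional[str] = None  # profiler result, None if not yet profiled
    owner: str = "unknown"             # EMM/MDM: "corporate", "personal", "unknown"
    mdm_compliant: Optional[bool] = None
    registered: bool = False           # a device registration record exists
    switch: str = ""                   # location: which access switch
    when: datetime = field(default_factory=datetime.now)


def accept(vlan: int, role: str, reauth: bool = False) -> dict:
    return {"action": "accept", "vlan": vlan, "role": role, "reauth": reauth}


def deny(reason: str) -> dict:
    return {"action": "deny", "reason": reason}


def business_hours(t: datetime) -> bool:
    return t.weekday() < 5 and 7 <= t.hour < 19


def authorize(req: Request) -> dict:
    """Map who/what/when/where context to an enforcement profile."""
    if req.method == "dot1x":
        if not req.user:
            return deny("802.1X failed")
        if req.owner == "corporate":
            if req.mdm_compliant is False:      # EMM says out of compliance
                return accept(BYOD_VLAN, "remediation")
            return accept(EMPLOYEE_VLAN, "employee")
        # Personal or unknown ownership: limited access, business hours only.
        if not business_hours(req.when):
            return deny("personal devices outside business hours")
        if req.owner == "personal" and req.registered:
            return accept(BYOD_VLAN, "byod")
        return accept(GUEST_VLAN, "guest")

    if req.method == "mab":
        if req.device_type is None:
            # Unknown MAC: park in the profiling VLAN, re-authenticate once profiled.
            return accept(PROFILING_VLAN, "profiling", reauth=True)
        allowed = PORT_BINDINGS.get(req.device_type)
        if allowed is not None and req.switch not in allowed:
            return deny("%s not expected on %s" % (req.device_type, req.switch))
        vlan = HEADLESS_VLANS.get(req.device_type)
        if vlan is None:
            # Profiled as a general-purpose computer with no supplicant: guest only.
            return accept(GUEST_VLAN, "guest")
        return accept(vlan, req.device_type.lower().replace(" ", "-"))

    return deny("unsupported method %s" % req.method)


if __name__ == "__main__":
    samples = [
        Request("00:17:a4:00:00:01", "dot1x", user="jhansen", owner="corporate",
                mdm_compliant=True, switch="sw-floor3-1", when=MONDAY_10AM),
        Request("00:17:a4:00:00:02", "dot1x", user="jhansen", owner="personal",
                registered=True, switch="sw-floor3-1", when=SUNDAY_3AM),
        Request("00:17:a4:00:00:03", "mab", switch="sw-floor3-1", when=MONDAY_10AM),
        Request("00:17:a4:00:00:04", "mab", device_type="Printer",
                switch="sw-lobby-1", when=MONDAY_10AM),
    ]
    for s in samples:
        print(s.mac, s.method, authorize(s))
```

The point of returning a profile rather than a bare VLAN is that the same rule table can drive whatever the switch supports: VLAN steering, a user role, or a dACL name.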
Enforcement Options – Change of Authorization (CoA)
– The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it has been authenticated. When a policy changes for a user in ClearPass, administrators can send RADIUS CoA packets from ClearPass Policy Manager (CPPM) to reinitialize authentication and apply the new policy.
– A RADIUS CoA (or Disconnect-Request) forces the session to re-authenticate, so the device reconnects in the VLAN assigned by the new policy.
– If CoA isn’t available, short DHCP leases and short session timeouts are the fallback; the device keeps its old VLAN and address until the lease or session expires, so keep both short on the profiling VLAN.
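The CoA packet itself is short enough to build by hand, which makes the mechanism concrete. The following Python is an added example using only the standard library, not ClearPass or Aruba code: it constructs an RFC 5176 CoA-Request that re-authorizes the session identified by a MAC address into a new VLAN, verifies it the way the switch (NAS) would on receipt, and builds and checks the matching CoA-ACK. The shared secret, NAS address and MAC are constructed values; ClearPass’s own CoA profiles also carry vendor-specific attributes, which this omits.

```python
"""RFC 5176 Change-of-Authorization: build a CoA-Request, verify it as the NAS
would, and check the CoA-ACK. Standard library only; all values are constructed."""
import hashlib
import hmac
import socket
import struct
from typing import List, Tuple

COA_REQUEST, COA_ACK, COA_NAK, DISCONNECT_REQUEST = 43, 44, 45, 40
# Attribute types (RFC 2865 / RFC 2868)
NAS_IP_ADDRESS, CALLING_STATION_ID = 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def attr(type_: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([type_, 2 + len(value)]) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three tunnel attributes a switch reads as a VLAN assignment (RFC 3580)."""
    t = bytes([tag])
    return (attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def build_request(code: int, identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA/Disconnect-Request. Authenticator = MD5(Code|ID|Length|16 zero octets|Attrs|Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute and compare the authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """CoA-ACK/NAK. Authenticator = MD5(Code|ID|Length|RequestAuthenticator|Attrs|Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side: the reply must echo our identifier and chain to our authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the 20-byte header."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((t, packet[i + 2:i + length]))
        i += length
    return out


def coa_move_to_vlan(mac: str, nas_ip: str, vlan_id: int, identifier: int, secret: bytes) -> bytes:
    """CoA-Request re-authorizing the session identified by `mac` into `vlan_id`."""
    attrs = (attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(CALLING_STATION_ID, mac.encode("ascii"))
             + vlan_attributes(vlan_id))
    return build_request(COA_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    SECRET = b"example-shared-secret"          # constructed; never reuse a sample secret
    req = coa_move_to_vlan("00-17-a4-11-22-33", "192.0.2.10", 400, 7, SECRET)
    print("request ok:", verify_request(req, SECRET), parse_attributes(req))
    ack = build_response(COA_ACK, req, b"", SECRET)
    print("ack ok:", verify_response(ack, req, SECRET))
```

The request authenticator only proves that the sender knows the shared secret, so a switch should also accept CoA only from the addresses configured as its dynamic-authorization clients; otherwise anyone who learns the secret can move sessions between VLANs.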
How to Handle “Headless” Devices
– For devices that do not support 802.1X, we need to use dynamic authentication/FlexAuth/MAB on the port
– Two mechanisms for authentication:
  – Device Profiler
  – Device Registration
MAC Spoofing
What if someone spoofs a headless device’s MAC address?
ClearPass Can Detect Device Conflicts
Endpoint Profiler
Authorize devices like IP Phones, Hand Scanners, Printers, or Access Points
Protects your users and devices
Profiling “Unknowns”
– Recommended best practice:
  – Allow DHCP, SNMP, and maybe redirect HTTP to CPPM
  – Once profiled, re-authenticate against the new information
– In the demo, we will show how to use a VLAN for profiling with a short DHCP lease and “bounce” the device to the appropriate VLAN once it is profiled
Example Profiling Policy
Create an enforcement profile and policy rule to send the dACL (in the case of, say, a Cisco LAN switch).
Protect your users and devices
Device Registration
– ClearPass comes with a device registration feature that allows a specific device (MAC) to be registered and authorized in the system.
– This allows a user to pre-register a device before bringing it onto the network, creating an audit trail of the user’s devices.
– Useful when a general category or OS family isn’t specific enough, or when you need to allow only specific devices.
  – Example: We don’t want to authorize all Apple MacBooks, but we will allow some to be registered and authorized.
  – Example: You are allowed 3 personal devices and need to add a new device and remove an old one without having to call the helpdesk.
– Registration is still keyed on the MAC address, so pair it with profiling to catch a spoofed registered MAC.
Device Registration Example
The default device registration page looks like this: [screenshot]
Pulling it All Together
Summary: What do we get?
– A single config we can use on all access ports
– With CPPM, a policy engine and profiler that can provide consistency across multiple types of edge devices
– Ability to react differently to different device types, and provide needed access without having to default to “full access”
Configs / Demos
Demo 1 – 802.1X Authentication with VLAN Switching
[Flow diagram] HP-2920 switch authenticates the endpoint against ClearPass with PEAP-MSCHAPv2.
– Valid user? No → Access Denied
– Yes → User Type? Faculty, Student or Guest, each steered to its own VLAN (VLANs 100, 200 and 600 on the slide) behind the router
Demo 2 – Mac Auth Bypass with Device Profiling
[Flow diagram] HP-2920 switch performs MAC authentication against ClearPass.
– Device profiled? No → Profiling VLAN 700 with a short DHCP lease, then re-authenticate
– Yes → Device Type? Access Point, Apple TV or Computer, each steered to its own VLAN (VLANs 200, 300 and 400 on the slide) behind the router
Demo 3 – Wired Guest Portal
[Flow diagram] HP-2920 switch with ClearPass.
– Supplicant enabled? Yes → return to Demo 1 (PEAP-MSCHAPv2)
– No → Guest Portal, VLAN 200, behind the router
Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is.
Share your results with friends and receive a free superpower t-shirt.
www.arubatitans.com
Thank you