Network Access Control Part 2


Time
4 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:03
>> Not every device is going to have an 802.1X supplicant.
00:03
There are some devices that you want to allow on
00:03
your network that don't have the ability to speak 802.1X.
00:03
A lot of times,
00:03
printers fall into this category.
00:03
There's some printers that you can plug them in,
00:03
they can get an IP address,
00:03
but they just don't have an 802.1X supplicant.
00:03
You can't put a certificate on them.
00:03
But you still want to allow
00:03
them on the network and you want
00:03
to identify them as
00:03
printers and put them in the right VLAN.
00:03
In this case, you can configure something called MAC-AUTH
00:03
bypass on the switches or on the authenticator.
00:03
The way this works, is when the printer comes online,
00:03
the authenticator, the switch,
00:03
sees that internal, that link-state,
00:03
it sees that new connection and it sends
00:03
an EAP identity request because
00:03
it's configured to authenticate.
00:03
Well, the printer doesn't know what that
00:03
is because the printer
00:03
doesn't speak EAP or it doesn't speak 802.1X,
00:03
so it's just going to sit there,
00:03
it's not going to respond.
00:03
The authenticator can be configured
00:03
to send a certain number
00:03
of EAP responses back or EAP
00:03
requests back and then after it doesn't get a response,
00:03
after a certain number,
00:03
in this case let's say it sends it back three times,
00:03
after there's no response received,
00:03
the switch goes into what's called MAC-AUTH bypass.
00:03
It then takes the MAC address
00:03
of that device that it sees connected,
00:03
and it puts it into a RADIUS request,
00:03
a specially formulated RADIUS request called a RADIUS
00:03
MAC-AUTH request and it
00:03
sends it back to that authentication server.
00:03
Now, the RADIUS server, when it
00:03
gets this type of request,
00:03
it knows because of how the request is formatted,
00:03
because it's a MAC authentication request that
00:03
it needs to identify
00:03
this device based on its MAC address.
00:03
The RADIUS server goes and it
00:03
communicates with a back-end database server.
00:03
It's going to be an LDAP database
00:03
or some other type of database,
00:03
but there needs to be some type of database on
00:03
the backend that has a list of assets in the environment,
00:03
what their MAC addresses are,
00:03
and more importantly, in
00:03
the next step where those devices are connected.
00:03
This can be done manually,
00:03
it can be done via scripts that go out and do
00:03
auto detection of devices on
00:03
the network, but at the end of the day,
00:03
you want to have a database that says this device
00:03
has this MAC address that's on this port, on this switch.
00:03
The authentication server goes back and it says,
00:03
hey, what is this MAC address? It does a lookup.
00:03
The database says, this is a printer, and by the way,
00:03
it's this type of printer,
00:03
because of its MAC address, it's
00:03
a Lexmark, whatever printer.
00:03
At that point, the authentication server
00:03
can look in its policies and say,
00:03
okay, do we allow
00:03
this particular type of printer on our network?
00:03
Yes, we do. Okay, cool.
00:03
Let's send back a RADIUS access decision
00:03
to the authenticator.
00:03
We'll send back a yes, it's allowed on the network.
00:03
By the way, it's a printer.
00:03
If you have a printer VLAN, you can
00:03
put it on the printer VLAN.
00:03
The decision is finalized and then the VLANs
00:03
are open and the device is put on the correct VLAN.
00:03
Now, this works pretty well but there's
00:03
one fairly significant security flaw with this,
00:03
and that is that static database.
00:03
Over on the right-hand side, we talked
00:03
about having that database of
00:03
devices and what switch ports
00:03
they're on and what their MAC addresses are.
00:03
But if you have a static database of
00:03
devices, it's fairly easy,
00:03
especially in the case of a printer,
00:03
I could walk by a printer,
00:03
I could print out a test page,
00:03
that test page has the MAC address of the printer on it.
00:03
I can then spoof that MAC address
00:03
and put that MAC address on my own laptop,
00:03
make my laptop spoof that MAC,
00:03
and then I can plug my laptop into that printer port,
00:03
and that authentication we just
00:03
saw would go off without a hitch.
00:03
The network would think I'm
00:03
a printer and it's going to allow me on.
00:03
Now, I'm on the network and I'm not what I said I was.
00:03
One thing you can do to prevent this
00:03
is instead of that being
00:03
a static database on the backend,
00:03
you can have that database configured
00:03
to ingest NetFlow data.
00:03
All of the routers in your environment have
00:03
the ability to capture NetFlow data.
00:03
To look at all of the sessions going through
00:03
that router and identify for each session,
00:03
what's the port, what's the source address,
00:03
destination address, source port, destination port.
00:03
What does that high-level metadata
00:03
look like for that network session?
00:03
You can start to capture,
00:03
this is just one way you can create dynamic databases.
00:03
You can capture that NetFlow data into
00:03
the database and if you
00:03
see that printer start to
00:03
do something that printer shouldn't do, for example,
00:03
let's say that printer starts communicating
00:03
on TCP port 23,
00:03
that NetFlow data is going to be sent to
00:03
that backend database and when the database sees that,
00:03
it's going to say hold on a second,
00:03
printers don't communicate on TCP 23.
00:03
That's a telnet session.
00:03
That's more like something an end-user would
00:03
do and the database will
00:03
re-categorize that device from
00:03
being a printer to being an end-user.
00:03
Now the database has changed,
00:03
that MAC address is now classified
00:03
as an end-user and the database,
00:03
it's changed but the printer
00:03
is still out there on the network
00:03
and it's still communicating.
00:03
At that point, you want your database as soon as
00:03
it detects a category change,
00:03
the database can be configured to
00:03
go out there and connect to
00:03
that switch via SNMP and bounce the port,
00:03
do a port reset and that port reset will
00:03
force that whole authentication process
00:03
to start over again.
00:03
But this time, when the MAC address is sent to
00:03
the authentication server and
00:03
the authentication server looks it up,
00:03
instead of the database saying that's a printer,
00:03
it's going to say, that's an end-user.
00:03
We start communicating on 23, it's an end-user.
00:03
The authentication server says, oh, no.
00:03
My policy says if you're an end-user,
00:03
you have to have a certificate.
00:03
We don't MAC-AUTH bypass end-users.
00:03
It's going to send back access
00:03
denied message to the switch and
00:03
the device is either going to be placed in the guest
00:03
VLAN or it's not going to be allowed on the network.
00:03
That wraps up our section on network access control.
00:03
Next step, we're going to talk a little
00:03
bit about wireless and
00:03
some of the wireless encryption
00:03
and some of the security around that.