Sean Convery

In early July, Jon Oltsik of Enterprise Strategy Group and I both blogged about the need for more emphasis on an open-source 802.1X supplicant. With Funk and Meetinghouse both being acquired by large infrastructure companies there is no other commercially supported 802.1X supplicant on the market. Turns out Jon and the folks at ESG have put more effort on this beginning with a paper describing the problem in more detail. I hope the right folks at possible sponsor vendors are reading it and reaching for their checkbook. It may be time for the Open1X Foundation to be formed (catchy marketing name forthcoming).

Technorati Tags: 802.1X, Supplicant

The rising tide of regulation, vulnerabilities, and exposure of IT security issues means more and more IT folks may find themselves going the way of Todd Acheson and Tom Reid who were both fired after data breaches at Ohio University were exposed. Having spent some time in IT, at professional services firms, and at vendors, I’ve heard plenty of vague allusions to getting fired or not fired by making a bad or good decision around network security. I wonder if anyone is trending this data over time? I would expect as regulation increases, so will unrequested early-retirement.

However, it raises the issue of what techniques can you deploy to protect your network against both the relentless advance of security threats and a similarly relentless onslaught by auditors. The challenge here is that these two aspects may not necessarily be in alignment. What you do to comply with your auditors may not be what is most needed on your network to improve its overall security. However auditors, because of their influence, make things happen in terms of budget allocation and staffing resources. This can lead to pernicious security. Pernicious security is security that seems like a good idea but actually takes resources away from another security initiative that would be more beneficial.

In the NAC space I have to wonder if the focus on posture validation is really where we ought to be spending our time. After all, host-security-controls themselves have the ability to stay up to date and to enforce access restrictions if they are not. Guests can be forced through a restrictive IPS device to limit the damage they can cause. However, the basic foundation of network authentication and authorization of the user is new functionality with significant new benefit: centralized network-wide audit of access, role-based access rights, and guest management. Posture is a great addition to this user foundation but viewing it as the goal itself seems incorrect. As I’ve discussed before, the NAC and authenticated networks space is hard enough without trying to solve the hardest element of it first.

Technorati Tags: NAC, regulation

The AOL-search disclosure debacle is interesting in two ways. First, I’m amused that people are shocked with how easy it is to determine someone’s identity by way of their search queries. Second, I can’t fathom how some faction within AOL thought releasing this data would be a good idea. For some background, The New York Times has a nice article on how a reporter fairly easily tracked down the real-world identity of user 4417749.

But it got me to thinking… Since search history can pretty easily tell you the identity of someone, an IDS / IPS within an enterprise can tell you that and more. These capabilities within IDS and other “big brother” technologies have spawned privacy concerns among their controlled users. “Corporations are not democracies” is the general response: the computer you are using is not your property, nor are the software applications, or the network you access … and so on.

Setting aside what sorts of private things your employer could already know about you based on your network-use, imagine using the same set of data for identity. Let’s call it “inference-based” identity. An inference-based identity system could identify users or devices without their overt participation. Such systems can operate in a very similar way to an IDS. Companies like Great Bay can already do some of this. They determine whether a given MAC address is a Windows PC, a fax machine, a security card reader, or nearly anything else. They do this by increasing the confidence of their classification with each new piece of data they gather until voilá! They make an identification.

Great Bay is doing this to help organizations migrate to 802.1X but a system built specifically for the broader identity problem seems more possible all the time. This would be similar to what Arbor Network’s DoS prevention does with NetFlow, only doing it packet-by-packet with the intention of determining identity information. Each packet or flow inspected would provide clues to the identity of the user and host. IDS certainly becomes more powerful when informed by identity but contemplating an IDS inferring identity is something else entirely.

The trend towards encrypted communication certainly makes this sort of classification harder, but I imagine there’s enough sent in the clear from most workstations to make a clear identification–and to trend that identification over time as users roam on the network. How hard would it be for a network to determine that Tony from accounting isn’t at his normal workstation but is instead using a machine in a conference center? Technologies like 802.1X support mobility through an overt user action today but when paired with an inference-based identity system you could increase security and also deal with non-802.1X capable devices. Any inference-based system would suffer from delays in determining identity as the first few packets from a host are rarely going to be enough to establish a reasonable identity. The false positive problem of an IDS might also appear, but since you are merely using the various bits of information to make a broader identification decision, the challenges might be mitigated. I would expect to see more work in this space in the next couple years.

As an aside, I can’t help feeling that this same data can also be used over time for frightening things. Imagine your employer trending your network access as you do more and more online. They might be able to spot early signs of depression for example. Imagine the phone call from HR, “We’ve noticed a trend in your Internet use which might indicate you could use some help with your personal life. As a caring employer we’d like to do what we can.” Swap out your employer for your ISP or government and things get even scarier. Big brother indeed.

Technorati Tags: identity, IDS, AOL

At Blackhat this year, Ofir Arkin (CTO of NAC vendor Insightix) attacks NAC. It would seem from reading some breathless press reports that major flaws and vulnerabilities have been discovered. The first article about this talk is from Dark Reading and was released almost a month ago. Here are a couple more recent from Infoworld, and Internetweek. Though I did not attend Black Hat this year I’ve reviewed Mr. Arkin’s slides. I have a number of problems with this entire brouhaha.

First, why are so few people reporting on the fact that Mr. Arkin works for a vendor which sells network access control products? In the Infoworld article the author makes no mention of this fact at all besides listing the company Arkin works for. Internetweek goes further by mentioning that Insightix is “an Israel-based developer of agentless, real-time IT infrastructure discovery and monitoring solutions.” Dark Reading is the only one of the three which tells the full story:

Not surprisingly, Insightix is offering products that could help close the vulnerabilities in NAC systems. The Insightix NAC solution, introduced three weeks ago, includes a network discovery tool that not only shows DHCP addresses, but static IP addresses and details on how clients and devices are connected to the network.

I’m no stranger to Black Hat–having presented twice–but both times I was listing design considerations in my own company’s products, not attacking my competitor’s approaches. This is grandstanding at its finest and I’m shocked that most of the media reports I’ve seen so far give Arkin a free pass. A quick visit to Insightix’s own website will make it very clear what role they see themselves playing in the industry.

Second, the posturing of this presentation to the press, to the Black Hat audience themselves, and what was actually delivered in the slides is quite different. First let’s compare a snippet from the InternetWeek article with the Black Hat abstract. First Internetweek:

“People need to understand that NAC is not bulletproof and that’s it’s something important that needs to be taken care of,” he [Arkin] says. “They might already have the right solution to handle their NAC issues, but they need to understand where to apply it.”

Pretty level-headed advice. Now the abstract:

Flaws associated with each and every NAC solution presented would be presented. These flaws allows the complete bypass of each and every network access control mechanism currently offered on the market.

Woah! This is clearly more incendiary and absolute in its damnation of NAC as compared with the press quotes. The grand claims in the abstract raise the question: what flaws were found which allow “the complete bypass of each and every network access control mechanism currently offered on the market?” Now again, I only reviewed the slides that were presented and heard from some of the folks in the room so some of this is conjecture (but hey, this is a blog right?). Since I haven’t seen the slides posted publicly yet, I’ll constrain this post to the flaws described in the press so that I can quote directly.

This leads me to point three: the flaws describes in the press–which should be among the juiciest–seem thin at best. Here’s a snippet from Infoworld:

NAC solutions that enforce access through network switches, such as Cisco Systems’ Network Admission Control, also have weaknesses, he said.

For example, Cisco’s NAC technology is specific to their switches and routers, but enterprises often use a mixture of switching and routing gear. Hackers can find their way into an enterprise network simply by finding and connecting through an unmanaged switch, he said.

Stop the presses; security controls don’t work on devices which don’t run them! Mr. Arkin is raising a very valid deployment concern which architects need to be aware of, but it reminds me of a deployment concern raised in the mid 90s around firewalls: If there are paths in and out of your network that don’t go through firewalls than your firewalls can be bypassed. Deployment concerns are not fatal flaws. However, there is a reason Arkin’s talk was titled “Bypassing NAC Systems” not “NAC Deployment Considerations.” First, as I know first hand, the Black Hat conference likes flashy titles. Second, so does the press. This is too bad because for the most part the information in his presentation presents useful design considerations around NAC as well as a substantial section providing an overview of NAC’s different approaches.

To wrap up, when evaluating a security control you should measure it against what you actually want to accomplish with it. As Mr. Arkin points out in his presentation, the definition of NAC is nebulous. Therefore describing ways to completely circumvent it seems confusing, even if he did point out novel techniques to do so. This is because without clear design goals and expectations, any system can be shown to fail simply by changing the target objective. This is why common criteria evaluations need to list what they say they protect against so that the measurement is accurate.

As I pointed out in a brief article from last year on NAC from a Cisco perspective, one of the most basic benefits that NAC can provide is to ensure systems that aren’t actively trying to subvert your security don’t become conduits in the proliferation of malicious code. Now I’m certainly no NAC zealot; I’ve written lengthy posts in the past on some of the challenges associated with NAC and I certainly agree that it has plenty of room for improvement. However, this and other elements of NAC’s functionality, have value which is in no way diminished by any of the “flaws” described at Black Hat. John Stewart, the CSO for Cisco (on the IT side of the company) said it well at the end of the InfoWorld article:

“The technology’s immature. But [NAC] will increase my capability to keep my network in good condition. Can it be maneuvered to have false data? Yes. Would it be completely the case that every device on my network will provide false data? Unlikely.”

“It’s inherently going to be found that there are weaknesses. But I think that’s the wrong thing to focus on. We want to address the weaknesses but focus on the benefits,” Stewart said.

I hope that as NAC moves along the adoption curve we can have level headed conversations about its use in networks and that the press, the vendors, and the researchers work together to find out the best way to protect against attacks. Eric Norlin’s more sober analysis is welcome. Also, I came across a very level headed article from earthtimes.org of all places which ignores the hype and just focuses on the useful info Mr. Arkin did present. This is where we need to head. After all, we all want a more secure network…right?

Technorati Tags: 802.1X, NAC, Network Security, Black Hat

TechPlanet Asia has a nice interview with HP’s ProCurve CTO Paul Congdon. The interview covers all manner of things centered around NAC and edge security enforcement in switches. I noticed a couple things when reading the interview. First, HP gets it. Paul’s comments taken together with some positive interactions I’ve had with HP’s Mauricio Sanchez have convinced me they understand the opportunity with edge enforcement and are pursuing it aggressively.

Second, HP seems to be pitching this edge play as somehow different from what Cisco is doing which seems a little more like marketing spin. Cisco wants to do edge enforcement just as much as HP does and Paul’s comment that what Cisco is doing is “taking their peripheral security products, putting it on a blade and then shoving it into a high-end chassis at the core of the network” is just plain false. During my time at Cisco I never specified such a design nor did I know anyone who did. It would be like committing architectural seppuku since even if this is something you wanted to do, network cores–as Paul eludes to–are much too fast. Everything was built around enforcement at the wiring closet / distribution layer and then again at the data-center. The core was always meant to be fast and dumb (with the possible exception of basic security techniques like unicast RPF checks and the like). It is clear that HP is trying to differentiate vs. Cisco with security; it will be interesting to see how they do.

Third, Paul is the first major infrastructure spokesman that I’m aware of to discuss the IEEE’s LinkSec work:

With 802.1AE and 802.1AR, it means that I can create trusted infrastructure in a plug-and-play fashion. So I’ll be able to take a ProCurve product out of the box, plug it into the network, and that box already has credentials built into it. And it can automatically authenticate to its peer switch and then you can bring up an encrypted link and now all the traffic - spanning trees, routing protocols - is fully protected.

It will be very interesting to see how quickly customers embrace the notion of hop-by-hop crypto and what sort of policy infrastructure is required to make it work properly. People are balking at migrating their switch infrastructure for NAC; I wonder if line-rate crypto is more or less attractive.

Technorati Tags: Cisco, HP Procurve, Linksec, NAC

Earlier this year I wrote about the basics of 802.1X with the default VLAN. I still believe it provides a great way to slowly coax users to 802.1X without forcing an instant migration as well as a nice way to integrate guests onto your network. Here’s an additional tip for how to work with the default VLAN when using a captive portal, I recommend reading my earlier post first if you haven’t already.

One wrinkle with the default VLAN has to do with DHCP and how tightly coupled it is with the 802.1X process. Ideally the 802.1X supplicant you use would automatically do a DHCP release / renew each time the 802.1X status changes on a port. This isn’t always the case though. I haven’t tested all supplicants yet but certainly some of them (Mac’s built-in supplicant for example) don’t do this. This leaves you with a sequence like this:

1. Host connects to the network and is challenged with an EAPoL-Start message
2. Host does not respond or user does not respond to the authentication request dialogue
3. Authenticator places the host on the default VLAN at which point the host requests a DHCP address
4. The user initiates the 802.1X authentication manually (after getting his morning coffee, etc.) and succeeds in authenticating
5. The authenticator puts the host on a different VLAN since now a trusted user has authenticated
6. The host now has no network connectivity because it still has the old DHCP address for the other VLAN

This is an example of the nascent nature of 802.1X supplicants in general. I can’t think of a valid reason why you wouldn’t do a release renew yet some still don’t. This has been a known issue for quite some time now. In fact I describe a more pernicious variation of this issue in my book:

During my testing, I found a lack of integration between the 802.1x client and the DHCP client in Microsoft Windows 2000 … By the time authentication by 802.1x occurred, the PC had already timed out its DHCP request and opted instead for a link local address (169.254.0.0/16). Though the user could manually go in and restart the DHCP process, for most users this will be infuriating. (343)

There is a reasonable workaround here though it isn’t quite ideal. When the user is placed on a default VLAN–as described in my earlier post–they can be sent through a captive portal device. This captive portal generally provides local DHCP services for the default VLAN as well. So one approach is to simply set the DHCP lease time quite short for these guest systems. Something between one and two minutes is probably appropriate. So now if you start up your 802.1X supplicant after being temporarily placed on the default VLAN, you will only have a short time to wait before the DHCP client gets the proper address.

If you wanted to get really slick you might increase the time of the lease based on the number of times it has been renewed–each renew increases your confidence that the host is actually a guest user. That may add more complexity than it is worth plus it isn’t like the DHCP process is particularly compute intensive, especially if the short lease only applies to guest users. (As an aside, I’m no DHCP expert so I’m not certain if this lease scaling can even be done.)

Regardless of the DHCP particulars this approach will provide a safety net for less than optimal supplicants when working in a network that implements the default VLAN. If you’ve had experience working with this in the field, I’d love to hear about how it went. We’re using this technique in the office here for guest users and according to IT and the guests I’ve talked with it works fairly well.

Technorati Tags: 802.1X, Supplicant, DHCP, VLAN