Security Basics mailing list archives

Re: Wired security improvements


From: "Andrea Gatta" <andrea.gatta () gmail com>
Date: Thu, 3 Jan 2008 17:54:28 +0000

Hi Jesse,



I have a lot of experience with 802.1x in a wireless environment and it
works great.  In a wired environment, I think it can add a LOT of
complexities I'm not ready to tackle, especially when it comes to imaging,
and clients/OS's that don't have a supplicant.  It's also a complete PITA to
get up and running, test fully, etc.  So I think that while it's a much better
option than MAC Authentication via RADIUS as far as security is concerned, I
personally feel the rewards are outweighed by the additional
cost/setup/testing to get a fully wired 802.1x infrastructure in place.



I fully see the time/cost issue in regard to the above point, but to
be honest I think that the MAC address/RADIUS solution isn't worth
even the small time/cost investment, for more than one reason.

From a network security standpoint, as you've pointed out, it can
only provide a weak form of network authentication. I would say
that it's more a network management tool than a way to secure a
network at L2.

As I said, I see your point, and I have to admit that I had the same
thought as you while I was designing the new L2 infrastructure for a
client of mine. At that time I was thinking of using Cisco VMPS,
which gives you a way to assign switch ports to VLANs dynamically,
based on the source MAC address of the device connected to the switch
port. Thing is, if you see that in perspective, you're implementing
something that is still dead.

On the other hand, I can't agree with you about OS-side support.
First of all, you need to have a sort of standardization on the OS
side. You need it because the overall message in doing this change in
the network is to take back control. At the time I'm writing, all
of the best-known OSs have good dot1x support. For example, I was
able to successfully roll out dot1x for Windows XP, Linux, Mac OS X and
*BSD flavours. I've used PEAP and RADIUS, with an LDAP backend. A custom
captive portal completed the whole thing. At the end of the day it
was a trade-off between security and usability that worked, and which
might give me the chance to extend it further to a full NAC solution.
You can't say that of the MAC address auth solution, which was simply
born dead.

My 2 cents

Cheers,
Andrea

On Jan 3, 2008 1:49 AM, Jesse Rink <jesse-rink () wi rr com> wrote:
Hello all.

I was hoping for some feedback on some improvement I'm hoping to make at a
couple of clients as it relates to their wired network.

A bit of a background...

I do support for several K12 school districts.  This, by its nature, changes
the typical way security needs to be planned for and implemented.  Obviously
the biggest change is the mindset that the biggest security threat comes
from the inside as opposed to coming from the outside.

In particular I am looking at ways to minimize the potential of being
exposed when it comes to students having accessibility to the physical
network when they bring in their own laptops.  Some schools I do work for
have a policy in place that restricts students/staff from bringing in
laptops.  Some schools I do work for have a policy which allows
students/staff to bring in laptops.

The concern I am looking to address is finding a method to prevent
students/staff from bringing in their laptop, plugging it into an active
port and getting on the network.  My concern is, a user who brings in a
non-controlled device will have the ability to run whatever hacking/cracking
tools they want, man in the middle attacks, etc.  My experience with these
tools tells me I only need 5 minutes at the most to start getting usernames
and passwords from Kerberos hashes - I've done it and it was surprisingly
easy.  At that time, I can take my laptop offline, go home, and crack
passwords easily enough.  I have spoken at length with Aaron Royhans about
this (he is a member on this mailing list) and we have come up with the same
summation for the most part so I feel as if I'm on the right track at least.

The following 5 methods are, as far as I see it, the potential options I
have:

1. Lockdown switchports by individual MAC addresses
2. Implementing IPSec
3. 802.1x on the Wired network
4. A NAC device (HP, Cisco, etc.)
5. MAC Authentication via RADIUS

I have put together a small spreadsheet detailing what I see, in MY
environments, as pros and cons of each method.  Pros and Cons include
everything from how effective the solution is, to cost involved, to time
involved, to ease of installation and continued support thereafter, etc.

I need to implement something for approximately 500-900 wired computers
depending on the size of the client.  Costs need to be kept low.  Time
investment needs to be kept low.  Those are the main priorities, however,
I'm considering all options and avenues.

As of now, I am leaning towards MAC Authentication via a RADIUS server,
followed by IPSec.  Ideally, I would like to implement both options in
tandem to complement each other.  MAC Authentication via RADIUS to keep them
off the network, IPSec to keep the communications secure.

I believe MAC Authentication via RADIUS is an ideal choice for us because it
seems like it would be the easiest of the methods to implement with a minimal
amount of configuration required and overhead.  Set up the ports on the
switches, add the MAC addresses to Active Directory, configure my IAS Server
and that's pretty much a wrap.  We pretty much effectively limit port-access
to the network unless that MAC can be authenticated.  Yes, I realize MACs
can be spoofed, but, a student would first have to KNOW the reason they're
being prevented access to the network is because of MAC based
authentication.  I think it's a stretch to think a student would guess that.
Possible - sure.

IPSec seems like a good option as well, but it doesn't prevent physical
access to the network at all.  It merely requires that both parties, client
and server, communicate securely.  If one doesn't, then there's no access.
I am still a bit concerned that "man in the middle attacks" could
potentially happen even with IPSec however based on what I've read...

I have a lot of experience with 802.1x in a wireless environment and it
works great.  In a wired environment, I think it can add a LOT of
complexities I'm not ready to tackle, especially when it comes to imaging,
and clients/OS's that don't have a supplicant.  It's also a complete PITA to
get up and running, test fully, etc.  So I think that while it's a much better
option than MAC Authentication via RADIUS as far as security is concerned, I
personally feel the rewards are outweighed by the additional
cost/setup/testing to get a fully wired 802.1x infrastructure in place.

A NAC device seems like a nice option.  But cost can be outstanding.  I'm
currently evaluating an HP NAC 800.  Seems to do everything I'd want, but
again, cost... cost... cost.  Especially when you add in the appropriate
licensing required on the clients.  Likely would be over $20,000 or more.

If you want to shed your $.02 on this, feel free.  I ask however that you
first go to http://www.w3si.org/securitymethods.xls and view the spreadsheet
I put together with pros/cons.  Again, this is based on MY environments so
it may not coincide with environments you've seen in your travels.

Thanks for reading.

Jesse
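Added example, not code from either poster: a small model of the "MAC Authentication via RADIUS" decision that Jesse proposes and Andrea calls a weak form of authentication. It assumes (as Cisco-style MAB does, though the exact format depends on vendor and configuration) that the switch sends the client's MAC address as the RADIUS User-Name, so the server has to normalise the different delimiter styles before looking it up. The allowed-MAC table stands in for the Active Directory/IAS lookup in the thread; the MAC values and device names are constructed. The scenario at the bottom shows why both posters agree the check is spoofable: a request carrying a cloned MAC is indistinguishable from the legitimate one.

```python
"""Model of MAC Authentication Bypass (MAB) over RADIUS.

Constructed example for the thread above, not the poster's config.
Assumptions (not from the thread):
- the switch puts the client MAC in the RADIUS User-Name, in whatever
  delimiter style the vendor uses, so we normalise before lookup;
- ALLOWED_MACS stands in for the Active Directory / IAS backend.
"""
import re

# Constructed sample directory: normalised MAC -> device label.
ALLOWED_MACS = {
    "001a2b3c4d5e": "lab-pc-01",
    "001a2b3c4d5f": "lab-pc-02",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or
    AABBCCDDEEFF and return 12 lowercase hex digits; raise on junk."""
    mac = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not _HEX12.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def mab_authorize(username: str) -> tuple:
    """The only decision a MAB RADIUS server can make: Access-Accept if
    the presented MAC is in the directory, Access-Reject otherwise.
    Returns (verdict, device_label_or_None)."""
    try:
        mac = normalize_mac(username)
    except ValueError:
        return ("Access-Reject", None)
    label = ALLOWED_MACS.get(mac)
    if label is None:
        return ("Access-Reject", None)
    return ("Access-Accept", label)


def simulate_port(requests):
    """Run (description, user_name_as_sent_by_switch) pairs through the
    server; return (description, verdict) pairs for inspection."""
    return [(desc, mab_authorize(mac)[0]) for desc, mac in requests]


# Constructed scenario: the authorised PC, an unknown laptop, and the
# same laptop after its owner set its MAC to the one the PC uses.
SCENARIO = [
    ("lab-pc-01, dotted username format", "001a.2b3c.4d5e"),
    ("student laptop, factory MAC",       "00:16:ea:12:34:56"),
    ("student laptop, cloned lab-pc-01",  "00-1A-2B-3C-4D-5E"),
]

if __name__ == "__main__":
    for desc, verdict in simulate_port(SCENARIO):
        print(f"{desc:36s} -> {verdict}")
```

The first and third requests produce identical Access-Accept decisions because the server sees identical data; nothing in a MAB exchange binds the MAC to the device that originally owned it. That is the gap 802.1X with PEAP closes, since the supplicant has to present user credentials rather than an address anyone on the segment can observe.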



