Security Basics mailing list archives
RE: 802.1x Design Questions.
From: "Ken Kousky" <kkousky () ip3inc com>
Date: Fri, 1 May 2009 12:48:50 -0400
TWO important points: First, 802.1x isn't a viable model if you don't have authentication and PKI solutions available. Second, when we have complex trust dependencies it's often hard to see the weakest link, but we've argued for years that certs are certainly easy to attack on most desktops today.

You have a variety of ways to manage your certs, so it's often easiest to remember a cert is just a structured container for a public key. The question is how do you manage access to your public keys. The general PKI model is to have them digitally signed by a "trusted" authority - this means a public key (or cert) that is in the possession of the client and was delivered out-of-band. Your cert can then be downloaded whenever it's needed and it's trusted because it's digitally signed. The digital signature relies on the public key that is already present.

We recommend short lives on your certs, which forces regular reviews and updates.

Right now, most certs are managed in browsers and are extremely vulnerable to exploits, but I'm not aware of any such attacks. Why do something complicated when there are much easier attacks?

Typically, the cert you use can be downloaded to ANY machine that can authenticate it through a chain-of-trust, which means the cert you distribute is signed by the trusted authority we just mentioned.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
Sent: Tuesday, April 28, 2009 12:16 PM
To: security-basics () securityfocus com
Subject: 802.1x Design Questions.

Good morning,

After looking at deploying a Windows Server 2008 based PKI in order for us to implement 802.1x based network access control, I have some questions. I feel they are overall pretty basic, but I have not succeeded in locating any documentation that really deals with the basics other than the usual "This is a certificate".

1. What is a proper certificate validity period for user/computer certificates issued by the issuing certificate authority? My thought initially was that a certificate was valid for the duration of "user being logged into active directory". I don't think I was correct.

2. If a certificate has a validity period of one year and users sit at multiple PCs in that one year, is the user certificate stored on all PCs when the user isn't logged in? If so, is this a concern?

3. Do I need to revoke certificates as users leave the domain? Or is this automated due to the user being removed from active directory?

4. How do you manage endpoints (PCs) for patch deployments etc. when there is no user logged in?

Thank you very much
Nick