Securing the LAN Best practices to secure the wired access network
Download as PPTX, PDF5 likes6,831 views
This document discusses best practices for securing the wired access network. It begins by explaining why securing the LAN is important due to increased mobility and use of personal devices. It then reviews common methodologies for securing the LAN such as port security, MAC whitelisting, and 802.1X authentication. The document demonstrates how using device profiling and context from sources like EMM/MDM can improve enforcement options. It also addresses challenges like handling "headless" devices and preventing MAC spoofing.
![14#ATM16
Device
Profiling
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity
Stores
Network Devices
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
Sources of Usable Device Context](https://image.slidesharecdn.com/securingthelanbestpracticestosecurethewiredaccessnetwork-160331163515/85/Securing-the-LAN-Best-practices-to-secure-the-wired-access-network-14-320.jpg)
Securing the LAN Best practices to secure the wired access network
- 1. #ATM16 Securing the LAN: Best Practices to Secure the Wired Access Network Micah Staggs, CSE-Security Chuck Jenson, CSE-Security March 2016 @ArubaNetworks |
- 3. 3#ATM16 HPE-Aruba 7XXX Controllers Soon to be Retired Cisco Switches Why Bother With the LAN? –Isn’t in “inside” my network? –Increased mobility of company- provided devices and the introduction of user-owned devices make trusting the endpoint an issue –Cloud-first, Mobile-first thinking is that the access layer isn’t truly “inside” –What’s the point, we are going to be all wireless in a year anyway!
- 4. 4#ATM16 Other Reasons –Universal Port –We’d like to have a similar config on all ports and update them based on the device attached –Static VLAN assignments and changes can be a pain –Security audits
- 5. 5#ATM16 Methodologies – Port Security –Locks the port to the 1st MAC or 2 that it sees. Clears out after the port has been down for some time –Works well against someone trying to unplug a printer and use that port, but not really secure and not mobile friendly
- 6. 6#ATM16 Methodologies – MAC WhiteList –MAC Lists are good for “Quick and Dirty” Security –Let’s face it, no one wants to maintain an enterprise-wide list of MAC addresses. –What if a NIC gets changed? –What about BYOD laptops? –What about MAC spoofing?
- 7. 7#ATM16 Methodologies – Wait and See –Let it on the network and if it does something wrong, or we detect the device type, move it via SNMP. (sometimes coupled with a MAC list) –Constant changing of port config –What if you miss a syslog? –SNMP writing doesn’t always scale well in enterprise environments
- 8. 8#ATM16 Methodologies – Captive Portal –Works almost like a Guest Network. 1. Let them on in a temporary fashion 2. Authenticate via Web Auth 3. Put them in the appropriate VLAN/Role –Not supported by all switches –What happens to devices like printers and VoIP phones with no browser?
- 9. 9#ATM16 Methodologies – 802.1X –L2, authentication and enforcement occurs prior to the device getting an IP. Also works for Guests with supplicant active –Requires the supplicant be present and active on the endpoint (not on by default on Windows) –What about printers and phones and door locks, etc. with no supplicants (headless)?
- 10. 10#ATM16 What We Usually See –802.1X, coupled with MAC Auth Bypass and Captive Portal –Best if coupled with a profiler and/or other context sources –Can be versatile enough to handle corporate, personal and guest devices Cisco: interface GigabitEthernet<port-number> switchport access vlan <vlan-id> switchport mode access authentication order dot1x mab authentication priority dot1x mab HPE:
- 11. 11#ATM16 Sample .1X Transaction using Certificates (TLS) –Mutual Authentication Request Identity Response Identity (anonymous) Response Identity TLS Start Certificate Client Key exchange Cert. verification Request credentials Response credentials Success EAPOL RADIUS EAPOL Start AuthenticationServer Authenticator Endpoint
- 12. 12#ATM16 Sample .1X Transaction with Mac Auth Bypass and Captive Portal
- 13. 13#ATM16 What Context do we use? –Who is the user? –What type of device is it? –Is it a company-owned or user-owned device? –What’s the time of day or day of week? –Location – can this device attach to this port?
- 14. 14#ATM16 Device Profiling • Samsung SM-G900 • Android • “Jons-Galaxy” EMM/MDM • Personal owned • Registered • OS up-to-date • Hansen, Jon [Sales] • MDM enabled = true • In-compliance = true Identity Stores Network Devices • Hansen, Jon [Sales] • Title – COO • Dept – Executive office • City – London • Location – Bldg 10 • Floor – 3 • Bandwidth – 10Mbps Sources of Usable Device Context
- 15. 15#ATM16 Enforcement Options –Great, now that we know the who, what, when, and where… what can we do? –Depends on access device, but typically we see: –VLAN Steering –dACL enforcement –Change of Authorization –Vendor specific (User Role, AV Pair) –Captive portals on some switches
- 16. 16#ATM16 Enforcement Options – Change of Authorization (CoA) – The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user in ClearPass, administrators can send the RADIUS CoA packets from the ClearPass Policy Manager (CPPM) to reinitialize authentication and apply the new policy. – RADIUS Change of Authorization will disconnect them allowing them to reconnect in the new VLAN assigned in the policy. – If CoA isn't available using short DHCP leases and short session timeouts are options.
- 17. 17#ATM16 How to Handle “Headless” Devices –For devices that do not support 802.1X: –Need to use dynamic authentication/FlexAuth/MAB on the port –Two mechanisms for authentication: –Device Profiler –Device Registration
- 18. 18#ATM16 MAC Spoofing What if someone spoofs a headless device’s MAC address?
- 19. 19#ATM16 ClearPass Can Detect Device Conflicts
- 20. 20#ATM16 Endpoint Profiler Authorize devices like IP Phones, Hand Scanners, Printers, or Access Points Protects your users and devices
- 21. 21#ATM16 Profiling “Unknowns” –Recommended Best Practice: –Allow DHCP, SNMP, and maybe redirect HTTP to CPPM –Once profiled, re-authenticate against new information In the Demo, we will show how to use a VLAN for profiling with a short DHCP lease and “bounce” the device to the appropriate VLAN once they are profiled
- 22. 22#ATM16 Example Profiling Policy Create an enforcement profile and policy rule to send the dACL (in the case of, say, a Cisco LAN switch) Protect your users and devices
- 23. 23#ATM16 Device Registration –ClearPass comes with a device registration feature that allows a specific device (MAC) to be registered and authorized in the system. –This allows a user to pre-register a device before bringing it onto the network. – Thus creating an audit trail of the users devices –Useful when a general category or OS family isn’t –specific enough or when you need to only allow specific devices. –Example: We don’t want to authorize all Apple MacBooks but we will allow some to be registered and authorized –Example: You are allowed 3 Personal Devices and you need to add a new device and remove an old device without having to call the helpdesk
- 24. 24#ATM16 Device Registration Example The default device registration page looks like this:
- 25. 25#ATM16 Pulling it All Together
- 26. 26#ATM16 Summary: What do we get? –A single config we can use on all access ports –With CPPM, a policy engine and profiler that can provide consistency across multiple types of edge devices –Ability to react differently to different device types, and provide needed access without having to default to “full access”
- 28. 28 Demo 1 – 802.1X Authentication with VLAN Switching Valid User? User Type? Student Guest No Yes Faculty HP-2920 Switch (PEAP- MSCHAPv2)ClearPass Router Access Denied VLAN 100 VLAN 600 VLAN 200
- 29. 29 Demo 2 – Mac Auth Bypass with Device Profiling HP-2920 Switch (PEAP- MSCHAPv2) Device Profiled? Device Type? Access Point Apple TV No Yes Computer ClearPass Router VLAN 400 VLAN 300 VLAN 200 Profiling VLAN 700 with short DHCP Lease
- 30. 30 Demo 3 – Wired Guest Portal HP-2920 Switch (PEAP- MSCHAPv2) Supplicant Enabled? No Yes ClearPass Router Return to Demo 1 Guest Portal VLAN 200
- 31. 31#ATM16 Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is. Share your results with friends and receive a free superpower t-shirt. www.arubatitans.com
Editor's Notes
- #3: Trivia Answer: There are 6 horses on the Agenda Page
- #4: "Agree that the wired edge is shifting from access to wireless aggregation. In what tangible ways are we optimizing our Wired infrastructure for Wireless?" Here was my answer: 1) SOFTWARE - five points of integration with Aruba software to become better together: unified mgmt via Airwave supplemented by IMC; unified policy via ClearPass; ZTP same as APs via Activate or DHCP-based; cloud mgmt. via Aruba Central; and better-together features ported from the MAS switch like rogue AP detection and auto-setting PoE and QoS for an identified AP. 2) HARDWARE - best-in-class performance (throughput, switching, latency), full POE+ on every port, redundant power supplies for reliability, and of course #hpesmartrate for multi-gig to 11ac wave 2 APs. 3) ASIC - future-proof with best-in-class programmable ASIC, greatest scale and best performance for rule matching to enable real-time visibility, optimization and security services.
- #5: Example: One customer thought their VoIP phones would be stationary until they found out that end users were moving them and then complaining because they would not authenticate on the new port.
- #6: Trivia Answer: Wired Port Security is supported by HPE-Aruba, Cisco, Juniper (and others)
- #12: Trivia Answer: The Authenticator initiates the Request Identity
- #15: Trivia Answer: Device Profiling is one source of Usable Device Context
- #18: Trivia Answer: A Headless Device is on that does not support 802.1X
- #19: What if someone gets the MAC address of a printer or other authorized device and spoofs it on their PC? CPPM will set the Conflict flag on the Endpoint if the same MAC profiles as a different device than it previously had been. You can then act on that in the Enforcement Profile
- #20: What if someone gets the MAC address of a printer or other authorized device and spoofs it on their PC? CPPM will set the Conflict flag on the Endpoint if the same MAC profiles as a different device than it previously had been. You can then act on that in the Enforcement Profile
- #22: But what about new devices or devices that haven’t been profiled yet?
- #29: Make networks mobility-defined instead of fixed
- #30: Make networks mobility-defined instead of fixed
- #31: Wired Guest has no supplicant and uses Guest Portal to be placed into VLAN 200
- #32: Contest Overview - Aruba is running a marketing campaign where we ask “What is your IT superpower?” - Go to arubatitans.com to take a quick quiz to discover your superpower. - Share your results with friends and encourage others to play the game - Once you share, go to the Social and Community Hub, Gracia Commons, 3rd fl to pick up your free superpower shirt. FAQ 1. What do I have to do to get a shirt? Share your IT superpower results with friends and encourage them to play the game. Then come to the Social & Community Hub, 3rd Floor Gracia Commons to pick up your shirt. We just need your name and badge for verification. 2. Where do I get my shirt? Come to the #ATM16 Social & Community hub located at Gracia Commons on the 3rd Floor 3. Do I have to be at the event to get the shirt? Yes. You have to be at #ATM16 to get a shirt. 4. Can I get my colleague a shirt? He/she is in a session right now. Unfortunately not. We encourage your colleague to participate so that they can win a shirt for themselves. 5. Can I bring a shirt home for my colleague? Unfortunately not. You have to be at #ATM16 to get a shirt. 6. You don’t have a shirt in my size, can you ship the right size to me later? Unfortunately not. Please select the best size from our inventory on site.