802.1X - An IT Rorschach Test



Presentation Transcript

  • Powering Network Identity. 802.1X: An IT Rorschach Test. Secure IT 2006. Sean Convery, Identity Engines, 22 MAR 2006
  • Who am I? (a.k.a. Full Disclosure)
    • Everyone’s background influences their perspective, so here’s mine:
    • CTO at venture-funded network identity management startup Identity Engines
    • Previously spent seven years at Cisco, most recently in the office of the Security CTO within the Security Technology Group (STG)
    • Principal architect of Cisco’s original SAFE[1] security architecture
    • Spent a sizable amount of my time at Cisco in security consulting for large enterprises
    • Author of Network Security Architectures[2] (Cisco Press 2004)
  • Agenda
    • Background and Problem Statement
    • 802.1X / EAP Background
    • 802.1X Deployment Considerations
    • 802.1X Use Cases
  • Our Pal Rorschach
    • Hermann Rorschach (1884 - 1922)
    • Swiss psychotherapist who developed the famous inkblot technique for diagnosing psychopathology
    • A patient views an inkblot and describes what they see in it
    • “…it is based on the principle that subjects viewing neutral, ambiguous stimuli will project their own personalities onto them, thereby revealing a variety of unconscious conflicts and motivations.” [3]
    • Since 802.1X[4] was released, I’ve rarely come across an individual who did not have a fairly strong reaction to the technology, often influenced by their background and role within the broader IT industry
  • Where We Were
    • Mostly secure but only due to a lack of connectivity
    • Static IPs and desktop machines allow strong correlation from user to IP
    • Network Security = Firewall + Desktop AV
    • [Diagram, circa 1995: Addressing Static; Mobility None; Access Methods One; Non-IP Use High; IP Use Low; Internet Non-Essential. Segregated WAN and segregated server, general-use PCs, general server, external server]
  • Where We Just Left
    • More connectivity complicates security
    • Mobile users and multiple devices eliminate easy user to IP binding
    • Network Security = Host & Net FW, IPS, Desktop AV, SIMS, …
    • [Diagram, circa 2005: Addressing Dynamic; Mobility High; Access Methods Five+; Non-IP Use Almost-Nil; IP Use Pervasive; Internet Essential. L3 core, VPN, servers, IP devices, external servers]
  • Where We Are
    • Ubiquitous connectivity and mobility create the ultimate security challenge / opportunity
    • Security is recognized as a critical problem to solve
    • Now a huge business opportunity
    • Government regulation (HIPAA[5], GLBA[6], SOX[7], …)
    • Core network identity problem remains unsolved
    • Identity is primarily relegated to islands of application identity
  • So Where Are We Going? [Word cloud: Federated Identity, XML Firewalls, Web 2.0, App FWs, DRM, All-in-one security devices, MS Vista, Wire rate crypto, 802.1AE/AF/AR, XACML, NAC, WS-Security, 802.1X, More centralization (cyclical), WPA2, Behavioral / Anomaly, Authenticated Networks, Anything]
  • The Cliché Physical World Analogy
    • The physical world is an identity-aware world
    • Anonymity has its place, but not for most critical things
    • Crime investigation is primarily about identifying the who
    • Networks are very bad at “the who” today
    • Fixing “the who” might lead to a more accommodating network
    • Which in turn allows greater productivity
  • Application Identity [Diagram: User, Application]
    • Lack of ubiquitous identity and trust in the network forced applications to handle identity individually
    • This solution doesn’t scale, creating the multi-billion dollar IdM market
    • Network has primarily been relegated to identifying broad, easily detectable behavior
    • Application crypto is making even this basic function more difficult
    • An identity layer in the network could ease some of the application burden
    • More fundamentally, it makes enforcing the network’s existing responsibilities easier
  • An IT Ink Blot
    • Is the smart network vs. dumb network debate still going in your mind?
    • Given these last few slides, do you think the network has a role in the solution?
    • The rest of this talk assumes you are at least open to that answer being yes
  • One Solution: Users, optionally paired with their devices, authenticate to network devices and network resources via a policy / AAA layer. [Diagram: Users, Their Devices, Network Devices, Network Resources, Policy]
  • With Many Variants [Diagram: Users cross an insecure layer (if any) and reach network resources through one of three enforcement points: an access layer network device, an inline enforcement appliance, or an SSL VPN; a policy decision point feeds each policy enforcement point]
  • Solution Summary
    • Access Layer Network Device - Auth and enforce at first point of connect
      • Standards based, available in modern gear, crypto for WLAN only
    • Inline Enforcement Appliance - Auth and enforce via overlay infrastructure
      • Perhaps cheaper than access layer solution, single vendor homogenous management, parts of network unprotected
    • SSL VPN - Auth and enforce by treating your internal network like the Internet
      • Standards based, most valid with all centralized services, some network flexibility is sacrificed
  • General Considerations
    • Does the technology require additional client software?
    • Does the technology work with my existing troubleshooting mechanisms?
    • How close to the point of traffic origination does the protection take effect?
      • All other things being equal, protection enforced as close as possible to the point of origination is best
    • Is the technology standards based / am I locked into one vendor?
    • Does the technology require new or replacement infrastructure?
    • Am I deploying a stopgap technique or a foundation I can build on?
  • NetOps, SecOps, AppOps, Oh My!
    • Groups want security but disagree over the means
    • Collaboration is slow going (early success in IPsec and host firewall clients)
    • Groups prefer solutions which allow autonomous deployment
    • Network Operations: prefers router / switch integrated capabilities; leery of desktop software because of loss of control / decision making; prefers clear-text applications with L3 crypto to aid troubleshooting
    • Security Operations: historically prefers dedicated appliances or software; works more closely with NetOps as time goes on; more open to desktop software
    • Application / Desktop Operations: views the network as transport; favors solutions which bypass firewalls and encrypt traffic via SSL/TLS if required; is uncomfortable with NetOps or SecOps mandated PC software due to test and integration fears
    • Any resemblance to your own IT organization is purely coincidental
  • Agenda
    • Background and Problem Statement
    • 802.1X / EAP Background
    • 802.1X Deployment Considerations
    • 802.1X Use Cases
  • EAP Overview
    • EAP[8] is the Extensible Authentication Protocol, defined in RFC 3748
    • EAP is a framework for a variety of different authentication methods (known as “EAP Types”)
    • Usually runs on data link protocols such as IEEE 802 (wired & wireless LANs) or the Point-to-Point Protocol (PPP)
    • Authenticators (the switch, or WLAN AP) facilitate the EAP conversation between the client and the server and act on the result
    • No need to understand the specifics of a method
  • EAP Packet Details (1/2)
    • Basic EAP Packet: Code (1 octet), ID (1 octet), Length (2 octets), Data… (variable)
      • Code: 1 = Request, 2 = Response, 3 = Success, 4 = Failure
      • ID: Identifier (matches Requests and Responses)
    • Success / Failure EAP Packet: Code (1 octet), ID (1 octet), Length (2 octets) = 4
      • Code: 3 = Success, 4 = Failure
      • ID: Identifier (matches Requests and Responses)
  • EAP Packet Details (2/2)
    • EAP Request / Response Packet: Code (1 octet), ID (1 octet), Length (2 octets), Type (1 octet), Data… (variable)
      • Code: 1 = Request, 2 = Response
      • ID: Identifier (matches Requests and Responses)
      • Type: see below
    • EAP Types
      • 1 = Identity
      • 2 = Notification
      • 3 = Nak (Response only)
      • 4 = MD5-Challenge
      • 5 = One Time Password (OTP)
      • 6 = Generic Token Card (GTC)
      • 13 = Transport Layer Security (TLS)[9]
      • 18 = Subscriber Identity Modules (SIM)[10]
      • 21 = Tunneled TLS (TTLS)[11]
      • 23 = Authentication and Key Agreement (AKA)[12]
      • 25 = Protected EAP (PEAP)[13]
      • 43 = Flexible Authentication via Secure Tunneling (FAST)[14]
      • 254 = Expanded Types
      • 255 = Experimental Use
  • 802.1X Overview / EAP-MD5 Example
    • Parties: Supplicant, Authenticator, Authentication Server (AAA). Supplicant to Authenticator runs 802.1X EAPoL (L2); Authenticator to Authentication Server runs EAP over RADIUS[15] (L3)
    • Authenticator to Supplicant: Request ID
    • Supplicant to Authenticator to Authentication Server: Identity
    • Authentication Server to Authenticator to Supplicant: MD5 Challenge
    • Supplicant to Authenticator to Authentication Server: MD5 Response
    • Authentication Server to Authenticator: Access Accept; Authenticator to Supplicant: Success
    • EAP-MD5 is not recommended but is shown due to its simplicity of operation
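As an added example, not code from the slides or from Identity Engines: a small Python codec for the EAP header and Request/Response layout described on the two packet-detail slides, driven through the EAP-MD5 flow diagrammed above (Request/Identity, Identity, MD5 Challenge, MD5 Response, Success or Failure). The identity, passwords and AS name are constructed, and the authenticator's EAPoL/RADIUS relay is collapsed so only supplicant and authentication-server logic appears.

```python
"""EAP packet codec plus the slide's EAP-MD5 exchange (RFC 3748 layout).
Constructed example: the identity, passwords and AS name are made up."""
import hashlib, hmac, os, struct
from dataclasses import dataclass
from typing import Optional

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4

@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int] = None  # Success / Failure carry no Type octet
    data: bytes = b""

    def encode(self) -> bytes:
        # Code (1) | Identifier (1) | Length (2, counts the header) | [Type (1) | Data]
        body = b"" if self.type is None else bytes([self.type]) + self.data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

def decode(buf: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting the shapes RFC 3748 forbids."""
    if len(buf) < 4:
        raise ValueError("EAP header needs 4 octets")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("Length field disagrees with the frame")
    body = buf[4:length]  # octets past Length are padding and are ignored
    if code in (CODE_SUCCESS, CODE_FAILURE):
        if body:
            raise ValueError("Success/Failure must be exactly 4 octets")
        return EapPacket(code, ident)
    if code not in (CODE_REQUEST, CODE_RESPONSE) or not body:
        raise ValueError("Request/Response needs a valid Code and a Type octet")
    return EapPacket(code, ident, body[0], body[1:])

def md5_challenge_answer(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 reuses CHAP (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def md5_value(data: bytes) -> bytes:
    """MD5-Challenge Type-Data is Value-Size (1) | Value | Name; return Value."""
    size = data[0]
    if len(data) < 1 + size:
        raise ValueError("Value-Size exceeds Type-Data")
    return data[1:1 + size]

def run_exchange(supplicant_secret: bytes, as_secret: bytes, identity: bytes = b"alice"):
    """Replay the slide's flow; returns (final Code, list of encoded frames).
    The authenticator only relays EAP (EAPoL to the supplicant, RADIUS to the AS),
    so the two parties modelled here are the supplicant and the authentication server."""
    wire = []

    def send(pkt: EapPacket) -> EapPacket:
        raw = pkt.encode()
        wire.append(raw)
        return decode(raw)  # the receiver re-parses what went on the wire

    req = send(EapPacket(CODE_REQUEST, 1, TYPE_IDENTITY))  # Request/Identity
    send(EapPacket(CODE_RESPONSE, req.identifier, TYPE_IDENTITY, identity))  # Identity
    challenge = os.urandom(16)  # fresh per attempt; replaying an old answer fails
    chal = send(EapPacket(CODE_REQUEST, 2, TYPE_MD5_CHALLENGE,
                          bytes([16]) + challenge + b"as.example"))  # MD5 Challenge
    answer = md5_challenge_answer(chal.identifier, supplicant_secret, md5_value(chal.data))
    resp = send(EapPacket(CODE_RESPONSE, chal.identifier, TYPE_MD5_CHALLENGE,
                          bytes([16]) + answer + identity))  # MD5 Response
    # AS side: Identifier must match the outstanding Request; compare in constant time.
    expected = md5_challenge_answer(chal.identifier, as_secret, challenge)
    ok = resp.identifier == chal.identifier and hmac.compare_digest(md5_value(resp.data), expected)
    final = send(EapPacket(CODE_SUCCESS if ok else CODE_FAILURE, chal.identifier))  # Success / Failure
    return final.code, wire
```

Note that only the supplicant proves knowledge of the password here; nothing in the exchange authenticates the server to the client, which is one reason the slide marks EAP-MD5 as not recommended and the tunneled types later in the deck wrap the inner method in TLS.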
  • Potential 802.1X Benefits
    • Access Control for Network Ports - When coupled with VPN authentication for remote connections, 802.1X for wired and wireless allows all points of access into an organization to be authenticated
    • User Mobility - By validating user and group information via 802.1X, differentiated network policies are possible even with a mobile workforce
    • User Trace Back - By performing user authentication at network connect, malicious traffic, whether intentional or unintentional, can be more easily traced to its source
    • Foundation for Enhanced Services - A secure authenticated channel from supplicant to the AS can facilitate additional applications (i.e. client device posture checking, or crypto services for wired communications; wireless available today in 802.11i[16])
    • These benefits will be more fully explored in later case studies
  • 802.1X Protocol Security Issues
    • Both EAP and 802.1X have undergone revisions since first publishing
    • Early security analysis[18] of these protocols helped facilitate changes
    • Issues center on integrity, confidentiality, and mutual authentication for the message exchanges
  • Common Standard EAP Types
    • EAP-GTC (Generic Token Card) - Authentication method supporting token cards such as RSA SecurID
    • EAP-TLS (RFC 2716) - Certificate based authentication using client and server certificates
      • Secure tunnel follows cleartext identity request/response which generally contains a userID
      • Provides mutual authentication but only between supplicant and AS
    • Several emerging non-standard, tunneled EAP types are the de facto choice for deployment today…
      • Tunneling puts one method inside another in the same EAP conversation to address the security weaknesses of the inner method (and avoid client-side certs)
  • Tunneled EAP Types
    • EAP-TTLS (EAP Tunneled TLS) - TLS is used to authenticate the server to the client and then a password-based scheme is used within the TLS tunnel to authenticate the client to the server
    • PEAP (Protected EAP) - TLS is used to authenticate the server to the client and then another EAP method is used within the TLS tunnel to authenticate the client to the server
    • EAP-FAST (EAP Flexible Authentication via Secure Tunneling) - TLS is used to authenticate the server to the client and then a shared key is distributed to allow faster subsequent authentication. An inner EAP method such as MS-CHAPv2 can then be used to authenticate the client to the server
  • Agenda
    • Background and Problem Statement
    • 802.1X / EAP Background
    • 802.1X Deployment Considerations
    • 802.1X Use Cases
  • 802.1X Deployment Security Issues
    • Regardless of the sophistication of the EAP exchange, with wired networks enforcement falls to the MAC address once the EAP success message is sent
      • Devices sharing the same port (via a hub perhaps) can sniff traffic to and from the supplicant
      • Devices sharing the same port who configure their L2 address to the supplicant’s L2 address can inject frames as though they were the supplicant
    • [Diagram: Authenticator port 3/12 connects to a hub; behind the hub sit the authenticated supplicant (MAC=A), an adversary with MAC=B that can sniff, and an adversary with MAC=A that can inject and sniff; application traffic flows through the hub]
  • Wired vs. Wireless 802.1X Issues
    • WLAN 802.1X more common than wired
    • Two main reasons:
      • 802.1X and WPA2[19] / 802.11i provide a critical key management foundation for secure wireless
      • As a result, supplicant support is more pervasive, well-tested, and embedded
    • However, wired 802.1X is moving from pilot to production with many customers
    • By focusing on the deployment considerations in the remainder of this talk, you can increase your chance of success
  • 802.1X Exceptions
    • While EAP support is becoming more pervasive, any network today has a significant percentage of non-EAP capable devices
      • Printers
      • Fax Machines
      • Video Cameras
      • Etc.
    • Even among EAP capable systems, you may not have all systems authenticate (i.e. servers are not commonly authenticated)
    • Managing exceptions to your 802.1X policy on a port-by-port basis is painful
    • Some authenticators have MAC address authentication fallback
    • Tools such as Great Bay Software[20] exist to help manage this issue
  • AAA Dependence
    • Authentication, Authorization & Accounting (AAA) servers have taken on increased importance as VPNs, wireless, and now wired 802.1X are adopted
    • Coming soon, all network connections may be authenticated, making the AAA server an essential component of your network infrastructure
    • This requires several key “itys” in a modern AAA server
      • Security
      • Manageability
      • Scalability
      • Distributed Availability
    • With authenticated networks, if your AAA goes down, your network goes down
  • Directory Dependence
    • User and device records are often stored in a central user store such as LDAP[21] or Microsoft Active Directory (AD) and accessed by a AAA server
    • If the user store can’t be reached, no authentication can occur
    • AD and LDAP’s role expands in authenticated networks, changing the directories’ deployment requirements
    • [Diagram: AAA servers at the main campus and at a branch location; a WAN failure between them isolates the branch]
  • Fun with Supplicants
    • Supplicant support is not yet widespread in all IP devices
    • MS basic supplicant is available in Windows XP and in Windows 2000
    • Apple’s support for 802.1X is fairly extensive and reasonably easy to use
    • Meetinghouse supplicant[23] is embedded in a wide variety of devices and has broad platform and EAP type support
    • Juniper/Funk supplicant[24] has similar capabilities
    • SecureW2[25] makes a free open-source EAP-TTLS supplicant for Windows
    • Open1X[26] open-source supplicant for *NIX systems
  • Troubleshooting
    • Robust 802.1X troubleshooting tools are still lacking
    • In unauthenticated networks, troubleshooting is well-known
    • In an 802.1X environment, think of what can go wrong
      • Host 802.1X Supplicant Problems
      • Host / server certificate issues (for TLS based EAP types)
      • Congestion / availability of RADIUS server
      • Misconfiguration of policy rules on AAA server
      • Non EAP-capable device
      • Username / password expiry
      • EAP-type / crypto protocol mismatch
      • VLAN assignment / DHCP release - renew problem
      • Port ACL or other authenticator misconfiguration
    • These issues aren’t preventing deployment, but planning around them is essential
  • Web Authentication
    • Web authentication refers to using traditional HTTP authentication to a network device for AAA enforcement
    • Given the challenges with 802.1X wired deployment today, many organizations are limiting deployment with 802.1X and choosing web authentication instead
    • Port-level web authentication (via static or captive portal) is available in many popular switches, WLAN APs, and gateway devices
    • Since wired 802.1X enforces via the MAC address anyway, the effective security is very similar (when using password schemes)
    • [Diagram: any IP device with a browser performs Web Auth to the network device, which performs RADIUS Auth against AAA]
  • Agenda
    • Background and Problem Statement
    • 802.1X / EAP Background
    • 802.1X Deployment Considerations
    • 802.1X Use Cases
  • User Audit and Differentiated Access
    • [Diagram: Guest / Consultant via Web Auth to the Internet; Student via 802.1X Auth to the Campus Network; Faculty via 802.1X Auth to the Faculty Network; all against a single AAA]
    • All LAN access is authenticated, enabling user audit and differentiated access
    • VLAN assignment via authentication segments traffic
    • VLAN scalability in large networks limits amount of differentiation
      • Five or fewer service classes is typical
      • Remember you need an IP subnet per VLAN, per L3 domain
  • Client Device Posture Checking
    • [Diagram: Clean Machine via 802.1X Auth w/ Posture to the Campus Network; Infected Machine to the Quarantine Network; AAA consults a Posture server]
    • Posture validation happens as part of the EAP exchange and is validated by a posture server
    • Enforcement of quarantine can occur via VLAN or dynamic ACL
    • Several approaches (TCG-TNC[27], Cisco’s NAC[28], Microsoft’s NAP[29])
    • Posture is focused on device auth but should be paired with user to ease traceback
  • Combined Solution [diagram only]
  • 802.1X Real World Applications
    • Secure WLAN
      • Most common 802.1X deployment today
    • Conference room / shared area lockdown
      • This is viewed as a stepping-stone to full wired 802.1X in many organizations
    • Facilities management for unused cubes
      • Unused cubes are live, but require 802.1X or web authentication
    • Common wired 802.1X customer phasing: Phase I Department specific rollout; Phase II Secure sensitive areas; Phase III Full rollout
  • 802.1X University Applications
    • Differentiated access
      • Segment faculty and students dynamically
    • Authenticated dorm networks
      • All dorm net access passes through authentication layer via 802.1X
      • Non-EAP devices require web authentication
    • Library enforcement
      • Students with overdue books are flagged in the directory and granted a lower class of service via AAA until books are returned
    • Net access during exams
      • Granular AAA policies can allow specific segments of the network to be inaccessible to specific groups of students at specific times
  • 802.1X University Case Study (1/2)
    • Mid-size university has all wireless traffic passing through an inline gateway for authentication
      • All wireless traffic is in the clear (this is common in most universities)
      • Gateways are getting oversubscribed because network infrastructure is far faster
    • Primary goal is to improve throughput without buying large quantities of gateways
      • Secondary goal to differentiate between students and faculty on a shared access medium like WLAN
    • [Diagram: Visitor, Student and Faculty share a Common WLAN; all traffic passes through an Inline Wireless Gateway to the L3 Campus Network]
  • 802.1X University Case Study (2/2)
    • 802.1X is deployed and users who authenticate successfully get direct access
    • Performance and security are improved, providing an incentive for compliance
    • Users who fail 802.1X are placed on a VLAN which forces traffic through the existing wireless gateway
    • Only legacy and non-compliant machines are sent through the gateway, reducing throughput requirements
    • [Diagram: on the Common WLAN, Students and Faculty pass 802.1X Auth and reach the Campus Network and Faculty Network directly; Visitor / non-compliant machines go through the Inline Wireless Gateway]
  • Tips for 802.1X Success
    • 3rd party supplicants allow the greatest functionality and management today
    • Build out your AAA infrastructure as an essential component of your network
    • Start simple and consider web authentication as an interim step
    • Plan a strategy to manage 802.1X exceptions
    • Pilot first and train support staff in new troubleshooting steps
    • Carefully choose your EAP type based on current and future requirements
  • EAP-Type Recommendations
    • PEAP-MS-CHAPv2: Backend Compatibility Active Directory (AD); Strengths natively supported, good security; Weaknesses password based for clients
    • EAP-TTLS-PAP: Backend Compatibility LDAP or AD; Strengths broad compatibility; Weaknesses cleartext passwords
    • EAP-TLS or PEAP-TLS: Backend Compatibility LDAP or AD; Strengths strong certificate based security; Weaknesses client-side certificate management
  • 802.1X and the Future
    • 802.1X is a foundation for LAN authentication with good momentum in the industry
    • Additional capabilities are using 802.1X moving forward
      • Nearly all posture validation architectures support 802.1X / EAP / RADIUS
      • New IEEE work in link-layer crypto for Ethernet is underway and will use 802.1X
    • Customers realize the benefits, however:
      • Balancing short-term pain points with long term strategic direction (web authentication is a great example)
      • Still building out AAA and directory infrastructure to support authenticated networks
  • Summary and Conclusion
    • Authenticated networks are the emerging reality in networking
    • 802.1X supports a wide variety of options to suit most any deployment
      • This flexibility demands careful planning prior to roll-out
    • 802.1X changes the way networks are run and the way troubleshooting is performed
      • Pay attention to 802.1X’s unique deployment considerations
    • 802.1X / EAP is still maturing, though organizations are getting use out of the technology today
    • Organizations not already in the planning / pilot stage should be on their way there soon
  • References (1/3)
    [1] Cisco SAFE - http://www.cisco.com/go/safe
    [2] Network Security Architectures - http://www.seanconvery.com/#book
    [3] Gale Encyclopedia of Psychology: Rorschach technique - http://www.findarticles.com/p/articles/mi_g2699/is_0006/ai_2699000604
    [4] IEEE 802.1X - http://standards.ieee.org/getieee802/download/802.1X-2004.pdf
    [5] Health Insurance Portability and Accountability Act (HIPAA) - http://aspe.hhs.gov/admnsimp/pl104191.htm
    [6] Gramm-Leach-Bliley Act (GLBA) - http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
    [7] Sarbanes-Oxley (SOX) - http://www.sec.gov/about/laws/soa2002.pdf
    [8] Extensible Authentication Protocol (EAP) - http://www.ietf.org/rfc/rfc3748.txt
    [9] EAP-TLS - http://www.ietf.org/rfc/rfc2716.txt
    [10] EAP-SIM - http://www.ietf.org/rfc/rfc4186.txt
    [11] EAP-TTLS - http://www.ietf.org/internet-drafts/draft-funk-eap-ttls-v1-01.txt
    [12] EAP-AKA - http://www.ietf.org/rfc/rfc4187.txt
  • References (2/3)
    [13] PEAP - http://www.faqs.org/ftp/pub/internet-drafts/draft-josefsson-pppext-eap-tls-eap-10.txt
    [14] EAP-FAST - http://www.ietf.org/internet-drafts/draft-cam-winget-eap-fast-03.txt
    [15] RADIUS Support For EAP - http://www.ietf.org/rfc/rfc3579.txt
    [16] IEEE 802.11i - http://standards.ieee.org/getieee802/download/802.11i-2004.pdf
    [17] 802.1aa - http://www.ieee802.org/1/pages/802.1aa.html
    [18] An Initial Security Analysis of the IEEE 802.1X Protocol - http://www.cs.umd.edu/~waa/1x.pdf
    [19] WiFi Protected Access 2 (WPA2) - http://www.wi-fi.org/opensection/knowledge_center/wpa2/
    [20] Great Bay Software - http://www.greatbaysoftware.com
    [21] Lightweight Directory Access Protocol (LDAP) - http://www.ietf.org/rfc/rfc2251.txt
    [22] Microsoft TechNet 802.1X-IPsec Comparison - http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx
  • References (3/3)
    [23] Meetinghouse AEGIS 802.1X Supplicant - http://www.mtghouse.com/products/aegis_solutions.asp
    [24] Juniper Odyssey 802.1X Supplicant - http://www.juniper.net/products/aaa/odyssey/oac.html
    [25] SecureW2 802.1X Supplicant - http://www.securew2.com
    [26] Open1X 802.1X Supplicant - http://open1x.sourceforge.net/
    [27] Trusted Computing Group / Trusted Network Connect - http://www.trustedcomputinggroup.org/groups/network/
    [28] Cisco’s Network Admission Control (NAC) - http://www.cisco.com/go/nac
    [29] Microsoft’s Network Access Protection (NAP) - http://www.microsoft.com/technet/itsolutions/network/nap/default.mspx
    [30] IEEE 802.1AE MAC Security - http://www.ieee802.org/1/pages/802.1ae.html
    [31] IEEE 802.1AF MAC Key Security - http://www.ieee802.org/1/pages/802.1af.html
    [32] IEEE 802.1AR Secure Device Identity - http://www.ieee802.org/1/pages/802.1ar.html
  • Powering Network Identity. Thank you for your time. www.idengines.com, sconvery@idengines.com, www.seanconvery.com/weblog