In this technical deep dive, Emil Isaakian will explain the details of the protocol, cryptography, key management and vulnerabilities mitigated by MACSec/ESS. Additionally he’ll show use cases to show how to succesfully deploy MACSec/ESS technologies (Network Encryptors + NVF) to protect your WAN (MPLS, PBBN, Carrier Ethernet), LAN and cloud infrastructure. (Source: RSA Conference USA 2017)

1. SESSION ID:SESSION ID:
#RSAC
Emil Isaakian
IEEE MACSec and NSA ESS: How to
Protect Your WAN, LAN and Cloud
PDAC-F01
Security Architect
ViaSat

2. #RSAC
Enterprise Networks are Wide-Open
Past Front Door
2
99% of your Enterprise Network is 100% unsecured
Really? (Ok 97% in this capture…)
Holy C#$P!
Yet we are shocked when the next major breach is announced…
3.6%
Encrypted!

3. #RSAC
Full undetectable read access just by finding a Ethernet Cable or port
3
Raw text from SMB2 File read
Sniffing an Enterprise Network….

4. #RSAC
Data Center/Cloud security
4
But wait we’re moving to
the Cloud…. It’s all fixed
now!
Sure it is....
Data Center (aka the
cloud) traffic is mostly
east/west now
99% unsecured as well L N9K-M6PQ STS 1
ACT ACT ACT ACT ACT ACT
2 3 4 5 6
Servers Compute +
Storage
N9K-M6PQ STS 1
ACT ACT ACT ACT ACT ACT
2 3 4 5 6
VM Replication/Migration
N9K-M6PQ STS 1
ACT ACT ACT ACT ACT ACT
2 3 4 5 6
SAN/DAS/NAS Volumes
N9K-M6PQ STS 1
ACT ACT ACT ACT ACT ACT
2 3 4 5 6
Blade Compute
N9K-M6PQ STS 1
ACT ACT ACT ACT ACT ACT
2 3 4 5 6
Internet/SNMP/DNS
NextGen Firewall
IDS/IPS
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
STS
BCN
ACT
1
2
Cisco Nexus 93128TX
>80-90% Traffic is East West Intra-DataCenter Communication
NextGen Firewall
IDS/IPS
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
STS
BCN
ACT
1
2
Cisco Nexus 93128TX
1000's+ of East West 10-100GbE Links
Load Balancing/Redundancy
100's of North South
10-100GbE Links
Security
is Here
But all the
Traffic is
Here

5. #RSAC
Why are We so Insecure?
5
Fundamental Answer#1: Software is insecure by design
Fundamental Answer#2: Encryption Not deployed everywhere
— And we actually need to communicate outside our intra-net ;)
Why not?
— Most Encryption done by Application
¡ Most applications are hard to secure (Certificates, Passwords, RADIUS, Keys, etc)
¡ Leaves all network/Link (Layer-2) protocols open
— Very hard to do right… Easy to get wrong
— OpenSSL… Can you patch fast enough (Sorry – I know you devs are trying!)
Without Layer-2 Encryption + Isolation APT Lateral Movement is easy

6. #RSAC
Easy/Hard L2 Encryption Targets
6
Data In Transit (DIT) Encryption significantly reduces cyber vulnerability
footprint
Easy Areas to protect:
— Enterprise to Enterprise (CPE to CPE) links
¡ Over dark fiber or over leased infrastructure (MAN/WAN Intra-net links etc)
— Enterprise to Cloud/ Datacenter to Datacenter (cloud/Hybrid IT)
Hard(er) Areas to protect:
— Internal Networks:
¡ PC/Laptop shared LAN
¡ Connection to shared NAS/SAN Data Storage
¡ Printers, End Points, Network IT closets
— L2 Encryption not available yet at end points
— Few switches have line rate L2 Encryption available on all ports yet
— …But were moving in that direction

7. #RSAC
Here’s where MACSec + ESS
come in
Now were getting technical

8. #RSAC
What is MACsec/ESS? … Its Complex!
8
IEEE 802.1AEbw
IEEE 802.1x
IEEE 802.1AR
RFC4492
RFC4949
RFC2986
RFC3279
RFC5247
RFC6379
RFC5106
RFC6460
RFC5216
RFC5759
RFC4108
This is
MACSec
All
these
RFCs
make it
work

9. #RSAC
Boil it down
9
MACSec (IEEE 802.1AE) by itself is useless
Requires all these IEEE specs + RFC’s:
— Key Distribution & Exchange, Trusted Secure Device Authentication, External Authentication (RADIUS)
Lots of options….
— Options == not(interoperable) == not(secure) == not(used)
ESS 1.0 == NSA Tailored Spec version of MACSec
Removes most options – only allows maximum security
— XPN-AES-256-GCM (64-bit PSN, secTAG, No-Bypass, Suite-B compliant)
Adds better support for Carrier Ethernet/MEF
— PBN/PBBN, VPLS topologies, – C-TAG, S-TAG, VLAN aware etc
¡ E.g. To make MACSec Hop-to-Hop suport service provider bridged networks
Adds TRANSEC (Fixed Frame Padding SuperTunnels) – Traffic Analysis protection
Adds Tunnel Mode (MAC in MAC encapsulation) to cover internal Addresses

10. #RSAC
Packet Transforms
10

11. #RSAC
Encryption Details
11

12. #RSAC
Decryption Details
12

13. #RSAC
Key Management Protocol (MKA)
13
MKA Provides Protected control protocol at Layer-2:
Identifies Live Peers
Creates Connectivity Associations (CA’s) between 2+ Peers
Distributes Security Association Keys (SAKs) among Peers in CA
Timeliness check (optional) to prevent delayed packets (inverse of anti-replay)
Protection:
— Each packet has a Cryptographic ICV (AES-CMAC) using ICK (Derived from CAK)
— SAKs encrypted (AESKW) using KEK (Derived from CAK)
¡ All derivation uses AES-CMAC based KDF
¡ Forward Security – New SAKs distributed on Peer List Change
— Per Packet Counter for Anti-Replay (Strict)

14. #RSAC
EAPOL-MKA Frames
14

15. #RSAC
Ethernet Data Encryption (EDE) Device Types
15
IEEE/ESS Created new MACSec Device Types to support Networks
EDE-T
— Two Port Mac Relay. No VLAN awareness (Encapsulates)
EDE-M
— Port Based or C-Tagged single service (VLAN Agnostic), or Customer Bridged Network
EDE-CC
— C-Tagged to C-Tagged (Customer VLAN Tag)
EDE-CS
— C-Tagged to S-Tagged EDE with internal translation
EDE-SS
— S-Tagged to S-Tagged EDE (Service Provider VLAN Tag)
Refer to:
http://www.ieee802.org/1/files/public/docs2013/ae-seaman-ede-0713-v02.pdf

16. #RSAC
Bridge Group Addressing
16
IEEE specs EAPOL to use 802.1Q Reserved Addresses for Broadcast
Allows easy visibility of group peers
— But overlaps with common protocols (Spanning Tree)
¡ Refer to: http://ieee802.org/1/files/public/docs2015/ae-seaman-ede-interop-1115-v05.pdf
— -0x Rsvd Address Filtered at various domains:
— Requires careful setup and selection of EDE-x device
¡ Based on customer vs service provider location

17. #RSAC
Network Vulnerability Mitigated
17
Attack/Vulnerability Description
Does MAC-SEC
Protect against
Does ESS Protect
against this?
Description of protection
Application Level
DOS/DDOS
Denial Of Service, Distributed Denial Of Service attacks where
large volumes (Floods) of packets are directed at servers to
overload network
Yes Yes
Packets that are not encrypted/authenticated are dropped at the link layer
preventing application services from seeing the large volume of traffic
preventing DOS.
L2 MAC Address Tables
DOS
Denial Of Service targeting Router/Switch by sending large
volumes (Floods) of packets with different MAC Addresses
Yes Yes
Line rate classification of L2 packets forces dropping of all un-authorized L2
packets on ingress (e.g. non-MAC-SEC Frames).
Spanning Tree Protocol
DOS
Denial Of Service targeting Router by sending large volumes
(Floods) of STP packets (BPDUs) to cause Router control plane
overload.
Yes Yes
Line rate classification of L2 packets forces dropping of all un-authorized L2
packets on ingress (e.g. non-MAC-SEC Frames)
ARP Poisoning/Man in
the Middle
Eavesdropping
Malicious ARP responses from compromised or unsecure end
devices can poison the ARP cache causing traffic to be
redirected
Yes Yes
Un-authorized devices cannot communicate on a MAC-SEC
authenticated/encrypted network
Port Mirroring
Eavesdropping
Reconfiguration or physical tapping of a switch/router port Yes Yes
Un-authorized devices cannot decrypt data sent on a MAC-SEC
authenticated/encrypted network
Replay
A adversary/malicious user can capture valid
authenticated/encrypted traffic and replay (re-send) it.
Partial Partial
MAC-SEC provides anti-replay protection via a authenticated window
(configurable) mechanism that discards packets with sequence numbers that
are out of the replay window.
Traffic Flow Analysis
Even without being able to decrypt and recover a packets Plain-
Text, inspection of the MAC source/destination addresses can
allow a adversary to map a networks topology and gain
intelligence on end-points, communication activity, etc.
No Yes
ESS Provides continous fixed frame sizes encapsulating the underlying
network packets preventing analysis
Covert Channels
A compromised end-point, or malicious user or application can
indirectly create a un-secured covert communications channel
over a secure network by varying packet sizes, rates, source-
dest addresses of transmitted packets.
No Yes
ESS Provides continous fixed frame sizes encapsulating the underlying
network packets preventing analysis
Repudiation
Sending secure (or un-secure) packets and later dis-avowing
that the packets were sent from the specified end device.
Partial Partial
Since MAC-SEC provides confidentiality and authentication with a anti-replay
window there is inherently some protection against repudiation depending on
how many end-devices are assigned to a SA.
MAC Address Spoofing
A unsecure end-device can masquerade as a trusted devices
MAC Address both to re-route traffic for DOS attacks and
potentially eavesdrop on communications.
Yes Yes
Un-authorized devices cannot communicate on a MAC-SEC
authenticated/encrypted network so will be unable to eavesdrop.

18. #RSAC
What to do!
How do I apply this in my network

19. #RSAC
WAN/MAN Protection (Easy Part)
19

20. #RSAC
Intranet Protection
20
CPE to CPE Encryption is obvious and Easy to do….
But what about reducing Cyber vulnerability threat vectors?
VM Isolation of external vs internal applications + Encryption
— Move all non-critical applications to VM
¡ E.g. IE, Chrome, Firefox, web-apps, Facebook, Streaming Music, Dropbox
— Isolate via MACSec encryption all internal Enterprise port access
¡ Shared NAS/SAN, Printers, VDI, Email, Sharepoint, etc operate over encrypted L2 link
Completely isolates internal vs external flows
Next two slides show How Enterprise Network normally gets Hacked vs Protected
Network

21. #RSAC
Unprotected Intranet Hack

22. #RSAC
Intranet ProtectionProtected Intranet
Hack-Fail

23. #RSAC
Cloud Protection
23
How to we extend these principles to the Cloud?
Same techniques work inside Datacenter
— Encrypt External Links
— Encrypt Groups of VMs/Applications Internally
¡ Minimize Lateral movement on compromise
— Isolate separate clients to separate Cryptographic Domains (CA’s)
— Allow Users to Encrypt all the way to VM (e.g. MACSec at vSwitch layer)

24. #RSAC
L2 Protected DCI

25. #RSAC
What to Do next
25
Analyze your internal network…. Get scared!
Encrypt your inter-office links
Stop using openSSL to “Secure” your network
— You cant possibly patch fast enough…. And all Layer-2 is exposed L
Deploy High Grade Encryption Appliances or Embedded Hardware Encryption
Require Switches to support MACSec/ESS L2 Encryption on all ports
— Only use Software based encryption in VMs and applications
— For follow up - Contact me:
¡ Yep after all that security talk I’ll give you an email address K