This document discusses best practices for securing the wired access network. It begins by explaining why securing the LAN is important due to increased mobility and use of personal devices. It then reviews common methodologies for securing the LAN such as port security, MAC whitelisting, and 802.1X authentication. The document demonstrates how using device profiling and context from sources like EMM/MDM can improve enforcement options. It also addresses challenges like handling "headless" devices and preventing MAC spoofing.
Securing the LAN Best practices to secure the wired access network
1. Securing the LAN: Best Practices to Secure the Wired Access Network
Micah Staggs, CSE-Security
Chuck Jenson, CSE-Security
March 2016 @ArubaNetworks #ATM16
3. Why Bother With the LAN?
[Diagram: HPE-Aruba 7XXX controllers alongside soon-to-be-retired Cisco switches]
– Isn’t it “inside” my network?
– Increased mobility of company-provided devices and the introduction of user-owned devices make trusting the endpoint an issue
– Cloud-first, Mobile-first thinking is that the access layer isn’t truly “inside”
– What’s the point, we are going to be all wireless in a year anyway!
4. Other Reasons
– Universal Port
  – We’d like to have a similar config on all ports and update them based on the device attached
– Static VLAN assignments and changes can be a pain
– Security audits
5. Methodologies – Port Security
– Locks the port to the first MAC address (or two) that it sees; the entry clears after the port has been down for some time
– Works well against someone trying to unplug a printer and use that port, but not really secure and not mobile friendly
6. Methodologies – MAC Whitelist
– MAC lists are good for “quick and dirty” security
– Let’s face it, no one wants to maintain an enterprise-wide list of MAC addresses.
– What if a NIC gets changed?
– What about BYOD laptops?
– What about MAC spoofing?
7. Methodologies – Wait and See
– Let it on the network and, if it does something wrong or we detect the device type, move it via SNMP (sometimes coupled with a MAC list)
– Constant changing of port config
– What if you miss a syslog?
– SNMP writing doesn’t always scale well in enterprise environments
8. Methodologies – Captive Portal
– Works almost like a Guest Network:
  1. Let them on in a temporary fashion
  2. Authenticate via Web Auth
  3. Put them in the appropriate VLAN/Role
– Not supported by all switches
– What happens to devices like printers and VoIP phones with no browser?
9. Methodologies – 802.1X
– Layer 2: authentication and enforcement occur before the device gets an IP address. Also works for guests with an active supplicant
– Requires the supplicant to be present and active on the endpoint (not on by default on Windows)
– What about printers, phones, door locks, etc. with no supplicant (headless)?
10. What We Usually See
– 802.1X, coupled with MAC Auth Bypass and Captive Portal
– Best if coupled with a profiler and/or other context sources
– Can be versatile enough to handle corporate, personal and guest devices
Cisco:
interface GigabitEthernet<port-number>
 switchport access vlan <vlan-id>
 switchport mode access
 ! enable the authenticator on the port: 802.1X is tried first, MAB is the fallback
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
HPE:
13. What Context Do We Use?
– Who is the user?
– What type of device is it?
– Is it a company-owned or user-owned device?
– What’s the time of day or day of week?
– Location – can this device attach to this port?
14. Sources of Usable Device Context
Device Profiling:
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM:
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores and Network Devices:
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
15. Enforcement Options
– Great, now that we know the who, what, when, and where… what can we do?
– Depends on the access device, but typically we see:
  – VLAN Steering
  – dACL enforcement
  – Change of Authorization
  – Vendor specific (User Role, AV Pair)
  – Captive portals on some switches
16. Enforcement Options – Change of Authorization (CoA)
– The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user in ClearPass, administrators can send RADIUS CoA packets from the ClearPass Policy Manager (CPPM) to reinitialize authentication and apply the new policy.
– RADIUS Change of Authorization disconnects the client, allowing it to reconnect in the new VLAN assigned by the policy.
– If CoA isn't available, short DHCP leases and short session timeouts are options.
17. How to Handle “Headless” Devices
– For devices that do not support 802.1X:
  – Need to use dynamic authentication/FlexAuth/MAB on the port
  – Two mechanisms for authentication:
    – Device Profiler
    – Device Registration
21. Profiling “Unknowns”
– Recommended Best Practice:
  – Allow DHCP, SNMP, and maybe redirect HTTP to CPPM
  – Once profiled, re-authenticate against the new information
In the demo, we will show how to use a VLAN for profiling with a short DHCP lease and “bounce” the device to the appropriate VLAN once it is profiled.
22. Example Profiling Policy
Create an enforcement profile and policy rule to send the dACL (in the case of, say, a Cisco LAN switch)
Protect your users and devices
23. Device Registration
– ClearPass comes with a device registration feature that allows a specific device (MAC) to be registered and authorized in the system.
– This allows a user to pre-register a device before bringing it onto the network, creating an audit trail of the user’s devices.
– Useful when a general category or OS family isn’t specific enough, or when you need to allow only specific devices.
– Example: We don’t want to authorize all Apple MacBooks, but we will allow some to be registered and authorized.
– Example: You are allowed 3 personal devices, and you need to add a new device and remove an old one without having to call the helpdesk.
26. Summary: What Do We Get?
– A single config we can use on all access ports
– With CPPM, a policy engine and profiler that can provide consistency across multiple types of edge devices
– Ability to react differently to different device types, and provide needed access without having to default to “full access”
31. Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is.
Share your results with friends and receive a free superpower t-shirt.
www.arubatitans.com
Trivia Answer: There are 6 horses on the Agenda Page
"Agree that the wired edge is shifting from access to wireless aggregation. In what tangible ways are we optimizing our Wired infrastructure for Wireless?" Here was my answer:
1) SOFTWARE - five points of integration with Aruba software to become better together: unified mgmt via Airwave supplemented by IMC; unified policy via ClearPass; ZTP same as APs via Activate or DHCP-based; cloud mgmt. via Aruba Central; and better-together features ported from the MAS switch like rogue AP detection and auto-setting PoE and QoS for an identified AP.
2) HARDWARE - best-in-class performance (throughput, switching, latency), full POE+ on every port, redundant power supplies for reliability, and of course #hpesmartrate for multi-gig to 11ac wave 2 APs.
3) ASIC - future-proof with best-in-class programmable ASIC, greatest scale and best performance for rule matching to enable real-time visibility, optimization and security services.
Example: One customer thought their VoIP phones would be stationary, until they found out that end users were moving them and then complaining because the phones would not authenticate on the new port.
Trivia Answer: Wired Port Security is supported by HPE-Aruba, Cisco, Juniper (and others)
Trivia Answer: The Authenticator initiates the Request Identity
Trivia Answer: Device Profiling is one source of Usable Device Context
Trivia Answer: A Headless Device is one that does not support 802.1X
What if someone gets the MAC address of a printer or other authorized device and spoofs it on their PC?
CPPM will set the Conflict flag on the Endpoint if the same MAC profiles as a different device than it previously did.
You can then act on that flag in the Enforcement Profile.
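The profile/register/enforce loop from the slides above (MAB for headless devices, a profiling VLAN with a short DHCP lease, a CoA bounce into the final VLAN, device registration, and the Conflict flag for a MAC that suddenly profiles as a different device), as an added example that is not ClearPass code and not part of the original deck. The category names and all VLAN numbers except the wired-guest VLAN 200 are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed VLAN plan: wired-guest VLAN 200 is from the deck, the rest are assumed.
VLAN_CORP, VLAN_PERSONAL, VLAN_GUEST, VLAN_PROFILING, VLAN_QUARANTINE = 10, 100, 200, 999, 666
HEADLESS_VLANS = {"Printer": 30, "VoIP Phone": 20}  # authorized by profile, no supplicant

@dataclass
class Endpoint:
    mac: str
    category: Optional[str] = None      # set by the profiler (DHCP/SNMP/HTTP)
    owner: Optional[str] = None         # set by device registration
    conflict: bool = False              # same MAC later profiled as another device
    session_vlan: Optional[int] = None  # VLAN of the live switch session, if any
@dataclass
class Decision:
    vlan: int
    role: str
    coa: bool  # True when the live session must be bounced into the new VLAN

class PolicyEngine:  # toy model of the profile/register/enforce loop, not ClearPass
    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
    def _ep(self, mac: str) -> Endpoint:
        return self.endpoints.setdefault(mac.lower(), Endpoint(mac.lower()))
    def observe_profile(self, mac: str, category: str) -> Endpoint:
        ep = self._ep(mac)
        if ep.category is not None and ep.category != category:
            ep.conflict = True  # printer MAC now looks like a PC: spoof suspected
        ep.category = category
        return ep
    def register(self, mac: str, owner: str) -> None:
        self._ep(mac).owner = owner  # user pre-registers a personal device
    def authorize(self, mac: str, dot1x_user: Optional[str] = None) -> Decision:
        ep = self._ep(mac)
        if ep.conflict:
            vlan, role = VLAN_QUARANTINE, "quarantine"
        elif dot1x_user:
            vlan, role = VLAN_CORP, "employee"
        elif ep.owner:
            vlan, role = VLAN_PERSONAL, "byod"
        elif ep.category in HEADLESS_VLANS:
            vlan, role = HEADLESS_VLANS[ep.category], ep.category.lower()
        elif ep.category is None:
            vlan, role = VLAN_PROFILING, "profiling"  # short DHCP lease lives here
        else:
            vlan, role = VLAN_GUEST, "guest-portal"  # known type, no auth yet
        coa = ep.session_vlan is not None and ep.session_vlan != vlan
        ep.session_vlan = vlan
        return Decision(vlan, role, coa)
```

Each authorize() call stands for one MAB/802.1X request from the switch; coa=True marks the points where CPPM would send a RADIUS CoA to move the live session.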
But what about new devices or devices that haven’t been profiled yet?
Make networks mobility-defined instead of fixed
Wired Guest has no supplicant and uses Guest Portal to be placed into VLAN 200
Contest Overview
- Aruba is running a marketing campaign where we ask “What is your IT superpower?”
- Go to arubatitans.com to take a quick quiz to discover your superpower.
- Share your results with friends and encourage others to play the game
- Once you share, go to the Social and Community Hub, Gracia Commons, 3rd fl to pick up your free superpower shirt.
FAQ
1. What do I have to do to get a shirt?
Share your IT superpower results with friends and encourage them to play the game. Then come to the Social & Community Hub, 3rd Floor Gracia Commons to pick up your shirt. We just need your name and badge for verification.
2. Where do I get my shirt?
Come to the #ATM16 Social & Community hub located at Gracia Commons on the 3rd Floor
3. Do I have to be at the event to get the shirt?
Yes. You have to be at #ATM16 to get a shirt.
4. Can I get my colleague a shirt? He/she is in a session right now.
Unfortunately not. We encourage your colleague to participate so that they can win a shirt for themselves.
5. Can I bring a shirt home for my colleague?
Unfortunately not. You have to be at #ATM16 to get a shirt.
6. You don’t have a shirt in my size, can you ship the right size to me later?
Unfortunately not. Please select the best size from our inventory on site.