Page 1

#ATM16

Securing the LAN: Best Practices to Secure the Wired Access Network
Micah Staggs, CSE-Security
Chuck Jenson, CSE-Security

March 2016 @ArubaNetworks

Page 2

Agenda

– Why the LAN?
– Methodologies
– Examples
– Security
– Demos

Page 3

Why Bother With the LAN?

(Diagram labels on the slide: HPE-Aruba 7XXX Controllers; soon-to-be-retired Cisco switches)

– Isn’t it “inside” my network?
– Increased mobility of company-provided devices and the introduction of user-owned devices make trusting the endpoint an issue
– Cloud-first, Mobile-first thinking is that the access layer isn’t truly “inside”
– What’s the point, we are going to be all wireless in a year anyway!

Page 4

Other Reasons

– Universal Port – we’d like to have a similar config on all ports and update them based on the device attached
– Static VLAN assignments and changes can be a pain
– Security audits

Page 5

Methodologies – Port Security

– Locks the port to the first MAC address (or two) that it sees; the binding clears after the port has been down for some time
– Works well against someone unplugging a printer and using that port, but it is not really secure and not mobile friendly

Page 6

Methodologies – MAC WhiteList

– MAC lists are good for “quick and dirty” security
– Let’s face it, no one wants to maintain an enterprise-wide list of MAC addresses
– What if a NIC gets changed?
– What about BYOD laptops?
– What about MAC spoofing?

Page 7

Methodologies – Wait and See

– Let the device on the network and, if it does something wrong or we detect the device type, move it via SNMP (sometimes coupled with a MAC list)
– Constant changing of port config
– What if you miss a syslog?
– SNMP writing doesn’t always scale well in enterprise environments

Page 8

Methodologies – Captive Portal

– Works almost like a guest network:
  1. Let them on in a temporary fashion
  2. Authenticate via Web Auth
  3. Put them in the appropriate VLAN/Role
– Not supported by all switches
– What happens to devices like printers and VoIP phones with no browser?

Page 9

Methodologies – 802.1X

– Layer 2: authentication and enforcement occur before the device gets an IP address. Also works for guests with an active supplicant
– Requires the supplicant to be present and active on the endpoint (not on by default on Windows)
– What about printers, phones, door locks, etc. with no supplicant (headless devices)?

Page 10

What We Usually See

– 802.1X, coupled with MAC Auth Bypass and Captive Portal
– Best if coupled with a profiler and/or other context sources
– Can be versatile enough to handle corporate, personal and guest devices

Cisco:

    interface GigabitEthernet<port-number>
     switchport access vlan <vlan-id>
     switchport mode access
     ! try 802.1X first, fall back to MAB when no supplicant answers
     authentication order dot1x mab
     authentication priority dot1x mab
     ! the following three lines are not on the original slide but are required
     ! for the order/priority above to take effect on the port
     authentication port-control auto
     mab
     dot1x pae authenticator

HPE:

Page 11

Sample .1X Transaction using Certificates (TLS)

– Mutual authentication

Parties: Endpoint ⇄ Authenticator over EAPOL; Authenticator ⇄ Authentication Server over RADIUS

  1. Endpoint → Authenticator: EAPOL Start
  2. Authenticator → Endpoint: Request Identity
  3. Endpoint → Authenticator: Response Identity (anonymous)
  4. Authenticator → Authentication Server: Response Identity
  5. Authentication Server → Endpoint (relayed by the Authenticator): TLS Start
  6. Certificate exchange between Authentication Server and Endpoint
  7. Endpoint → Authentication Server: Client Key exchange, Cert. verification
  8. Authentication Server → Endpoint: Request credentials
  9. Endpoint → Authentication Server: Response credentials
 10. Authentication Server → Authenticator → Endpoint: Success

Page 12

Sample .1X Transaction with MAC Auth Bypass and Captive Portal

Page 13

What Context Do We Use?

– Who is the user?
– What type of device is it?
– Is it a company-owned or user-owned device?
– What’s the time of day or day of week?
– Location – can this device attach to this port?

Page 14

Sources of Usable Device Context

Device Profiling:
  • Samsung SM-G900
  • Android
  • “Jons-Galaxy”

EMM/MDM:
  • Personal owned
  • Registered
  • OS up-to-date
  • Hansen, Jon [Sales]
  • MDM enabled = true
  • In-compliance = true

Identity Stores:
  • Hansen, Jon [Sales]
  • Title – COO
  • Dept – Executive office
  • City – London

Network Devices:
  • Location – Bldg 10
  • Floor – 3
  • Bandwidth – 10Mbps

Page 15

Enforcement Options

– Great, now that we know the who, what, when, and where… what can we do?
– Depends on the access device, but typically we see:
  – VLAN steering
  – dACL enforcement
  – Change of Authorization
  – Vendor specific (User Role, AV Pair)
  – Captive portals on some switches

Page 16

Enforcement Options – Change of Authorization (CoA)

– The RADIUS Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user in ClearPass, administrators can send RADIUS CoA packets from the ClearPass Policy Manager (CPPM) to reinitialize authentication and apply the new policy.
– RADIUS Change of Authorization will disconnect the endpoint, allowing it to reconnect in the new VLAN assigned by the policy.
– If CoA isn’t available, short DHCP leases and short session timeouts are options.
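The CoA/Disconnect exchange on this slide, as an added example that is not from the original deck or from Aruba: build an RFC 5176 Disconnect-Request the way a policy server such as CPPM sends it to bounce a session, and, on the switch (NAS) side, perform the authenticator check that drops a request not made with the shared secret. The secret, user name, NAS address, MAC and session id are constructed sample values; the Message-Authenticator attribute (RFC 3579) that production servers also add is left out for brevity.

```python
import hashlib
import hmac
import socket
import struct
# RFC 5176 packet codes; attribute types from RFC 2865/2866
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 4, 31, 44

# Constructed sample session (not real infrastructure): the keys the NAS uses to find the session to bounce.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [
    (USER_NAME, b"jhansen"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ACCT_SESSION_ID, b"0000A1B2"),
]

def _attr(attr_type, value):
    """One RADIUS TLV; the length octet counts the 2-byte header too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(code, identifier, attrs, secret):
    """Server side: CoA-Request (43) or Disconnect-Request (40). RFC 5176 s2.3:
    Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attrs + Secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_request(packet, secret):
    """NAS side: accept only a well-formed request made with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    """{type: value} for the attributes of an already verified packet."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

A NAS that skips the verify step would honour a Disconnect-Request from anyone who can reach UDP/3799, so the check is the defensive point of the example, not the packet builder.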

Page 17

How to Handle “Headless” Devices

– For devices that do not support 802.1X, use dynamic authentication / FlexAuth / MAB on the port
– Two mechanisms for authentication:
  – Device Profiler
  – Device Registration

Page 18

MAC Spoofing

What if someone spoofs a headless device’s MAC address?

Page 19

ClearPass Can Detect Device Conflicts

Page 20

Endpoint Profiler

Authorize devices like IP Phones, Hand Scanners, Printers, or Access Points

Protects your users and devices

Page 21

Profiling “Unknowns”

– Recommended best practice:
  – Allow DHCP, SNMP, and maybe redirect HTTP to CPPM
  – Once profiled, re-authenticate against the new information

In the demo, we will show how to use a VLAN for profiling with a short DHCP lease and “bounce” the device to the appropriate VLAN once it is profiled.

Page 22

Example Profiling Policy

Create an enforcement profile and policy rule to send the dACL (in the case of, say, a Cisco LAN switch)

Protect your users and devices

Page 23

Device Registration

– ClearPass comes with a device registration feature that allows a specific device (MAC) to be registered and authorized in the system.
– This allows a user to pre-register a device before bringing it onto the network, creating an audit trail of the user’s devices.
– Useful when a general category or OS family isn’t specific enough, or when you need to allow only specific devices.
  – Example: We don’t want to authorize all Apple MacBooks, but we will allow some to be registered and authorized.
  – Example: You are allowed 3 personal devices and you need to add a new device and remove an old one without having to call the helpdesk.

Page 24

Device Registration Example

The default device registration page looks like this:

Page 25

Pulling it All Together

Page 26

Summary: What Do We Get?

– A single config we can use on all access ports
– With CPPM, a policy engine and profiler that can provide consistency across multiple types of edge devices
– Ability to react differently to different device types, and provide needed access without having to default to “full access”

Page 27

Configs / Demos

Page 28

Demo 1 – 802.1X Authentication with VLAN Switching

Topology: Endpoint → HP-2920 Switch → ClearPass (PEAP-MSCHAPv2) → Router

Decision flow (from the slide’s flowchart):
  Valid User?
    No  → Access Denied
    Yes → User Type? Student / Guest / Faculty → one of VLAN 100, VLAN 600, VLAN 200 (per-type mapping as drawn on the original flowchart)

Page 29

Demo 2 – MAC Auth Bypass with Device Profiling

Topology: Endpoint → HP-2920 Switch (PEAP-MSCHAPv2) → ClearPass → Router

Decision flow (from the slide’s flowchart):
  Device Profiled?
    No  → Profiling VLAN 700 with short DHCP lease
    Yes → Device Type? Access Point / Apple TV / Computer → one of VLAN 400, VLAN 300, VLAN 200 (per-type mapping as drawn on the original flowchart)

Page 30

Demo 3 – Wired Guest Portal

Topology: Endpoint → HP-2920 Switch (PEAP-MSCHAPv2) → ClearPass → Router

Decision flow (from the slide’s flowchart):
  Supplicant Enabled?
    No  → Guest Portal, VLAN 200
    Yes → Return to Demo 1

Page 31

Join Aruba’s Titans of Tomorrow force in the fight against network mayhem. Find out what your IT superpower is.

Share your results with friends and receive a free superpower t-shirt.

www.arubatitans.com

Page 32

Thank You

[email protected]@hpe.com