policy for employees bringing their own laptop?


Boscoh

Senior member
Jan 23, 2002
501
0
0
Originally posted by: STaSh


Yes, this is the exact scenario outlined in the link. However, I do not see why the attacker would need to turn off the 'victim', the machine whose MAC they cloned. If you map a single MAC to a port, if the attacker clones it, the switch wouldn't be able to tell, would it?

Which would then bypass the problem of getting a cert, since the victim has already done the authN for you.

If you plugged a computer in with the same MAC address as another computer, you're opening yourself up to being detected. Microsoft Windows will alert you if there is a duplicate MAC on the network, there are also other ways to detect duplicate MAC's. If you want to avoid possibly giving yourself away, you ensure that the victim machine is not online when you turn your machine on. By doing this, there will be a fraction of a second where the port is in the "down" state, and the 802.1x state is reset to de-authenticated, forcing you to have to reauthenticate.

Also, 802.1x does re-auth checks against the client. The time interval is configurable in most implementations. It typically just takes a few milliseconds to re-auth a client, so any deployment I did, I'd probably set the re-auth period pretty low.

It's not as easy as the article suggests although it is possible to do, but that is the case with most things. However, you're getting into an area where it's fairly difficult to get onto a network with 802.1x properly deployed, and very easy to get caught doing it. Given that risk, it would take a pretty determined person to want to take the chance.

Keep in mind that you're also going to have to get past my physical safeguards to even get access to the network to attempt any of this.
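As an added example (not code from this thread or any vendor), here is the switch-side check Boscoh alludes to: parse MAC-learning events and flag a MAC that is seen on more than one port, or that flaps between ports. The log line format, switch name, ports and MACs are all constructed assumptions for this example, not any real product's syslog format.

```python
"""Detect a MAC address learned on more than one switch port (a duplicate or cloned MAC).

The log lines below are constructed for this example; the field layout
"<ts> <switch> MAC <mac> learned on <port> vlan <vlan>" is an assumption,
not a real vendor format.
"""
import re
from collections import defaultdict

# Constructed sample: one legitimate host on Gi1/0/3, the same MAC then shows up on Gi1/0/7
SAMPLE_LOG = """\
2024-01-01T09:00:01 sw1 MAC 00:11:22:33:44:55 learned on Gi1/0/3 vlan 10
2024-01-01T09:00:05 sw1 MAC aa:bb:cc:dd:ee:ff learned on Gi1/0/4 vlan 10
2024-01-01T09:02:10 sw1 MAC 00:11:22:33:44:55 learned on Gi1/0/7 vlan 10
2024-01-01T09:02:11 sw1 MAC 00:11:22:33:44:55 learned on Gi1/0/3 vlan 10
2024-01-01T09:02:12 sw1 MAC 00:11:22:33:44:55 learned on Gi1/0/7 vlan 10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) MAC ([0-9a-f:]{17}) learned on (\S+) vlan (\d+)$", re.I)

def parse(log):
    """Return a list of (timestamp, switch, mac, port, vlan) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, switch, mac, port, vlan = m.groups()
            events.append((ts, switch, mac.lower(), port, int(vlan)))
    return events

def find_duplicates(events):
    """Map (switch, mac) -> sorted ports for every MAC seen on more than one port.
    From the switch's point of view, a cloned MAC looks exactly like this."""
    seen = defaultdict(set)
    for _, switch, mac, port, _ in events:
        seen[(switch, mac)].add(port)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) > 1}

def count_flaps(events):
    """Count how many times each (switch, mac) moved to a different port.
    Two live hosts sharing a MAC produce rapid back-and-forth moves (MAC flapping)."""
    last_port = {}
    flaps = defaultdict(int)
    for _, switch, mac, port, _ in events:
        key = (switch, mac)
        if key in last_port and last_port[key] != port:
            flaps[key] += 1
        last_port[key] = port
    return dict(flaps)
```

In practice the same logic would be fed from the switch's MAC table or syslog export, and a MAC on two ports is worth an alert even when both stations are otherwise authenticated.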

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
And while we're at it. The pentagon and military already have this covered.

If a bunch of yahoos on the intarweb can poke holes, don't think for a second that protecting against a rogue machine has already been mastered.

<---still remembers doing work at the pentagon.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
This could be a very good discussion, but mind you I aim for standards based solutions. Even though I love Cisco, I don't like proprietary solutions.

Very interesting indeed. I'm not very familiar with the Cisco solution other than the ads with cute kids, but I did hear something about Microsoft working with Cisco in this area. My customer is a Fed Gov agency, very sensitive, extremely visible, so this is a very hot topic at work.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: STaSh
This could be a very good discussion, but mind you I aim for standards based solutions. Even though I love Cisco, I don't like proprietary solutions.

Very interesting indeed. I'm not very familiar with the Cisco solution other than the ads with cute kids, but I did hear something about Microsoft working with Cisco in this area. My customer is a Fed Gov agency, very sensitive, extremely visible, so this is a very hot topic at work.

Well there was a big uproar over their divergent approaches..October 2003 I believe.

Cisco of course going for a network centric approach
MS going for an OS/client/server approach

They told the press they were going to work together and everybody was happy. "We" didn't believe it and they of course are going their different directions to gain market share. Standards bodies aren't the quickest to react and as usual each vendor is pushing for their own solution (and who wouldn't?)

Meanwhile Cisco NAC is a big egg on the face of Cisco and MS has yet to deliver. Either way the customer loses.

But 802.1x is tried and true and does what it intended to do.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Originally posted by: STaSh
This could be a very good discussion, but mind you I aim for standards based solutions. Even though I love Cisco, I don't like proprietary solutions.

Very interesting indeed. I'm not very familiar with the Cisco solution other than the ads with cute kids, but I did hear something about Microsoft working with Cisco in this area. My customer is a Fed Gov agency, very sensitive, extremely visible, so this is a very hot topic at work.


With highly sensitive data, it usually IS a good idea to use some form of end-to-end communication encryption as well as storage encryption. In your case I would use IPSec to encrypt the highly sensitive channels. When the nature of the data dictates, sacrificing a fair bit of ease and speed of access in favor of extra security is a good practice, in my opinion.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
In your case I would use IPSec to encrypt the highly sensitive channels

Sorry I didn't mean to imply we were looking for a solution. We're using IPSec now to protect certain assets. We're in the process of expanding that to a domain isolation setup, and then NAP testing will begin after that.
 

skisteven1

Senior member
Jul 15, 2003
537
0
0
When I worked for Argonne National Labs (via DOE) this summer -- they had a separate VLAN (public network) on which we were allowed to use personal laptops. This seemed like a good policy to me. However, people could VPN into the regular net from the public net -- so it didn't help with viruses much (not that I know of any problems they had).
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
And that is what is concerning from a security perspective...

Have valid ID/Password = talk on network.
Make SSL VPN = wide open, nothing you can do about it.

That's why "untrusted" networks are a pretty good approach. It all comes down to "how much do I trust this IP address and how should I treat it"
 

melthemoose

Member
Jan 11, 2005
45
0
0
We do allow this (wirelessly), but the network is set up to isolate the visiting machine and allow internet access only, no access to any "private" LAN assets.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
Originally posted by: STaSh
Edit: constructive feedback would be useful, since the product is still in development. One of the PMs for NAP is onsite with my customer this week, so valid criticisms besides 'it's bullshit' would be beneficial.

Definitely.

I can pass constructive feedback up the chain as well.

Keep in mind there are several scenarios with NAP. Some will casually knock you off the network with like DHCP and you can work around this if you are clever. If you go IPSec it locks down hard though.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
BTW, NAC 2.0 is coming, and it's getting better....

also, NAC is coming to wireless!
 

ktwebb

Platinum Member
Nov 20, 1999
2,488
1
0
OP, look into VMware ACE. Refusing to allow vendor/contractor laptops on our network isn't practical. Just too many of them to provision company PCs or laptops for them. There are some requirements that can be hefty for the host machines depending on how big and beefy the VM image you're using, but the solution works pretty well. You then lock down with your standard corporate security plan. GPOs, firewall rules, whatever.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Had Cisco onsite yesterday, showing their NAC stuff: pretty unimpressive.
NAC Framework and NAC Appliance.

Framework is based on 802.1x and infrastructure devices (switches, routers, etc...) that support it. Big $$, will take a few years to implement in most shops.
Appliance is based on SNMP management of VLANs. Supported by most Cisco devices in use today....but will break most Windows GPOs/login scripts, but other than that it's deployable today.

As you can tell, I don't see either of these being deployed at our shop in the next 12 months. If you're in the market *now*, and use QIP and/or McAfee w/ ePO, take a look at EndForce and McAfee...their products look a lot more effective for right now. Not perfect, but headed that way. McAfee's is just into Beta now, while EndForce is at some 1.0+ version right now, been shipping for at least a year.

YMMV...these products really depend on what products YOU have already installed, and what you see as the biggest risks.