I guess now is the time that I need to start to sing, okay. Thank you for coming here. My name is Ofir Arkin. I'm the Chief Technology Officer of Insightix. And I'm here to talk about network access control, a topic that I started to talk about a year ago, and still find very interesting. Just as a curiosity, how many of you have a network access control solution installed? Okay, how many of you are happy about it? Okay, 1%. That's cool. Before I start, I would like to dedicate this talk to the memory of a good friend of mine who was killed this year, actually two months ago. So this talk is in his memory. Okay, so what is network access control? And what are the things that need to be part of network access control? And then we'll be talking about how to bypass these. The way that I've outlined this talk is different from the one that I gave last year. First and foremost, there are new things here. I'm going to do this slow. We have all the time in the world. It doesn't mean that we'll end up at nine. I'll basically take another five or 10 minutes. Basically, for each NAC feature, I've outlined the problems and given some interesting examples. And basically, whenever you would like to stop me for questions, just feel free to raise your hand. Sometimes it's good to be the last talk of the day. So, a bit about myself. As I said, CTO and co-founder of Insightix, founder of the Sys-Security Group, did some computer security research in the past: Xprobe2, some VoIP security back in the days, information warfare, network access control, and so forth. So, what's network access control? I think that is the million dollar question, where basically nobody can define what network access control really stands for. The functions that it needs to actually have. And also what kind of a solution is it? Is it a security solution? Is it a compliance solution? What does it need to do? And so forth. So, the problem definition is really easy.
That's the one thing that we all know about. We have our enterprise LAN. Everybody wants to access it. Everyone wants to put their stuff on it. So, in the past, it was really easy. Workstations, servers, printers, that was our world. But today, anything that has an Ethernet jack, anything that has a wireless access card, can connect to our enterprise. Everything that has a VPN and so forth. And basically it's a zoo out there. I mean, I can easily ask you how many of you know exactly what you have on the network, and basically no one will raise his hand, or her hand. Because at any given moment, we don't have control over the enterprise LAN. And that's the number one problem that we have in security today. We secure the perimeter. We do good VPNs. We do a lot of other good things, or we try to. But at the end of the day, we really don't know what we have on the enterprise LAN. So at any given moment, someone can connect something that they brought, put a rogue device on, access our information, or try to. And at the end of the day, this whole thing puts in jeopardy the stability, the integrity, and our regular operation. So if you look at the history, there are credits that I need to give. First and foremost, the first definition, or the first company who started to speak about this type of a solution, was actually Cisco back in 2003, as a result of the Blaster worm. Cisco wanted to introduce a security technology, or a technology, that will make sure that elements that are introduced to the enterprise LAN are actually compliant with a certain policy. Then we saw Microsoft jump on the bandwagon, the Trusted Computing Group, and a ton of other companies that claim to provide network access control solutions. So what's network access control as is? So as I said before, there is no standard. There is no common criteria. Basically today, there are two groups that try to say that they know what network access control is.
It's basically the TNC group, which has a bunch of companies as members there. Microsoft and Juniper are among the biggest companies that are in that camp. And of course Cisco, which represents their take on the world, and other companies that decided not to be in either camp. So since there is no definition, you can't really say what components a network access control solution should have. So at the end of the day, this varies from vendor to vendor, and it all depends on how the vendor takes this. So in my opinion, the first and foremost thing, when you hear network access control, it means security. And only then it means compliance. The most important thing that we want to achieve with network access control is the ability to control who accesses our network. Does this sound logical to you guys? Right. Network access control means I want to control who enters my network first, and then I would like to make sure that they are compliant with what I set forth as the policy. Also, network access control is a risk mitigation solution. Why is this risk mitigation? Because you work in the financial sector. In the financial sector, it's all about risk mitigation. What should I do in order to lower the risk to my business? What is the risk and how much money do I need to invest in order to mitigate that risk? And is that risk worth the money that I'm going to put in it, or considering putting in it? NAC does that thing. By setting the policies of compliance, you are able to say: if someone does not have this patch or someone runs a certain program, I'm not granting that particular computer access to my network. And by doing that, you lower the overall risk that you have from that element, or to the overall network, from new viruses, worms, and so forth. So a security solution that is backed up by compliance checks, which at the end of the day provides risk mitigation.
So this leads us to my definition of network access control, which means a set of technologies and defined processes which are all tasked with controlling access to the enterprise LAN, basically allowing only authorized and compliant elements to be on the network. Okay, I guess no one here would like to say that doesn't sound logical. I mean, a question, someone. It's important for you. Okay, you actually, the gentleman just touched a very interesting point. The question was, does network access control also need to control the applications or the protocols that are being used by the element, and other things? Well, you know, there are some people who say that network access control should also be about anomaly detection, and should also do filtering on the host like you said, and also should do anti-spam, and also should do antivirus, and also should be, and this is kind of getting to the point where what do you want from network access control? Is this only one solution that needs to solve all of your problems? And at the end of the day it's not, because then we're talking about a set of technologies and a set of things that we are all doing today in order to control those things in the first place, and you're talking about different systems that are designed to do different things, and you cannot load network access control with everything altogether and say, okay, this is the magic solution for everything that we have in security. Yes. Oh, I haven't said that it doesn't belong to network access control. I know this is a bit about definition, but it's important, because when we get into how you bypass these solutions you'll see why those components are so important and why the definition is so important. Because if you define your solution as a compliance solution and not as a security solution, you're selling something else; you're not selling network access control, because the word network access means security.
If you are willing to ignore that, then at the end of the day the solution that you're selling is FUBAR. It's not security. So what components do we need to have with network access control? First and foremost, we need detection, and real-time detection. We need to detect an element that enters our network so we will be able to do network access control, because detection sets the motion for network access control. If I would not be able to detect the element that enters my network, that's it for me, and we'll talk about that later on. So first and foremost, we need to have element detection as one of the most important components of network access control. Then we need to have validation. Validation, first, is the device validation. It means that I need to know who my devices are, and as we will see later on, most of the network access control solutions don't care about what the devices are. They care about the users. Big problem. Validation means device authorization and user authentication. Assessment means the ability to set policies and to make sure that elements that enter my network comply or do not comply with those policies, and in situations in which they do not comply with those policies, basically to allow them either self-remediation, automatic remediation, or manual remediation of the problem that this element is currently having. Then of course, another very important feature in network access control is the ability to quarantine an element that does not comply with the policy, and also to enforce policy on those elements that do not comply, so they cannot access our resources.
So this is enforcement and quarantine, and provisioning means that we will be able to look at those elements we allowed onto our network, so we will be able to maintain the provisioning on those systems, so we will know that the terms that we set for them to be compliant with are still being maintained when they are on our network, and not just at the admission time or the connectivity time to the network. So basically: detection, validation, assessment, remediation, enforcement, quarantine, and provisioning. Different functions, a lot of problems. Questions until this point? Okay. So what are the attack vectors? With any technology there are multiple attack vectors. First and foremost, the architecture. How do the different pieces of the solution play with each other? A lot of different problems there, but usually if you would like to look at a solution you need to understand how the pieces interact with each other, and then usually you will be able to find things. Then you can take the technology and disassemble it into different parts, like the element detection part, like the device authorization, and so forth, and try to find problems in that arena. And of course the components themselves, the clients, the servers, they are also our target. So this is the interesting part. So what are we going to talk about in regards to bypass? First and foremost, we will see why definition is so important. We'll see why element detection can be problematic as well. We'll talk about completeness, real time of the detection that is being done at layer two versus detection that is being done at layer three. We'll see issues with device authorization and user authentication. Then we'll talk about one of my favorite topics, quarantine: shared versus private, layer two, layer three, and bypassing it. Then we'll go to enforcement, assessment, and we'll show some examples of the full flow of a solution at the end, so it will be interesting for all of us.
Okay, so the problem of the definition. Again, what do we want to achieve? Is this security or compliance? If we define that this is compliance, it means that we don't provide security. Do we provide access control against all of the devices, or do we provide access control against part of the elements that are on our network? That is a major thing, because if you hear a vendor that says, well, I have agents that I install on Windows based machines and this is my world, it means that this is not a good thing. Why, can someone tell me? Not because we already have Linux and Mac OS X and handhelds and other things, but because usually those solutions will go to the domain controller and will get the list of the systems, but guess what? There are elements on the network, and part of you, I'm sure, do not like the big brother looking at you, so they don't log on to the domain. They put their personal firewalls on, they're unmanaged, so a solution that goes against those systems that automatically log on to the domain is not a good solution. Like patch management, like antivirus, like any client based automatic installation on your domain elements, because you have unmanaged systems that are on your network, that are part of your network, but you don't have a clue that they are there. So this is why, you know, one thing. A good explanation of this you can see with the Trusted Network Connect definition of network access control, and this is interesting. Actually it reads: security requirements for endpoints connecting to the corporate network, collecting endpoint configuration data, policy compliance. So does this mean that they look only at those machines that they can check the policy compliance on? Or not? We still don't have actually an answer for that, but in most cases what I've seen here is it totally depends.
So instead of this definition saying we would like to enforce security by making sure that your devices are your devices and making sure they are compliant, this is like a definition like an RFC. You must, you should, and this is why all of what we get is a mixture of solutions. So at the end of the day what we have is a weird definition, or no definition at all, but the interesting parts come from the technology itself. As I said before, element detection is the most important piece of any NAC solution. If we are not going to have an ability to detect an element that operates on our network, at the end of the day it opens up a window of opportunity for that element to infect the devices on the network, try to penetrate into them, try to infect them with viruses, worms and so forth. So the second the element is being attached to the network, this is the time that we need to detect it, and then we need to actually take an action against it. So if there is no ability to provide complete detection, if the network, if the solution is not aware of the contextual data of its own enterprise LAN that it's working against, there is no way whatsoever the solution can actually provide you with security, because that element would be able to operate on your network without that, without the knowledge of the NAC solution, and would be able to do actions without being controlled. So if there is no knowledge, there is no control, there is no defense, and when there is no element detection, there is no NAC in the first place. So there are a multitude of ways to provide element detection. One of the most problematic ways is to listen to DHCP traffic, for example. In the case that solutions have DHCP proxy servers that intercept the DHCP requests, gives you an IP address on a known and routable subnet.
If you're a good guy and install the client, that's nice, they will interrogate the system, going through all of this, but at the end of the day, if you don't use DHCP, then who cares? They'll not be aware of your existence and you will be able to do whatever you want on the network. There are also broadcast listeners, basically a client that sits on a subnet and listens to broadcast traffic. Broadcast traffic can be broadcasts, NetBIOS, DHCP requests and so forth. The idea here is that an element would be able to, or should, send broadcast traffic during its operation on the network, and that would disclose its identity. We'll see later on that this is nonsense as well. There are also out-of-band solutions listening to traffic at the monitoring point. They can be deployed at layer two, they can be deployed at layer three. It really depends where they're deployed. Inline devices and other ways, for example, integrating with the switch. If you enable 802.1x on the switch, it will give you a good element detection capability. But that said, 802.1x has other problems that we will look at later on. There are some switches that can actually send you SNMP traps when a new MAC address is being registered on a port. Unfortunately, not all of them can do that. That's another way to do this. Of course, if you have a software client installed on the element and it's powered on, the client talks to the solution and tells you about that as well. Unfortunately, I know at least one solution that does that. It can be easily spoofed. That's the easiest thing to do. Actually, that solution is totally dependent on the infrastructure. It sets the SNMP traps. It communicates with SNMP with all the switches. We'll see why it's problematic. Just one hint. You need to know your infrastructure in order to know which switches you need to manage. That's a big problem when you don't have a capability of discovery, any topology, any physical network topology ability as well.
Why kill the messenger? Let's wait. We can define Layer 2, Layer 3 switch in software. I'll jump over. I'm pretty much understood. We'll look at passive element detection. It can be done with most of the solutions there. You can just sit and listen. Basically, you're totally dependent on the traffic that either goes through a monitoring point, or is being sniffed over the network, or is being sent as broadcast traffic. The biggest problem here is that you don't have control over the devices. I can't ask you to send me something through the monitoring point. Let's say I'm deployed at Layer 3 and I'm looking for IP-based traffic. So you can get onto the network, not send anything outside the network, and be okay with it, especially if this is a small network that does not have any services outside the boundaries of the router. So you can sit there and not see anything. Now, if you need some type of information, other than the detection, it's another bad thing, because I can't make you send the traffic that needs to disclose that particular information. And of course, there is no control over the pace of the discovery as well, because whenever that element sends the traffic, that will be the time that it will be detected. I didn't want to go over too many of the things, but if you would like to read more about problems with passive network discovery systems, then there is a reference in the presentation to a paper I wrote back in 2005. So this is an example of passive element detection at Layer 2 and Layer 3. The inline hardware actually sits at Layer 3, totally dependent on the traffic that needs to be sent through the monitoring point in order to detect the elements. You can see for yourself why this is problematic. And on the lower side, there is a broadcast listener that basically sits at Layer 2 and waits for broadcast traffic so it will be able to detect the elements. We already talked about the problem.
I was browsing the web and I wanted some examples for the presentation, so Google is a nice thing. I googled up a Cisco Clean Access presentation, actually taking two slides of it just to show the point. If you know Cisco, actually it's called NAC Appliance now, it's basically able to intercept traffic and to force the authentication of a user. It can be deployed in various modes, inline, out of band, bridged, routed, it actually has multiple ways. It's actually a company that Cisco had purchased called Perfigo a few years back, or months back. And this is all the flow that this element needs to go through. Who can tell me what's the problem? Just by looking at the slide. The problem is actually, if you see the element on the left side, there are multiple switches it needs to pass until it hits the box. It means that technically speaking, if that element would like to interact with anything in between, it will be able to. And it means that if that element would not like to go through the monitoring point, it will still be able to interact with other elements of that wireless access point, connected to that wireless access point, providing that it doesn't cross the boundary, because the box is actually installed after the wireless access point and not before. So the detection is totally dependent on the element actually going to another network. So technically speaking, if I have the ability to connect to the wireless network, I'm able to interact with all of the devices there. If I'm being detected, I'm only being stopped. But the next slide will show this even better. This is a slide that shows why the solution actually requires fewer boxes. In the slides here, on the left side, the before, which is actually in my opinion better, all the branches have boxes, and in the after, only the data center has boxes. Who can tell me what's the main problem here? If I connect to the branch office I can do whatever I want.
If I don't go to the data center I can do whatever I want, and nobody will detect my presence, and I will be able to interact with whatever I want on the network as well. So if I don't have the solution installed to detect my presence, I cannot do network access control at the end of the day. If I don't go to the data center to request services, I'm able to interact with the whole network without going through the network access control process at all. Yes. There's more material coming. So, exit definition, if you do the deployment in the wrong way because you want to save the boxes, exactly, you want to save the money. Where's security? Everybody buys security. It's just how you wrap it. Or I'll tell you how afterwards, I don't want to start it here. I mean, you bought one solution, you got another half price free. You paid the maintenance. You don't know where you go. You already installed it, so he laughs, he knows who I'm talking about. Okay. Another example, the broadcast listener. Okay, so the broadcast listener is basically the broadcast traffic that should go through, but guess what happens? If I do, for example, unicast ARP requests for someone, that someone will reply to me unicastly as well. So if I shut down file and print sharing, for example, if I know how not to send DHCP requests, if I don't need DHCP, and I start to do the ARP requests unicastly, everybody will talk to me, and the solution that listens for traffic on the local LAN will never know that I'm there. Easy. Try it at home. arp-sk is a good tool for falsifying ARP data. You can play with it. You can create a communication with someone. You'll get the responses. Nobody will know that you're actually there on the network.
So easily, if you want to cross the boundaries of the network and there is nothing that monitors that point of the crossover, just send the router an ARP request unicastly and not broadcastly. The router will be more than happy to answer, and you will be able to just cross the boundaries without being detected, happy ever after on the network with no element detection whatsoever. No one wants to guess the product? Okay, so I'll just continue. Okay. So you're sure you don't want to guess the product? Starts with an M. That's it. Okay. So just to wrap this up, some element detection capabilities are still provided with poor discovery. We talked about DHCP for a bit. We talked about SNMP traps; then thanks to George Bakos here we also know that if we send spoofed SNMP traps back to these solutions we can have a nice party on our network. And also if we install client software, there are elements that we will not be able to install it on, and so forth. So the conclusion, oh, there is more stuff, more beautiful things I forgot about. All of that, basically, also network address translation. We all tend to forget that network address translation is not our friend, and in most virtualization solutions like Xen, Parallels, VMware and so forth, you can just bring up multiple guest machines, do static NAT basically, and just be on the network, whatsoever. Most of the solutions will not be able to detect network address translation devices operating on the network. So in that respect you can fire up other elements on your network. Whoever raised their hand, you can try it at home. Download Parallels or VMware, install a guest operating system, do static NAT, you'll be more than happy to just be on the network, the more the merrier. So that's another problem. This basically concludes the element detection part. Any questions? Okay, and how would an IDS help me?
The problem is that you can't really hook up an IDS to each point, to each point, and also the type of things that you will be able to see are probably different. I mean, if you really want to make use of the IDS you can do that. But the problem being is that there are so many things that you can do, it's not that easy. There are ways to prevent that, we'll talk about that later on. Other questions? We will see how that works later. You can ask the gentlemen in the fourth row how that works for them. Okay, validation. Basically validation, okay, I'll answer your question so you'll have an answer. The problem of pushing security into the switch layer means that you now need to go to your boss and tell him: listen, I know that you bought a new infrastructure two, three, four years ago, but you are now going to dump this, and instead of buying model XYZ you are going to buy Z/1, and that is something that we could update if that company would be able to allow us to, but we need to invest in your switches. And your boss is going to look at you. And there are two chances here. One, he will be fired, thank you, and yes, because nobody, someone who invested in infrastructure and someone who put in a solution, doesn't like people coming and telling them this sucks. That's the problem with our jobs in security: we always come to people who invested in solutions and say you need to throw that out of the window. That's the wrong approach in my opinion, at least. We need to make that work in the context of what we have, or we need to purchase a solution that will enable them to operate better.
A good example is contextual network information. It can really help patch management, it can really help antivirus, because it can identify those elements that do not belong to the party, and that is the 20% that we are not aware of. That's one example, and the other one is just to tell you, okay, I heard you, and just close the door after you, and that's the story. That's the problem: it's a lot of money. It's not just, you know, I've heard numbers for a company, I'm not going to name names, a company that has 5000 people operating in a campus, the number was 7 figures. Why do they need that, in the middle of the day, to invest in new infrastructure where the infrastructure works perfectly fine? No need for that in my opinion. Nobody is going to put the money and replace the whole infrastructure, not mentioning the fact that when you replace the infrastructure and you put on a solution, you are in deep problems as well, because then you need to install new security servers, RADIUS servers, for example Cisco's ACS, that need to interact with other parts of your network, like the Active Directory, like the LDAPs and so forth, and you need to install other pieces that need to interact with the whole party. So the moving parts that you have with the solution are not only the infrastructure, not only the RADIUS servers, not only the other pieces, it's the whole thing altogether that needs to work all the time. So from an infrastructure that works all the time and works fine, let's assume that it is working, you move into it in a way that restricts the user's ability to work on the network, and might also put stability issues on the network itself, because you are putting in new stuff instead of the old stuff, but new stuff that you need to make work again. Not mentioning the fact that some of the technologies that we will talk about here, like dynamically quarantining and stuff like that, the financial sector very much likes it, because it's dynamically defined port VLANs, another great thing for when you have to have a
change control over something. So it's not just a black and white kind of thing, it's a lot of other great things in the middle. That's the biggest problem here, but I'm not even half through. So is that okay? He doesn't speak, so I'll help him. Exactly, you're talking about something that I also see a lot: people buy a solution and they would like to have the alert side; they are afraid to take the action, or they're not much certain that that solution would actually do good for them, so they are afraid to hit the button and say, okay, do enforcement. And actually remind me of that question at the end, because we're jumping all over here, but that's actually a good view about what is actually going on today. So validation. That's good that we're the last talk. Basically, it's the process of authorizing devices and proving the identity of their users. Again, two things that sound very easy, but they're not at all. So the role of device authorization is to combat rogue devices. I would like to make sure that the devices that I know of are the only devices that connect to my network. That also connects back to the element detection thing: if I'm not able to do element detection, I don't know that something is there. Not only that I can't do NAC, but I can't do anything. So if I don't have the ability to know that something is there, a rogue device will be on my network. This, as I said, needs to be integrated with the element detection; an element that is on the network must be immediately blocked or restricted in access. But the problem is that most NAC solutions do not authorize devices. If you want to have names, then you can look at them; basically nearly all of them do not do this. Some of the solutions actually only mandate user authentication; they will not actually look at the device authorization, and some of them will have some ways to do network access control without doing user authentication at all. So if you have been to Black Hat and looked at the NAC attack presentation, that actually takes
that into account, where two out of three of the Cisco NAC framework's ways of operation do not require the user to authenticate at all, not mentioning the fact that there is no device authentication in the first place. That's how they operate. Also the problem is that if I have the credentials for someone and I would like to bring my device from home, technically speaking I will be able to connect the device, use the username and password that is authorized on the network, and basically work on the network. I guess we are all about user experience in this session. Okay, so basically an example again: if we look at the Cisco NAC Appliance slide again, basically there is no way to do authorization for the device, so if you basically replace the device with another device and use the same username and password, we will be able to get on the network. Why is this so important, to tie between the device and the user? First and foremost, we don't want the rogue devices, but if we are able to tie between the device and the user that uses it, we will have a stronger security solution, and again, stronger authentication, authorization and auditing. Another interesting example: there are solutions that are DHCP in a box. It means that they provide you a DHCP replacement server, redirecting you afterwards to an authentication portal. They do that by hijacking the DHCP requests and basically setting the DNS server IP to the authentication portal, so the authentication portal can basically answer your DNS queries directly to the authentication portal, request your authentication, and admit you to your network. This seems really good at first, but what happens when you have a rogue DHCP server? So I basically try to answer those queries faster, I provide the same services: hey, I have DNS, I have my authentication portal, just give me your credentials, and now I'm on, so I'm sure, do whatever you want. So that's a big problem here. Just as a teaser, so just a word about 802.1x before we talk about 802.1x later. 802.1x, for those
who do not know it, is just a username and password, probably about nothing more than that. I mean, sure, you need to have infrastructure in place and you need to have a supplicant, but basically with that supplicant you don't need to have anything unless you build a client on top of that. So that doesn't provide any type of device authorization, it only provides user authentication, because when you go on the network and that works in the background, what credentials do you think are being used? The same credentials of the user to log on to the domain. OK, great, so what do I learn from that? Nothing. Basically I do double authentication for the user. OK, who cares? If I have that username I'll be able to admit any type of element I would like to the network in the first place.

That brings us to another interesting part, which has more meat to it, which is the assessment process. Basically it's the process of evaluating whether or not an element complies with the network access policy. Usually, in most cases, this is Microsoft Windows only; sometimes there are checks for Linux and for Mac OS X. How many of you who have a NAC solution actually do this type of checks, Linux, Mac OS X? What do you check? Basically, if you do compliance checks, what do you check on the Mac and the Linux? Basically, in my opinion, you really don't check anything at all. But the problem is, you check the stuff that they send; the stuff that you don't check is the box itself. But the problem here is, first and foremost, that you need to classify the device. You need to decide whether this device goes through the assessment process or not, because you need to say, or to detect, whether or not this device is Windows-based or not, and there are several ways to do that: client-based, active OS detection, passive OS detection, JavaScripts, captive portals and so forth, and there are lots of problems with that. This is the Cisco problem that they had with the NAC appliance, where first and foremost the user agent string on his browser: you
don't need to do anything here, we don't need to do assessment, just give me a username and password and I'm through. OK, that was fixed. Then they went and changed the way the TCP/IP OS stack detection is being done, actually answering the type of queries it's being asked and the type of traffic it's being sent. So that was another issue that was addressed. And of course they decided that their element doesn't need to be managed, and that also contributed to the problem, because then they should be doing special handling. So all of that was an advisory that was out around a year ago, and there's a nice response by Cisco, where I'll sum up the response for you: "users cannot bypass authentication using the approach described in the advisory." OK, but I'm not talking about authentication, I'm talking about assessment. A user with a username and password, but he runs whatever programs he wants, doesn't want to be patched, doesn't want to do anything: did those things get checked? The user with the username and password wasn't checked for compliance; it was on the network. Actually, the nicest thing here, in my opinion, the interesting point, is "Clean Access: use the network scanning feature to detect users who attempt to bypass agent checks." If you go to that advisory, basically what it tells you is to use several Nessus scripts in order to do detection. OK.

Assessment methods: you have client-based, clientless, dissolving agent. I'll go through this fast. Strengths: can provide a wealth of information, changes in real time and so forth. The problem is, as I said before, where do we install this? Are we installing it on the 100% that we need to install this on? And again, we can't do the 80-20 rule on security. This is again one client among many, so the desktop people that you go through and say, OK, I'm going to install another client on the desktop that you need to include in your image, well, they say OK, that's fine, close the door behind you as well. This is not going to happen. And more and more companies that I go and speak to, they come and say, well, first and foremost, I
don't want you to touch my switches, second, I don't want you to touch my client, and then if you have a solution I'm willing to speak to you. They don't want you to touch the box, they don't want you to touch the switches, because they had enough, and we will see why. Also, this is a management overhead, performance impact, time to implement; exactly, we know how good this is. And again we come back, seems like, to Cisco. OK, client-side issues with the supplicants themselves, and again the communication path between the agent and the server, another big thing for this to happen. NAC attack was just a proof of concept, or something that works as an attack vector; I talked about it a year ago. But the most interesting thing that happens is you see companies say, well, we need an all-in-one solution, and when they put the antivirus and the antispyware and the antispam and the NAC and firewall and other things in one nice, happy, all-in-one agent, if that doesn't kill your CPU and the device, and it manages to work, the problem here is that this is a single point of failure. And like today, where our viruses and worms basically go and make you think that the antivirus is actually working when at the end of the day it doesn't, this line of attack will happen again with the all-in-one solution: it will be a client that will be able to be disabled by the same type of an attack. Someone will be able to send a type of malware that will attack the client itself. So you put all your eggs in one basket; it all needs someone with understanding of how you disable this.

The agentless approach: it's easier, it's faster. The problem there is that you need the cooperation of the device to actually communicate with it. You need the service to be open, you need the service to answer, and you need the type of information that you are looking after to actually be sent back to you. And the dissolving agent: the biggest problem is that you need to be local administrator; you have to have local administrator rights or power user rights. But the biggest
problem here is not with the way that you do things. You can overcome this, you can select the way that you want to do this, it doesn't really matter. Currently the problem is with the information that we are actually checking, or that these solutions are actually checking. If we look at registry values, at home you can play with all of the registry values, you can falsify them. So I can be running Windows 2003 SP3, I'll be fine; I'm SP2, equal and bigger than SP3, right? Also I can say that I'm running a certain patch, because hey, it's written in my registry. The problem here is that Microsoft does not provide us with the means to know what was changed with the DLLs with any patch, so we can't go, or these NAC solutions can't go and say, OK, this DLL was changed, but just in that, have the hash for the DLLs and say this is good and this is bad. So all of the information that is being checked is basically spoofable.

And we talked about the remote communications between the client and the server, or machine and the server, and there are two things that I would like to talk about here that I checked, and they work marvelously. The first one is replay attacks: for some of these solutions you can take the information that was checked, you can basically record that, do the differences when you are being asked with the IP address, and basically replay it back, and you'll be fine. Some other solutions don't encrypt the communications between the server and the client, so in that respect you can see what are the parameters that are being checked, you can fix them on your host as you would like, and you will be admitted to the network as well. I call this SNS.

This brings us to another interesting topic, which is exceptions. Basically, if one cannot take a certain element through the NAC process, or through parts of the NAC process, it defines an exception saying this MAC is allowed to go through a certain process, or this MAC is allowed to be admitted freely on the network. The problem here is that these type
of elements, for example, would be those that cannot run a software client, like 802.1x, systems that cannot run a client like non-Windows elements, or some elements that run an operating system that is not Mac OS X or Linux. So yeah, most of them. So, technically speaking, if you put a hub instead of a switch and use the MAC address of the switch, automatically, because there is no way for those to understand that you have replaced the switch with something else, because they don't have context, you will be able to replace everything, the VoIP devices as well, and we'll see that in a second. So basically the CTA, the way that, if you can't really install it on a machine, you can define an exception, and one of the coolest things that I looked at is the CDP for the Cisco IP phone. So if you want to admit your element to the network, all you need, if you have the NAC Framework operating on the VoIP side, is to sniff the CDP packet that authenticates to the 6500, to send it yourself, and you are admitted now as a VoIP phone onto the voice VLAN.

Another interesting thing: this is taken from Sygate documentation, now Symantec. Again, if you would like to define a non-Windows exception you can do that, blah blah blah. And basically this is the problem: we don't deal with... solutions basically don't have any kind of understanding of what these exceptions are. What's the operating system, what's the logical location of the element, what is the type of the element, is it a VoIP device, is it the switch, is it something else? And they can't relay the information about this element: is this a previously observed element, or is this a new element? So they can't really determine. So basically, if you are able to define exceptions, you're the king of the hill, because you can bypass any of those solutions. So basically, if we have a printer, this is my favorite, your previous question about Cisco, we'll see that here: I take the printer off, spoof the MAC address, spoof the IP, and I'm on,
get the same access rights to the network as the printer. And we're back with 802.1x: so basically, using a base protocol, the problem here is that not all of the networking elements on the network can actually do 802.1x, as well as the hosts that actually reside on it; your AS/400, can it do that? Printers, VoIP devices, legacy equipment, and so forth. So you invested in replacing your infrastructure, to your question, you decided to enable 802.1x, and at the end of the day what's required is someone to know that you can just unplug something and plug something instead, and you're the king of the hill. Simple as that. No idea what this element is, no idea what this element is doing; as long as the MAC address will be the same, you're good to go. So this is why replacing all the infrastructure may not really help you. I put that personal firewall on, you can't do anything. OK, this is why all the checks that they tell you that they're doing with vulnerability assessment, forget about it. What is a vulnerability assessment good for against a device which has a personal firewall? Nothing.

Here's the really, really cool one that I like, which is quarantine. So if your device is non-compliant, it will be put into a holding place called a quarantine. The access that it will be granted will be only to remediation servers, and at the end of the day what we have is that the quarantine will hold all the soft targets of the enterprise: those that do not have the patch, those that have certain network services open, those that forgot to install the service pack, those that we don't know about. OK, how do we do quarantine? There are multiple ways to do that: ACLs, dedicated subnet, dedicated VLAN, also known as a quarantine VLAN, private VLAN, per switch port, et cetera, to using ARP cache poisoning and so forth. There are two types of quarantine, private and shared. Shared is basically a quarantine method that allows the elements inside the quarantine to interact with each other, so basically if I would like
my biggest and nicest attack vector, I would come with a device, let the NAC solution put me on the quarantine VLAN, and start attacking all of the other devices, because what are all of the other devices that may be targets to me? Those on the quarantine VLAN, right? So I have my own definition of that: I call it the self-infecting VLAN, or the self-infecting subnet. I think I'll trademark it. So that's a big problem. You may have heard also the term quarantine VLAN. Quarantine VLAN is basically a shared VLAN that associates the device with a dedicated VLAN by dynamically assigning the VLAN ID using the switching infrastructure. So as I mentioned before, the networking people, they like this because they now know which switch ports represent which VLAN IDs; now it's like a circus, now this changes, now that changes. What happens if the solution fails? I mean, what state will the network be left in? So this is also a big hit for the financial institutes, because you have a chain of requests that you need to put in place, it takes a week until you can do the change, and here we're talking about a solution that in seconds can assign VLANs, can change the escape, can make mistakes. So that's definitely a no-no for the financial sector, and I can tell you from first hand that they don't allow this in most of them.

Also, this means that you need to provide a major function using the networking infrastructure; you need to rely on the networking infrastructure in order to provide this type of feature. But what if this infrastructure is old, or what if this infrastructure cannot provide you with this? And a lot of organizations, small and medium, take what they had in the core when they replace it and push it to the access, and I do get to see a lot of them use old base switches on the access layer. They don't have the money to invest in switches to do security or do VLANs, and it works, so why replace that? And that basically also opens up another interesting problem that
nobody likes to talk about: your device policy. How many of you do not have hubs? Come on, you don't have hubs? Good for you, actually very good, I'm not joking, that's great. Not at home, right, at work. OK, that's very good, because most of your organizations will have non-managed switches, aka hubs, on their network. So it means that multiple elements will be connected to the same port, and it means that you can't really put the policy in place if you have multiple elements on the same port, because if you assign that port, that's not available; if you assign that port, it means that you are going to assign that port for all of the devices and not just for the device you want to put in quarantine. The other problem here, which is much more philosophical, is that you don't know how the infrastructure looks in the first place. So how do you know which are the switches that you interact with in the first place? Because usually NAC solutions will not have any type of network discovery capabilities, so they will not know the infrastructure in the first place, so someone needs to tell them who are the switches. And guess what, if we're a big infrastructure, if we're a big shop, we don't know. We know the big boys that sit in our server room, but the small stuff, I mean, if you are a 10,000 element shop, I mean, you don't know what you have. It's really a problem. I mean, you don't know who is on the network, so you know your switches, the access switches? Never happens. Also, one of the favorite things that the networking people really love is when you go to them and say, well, read-write access to your switches. That's the biggest joke they can hear; never would they like to give read-write access to the switches. So that's basically the self-infecting VLAN.

When we look at the private quarantine, it means that it doesn't allow the elements to interact with each other. Usually this can be done with a nice feature called private VLAN, or with some layer 2 based methods. This is an example of why
it is bad to do quarantine at layer 3. The way quarantine is being done here, by an inline device, is basically blocking the device from crossing the boundaries or getting to the router. The problem here is that this device is able to interact with the whole local subnet, so in that case it can just try to penetrate another host, use it as an access proxy to the rest of the network, and gain access to wherever it wants, if it is able to do that.

Other interesting questions that not a lot of people ask is when an element should be assessed for compliance. I mean, when should the element be quarantined? When it needs to be assessed for compliance might be too late, because it is already on the network. After the assessment, when it fails? If it already failed it means that it doesn't comply, so we should have put the quarantine in the first place. So at the end of the day, in my opinion, an element needs to be put into quarantine as soon as it is being attached to the network. Then we need to check the element, then we need to decide what we need to do with it. That way we will be blocking any possible interaction of the element with the other elements operating on the network, and we will be able to control the element, rather than allowing it access to the network and then doing the quarantine. As I said before, NAC is risk mitigation, and therefore we need to close the window of opportunity for an element, when it is being attached to the network, to infect or to harm our network. And if we are not going to quarantine the device when it is being attached to the network, we haven't been doing anything. So if you don't do real-time element detection, then you can't really do quarantine immediately, then the window of opportunity for the element or for the attacker is getting bigger and bigger, and basically again the problem of not knowing gets back to the problem of NAC not working, gets back to the fact of how your piece of the solution actually works.

Let's go quick about enforcement. Basically,
enforcement goes into blocking and restricting network access from elements. We can do layer 2, we can do layer 3, we can do that at the switch level; we might need additional hardware, we might need additional software, and usually at the switch level this is again per port, per switch, per single device, and at layer 3 it means a lot of problems. I have highlighted the IPS style: some tell you that they have IPS capabilities inside their boxes. The problem with IPS is that it can remotely block maybe TCP, but not other protocols. So in order to do something, the IPS needs to be installed inline rather than out of band; out-of-band IPS doesn't work. In any case, I can tunnel whatever protocol I would like through whatever I would like, and the IPS would not be able to tell my stack to stop doing something, because, for example, in UDP and ICMP and other protocols, if my application doesn't care about your messages, so it doesn't care, so the communication is basically still flowing and nothing happens.

Last example, and basically I'll take questions and I'll let you go and have some party. Basically this is another product which is a combined broadcast listener and inline device combo. Basically the broadcast listener listens on the layer 2 subnet and the inline device acts like an IPS. The inline device can also be installed closer to the layer 2. The problem here is, if we look at the deployment stage, this requires a complete network re-architecture in order to be effective; the inline device must be deployed as close as possible to the access layer, and this means also that the inline device is a point of failure. If you want redundancy, this means 2x the number of appliances that we invest in. There is a limitation on the bandwidth this inline device can take; if you want more bandwidth you pay more, and if you need redundancy it costs you more, so that's a never-ending story. Also, if you want to do inline devices, it means that you have to have proper knowledge regarding your
infrastructure, to know where the switches are deployed and who they connect to and what they are doing, because you are going to unplug cables, so when you start to unplug cables and you don't know what you do, big problem. So in this particular scenario there are ways to bypass the layer 2 detection simply by unicastly speaking with the router and bypassing the broadcast listener, and also if you want to speak or talk to the local elements, you can do that as well. There is no form of device authorization with this solution; also, there is no form of user authentication. So basically you are admitted to the network: oh, you're there, OK, we'll do the checks; if you're not there we'll not do the checks. We'll continue using a switch, but if we're not able to detect you then please go through and drive safely. The inline device is being used as an IPS, but if we're not going to use regular traffic, and if we will try to access regular stuff, we all know that the IPS can basically try to defend against multiple things, but if we don't tune the IPS correctly for different things then it will not be able to actually detect them, or if we enable everything all together it will act like an old i386 server. So in that respect, if we don't know what we're looking for, that IPS is going to be useless as well. So basically if we go through and are not detected by the layer 2 broadcast listener, we pass through: no device authorization whatsoever, no form of user authentication, and at the end of the day we basically can look at this solution and bypass any aspect of it, just because it doesn't know how to translate the power of the IPS and the element detection that it performs. A lot of stuff.

OK, questions? Are there questions?
OK, first and foremost, if you ask me, I'll answer: you need to have a solution that first and foremost understands the contextual network information and maintains that in real time, because without any contextual network information you are not able to do anything whatsoever. You'll see the web... others, I mean, I got into this by researching the technology for a product and basically ended up looking at these solutions, and I was like, it can't be that people are buying this just because they heard the buzzwords, they heard the three letters, and you know, that's one of the things. But I can tell you that the clients and the prospects since last year's Black Hat know what they want; more and more people that are looking at the technology, and they would like to look at things they need and need not to do, are reading the stuff and understanding that at the end of the day they need to invest in something that will give them value today. Compliance I can achieve with patch management or with all the other solutions, you know, that we all know about, like, you know, Marimba, other companies that provide agents, other companies that do automatic patch management, automatic software releasing and so forth. We don't need network access control to do that, but we need network access control in making sure that the stuff on our network is ours. We need network access control to make sure that we do risk mitigation the right way, and we find the elements that do not belong there, and if we find elements that we do not control, we alert the user, we alert whoever manages that solution, and we let it fix the thing. The word control means that we will gain control back on our IT. We never had that, and now that we try to gain that control when we already built the network, it is hard. But without understanding what we have, we can't really do that. So the first building block in order to do this is to get acquainted with what you have, identify what you have, start to know your physical network topology. Your
topology is an urgent, major thing that you need to be aware of in order to do any type of security and any type of manageability. Identify the hosts that do not do patch management, identify the hosts that are unmanaged, identify the things that shouldn't be there in the first place. Then you can start to gain that control that you need. OK, I'll finish now so they can stop the recording. If you want to ask me any type of questions, please do afterwards. Thank you for having me here. Enjoy your night.
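The replay and cleartext-parameter weaknesses described in the assessment-communications part of the talk are transport problems in the agent-to-server check. As an added example, not code from the talk or from any NAC product, this is what a replay-resistant, integrity-protected assessment exchange looks like: the server hands out a one-time nonce, the client binds its posture report to that nonce with an HMAC under a per-device key, and the server rejects reused nonces, stale challenges and bodies altered in transit. Device IDs, keys and posture values are constructed. This protects the report on the wire only; as the speaker points out, the self-reported values (registry keys, patch levels) remain the client's word.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed shared secrets, one per enrolled device (in practice provisioned out of band).
DEVICE_KEYS: Dict[str, bytes] = {"ws-0042": b"constructed-demo-secret-for-ws-0042"}


def canonical(body: dict) -> bytes:
    """Deterministic encoding so client and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(key: bytes, device_id: str, nonce: str, posture: dict) -> dict:
    """Client side: bind the posture report to this device and this specific challenge."""
    body = {"device_id": device_id, "nonce": nonce, "posture": dict(posture)}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class AssessmentServer:
    """Server side: one-time challenges, a freshness window, and an integrity check."""

    def __init__(self, device_keys: Dict[str, bytes], max_age: float = 30.0):
        self.device_keys = device_keys
        self.max_age = max_age
        self.outstanding: Dict[str, Tuple[str, float]] = {}  # nonce -> (device_id, issued_at)

    def challenge(self, device_id: str, now: Optional[float] = None) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = (device_id, time.time() if now is None else now)
        return nonce

    def verify(self, report: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        body, tag = report["body"], report["mac"]
        # pop(): a nonce is consumed on first use, so a recorded report cannot be replayed.
        issued = self.outstanding.pop(body.get("nonce"), None)
        if issued is None:
            return False, "unknown or already-used nonce (replay?)"
        device_id, issued_at = issued
        if device_id != body.get("device_id"):
            return False, "nonce was issued to a different device"
        if now - issued_at > self.max_age:
            return False, "challenge expired"
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unenrolled device"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "integrity check failed (report altered in transit?)"
        return True, "accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Legitimate exchange, then a replay of the recorded report, then a tampered report."""
    srv = AssessmentServer(DEVICE_KEYS)
    key = DEVICE_KEYS["ws-0042"]
    posture = {"os": "Windows XP", "sp": 2, "av_running": True}  # constructed self-report

    nonce = srv.challenge("ws-0042")
    report = sign_report(key, "ws-0042", nonce, posture)
    results = {"first": srv.verify(report)}
    results["replay"] = srv.verify(report)  # the same recorded bytes sent again

    nonce2 = srv.challenge("ws-0042")
    report2 = sign_report(key, "ws-0042", nonce2, posture)
    report2["body"]["posture"]["sp"] = 3  # edited after signing, as on a cleartext link
    results["tampered"] = srv.verify(report2)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} {'PASS' if ok else 'REJECT'}: {why}")
```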
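The exceptions and printer discussion says these solutions have no context for a MAC-listed element (its OS, its logical location, whether it was previously observed), so whoever unplugs the printer and clones its MAC and IP inherits its access. As an added example, not code from the talk or from any product, this is the kind of contextual check that closes that gap: record what the element looked like when the exception was granted, and flag drift in vendor OUI, switch port, IP TTL or listening services, plus the hub case where a second MAC shows up behind the excepted port. All MACs, OUIs, switch names and ports are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """What a NAC with network context can see about an element without its cooperation."""
    mac: str
    switch: str                 # access switch the element was seen behind
    port: str                   # switch port
    ip_ttl: int                 # TTL on packets from the element (passive OS stack hint)
    open_ports: FrozenSet[int]  # listening services found by an agentless scan


# Constructed OUI list (first three bytes) for the printer vendors this site allows exceptions for.
PRINTER_OUIS = {"00:11:22"}


def oui(mac: str) -> str:
    return mac.lower()[:8]


def exception_drift(baseline: Observation, seen: Observation) -> List[str]:
    """Reasons why `seen` does not look like the element the MAC exception was created for."""
    reasons: List[str] = []
    if oui(seen.mac) not in PRINTER_OUIS:
        reasons.append("OUI is not a printer vendor")
    if (seen.switch, seen.port) != (baseline.switch, baseline.port):
        reasons.append(f"moved from {baseline.switch}/{baseline.port} to {seen.switch}/{seen.port}")
    if seen.ip_ttl != baseline.ip_ttl:
        reasons.append(f"IP TTL changed {baseline.ip_ttl} -> {seen.ip_ttl} (different OS stack?)")
    new_services = seen.open_ports - baseline.open_ports
    if new_services:
        reasons.append(f"new listening services: {sorted(new_services)}")
    return reasons


def audit_exceptions(baselines: Dict[str, Observation],
                     observations: List[Observation]) -> List[dict]:
    """Compare each fresh observation of an excepted MAC with its recorded baseline.

    Also flags an excepted MAC whose switch port now carries other MACs as well
    (a hub, or another device hanging off the same port)."""
    macs_per_port: Dict[Tuple[str, str], Set[str]] = {}
    for obs in observations:
        macs_per_port.setdefault((obs.switch, obs.port), set()).add(obs.mac)

    findings: List[dict] = []
    for obs in observations:
        base = baselines.get(obs.mac)
        if base is None:
            continue  # not an excepted element; it goes through normal assessment
        reasons = exception_drift(base, obs)
        others = macs_per_port[(obs.switch, obs.port)] - {obs.mac}
        if others:
            reasons.append(f"port shared with other MACs: {sorted(others)}")
        if reasons:
            findings.append({"mac": obs.mac, "switch": obs.switch, "port": obs.port,
                             "reasons": reasons})
    return findings


# Constructed sample data: the printer as recorded when the exception was granted ...
PRINTER_BASELINE = Observation("00:11:22:aa:bb:cc", "sw-floor2", "Gi1/0/7", 64,
                               frozenset({9100, 515, 80}))
# ... seen again unchanged, and later a workstation that took its cable and cloned its MAC.
SAMPLE_OBSERVATIONS = [
    Observation("00:11:22:aa:bb:cc", "sw-floor2", "Gi1/0/7", 64, frozenset({9100, 515, 80})),
    Observation("00:11:22:aa:bb:cc", "sw-floor2", "Gi1/0/7", 128, frozenset({135, 139, 445, 3389})),
]


def demo() -> List[dict]:
    return audit_exceptions({PRINTER_BASELINE.mac: PRINTER_BASELINE}, SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for finding in demo():
        print(finding["mac"], "on", finding["switch"], finding["port"])
        for reason in finding["reasons"]:
            print("  -", reason)
```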