Posted by Dobromir Todorov on January 8, 2008, 7:45 am
Taco,
Cisco NAC and Microsoft NAP may be either 802.1x "on steroids" (EAP packets
with health information in them), or may be more complicated with layer 3
NAC, where TCP/UDP traffic may be used to connect to a policy server (rather
than layer 2 EAP over Ethernet frames, which is the case with 802.1x).
At the same time, Cisco NAC and Microsoft NAP (despite the popular
misconception of them providing ultimate security) suffer from the same
problems. If you give users administrative access, they may potentially
circumvent the NAC or NAP restrictions. NAC and NAP only work if you can
guarantee the integrity of client side components. Let's say you've got a
policy that requires all users to have a personal firewall enabled. If a
user with admin rights replaces the client side NAC/NAP component (Health
Agent) that checks whether the firewall is enabled, and always returns True
(as in - firewall is enabled), then this admin user has already found a way
around NAC/NAP.
Trusted Platform Modules (TPM) in combination with a third party FDE or
BitLocker may be able to guarantee the integrity of some parts of the
operating system but not NAC/NAP components, at least not straight out of
the box. Then again, certificates stored in TPMs or SmartCards are even
better but you may end up having to boot up every PC manually every day, or
every time it is rebooted.
Bottom line is: physical access can still prevail, unless you are willing to
sacrifice convenience of use.
--
HTH,
Dobromir
Visit http://www.iamechanics.com
> Thanks for the generous replies.
>
> So from what I understand, the main problem that will arise if users
> have physical access to the PCs is that they can transport the
> certificates to another PC/OS, given such users have considerable IT
> awareness. I feel encryption is very necessary here, and yes, we need
> to have this kind of security unfortunately.
>
> Any idea whether NAC solutions from Cisco, Symantec etc. provide
> different approaches or configuring 802.1x is a must in all solutions
> available?
>
> Regards
>
> "Dobromir Todorov" wrote:
>
>> Taco,
>>
>> What's the business case behind this requirement? Although what you
>> require may be technically doable, it makes sense to analyse how this
>> benefits business.
>>
>> If you want to use IAS, I see the following somewhat reasonable option:
>> Configure 802.1x on Cisco switches and then set IAS to use EAP-TLS for
>> client authentication, and require client certificates (as in - Computer
>> certificates - see the Smart Card or Other Certificate option). Make sure
>> that users haven't got admin access to computer certificate stores (this
>> may be tricky - see note below) and can't export client certificates and
>> associated private keys. Configure automatic provisioning for computer
>> certificates.
>>
>> Another option that doesn't require certificates would be to request PEAP
>> authentication for computer accounts. Configure all the domain members to
>> only use PEAP and use ONLY computer credentials to authenticate. In AD,
>> add all the computer accounts (and only computer accounts) to a global or
>> universal group (say - Domain Computers). In IAS, allow PEAP as the only
>> authentication method, and only allow this for the Domain Computer
>> accounts. Now users can't authenticate to the network using their user
>> accounts and passwords, as they are not allowed to authenticate on IAS.
>> Obtaining the computer account password is only possible if they have
>> local admin rights (please see my note below on obtaining admin access),
>> or by offline attacks (if they manage to steal a backup of the computer
>> SAM database).
>>
>> Now, the issue is that you CAN'T take away admin access from users unless
>> they really have no physical access to computers. If they have physical
>> access, they can always boot from a CD into another OS, or boot from the
>> network, or disconnect the hard disk from the local computer and acquire
>> admin access to the operating system, then potentially export the
>> computer certificate from the local computer store, then potentially
>> circumvent the above IAS/802.1x controls. Alternatively, you may consider
>> storing computer certificates on SmartCards, or in TPMs but this may
>> require an admin to start the computer every time it is used, which is
>> definitely cumbersome. Full Disk Encryption software may also be an
>> option here, and help you protect the integrity of the operating system
>> and associated data.
>>
>> --
>> HTH,
>> Dob
>>
>> Visit http://www.iamechanics.com
>>
>>
>> "taco" wrote:
>>
>> > I have been searching for a solution using MS IAS and cisco switches to
>> > allow only PCs that are JOINED to the domain to get access to the
>> > network (using 802.1x and MD5 password authentication).
>> >
>> > Using Mac security was ok but if a user formats his PC he will gain
>> > access to the network without being joined to the domain, since
>> > entering only credentials (while leaving the domain field blank) opens
>> > the connection.
>> >
>> > I want some advice on the proper approach required to solve this
>> > problem.
>> >
>> > Thanks in advance