Network Access Control and VoIP
Ben Hostetler, Senior Information Security Advisor
Objectives/Discussion Points
- Network Access Control: Terms & Definitions; Certificate Based 802.1X; MAC Authentication Bypass (MAB)
- Attack Vectors: Spoofing; Certificate Capture; Traffic Injection
- VoIP Considerations: Network Traffic; ACLs; Configuration Data Restrictions
- Securing Our Network: Layered Defense
- Conclusion
Security Program
Network Access Control: Terms & Definitions
- Supplicant: Device that is requesting access to network resources. The device must possess the information necessary to successfully identify itself as an authorized device.
- RADIUS/Authentication Server: Server that is used to authenticate the supplicant to the network. Certificates, passwords, and MAC addresses are some of the items that can be used to authenticate a host.
- Certificate Authority Server (CA): Network server used to generate signed certificates, which supplicants use to authenticate securely to the network and to negotiate the secure transmission of data.
- 802.1X: IEEE standard that defines how traffic, authentication, and connection data are communicated between the supplicant and the authenticating hosts. EAP is one of the common protocols used to support 802.1X configurations.
- Identity Services Engine (ISE): Cisco product that is used to profile supplicants based on the host's configuration data (e.g. operating system). Commonly used as an Authentication or RADIUS Server in 802.1X configurations that leverage Cisco products.
Network Access Control: Certificate Based 802.1X
Network Access Control: Certificate Based 802.1X
Positives
- Provides point-of-entry security for exposed network ports.
- Allows for integration and alerting using the organization's IDS or SIEM solutions.
- Prevents internal employees from connecting rogue devices without notification.
Negatives
- Requires planning and constant evaluation to implement successfully.
- Higher costs as compared to other methods of NAC.
- Failure to implement across the entire organization can create gaps in control effectiveness.
Network Access Control: MAC Authentication Bypass
Network Access Control: MAC Authentication Bypass
Positives
- Typically lower cost as compared to other 802.1X solutions.
Negatives
- Vulnerable to spoofing and other network attacks.
- Limits the scalability of the network due to increased manual network management.
NAC Attack Vectors
Attack Vectors - Spoofing
MAC Spoofing
- Discover a host's MAC address through passive network tapping or visual means (e.g. MAC displayed on the host).
- Change the attacking machine's MAC address and disconnect the victim host.
- Connect to the same port and wait until the 802.1X timeout forces a MAB authentication.
Attack Vectors - Certificate Capture
Captured Certificate
- Compromise an existing host through social engineering or direct access.
- Export or capture the installed 802.1X client certificate.
- If the NAC configuration allows, the attacker can now import the obtained certificate and authenticate to the network.
(Note: An appropriately configured CA would prevent this exploit from being successful.)
Attack Vectors - Traffic Injection
Traffic Injection
- Fenrir was presented at Black Hat Europe in 2017.
- Used as an injectable MitM tool that would allow redirection of 802.1X frames.
- Redirection is possible due to the lack of encryption of 802.1X frames.
- The attacker would spoof both the authentication server and the supplicant and direct traffic between them, with neither host being aware the exploit was working.
VoIP Considerations
VoIP Consideration: Network Traffic
- Traffic should be limited to only what is required for successful VoIP operation.
- VoIP systems should be logically segregated from other network hosts.
- Organizations should monitor what kinds of protocols and network devices are sending data across the VoIP network.
VoIP Consideration: ACLs
- Access control lists should prevent VoIP systems from transmitting data across other network VLANs.
- Appropriately utilized, ACLs will restrict an attacker's lateral movement in the event that the network is compromised through spoofing a VoIP system.
VoIP Consideration: Configuration Data Restrictions
- Attackers must obtain valid MAC addresses or other information to successfully spoof a VoIP device.
- Limiting exposure of this data will aid in limiting this attack vector.
Securing Our Network: Layered Defense
- Organizations should implement multiple layers of security controls for identified risks or attack vectors.
- Never assume that the implemented control will effectively mitigate the threat to appropriate levels.
Securing Our Network: Layered Defense
- Restricted Access to Identification Data: Modified VoIP systems to prevent display of MAC addresses and IPs, and removed the sticker identification.
- Isolated VoIP Network: Created ACLs that restrict lateral movement and placed VoIP systems on their own VLAN.
- Identified Devices Connecting through MAB: Integrated ISE logs with the SIEM solution to provide alerts when anomalous activities occur.
Securing Our Network: Layered Defense
Examples of SIEM Alerts
- When VoIP systems are outside of the VoIP VLAN
- VoIP systems are using unnecessary protocols
- VoIP systems are repeatedly going offline
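The three alert types above, together with the profiling and spoofing behaviour described earlier in the deck (a MAB-admitted MAC that ISE later profiles as a different device type, and the disconnect-and-reconnect pattern of the MAC spoofing steps), can be expressed as simple detection rules over authentication and flow logs. The following Python is an added example and is not code from the presentation or from Cisco ISE; the log lines are constructed in a simplified key=value form rather than the real ISE or syslog format, and the VoIP VLAN, profile name, subnet and allowed port set are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (simplified key=value form, not the real ISE/syslog format).
AUTH_LOG = [
    "2024-05-01T08:00:01 event=auth_pass method=mab mac=00:1b:54:aa:bb:01 port=Gi1/0/5 vlan=120 profile=Cisco-IP-Phone",
    "2024-05-01T08:00:09 event=auth_pass method=dot1x mac=3c:52:82:10:20:30 port=Gi1/0/6 vlan=10 profile=Windows10-Workstation",
    "2024-05-01T08:05:00 event=link_down mac=00:1b:54:aa:bb:01 port=Gi1/0/5",
    "2024-05-01T08:05:30 event=auth_pass method=mab mac=00:1b:54:aa:bb:01 port=Gi1/0/5 vlan=120 profile=Windows10-Workstation",
    "2024-05-01T08:06:00 event=link_down mac=00:1b:54:aa:bb:01 port=Gi1/0/5",
    "2024-05-01T08:06:40 event=link_down mac=00:1b:54:aa:bb:01 port=Gi1/0/5",
    "2024-05-01T08:07:10 event=auth_pass method=mab mac=00:1b:54:aa:bb:02 port=Gi1/0/9 vlan=10 profile=Cisco-IP-Phone",
]
FLOW_LOG = [
    "2024-05-01T08:10:00 src=10.20.0.15 dst=10.20.0.2 proto=udp dport=5060",
    "2024-05-01T08:10:02 src=10.20.0.15 dst=10.20.0.30 proto=udp dport=20000",
    "2024-05-01T08:10:05 src=10.20.0.15 dst=10.1.0.10 proto=tcp dport=445",
    "2024-05-01T08:10:07 src=10.20.0.15 dst=10.1.0.10 proto=tcp dport=3389",
]

# Assumed environment values for the example.
VOIP_VLAN = "120"
VOIP_PROFILE = "Cisco-IP-Phone"
VOIP_SUBNET = "10.20."
ALLOWED_VOIP_PORTS = {("udp", 5060), ("tcp", 5061), ("udp", 69), ("udp", 123), ("udp", 53)}
RTP_RANGE = range(16384, 32768)  # media ports assumed allowed in addition to the set above


def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for item in pairs:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def voip_outside_vlan(records):
    """Alert 1: a device profiled as a phone authenticated on a non-VoIP VLAN."""
    return [r["mac"] for r in records
            if r.get("event") == "auth_pass"
            and r.get("profile") == VOIP_PROFILE
            and r.get("vlan") != VOIP_VLAN]


def profile_changes(records):
    """Spoofing indicator: a MAC whose ISE profile differs from the first profile seen for it."""
    baseline, alerts = {}, []
    for r in records:
        if r.get("event") != "auth_pass":
            continue
        mac, profile = r["mac"], r.get("profile")
        if mac in baseline and baseline[mac] != profile:
            alerts.append((mac, baseline[mac], profile))
        baseline.setdefault(mac, profile)
    return alerts


def repeated_offline(records, threshold=3, window=timedelta(minutes=5)):
    """Alert 3: ports with at least `threshold` link_down events inside a sliding window."""
    downs = defaultdict(list)
    for r in records:
        if r.get("event") == "link_down":
            downs[r["port"]].append(r["ts"])
    flagged = []
    for port, times in downs.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.append(port)
                break
    return flagged


def unnecessary_protocols(flows):
    """Alert 2: flows from the VoIP subnet to destination ports the phones do not need."""
    alerts = []
    for f in flows:
        if not f["src"].startswith(VOIP_SUBNET):
            continue
        proto, dport = f["proto"], int(f["dport"])
        if (proto, dport) in ALLOWED_VOIP_PORTS or (proto == "udp" and dport in RTP_RANGE):
            continue
        alerts.append((f["src"], f["dst"], proto, dport))
    return alerts


def run_all():
    """Run every rule over the constructed logs and return the alerts by rule name."""
    auth = [parse(line) for line in AUTH_LOG]
    flows = [parse(line) for line in FLOW_LOG]
    return {
        "voip_outside_vlan": voip_outside_vlan(auth),
        "profile_changes": profile_changes(auth),
        "repeated_offline": repeated_offline(auth),
        "unnecessary_protocols": unnecessary_protocols(flows),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, hits)
```

The profile-change rule relies on the ISE profiling described in the definitions: a spoofed phone MAC on a workstation is still fingerprinted as a workstation, so the mismatch against the first-seen profile is the signal, independent of which port it arrived on. The thresholds and allowed ports are tuning values for a real deployment.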
Conclusion
- Organizations need to take a comprehensive and consistent look at their NAC. These controls are often the first line of defense against internal malicious users and the introduction of rogue devices.
- Evaluations of attack vectors should be included as part of the risk management process.
- VoIP systems, similarly to printers, are often overlooked aspects of securing infrastructure.
- Organizations should refrain from relying on single-point controls within the environment.