802.1X Evasion Techniques for IPv4 and IPv6 Networks

Started by deanwebb, July 22, 2017, 07:19:36 PM


deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

thanks, interesting read.

So basically you can passively MITM snoop, but any active traffic needs a SNAT / MAC SNAT, and you need to be physically in-line?

deanwebb

Correct. I knew about the IPv4 devices; interesting to see that a bit of modification can get us to IPv6 compromises as well.

This kind of penetration would not go with some guy trying to spread ransomware or other bogeymen like that. This sort of penetration would go with an organized outfit, looking to harvest data like trade secrets or stuff like that. The researchers asked the question if 4G could be used to talk to the inline box and the answer is yes. That would enable data exfiltration as well as the injection of malware to attempt to compromise other points on the network.

This is where NAC endpoint interrogation becomes important. Also application whitelisting.

The researcher talks about some difficult-to-implement countermeasures. One that I'm aware of - because I use the product - is ForeScout CounterACT's ability to use a SPAN port both for monitoring and injection. If it picks up scanning activity from an unauthorized host, it can block that traffic through several different responses, like an ACL on the port or MAC address, VLAN switching, virtual firewall, or flat-out port block.

If the hacker is scanning from a device that is authorized to do port scans, well, you're hosed. Better have some more defenses in that case...
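As an added illustration of the SPAN-port response deanwebb describes (this is example code, not ForeScout's or anyone else's product logic): a small detector that reads connection-attempt records as a passive collector might summarise them, flags a source that touches many distinct targets within a short window, checks the source against a list of hosts that are allowed to scan, and picks a response. The flow records, the authorized-scanner list, the field layout and the escalation thresholds are all constructed assumptions for this example.

```python
"""Added example: scan detection and NAC-style response selection over
SPAN-port flow summaries. Everything here is constructed for illustration;
the record layout and thresholds are not any vendor's schema or defaults."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed record layout: (ts_seconds, src_mac, src_ip, dst_ip, dst_port)
Flow = Tuple[int, str, str, str, int]

# Constructed: the one host that is allowed to port-scan (e.g. a vuln scanner).
AUTHORIZED_SCANNERS: Set[str] = {"aa:bb:cc:00:00:99"}

SCAN_WINDOW_S = 60            # sliding window length (assumed)
DISTINCT_TARGET_THRESHOLD = 10  # distinct (dst_ip, dst_port) pairs per window (assumed)


def build_sample_flows() -> List[Flow]:
    """Constructed sample traffic: one normal workstation, one unauthorized
    host sweeping 20 ports, and the authorized scanner doing the same sweep."""
    flows: List[Flow] = []
    for ts, port in ((0, 445), (20, 80), (40, 443)):          # normal use
        flows.append((ts, "aa:bb:cc:00:00:01", "10.1.1.10", "10.1.2.5", port))
    for i in range(20):                                          # unauthorized sweep
        flows.append((i // 2, "aa:bb:cc:00:00:42", "10.1.1.42", "10.1.2.5", 1 + i))
    for i in range(20):                                          # authorized scanner
        flows.append((100 + i // 2, "aa:bb:cc:00:00:99", "10.1.1.99", "10.1.2.6", 1 + i))
    return flows


def detect_scans(flows: List[Flow], window_s: int = SCAN_WINDOW_S,
                 threshold: int = DISTINCT_TARGET_THRESHOLD) -> Dict[str, int]:
    """Return {src_mac: peak distinct targets} for every source MAC that hit
    more than `threshold` distinct (dst_ip, dst_port) pairs inside any
    window_s-second interval. Uses a per-source sliding window."""
    by_src: Dict[str, List[Tuple[int, Tuple[str, int]]]] = defaultdict(list)
    for ts, mac, _src_ip, dst_ip, port in sorted(flows):
        by_src[mac].append((ts, (dst_ip, port)))

    found: Dict[str, int] = {}
    for mac, events in by_src.items():
        lo = 0
        in_window: Dict[Tuple[str, int], int] = defaultdict(int)
        for ts, target in events:
            in_window[target] += 1
            # drop events that fell out of the window
            while events[lo][0] < ts - window_s:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) > threshold:
                found[mac] = max(found.get(mac, 0), len(in_window))
    return found


def choose_response(mac: str, target_count: int,
                    authorized: Set[str] = AUTHORIZED_SCANNERS) -> Dict[str, str]:
    """Map a detected scan to a response. An authorized scanner only gets an
    alert (as the post notes, policy cannot block what it has permitted);
    anything else escalates with the size of the sweep. Thresholds are assumed."""
    if mac in authorized:
        return {"mac": mac, "action": "alert_only", "reason": "authorized scanner"}
    if target_count >= 50:
        action = "port_block"
    elif target_count >= 20:
        action = "vlan_quarantine"
    else:
        action = "acl_block_mac"
    return {"mac": mac, "action": action,
            "reason": f"{target_count} distinct targets in {SCAN_WINDOW_S}s"}


def respond_to_scans(flows: List[Flow]) -> Dict[str, Dict[str, str]]:
    """Run detection and return the chosen response per scanning MAC."""
    return {mac: choose_response(mac, n) for mac, n in detect_scans(flows).items()}


if __name__ == "__main__":
    for mac, resp in respond_to_scans(build_sample_flows()).items():
        print(mac, resp["action"], "-", resp["reason"])
```

The authorization check is keyed on MAC here only because that is what a SPAN collector sees; in a real deployment the "authorized scanner" decision should come from the NAC's endpoint posture data rather than a static list, since a MAC is trivially claimable by anything sitting in-line.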

Dieselboy

I have a meeting at Cisco's office tomorrow to learn and gather info about their new product "DNA". I *think* .1X is one component of this.

wintermute000

If it's software-defined access then yeah. ISE for everything. There's your contracts a la ACI. Except LISP, not the internal database, for location.

deanwebb

Quote from: Dieselboy on July 24, 2017, 02:56:21 AM
I have a meeting at Cisco's office tomorrow to learn and gather info about their new product "DNA". I *think* .1X is one component of this.

It's a critical component, from the Cisco point of view. That's what ISE rides on for endpoint detection and admission security. ISE is itself the means by which enforcement of policies is handled on the endpoint level.

Cisco's strategy is to get wall-to-wall Cisco, but in the security sphere, I've questioned that strategy. Granted, I'm partial to ForeScout CounterACT over Cisco ISE, but that's a partiality that's borne out in the test of time. Everything that Cisco talks about in the security sphere can be replicated with other vendors' gear. The question then comes up about what is it the other vendors provide that keeps them in business, even when they go head to head with Cisco in all-Cisco shops? For some it's price or that they've scaled to target a particular market, for others, it's quality. Cisco's response to both is to get very aggressive on price and get the product in the door as a loss leader, knowing it will generate further business in the implementation and maturation process.

When I say "generate more business", it's not a mustache-twirling muhuhahaha sort of thing, but requisite modernization of the switching enterprise to support the latest code from Cisco. More like accelerating the EoL replacement cycle.

icecream-guy

Quote from: deanwebb on July 24, 2017, 10:31:35 AM
Quote from: Dieselboy on July 24, 2017, 02:56:21 AM
I have a meeting at Cisco's office tomorrow to learn and gather info about their new product "DNA". I *think* .1X is one component of this.

It's a critical component, from the Cisco point of view. That's what ISE rides on for endpoint detection and admission security. ISE is itself the means by which enforcement of policies is handled on the endpoint level.

Cisco's strategy is to get wall-to-wall Cisco, but in the security sphere, I've questioned that strategy. Granted, I'm partial to ForeScout CounterACT over Cisco ISE, but that's a partiality that's borne out in the test of time. Everything that Cisco talks about in the security sphere can be replicated with other vendors' gear. The question then comes up about what is it the other vendors provide that keeps them in business, even when they go head to head with Cisco in all-Cisco shops? For some it's price or that they've scaled to target a particular market, for others, it's quality. Cisco's response to both is to get very aggressive on price and get the product in the door as a loss leader, knowing it will generate further business in the implementation and maturation process.

When I say "generate more business", it's not a mustache-twirling muhuhahaha sort of thing, but requisite modernization of the switching enterprise to support the latest code from Cisco. More like accelerating the EoL replacement cycle.

It's all a question of security. Take the OpenSSL vulnerabilities of last/this year: put all your eggs in one basket and yer asking for trouble. Back at the secure place I last worked, multi-vendor was very important, so that if one vendor has a known vulnerability, one of the others may not. Hopefully you've built enough layers around your critical infrastructure that if 2 or 3 vendors have the same or similar vulnerability, it doesn't leave you vulnerable.

My Moral Fibers have been cut.