The Department of Defense added a requirement that all network ports, or on-ramps need to be protected. Applications, server, and data are normally protected; however, most network ports are left open. You get on to a network by plugging into a port and a network address is allocated for the connection. Computers without proper are free to launch attacks from the network. Network port protection lock down restricts anonymous access and prevents these “attacks”.
When network protection is turned on, a machine plugs into the network; no network access is given until the machine is authenticated to the network.
A few years ago, NAC solutions tried to accomplish goals for locking down networks. Most of my customers hated NAC. It added a layer of complexity that made the network behave unnatural and harder to support. It used a variety of ports, protocols, and physical boxes to implement. In short, it was complicated. NAC supported networks broke down often, causing nightmares for those legitimate users trying to get access and the people supporting those networks.
What are people doing to support port lockdown today at the Department of Defense and other large enterprise organizations? Surprisingly, the solution has been around for a long time to help secure wireless networks. It is called 802.1x. Historically, 802.1x has worked great on wireless networks and has always been a little troublesome on the wired ports. But things have changed with enterprise policy servers (Cisco Identity Services) that make the connection more easily configurable on modern day operating systems such as Mac OS X Mountain Lion and Windows 8.
How does 802.1x work? According to Wikipedia, IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is part of the IEEE 802.1 group of networking protocols.
802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the clients’ device that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point. And the authentication server is typically a host running software supporting the RADIUS and EAP protocols.
The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. A similar comparison to this would be providing a valid visa at the airport’s arrival immigration booth before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.
DISA (Defense Information Systems Agency) and the DOD (Department of Defense) have mandated that all government network on-ramp ports will be configured and protected by 802.1x technologies through a STIG.
A Security Technical Implementation Guide or STIG is a methodology for standardized secure installation and maintenance of computer software and hardware. This term was coined by DISA, which creates configuration documents in support of the United States Department of Defense (DOD). The implementation guidelines include recommended administrative processes and span of the devices’ lifecycle.
An example where STIGs would be of benefit is in the configuration of a desktop computer. Most operating systems are not inherently secure leaving them open to criminals such as identity thieves and computer hackers. A STIG describes how to minimize network-based attacks and prevent system access when the attacker is present at the device. STIG also describes maintenance processes (such as software updates and vulnerability patching).
Defense agencies do not have a choice. They must comply with STIG or go through lengthy time-consuming process of getting exceptions. Some customers will buy older hardware, that is more expensive and out dated simply because it complies with STIG or some other regulation. Vendors have to submit their products to the government to get STIG approved. This process has high costs associated for the vendor. The process also takes a long time to complete, sometimes over a year. By the time a product is certified, in many cases it is outdated.
Most organizations will get audited on how they comply with STIG. Therefore, organizations try and read the STIG and comply with it the best they can. The biggest problem is sometimes; the STIG can be open to interpretation. Although, a STIG is revised often, it can become outdated since updates cannot keep with the revisions of the technology. This leaves organizations in an interesting situation. Should they go with the best solution, following the intent of the STIG or go with the exact prescription of STIG and stick as close to the language and products as possible.
Most auditors I spoke to prefer the latter. They believe no matter how good an organization’s intentions are, they simply do not have the resources to test new solution products. They rather prefer solution products that are already tested and certified.
An advanced STIG (version 8, release 10) states, “The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP” under Group ID V-7542.
Additionally, Group ID: 5626 states, “the switch must be configured to use 802.1 x authentications on host facing access switch ports”. Lastly, Group ID: 5624 states, “the IAO/NSO will ensure if 802.1x Port Authentication is implemented, re-authentication must occur every 60 minutes.”
It is recommended that defense agencies and organizations will have to implement 802.1x technologies. They can buy products such as Cisco’s Identity Services Engine (Cisco ISE) to accomplish this task. However, the organization must still engineer and design the implementation of the solution. The biggest hurdle facing most establishments is what EAP type should be implemented when deploying 802.1x. The STIG states, “the IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.”
Arguably, EAP-TLS is the most secure protocol because both the client and the server validate each other before access granted. The biggest hurdle is that it requires a certificate authority server (CA) that both the authenticator server and the client trust. In many cases, DOD CA root servers are controlled from a central authority. Individual agencies do not manage certificate servers and must work with other groups to attain valid certificates. This can be a painful and time-consuming task.
In addition, EAP-TLS requires client machines to have certificates installed. In many cases this means some sort of configuration on every client machine that connects to the network. Although, there are tools that help automate this process, they are not easy. The task is even more daunting when you consider endpoints may be scattered throughout the world.
EAP-FAST is another option. It has most of the benefits of EAP-TLS without the requirement of having certificates. The concern with EAP-FAST is that it is a Cisco proprietary protocol. Many people prefer open standard protocols, yet, the STIGs do not prohibit EAP-FAST or a proprietary protocol; they just prohibit insecure protocols. EAP-FAST requires the Cisco AnyConnect software on each client machine and distributing software is much easier than distributing and configuring certificates. Cisco’s AnyConnect is available on Windows, Mac OS X, Apple, iOS, and Google Android platforms.
The most popular EAP implementation I ran into is EAP-PEAP. PEAP unlike EAP-TLS, requires only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server.
PEAP then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server’s public key. The exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from being stolen.
PEAP appears to be a secure protocol and is stated as an acceptable protocol in the STIG. However, it may not be as secure as we think.The STIG clearly reads, “The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.”
STIG protocols are just examples, the guideline calls for secure EAP, PEAP is not considered secure anymore. As of August 2012, MSCHAPv2 has been broken and rendered vulnerable.
Security and privacy researcher Moxie Marlinspike released the tool ChapCrack after his demonstration at the 2012 Defcon Conference that renders MS-CHAP v2 to a computational intensive mathematical key that can be easily broken. It should also be noted that MS-CHAP v2 is widely used in enterprise wireless networks that use WPA2.
So how should organizations following DISAs STIG implement 802.1x and be in compliance? There are options. EAP-FAST seems to be an extremely attractive option. An organization can mitigate the risks of MS-CHAPv2 while gaining the advanced EAP-FAST extensions such as EAP Chaining (currently only available on Windows platforms). It does require the Cisco AnyConnect agent. I feel the agent is much more stable and provides a consistent and better user experience than the native OS client.
I am also a fan of EAP-TLS. It is a proven method that works. However, DOD organizations will need to plan ahead, obtain certificates, and design a proper implementation strategy.
I have had a lot of success implementing 802.1x technologies. We often want to rush things; choose lowest quoting contractors with the fastest timelines. To implement 802.1x right, it takes time and experience. A little bit of hassle upfront for planning and implementation will result in a more secure network.