Title: Hacking
Description: Complete notes on Bypassing NAC (Ethical Hacking)


Bypassing Network Access Control Systems

Ofir Arkin
Chief Technology Officer
Insightix Ltd

Bypassing NAC Systems

Contents
...
Unmanaged Elements
Exception Rules
Endpoint Security Assessment
Quarantine Type
Inside the Quarantine
Access Restrictions while in Quarantine and Remediation
Blinding Post-Admission Protection
No Bonding with Authorization
Examples of Bypassing NAC Solutions
DHCP Proxy-Based NAC Solutions
Authenticated DHCP
Broadcast Listeners
Cisco NAC Framework
Inline NAC Devices
Out-of-Band Devices
Conclusion
Resources

Copyright © Insightix Ltd
...



Abstract
The threat of viruses, worms, information theft and lack of control of the IT infrastructure has led companies to implement security solutions to control access to their internal IT networks
...
All are tasked with one goal – controlling access to a network using various methods and solutions
...
The flaws associated with the different network access control (NAC) solutions are also presented
...


About Insightix
Insightix is the developer of the only complete, real-time and agentless IT infrastructure discovery and
network access control solutions
...
By providing comprehensive network visibility and access control, Insightix customers reduce
the time, cost and complexity associated with IT management
...
The company's advisory members include industry leaders from IBM, Computer
Associates, Citrix, Check Point, RSA, Comverse, ECI Telecom and AudioCodes
...
0 Introduction to Network Access Control
An enterprise IT network is a complex and a dynamic environment that is generally described as a black
hole by its IT managers
...

This lack of knowledge regarding the enterprise network layout (topology), resources (availability and usage), elements residing on the network (devices, applications, their properties and the interdependencies among them) and users accessing the network and their resources (whether locally or remotely) leads to a situation in which the stability, integrity and regular operation of the IT network are in jeopardy
...

This set of technologies is termed by many as Network Access Control (NAC) - a set of technologies and
defined processes aimed at controlling access to the network
...
1 NAC Capabilities
Although NAC is a valid technology that should play a key role in internal network security, a common set of criteria for NAC does not yet exist
...


Figure 1: NAC Solution Components


The most essential capabilities of any NAC solution must include the ability to detect a new element connecting to the network¹ and the ability to verify whether or not it complies with a defined security policy of the organization
...

The following is a list of functions that may or may not be included with a vendor’s NAC offering:

• Element Detection – detecting new elements as they are introduced to the network
...

• Endpoint Security Assessment – assessing whether a newly introduced network element complies with the security policy of the organization
...
In most cases, it involves the installation of client software on the end system
...
When quarantined, the element may be able to access a defined set of remediation servers, allowing the user to fix the non-compliant issues and be reintroduced, now successfully, to the network
...

• Authorization – verifying access by users to network resources according to an authorization scheme defined in an existing authorization system, such as Active Directory, RADIUS servers, etc
...
If detected, the action taken by a NAC solution may vary from isolating the offending system to dropping the session
...


Each function may be implemented using different technological approaches, which may vary from one
vendor to another
...
2 An Example of the Operation of a NAC Solution
When a new element is introduced to the network, a NAC solution must identify its presence
...
Among the element detection techniques used, the following can be named:

• Broadcast Listener – a NAC solution listens to broadcast network traffic, such as ARP requests, DHCP requests, etc
...

• Listening to (sniffing) IP traffic – IP packets passing through a certain monitoring location disclose that a certain element is connected to the network
...

• SNMP Traps – some switches can be configured to send an SNMP trap when a new MAC address is registered with a certain switch port
...

¹ Although it may imply that a NAC solution must be aware of any element connected to the network, many NAC solutions do not maintain a complete, accurate and real-time inventory of all the elements connected to the network
...


Most of the NAC solutions available today use a single element detection technique, while a small number of NAC solutions use multiple element detection techniques
...
If a NAC solution fails to detect an element connected to the network, the NAC solution can then be bypassed
...
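The point that a single detection technique can be bypassed is easiest to see when sightings from several sources are laid side by side. The Python below is an added example, not code from the paper or from Insightix: it reconciles a constructed DHCP lease file, constructed passive ARP/IP sightings from a sniffer and constructed switch MAC-notification traps (all three record formats are assumed) and reports the hosts that only some of the sources saw, which is exactly the kind of host a NAC relying on one technique never learns about.

```python
"""Reconcile element sightings from three independent NAC detection sources.

Added example, not the paper's code. All three input formats and all
addresses are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: a DHCP lease file (assumed dhcpd-like format).
DHCP_LEASES = """\
lease 10.0.1.20 { hardware ethernet 00:11:22:33:44:55; }
lease 10.0.1.21 { hardware ethernet 00:11:22:33:44:66; }
"""

# Constructed sample data: IP/MAC pairs a sniffer saw in ARP or IP traffic.
ARP_SIGHTINGS = """\
10.0.1.20 00:11:22:33:44:55
10.0.1.21 00:11:22:33:44:66
10.0.1.200 00:11:22:33:44:77
"""

# Constructed sample data: switch SNMP traps (MAC learned on a port).
SNMP_TRAPS = """\
mac-notification 00:11:22:33:44:55 sw1 Gi1/0/5
mac-notification 00:11:22:33:44:66 sw1 Gi1/0/6
mac-notification 00:11:22:33:44:77 sw2 Gi1/0/9
mac-notification 00:11:22:33:44:88 sw2 Gi1/0/10
"""


@dataclass
class Element:
    mac: str
    ip: Optional[str] = None
    switch_port: Optional[str] = None
    sources: Set[str] = field(default_factory=set)


def parse_dhcp(text: str) -> Dict[str, str]:
    """MAC -> leased IP."""
    pattern = re.compile(r"lease (\S+) \{ hardware ethernet ([0-9a-f:]+);")
    return {m.group(2): m.group(1) for m in pattern.finditer(text)}


def parse_arp(text: str) -> Dict[str, str]:
    """MAC -> IP observed on the wire."""
    out = {}
    for line in text.splitlines():
        ip, mac = line.split()
        out[mac] = ip
    return out


def parse_traps(text: str) -> Dict[str, str]:
    """MAC -> 'switch:port' where the MAC was learned."""
    out = {}
    for line in text.splitlines():
        _, mac, switch, port = line.split()
        out[mac] = f"{switch}:{port}"
    return out


def reconcile(dhcp: Dict[str, str], arp: Dict[str, str],
              traps: Dict[str, str]) -> Dict[str, Element]:
    """Merge the three views into one inventory keyed by MAC."""
    elements: Dict[str, Element] = {}

    def get(mac: str) -> Element:
        return elements.setdefault(mac, Element(mac=mac))

    for mac, ip in dhcp.items():
        e = get(mac)
        e.ip = ip
        e.sources.add("dhcp")
    for mac, ip in arp.items():
        e = get(mac)
        e.ip = e.ip or ip
        e.sources.add("sniffer")
    for mac, port in traps.items():
        e = get(mac)
        e.switch_port = port
        e.sources.add("snmp")
    return elements


def findings(elements: Dict[str, Element]) -> List[Tuple[str, str]]:
    """Hosts that any single detection technique would have missed."""
    out = []
    for e in elements.values():
        if "sniffer" in e.sources and "dhcp" not in e.sources:
            # Sends traffic but never asked DHCP for an address: a static IP
            # slips straight past a DHCP-proxy NAC.
            out.append((e.mac, f"traffic from {e.ip} without a DHCP lease"))
        elif e.sources == {"snmp"}:
            # The switch learned the MAC, but no broadcast or IP traffic was
            # seen at the sniffer: invisible to a broadcast listener.
            out.append((e.mac, f"MAC learned on {e.switch_port} but no traffic seen"))
    return out


if __name__ == "__main__":
    inventory = reconcile(parse_dhcp(DHCP_LEASES), parse_arp(ARP_SIGHTINGS),
                          parse_traps(SNMP_TRAPS))
    for mac, why in findings(inventory):
        print(mac, why)
```

Run stand-alone, the script reports the static-IP host (seen by the sniffer and the switch but with no lease) and the silent host (known only to the switch); the two hosts with a lease, traffic and a switch port produce no finding.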
In order to do this, a NAC solution may use a set of checks that may include the ability to gather knowledge regarding an element’s operating system, the list of installed patches, the presence of anti-virus software and its virus signature date, etc
...
Such client-based software is usually available only for Microsoft Windows operating systems (Microsoft Windows 2000 and later versions)
...
A network element without NAC-based client software is known as an unmanaged element
...

The result of the checks performed by the endpoint security assessment process determines whether the element in question should be allowed to access the network or should be isolated from the network until the appropriate software is installed or the appropriate fixes are applied
...
In most cases, all quarantined elements share the same isolated network
...



The only resource a quarantined element may access is a specified list of remediation servers
...

When the installation of the appropriate software is successfully performed, the element’s compliance
with the organization’s security policy should be re-evaluated
...


Figure 2: An Example for the operation of a NAC solution


2
...
These attack vectors can be
divided into several categories based on the way each can compromise the operation of a NAC solution:


• Architecture – the architecture of a NAC solution usually consists of various elements, each responsible for one or more NAC functions
...

• Technology – a NAC solution uses various technologies in order to provide NAC functionality
...

• Components – a NAC solution consists of various components, such as servers, client-side software, etc
...


3
...


3
...
1
...

Usually, a NAC solution listens to network traffic (sniffing), trying to detect a new element operating on the network by analyzing the network traffic generated by the element
...
This is due to the fact that Layer 2 traffic, and/or network traffic other than the designated protocol used for the element detection process, can be used where the NAC solution is not able to detect the presence of the element on the network
...




• Element detection using a broadcast listener can be bypassed when an element is not generating broadcast network traffic
...


When an element is introduced to the network without being detected, it may be able to:


• Infect other elements on the network with a virus, a worm or malware
...


3
...
2 Lack of Knowledge Regarding the Network Terrain
Currently available NAC solutions do not include network discovery capabilities, yet they rely solely on their element detection capabilities in order to learn about the elements operating on the network
...

NAC solutions, whose aim is to control the access of elements to an enterprise network, do not have complete and accurate knowledge regarding the elements they need to operate against
...
This may allow elements to access the network through venues which exist but are unknown to the NAC solution
...
1
...
In this situation, the rogue element is given the same access rights as
an allowed element
...


3
...
Unmanaged Elements
After a NAC solution has learned about the existence of a new element, it may need to determine if the
element complies with the security policy of the organization
...


² The location of the monitoring point determines the type of network traffic that is observed
...
Such client-based software is usually available only for Microsoft Windows operating systems (Microsoft Windows 2000 and later versions)
...
The task of installing client-based software becomes a non-trivial issue where some of the elements the client-based software needs to be installed on are unknown to the organization
...
In many cases, virtualized Microsoft Windows-based elements used for development, QA and related purposes are not part of the organizational Windows domain
...
An exception rule identifies a certain element according to a unique characteristic, such as its MAC address, and allows the element to operate on the network without passing through any endpoint security assessment
...

Another concern is linked to the technology used by NAC solutions to perform element detection, which suffers from numerous flaws, preventing it from completely identifying the elements operating on the network and leaving unaccounted elements to operate freely without ever being detected
...
3 Exception Rules
An exception rule identifies a certain element according to a unique characteristic, such as its MAC address, and allows the element to operate on the network without passing through any endpoint security assessment
...
For example, a printer can be disconnected from the network, while a rogue element assumes its MAC address and is given its network access rights
...



3
...
4
...

Organizations may not roll out a security patch as soon as it is released
...
The fact of the matter is that to this day many organizations still have not rolled out Microsoft Windows XP Service Pack 2
...

3
...
2 Falsifying Checked Information
In order to perform an endpoint security assessment, a NAC solution may use a set of checks that may include the ability to gather knowledge regarding an element’s operating system, the list of installed patches, the presence of anti-virus software and its virus signature date, etc
...
Any user with administrative privileges can override these registry settings to present a different, falsified set of values, allowing an attacker to introduce an element to the network even if it does not actually have any of the required software
...
4
...

When client-based software is not available for or on a certain element, or a NAC solution claims to be
agentless, a vulnerability scanner is used
...


3
...

When an element is isolated from the network, it is usually quarantined into a designated network, unable
to access the enterprise network’s resources
...
Usually this is done by using an IP belonging to a non-routable network segment or by using an ACL on routers in order to restrict the quarantined network segment’s access
...


o Placing an element into a designated private VLAN (P-VLAN)
...


The following are examples of how a quarantine method can be bypassed
...




• When ARP mitigation is used to redirect an element to communicate only with the NAC solution, it can be bypassed by statically defining ARP entries on a newly introduced element
...
6 Inside the Quarantine
When an element is isolated from the network, it is usually quarantined into a designated network without
access to the resources of the organization
...

The elements placed in quarantine share a common characteristic - they do not comply with the security policy of the organization
...

If an infected element is placed into quarantine, it may infect other elements sharing the quarantine network
...
Instead of fighting its way past the network access controls to gain access to the enterprise network, an attacker can intentionally place their element into the quarantined network
...


³ Private VLAN segregated from the network resources and any other quarantined element


3
...
Their role is to allow a user to easily remedy the issues that prevented their element from being allowed on the network, by installing the appropriate software stored on the remediation servers
...
For example, access to DNS services requires access to a DNS server
...


3
...
If suspicious activity is detected, the action taken by a NAC solution may vary from isolating the offending system to dropping the session
...
This is also its main drawback
...

Communications between elements found on the same network segment are an example of a communication type that is usually not observed
...

Another drawback that needs to be considered is the usage of encryption
...


3
...
Without a NAC solution monitoring the element’s actions and tying them to its authorization rights (if any exist), nothing prevents it from accessing resources it is not allowed to access
...
0 Examples of Bypassing NAC Solutions
The following examples detail the operations of several NAC solutions and the ways to bypass them
...
The
main issues with each NAC solution are also highlighted
...



The following NAC solutions are discussed in this section:

• Software
  o DHCP Proxy-based NAC solutions
  o Authenticated DHCP-based NAC solutions
  o Broadcast listeners-based NAC solutions
  o Cisco NAC Framework

• Hardware
  o Inline NAC devices
  o Out-of-band NAC devices

4
...
1
...


Figure 3: DHCP Proxy Information Exchange


The DHCP proxy intercepts DHCP requests coming from elements accessing the network
...
The network configuration information is handed to the
element through the DHCP protocol
...
When found, it gathers the information
required for an endpoint security assessment
...

The DHCP proxy assigns the IP settings for the element only for a short time period
...

4
...
2 Strengths
The strengths associated with a NAC solution using a DHCP proxy are:

• Most organizations already use DHCP

• A DHCP proxy solution is easy to deploy

Implementing a DHCP-based NAC solution has a low barrier of entry into organizations
...
1
...

4
...
3
...
Unfortunately, various elements residing on the enterprise network do not use the DHCP protocol, such as printers, servers and switches
...
Furthermore, a DHCP proxy-based NAC solution can simply be bypassed by assigning an element a static IP address
...

4
...
3
...
The client-based software is usually available only for
...
Thus, the endpoint security of any non-Windows operating system cannot be determined
...

⁴ This assumes a blocking gateway might also be present
...

4
...
3
...
First, a non-Windows exception can be made that exempts non-Windows clients from the NAC process
...
This MAC address list accepts wildcards, allowing the exemption of whole classes of systems, such as IP phones, using their Organizationally Unique Identifiers
...
In the Sygate/Symantec example, this can be done by posing as any non-Windows-based element that may reside on the network
...
1
...
4 Breaking Out of the Quarantine
A user can bypass its element’s quarantine by assigning the element a static IP address that belongs to
the main enterprise network
...
1
...
5 No User Authentication
With DHCP proxy-based NAC solutions, no form of user authentication exists
...


4
...
2
...
In order to do so, a DHCP server as part of the authenticated DHCP NAC solution architecture is
installed on the network
...
The NAC solution quarantines an element sending a DHCP request into a non-routable network segment, assigning it network configuration information (IP address and static routes) aimed at restricting the element’s access to the main enterprise network (2)
...

Among the configuration parameters sent from the DHCP server to elements requesting an IP address is
the IP address of the DNS server the elements are to use
...
The redirection is performed when a user tries to browse the web and their element sends a DNS request to the DNS server it is set to use (the IP address of the DNS server is set to the IP address of the authentication portal⁵), in an attempt to resolve the web address of the web site they wish to browse
...
The reply sent by the DNS server will resolve the web address of the web site to the IP address of the authentication portal
...
The credentials the user should use are usually the user’s username and password used to log on to a Windows domain belonging to the organization (although a separate username and password database can be built for this purpose)
...



The authentication credentials sent to the authentication portal (5) are then verified against a data storage
holding the username and password database (6)
...

A NAC solution supporting authenticated DHCP may choose to use additional checks against
authenticated elements as part of the admission process (8)
...

The DHCP server assigns the IP settings for the element only for a short time period
...

4
...
2 Strengths
The strengths associated with an authenticated DHCP-based NAC solution include:

• Most organizations already use DHCP

• An authenticated DHCP solution is easy to deploy

• Authenticates any user trying to access the network

• Operating system independent

• Clientless

Introducing an authenticated DHCP-based NAC solution has a low barrier of entry into organizations
...
2
...
1
...

Authenticated DHCP-based NAC solutions do contain some unique weaknesses
...
2
...
1 Using a Rogue DHCP Server
An attacker is able to use a rogue DHCP server, intercepting DHCP requests and redirecting users to their own authentication portal in order to steal user credentials
...


⁶ Please note that authenticated DHCP does not use client-based software
...

An attacker can use the same techniques used by an authenticated DHCP-based NAC solution
...
The network setting places the element on a so-called quarantined network shared
only between the rogue DHCP server and the attacked element
...

When a user on an attacked element tries to browse the Internet (or the local network), they are redirected to a rogue authentication server, which may have a look and feel similar to the real authentication server
...
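The rogue-server scenario above leaves a trace a defender can look for: a second DHCP server answering on the segment, and offers that hand clients a DNS address the organization does not run. The Python below is an added example, not code from the paper or from any vendor: it parses a constructed sensor log of DHCP OFFER messages (the log format, the addresses and the allow-lists are all assumed), flags offers from unauthorized servers or with unapproved DNS settings, and separately reports clients that received competing offers from more than one server.

```python
"""Audit observed DHCP offers for rogue servers and portal redirection.

Added example, not the paper's code. The log format and all addresses
below are constructed for the example.
"""
import re
from typing import Dict, List, NamedTuple, Set


class Offer(NamedTuple):
    server_id: str   # DHCP option 54, the server making the offer
    yiaddr: str      # address offered to the client
    dns: str         # DNS server handed out (option 6)
    router: str      # default gateway handed out (option 3)
    client_mac: str


OFFER_RE = re.compile(
    r"DHCPOFFER server-id=(\S+) yiaddr=(\S+) dns=(\S+) router=(\S+) to=(\S+)")

# Constructed sensor log: the legitimate server answers two clients, and a
# second server on the same segment races it for the first client.
SAMPLE_LOG = """\
2024-01-01T09:00:01 sw1 DHCPOFFER server-id=10.0.1.1 yiaddr=10.0.1.50 dns=10.0.1.5 router=10.0.1.1 to=00:11:22:33:44:55
2024-01-01T09:00:02 sw1 DHCPOFFER server-id=10.0.1.99 yiaddr=192.168.77.10 dns=192.168.77.1 router=192.168.77.1 to=00:11:22:33:44:55
2024-01-01T09:00:05 sw1 DHCPOFFER server-id=10.0.1.1 yiaddr=10.0.1.51 dns=10.0.1.5 router=10.0.1.1 to=00:11:22:33:44:66
"""

# Constructed allow-lists: the organization's DHCP server, and the DNS
# addresses it is allowed to hand out (including the one that points
# unauthenticated clients at the genuine authentication portal).
AUTHORIZED_SERVERS = {"10.0.1.1"}
AUTHORIZED_DNS = {"10.0.1.5"}


def parse_offers(log: str) -> List[Offer]:
    offers = []
    for line in log.splitlines():
        m = OFFER_RE.search(line)
        if m:
            offers.append(Offer(*m.groups()))
    return offers


def audit_offers(offers: List[Offer], servers: Set[str],
                 dns: Set[str]) -> List[Dict[str, str]]:
    """One alert per offer that came from, or steers clients to, an unknown host."""
    alerts = []
    for o in offers:
        reasons = []
        if o.server_id not in servers:
            reasons.append(f"offer from unauthorized DHCP server {o.server_id}")
        if o.dns not in dns:
            reasons.append(f"DNS {o.dns} is not an approved resolver or portal")
        if reasons:
            alerts.append({"client": o.client_mac, "server": o.server_id,
                           "reason": "; ".join(reasons)})
    return alerts


def competing_offers(offers: List[Offer]) -> Dict[str, Set[str]]:
    """Clients that received offers from more than one server.

    A second server racing the legitimate one is how a rogue portal gets
    in front of the user, so this is worth alerting on even when every
    server involved is on the allow-list.
    """
    by_client: Dict[str, Set[str]] = {}
    for o in offers:
        by_client.setdefault(o.client_mac, set()).add(o.server_id)
    return {c: s for c, s in by_client.items() if len(s) > 1}


if __name__ == "__main__":
    offers = parse_offers(SAMPLE_LOG)
    for a in audit_offers(offers, AUTHORIZED_SERVERS, AUTHORIZED_DNS):
        print(a)
    print(competing_offers(offers))
```

On the sample log the audit produces one alert (the offer from 10.0.1.99, which also hands out an unapproved DNS address) and reports the first client as having received offers from two servers; DHCP snooping on the access switches, where available, is the usual way to turn this detection into a block.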

4
...
3
...


4
...
3
...
Each probe listens to broadcast network traffic (sniffs the network), which is usually generated as part of regular TCP/IP communications, in order to detect elements operating on the network
...

4
...
1
...

When a broadcast listener probe identifies broadcast network traffic coming from a newly introduced element, it probes the agent software for the status of its endpoint security before the element is granted access to the network
...
Another possibility is to quarantine the element in a specified VLAN until the process ends
...
Only after these issues are resolved is the element granted access to the network
...
3
...
2 Unmanaged Solution
An unmanaged NAC solution utilizing broadcast listeners does not use any client-based software as part
of its architecture
...

If the endpoint security assessment fails, the element is then quarantined and access is granted only to
remediation servers in order to remedy the issues preventing it from gaining access to the network
...

4
...
2 Weaknesses and Bypass
4
...
2
...
A lot of moving parts are involved with the solution, which makes it difficult to manage
...

Such knowledge must include information regarding all of the network segments that belong to the enterprise network, the locations to place the probes, etc
...

The managed broadcast listener-based NAC solution uses client-based software in order to determine
the endpoint security status of elements residing on the network
...



The client-based software is usually available only for Microsoft Windows operating systems (Microsoft
Windows 2000 and later versions)
...

4
...
2
...
Without the use of VLANs, quarantining an element is impossible
...
This NAC solution lacks network discovery capabilities and does not have information regarding these switches
...

In some cases, switches are managed through a dedicated VLAN
...
Such access would have to be configured in order for
the NAC solution to operate successfully
...
3
...
3 Architecture Flaws with the Unmanaged Solution
A time gap exists between an element’s introduction to the network and the decision whether or not this element should be allowed on the network or be quarantined
...
This time period may be enough for the element to infect, penetrate or abuse other elements on the enterprise network
...
3
...
4 No Knowledge Regarding the Network Terrain
This NAC solution does not include network discovery capabilities, yet it relies solely on its element detection capabilities in order to learn about the elements operating on the network
...

The NAC solution aims to control the access of elements to an enterprise network, but does not have complete and accurate knowledge regarding the elements it needs to operate against
...
This may allow elements to access the network through venues which exist but are unknown to the NAC solution
...
3
...
5 Using a Vulnerability Scanner against Unmanaged Elements
Because a high number of elements that operate on a network use a personal firewall, scanning an element with a vulnerability scanner is in most cases useless and does not produce valuable results for the endpoint security process
...
3
...
6 Abusing Exception Rules
An exception rule identifies a certain element according to a unique characteristic, such as its MAC address, and allows the element to operate on the network without going through any endpoint security assessment
...
For example, a printer can be disconnected from the network, while a rogue element assumes its MAC address and is given its network access rights
...

4
...
2
...
The rogue
element is given the same access rights as the allowed element
...

4
...
2
...

For example, an attacker can initiate communications directly with a host without broadcasting its ARP requests
...
This way the broadcast listener would not detect any broadcast network traffic coming from the attacker’s element⁷
...



4
...
4
...
1x – the Cisco NAD is a Layer 2 device (i.e. switch) with element detection triggered by a data-link packet passing through the switch

Figure 7: Cisco L3 IP NAC Operation

4
...
2 Strengths
4
...
2
...
1x
The Cisco NAC L2 802
...
It employs not only standard endpoint security checks, but also
includes user authentication as part of the NAC process
...
4
...
4
...
1 Proprietary Solution
Cisco utilizes a proprietary protocol with its NAC framework, EAP over UDP (EAPoUDP), and as a result,
the Cisco NAC framework does not work with non-Cisco elements
...

4
...
3
...
4
...
3 Use of Client-Based Software
The Cisco NAC framework must use client-based software in order to assess the endpoint security status
of elements residing on the network
...
Thus, the endpoint security of any non-Windows operating system and later
versions of Red Hat Linux cannot be determined
...

4
...
3
...

4
...
3
...

Exceptions by device types such as Cisco IP phones can also be permitted using CDP
on the router
...
For example, a printer can be disconnected from the network, while a rogue element assumes its MAC address and is given its network access rights
...

4
...
3
...
The
rogue element is given the same access rights as the allowed element
...

4
...
3
...

The technology used by the NAC solution to perform element detection suffers from numerous flaws,
preventing it from completely identifying the elements operating on the network, leaving unaccounted
elements to freely operate on the network without being detected
...

Information regarding the physical network topology of the enterprise network is not collected
...

4
...
3
...

4
...
3
...
The ACLs, which are configured for quarantined elements, allow the tunneling of a number of protocols across the entire enterprise⁹
...
4
...
10 Abusing Cisco NAC L3 IP
Cisco NAC L3 IP allows elements to freely operate on a local segment without being detected if these elements do not send their network traffic through the router that is used to implement NAC L3 IP
...

By penetrating other elements on the local network segment, an attacker may abuse these as a launch
pad to gain unauthorized access to other parts of the enterprise network
...
5 Inline NAC Devices
4
...
1 Architecture Overview
Inline NAC solutions use dedicated hardware that is placed on the network usually between switches and
their main switch/router
...

The inline device performs passive element detection by listening to network traffic passing through the
device
...

Inline devices may or may not use client-based software
...

4
...
2 Weaknesses and Bypass
4
...
2
...
If the device fails it may not allow network traffic
to go through the device
...
5
...
2 Amount of Network Traffic that Can Be Handled
Inline NAC solutions may be limited by the amount of network traffic they may be able to process
...



4
...
2
...

Therefore, the deployment of an inline NAC solution may not cover the entire enterprise leaving
unmonitored venues to access the network
...
This may allow elements to
access the network using venues, which may exist, but are unknown to the NAC solution
...
5
...
4 Network Re-Architecture
Deploying an inline NAC solution must involve significant changes to the architecture of the network
...
5
...
5 Element Detection Is Partial and Incomplete
Because element detection is performed passively, technology limitations prevent the inline NAC solution from completely and accurately detecting all of the elements operating on the network¹⁰
...
5
...
6 Abusing the Local Segment
An inline NAC solution allows elements to freely operate on their local segment without being detected if
these elements do not send their network traffic through the inline device
...

By penetrating other elements on the network, an attacker may abuse these as a launch pad to gain
unauthorized access to other parts of the network
...
5
...
7 Tunneling Data while In Quarantine
Some inline NAC solutions may allow quarantined elements to exchange information with other elements on other parts of the enterprise network using selected allowed services, which may be required for the remediation process
...
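Whether a quarantine can be used as a tunnel comes down to how the quarantine ACL is written: remediation needs a few services (DNS to a DNS server, downloads from the remediation servers), and any permit rule broader than that is a path out. The Python below is an added example, not code from the paper or from any NAC vendor: it lints a constructed quarantine ACL against a constructed list of remediation servers and services (rule format, addresses and service list are all assumed), flagging permit rules whose destination or service reaches beyond remediation, and evaluates individual flows first-match so the effect of an over-broad rule is visible.

```python
"""Lint a quarantine ACL for rules that could carry a tunnel.

Added example, not the paper's code. Rule format, addresses and the
remediation service list are constructed for the example.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple


class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip" (any)
    dst: str               # destination in CIDR notation
    port: Optional[int]    # None = any port


# Constructed remediation infrastructure: a DNS server and a patch server.
REMEDIATION_SERVERS = {"10.0.2.10/32", "10.0.2.11/32"}
REMEDIATION_SERVICES = {("udp", 53), ("tcp", 443)}

# Constructed quarantine ACL, evaluated first match wins.
QUARANTINE_ACL = [
    Rule("permit", "udp", "10.0.2.10/32", 53),    # DNS, remediation resolver only
    Rule("permit", "tcp", "10.0.2.11/32", 443),   # patch downloads
    Rule("permit", "udp", "0.0.0.0/0", 53),       # DNS to anywhere
    Rule("permit", "tcp", "10.0.0.0/8", 22),      # SSH across the enterprise
    Rule("deny", "ip", "0.0.0.0/0", None),
]


def _within_remediation(dst: str, servers: Set[str]) -> bool:
    """True if every address the rule permits belongs to a remediation server."""
    net = ipaddress.ip_network(dst)
    return any(net.subnet_of(ipaddress.ip_network(s)) for s in servers)


def lint_quarantine_acl(acl: List[Rule], servers: Set[str],
                        services: Set[Tuple[str, int]]) -> List[Tuple[int, str]]:
    """(rule index, reason) for every permit rule that reaches beyond remediation."""
    issues = []
    for i, r in enumerate(acl):
        if r.action != "permit":
            continue
        if not _within_remediation(r.dst, servers):
            issues.append((i, f"destination {r.dst} is wider than the remediation servers"))
        if (r.proto, r.port) not in services:
            issues.append((i, f"{r.proto}/{r.port} is not a service remediation needs"))
    return issues


def is_allowed(acl: List[Rule], proto: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation of a single flow against the ACL."""
    addr = ipaddress.ip_address(dst_ip)
    for r in acl:
        if r.proto not in ("ip", proto):
            continue
        if addr not in ipaddress.ip_network(r.dst):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False   # implicit deny


if __name__ == "__main__":
    for idx, why in lint_quarantine_acl(QUARANTINE_ACL, REMEDIATION_SERVERS,
                                        REMEDIATION_SERVICES):
        print(f"rule {idx}: {why}")
    # The over-broad DNS rule is exactly what a DNS tunnel would ride on.
    print("DNS to an external resolver allowed:",
          is_allowed(QUARANTINE_ACL, "udp", "198.51.100.7", 53))
```

The linter flags rules 2 and 3 (rule 3 twice: wrong destination and a service remediation does not need), and the evaluator confirms that, as written, a quarantined host may send DNS to any address on the Internet. Removing those two rules leaves DNS and HTTPS to the two remediation servers as the only permitted traffic.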
5
...
8 Using a Vulnerability Scanner against Unmanaged Elements
Because a high number of elements that operate on a network use a personal firewall, scanning an element with a vulnerability scanner is in most cases useless and does not produce valuable results for the endpoint security process
...
5
...
9 Abusing Exception Rules
An exception rule identifies a certain element according to a unique characteristic, such as its MAC
address, and allows the element to operate on the network without any endpoint security assessment
...
¹⁰ Available from: http://www ... com/resources-currentwhitepaper
...



An exception rule can be abused in order to introduce a rogue element to the network using a MAC
address listed as an exception rule
...

A contributing factor that makes abusing exception rules even easier is the fact that, except for the MAC address of an element, no other information regarding the properties of the element is discovered and saved with the exception rule
...
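The weakness described in the last paragraph, and in the earlier sections on exception rules (a disconnected printer whose MAC a rogue host assumes), is that the rule binds access to nothing but the MAC address. The Python below is an added example, not code from the paper or from any NAC product: it records an exception rule together with other properties the NAC could observe about the exempted device (the switch port it was learned on, the default TTL of its IP stack, the service ports it exposes) and refuses to admit a host by exception when those properties no longer match. All field names, addresses and values are constructed; the properties are illustrative of what can be recorded, and a determined imitator can match some of them too, so this raises the bar rather than closing the gap.

```python
"""Exception rules that bind a MAC address to observed device properties.

Added example, not the paper's code. All field names, addresses and
values are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class ExceptionRule:
    mac: str
    switch_port: str                # where the exempted device was learned (SNMP trap)
    default_ttl: int                # initial IP TTL observed from the device
    expected_ports: FrozenSet[int]  # service ports the device normally listens on


@dataclass(frozen=True)
class Observation:
    mac: str
    switch_port: str
    default_ttl: int
    open_ports: FrozenSet[int]


def check_exception(rule: ExceptionRule, obs: Observation) -> List[str]:
    """Return every way the observed host differs from the exempted device.

    An empty list means the host still looks like the device the rule was
    written for; anything else should send it through the normal endpoint
    security assessment instead of straight onto the network.
    """
    if obs.mac.lower() != rule.mac.lower():
        return ["rule does not apply to this MAC"]
    problems = []
    if obs.switch_port != rule.switch_port:
        problems.append(f"moved from {rule.switch_port} to {obs.switch_port}")
    if obs.default_ttl != rule.default_ttl:
        problems.append(f"IP stack TTL {obs.default_ttl} differs from recorded {rule.default_ttl}")
    unexpected = obs.open_ports - rule.expected_ports
    if unexpected:
        problems.append(f"unexpected open ports {sorted(unexpected)}")
    return problems


def admit_by_exception(rule: ExceptionRule, obs: Observation) -> bool:
    """True only if the host matches the exempted device on every recorded property."""
    return not check_exception(rule, obs)


# Constructed sample: a network printer exempted from endpoint assessment.
PRINTER_RULE = ExceptionRule(
    mac="00:1e:0b:aa:bb:cc", switch_port="sw1:Gi1/0/12",
    default_ttl=64, expected_ports=frozenset({80, 515, 9100}))

# The real printer, as seen on its usual port.
PRINTER_SEEN = Observation(
    mac="00:1e:0b:aa:bb:cc", switch_port="sw1:Gi1/0/12",
    default_ttl=64, open_ports=frozenset({80, 9100}))

# A host carrying the printer's MAC: different port, different IP stack,
# different services.
CLONE_SEEN = Observation(
    mac="00:1e:0b:aa:bb:cc", switch_port="sw3:Gi1/0/2",
    default_ttl=128, open_ports=frozenset({445, 3389}))


if __name__ == "__main__":
    print("printer admitted:", admit_by_exception(PRINTER_RULE, PRINTER_SEEN))
    print("clone admitted:", admit_by_exception(PRINTER_RULE, CLONE_SEEN))
    for p in check_exception(PRINTER_RULE, CLONE_SEEN):
        print(" -", p)
```

The printer is admitted; the host carrying its MAC is not, with three recorded mismatches. The switch-port check is the cheapest of the three to enforce, since the NAC already receives MAC-notification traps for element detection and only needs to store the port with the rule.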
6 Out-of-Band Devices
4
...
1 Architecture Overview
An out-of-band NAC solution uses a span port on a switch to receive network traffic coming in and going
out from networks against which it wishes to operate
...

4
...
2 Strengths
There are several considerable advantages to using an out-of-band NAC solution:

• Fast deployment

• Fewer moving parts

• Element detection is performed in real-time

4
...
3 Weaknesses and Bypass
4
...
3
...

4
...
3
...

An element operating on a local network segment is allowed to infect and/or penetrate other elements
with which it shares the same local network
...

4
...
3
...

Therefore, the deployment of an out-of-band NAC solution may not cover the entire enterprise leaving
unmonitored venues to access the network
...
This may allow
elements to access the network using venues, which may exist but are unknown to the NAC solution
...
0 Conclusion
Network access control technology, which should be a vital part of internal network security, is still in its
infancy
...

Nonetheless, some of the NAC solutions can be bypassed, allowing an attacker to freely access a
network and its resources
...
Without these capabilities, any
NAC solution is destined to fail
...
0 Resources
1. ... Available from: http://www ... com/resources-currentwhitepaper ...
2. ... Available from: http://www ... com/resources-currentwhitepaper ...
3. ... Available from: http://www ... com ...
Cisco NAC framework ... cisco ...



