Phil Mayers <[email protected]>

My name is Phil Mayers. I do various things at Imperial: core routing, multicast, IPv6, and edge access control (MAC auth & 802.1x).

Imperial's network
- Fully centralised IT @ Imperial
- ~1300 edge switches (~50/50 old 3Com 4400s, new Extreme x450/x250)
- ~750 wireless points (Cisco lightweight)
- ~35k unique hosts seen on-net

TLA minefield: NAC, NAP, TNC, SoH

Posture assessment
- At the time of network connect, the machine submits evidence of its posture to the network
- The network may grant, restrict or deny network access
- Posture includes:
  - OS updates (set for auto-update, up-to-date)
  - Antivirus state (installed, enabled, up-to-date)
  - Firewall state (installed, enabled)

The TLAs
- NAP – Network Access Protection (Microsoft)
- NAC – Network Access Control (Cisco)
- Both names for the same thing...
- TNC – Trusted Network Connect: EAP mechanism from the Trusted Computing Group – posture-over-EAP
- SoH – Statement of Health: Microsoft extension to PEAP
- TNC and SoH do the same job, differently

How it works (assuming 802.1x for wireless/wired...)
1. Client connects
2. Network issues EAP challenge
3. Client does EAP to identify itself
4. Client then sends posture info inside the EAP session
5. Radius server makes a decision about the posture acceptability
6. Network access granted, restricted or denied

Out-of-band
- Out-of-band posture assessment can be done: Windows Update or antivirus management logs; run a client / ActiveX control
- Won't talk about those here – because Imperial don't have any use for them

EAP-TNC
- EAP-TNC is an EAP method
- It needs to run inside another EAP method – TTLS
- It ought to run after an authentication method
- It's a cross-platform standard
- Support is (currently) non-existent
- Picture by http://www.flickr.com/photos/bbaunach/

SoH
- SoH is a Microsoft extension to PEAP
- It's Windows-oriented
- It's supported on XP SP3, Vista and Windows 7
- It's off by default
- It needs* Microsoft IAS – not well-loved (no offense intended to those who do use it)
- But have no fear... FreeRadius can now do it too!
Getting the code

    git clone [email protected]:soh.git peap-soh
    git checkout -b peap-soh origin/peap-soh

- Supposed to be in 2.2.0
- I wrote the patch – need to sync with 2.1.9

What you get: quite a lot of info

    SoH-Supported = yes
    SoH-MS-Machine-OS-vendor = Microsoft
    SoH-MS-Machine-OS-version = 6
    SoH-MS-Machine-OS-release = 0
    SoH-MS-Machine-OS-build = 6001
    SoH-MS-Machine-SP-version = 1
    SoH-MS-Machine-SP-release = 0
    SoH-MS-Machine-Processor = x86_64
    SoH-MS-Machine-Name = "netbios.example.com"
    SoH-MS-Correlation-Id = 0x54468936cb494374b127a6a3cc3bb11c01ca78d858ee1ef0
    SoH-MS-Machine-Role = client
    SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "antivirus error not-installed"
    SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=1"
    SoH-MS-Windows-Health-Status = "auto-updates ok action=install"
    SoH-MS-Windows-Health-Status = "security-updates warn some-missing"

What you can do with it
- Deny outright
- Send back an access-list or VLAN
- Log to a database ...then send back an ACL/VLAN if the machine has had "bad posture" for >2 hours
  - Avoids all your machines falling off-net when a new update is released!
- This kind of flexibility is a good argument for FreeRadius :o)

How to configure it
- SoH request can be sent to a virtual server
- Then write "unlang" policies
- Or use rlm_perl / rlm_python / shell scripts

eap.conf:

    eap {
        peap {
            soh = yes
            soh_virtual_server = ...
        }
    }

sites-enabled/soh:

    server soh-server {
        authorize {
            if (SoH-Supported == no) {
                # client NAKed our request for SoH
                update config {
                    Auth-Type = Accept
                }
            }
            else {
                if (SoH-... != ok) {
                    ...
                }
            }
        }
    }

Client side
- It's turned off by default :o(
- Presumably because of the information leakage?
- Clumsy to enable on unmanaged clients via GUI
- Can be done via "netsh" CLI & XML profiles
- Can be done with Group Policy on domain members

Where the SoH data comes from
- Windows collates SoH data from various sources: Windows "security centre" by default, but also 3rd-party apps in theory
- AntiVirus and other products can send vendor-specific info inside the SoH statement
- FreeRadius patch doesn't decode these yet; no examples seen in the wild

TNC
- Promising because it's cross-platform
- Does anyone here really think that managed machines will be the norm in 5-10 years? iThings, eee PCs
- Needs kickstarting: OpenSEA / Xsupplicant?
- Will need to be on by default, or a very easy provisioning method (per SSID)
- Prompt user when first asked for posture? Yes.
- Resnets will probably be first...

Posture statement != posture proof
- Negative posture is probably not a lie!
- Log the posture statements, deal with lies via AUP and/or physical device banning
- Managed clients can be trusted "more"
- Mandate SoH for financial systems access?
- Some work to support TPM signing of TNC/SoH

Other transports (description of these is not an endorsement...)
- MS SoH can be run over non-802.1x transports: DHCP DISCOVER/OFFER, MS Terminal Services (new-style), IPSec
- FreeRadius doesn't yet do these
- But the TS & IPSec stuff are Radius-based, and FreeRadius can do DHCP...
- Let me know if this interests you

Standards
- Lots of "innovation", little standards-setting: Cisco vs. Microsoft
- SoH is (of course) proprietary, but useful even so because of the numbers and nature of Windows machines
- Clearly an open standard is better, e.g. TNC
- Many vendors will try to sell you pricey clients or supplicants; think carefully before doing that

Eduroam
- Could we add posture checking to Eduroam?
- The posture is hidden inside the EAP tunnel, so only the home site sees it
- But the home site could pass standard attributes back to supporting visiting sites
- Better user experience than "it doesn't work"
- Under investigation; depends on demand

Scepticism
- I've heard scepticism about posture checking
- Perhaps not for everyone?
- Our IT Security team really, really want it
- Machines accessing our financial systems are usually managed Windows builds
- VLAN assignment into finance VRF
- Locked down desktops, 802.1x using machine account credentials
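The "log to a database, then send back a restricted VLAN only once bad posture has persisted for more than two hours" policy from the FreeRadius slides, worked through as an added example of the kind of logic rlm_python could run; it is not code from the talk or from the FreeRadius patch. It assumes epoch-second timestamps, an in-memory dict standing in for the database, and made-up VLAN ids; the attribute names and sample values are the ones shown on the "what you get" slide.

```python
# Added example, not part of the talk or the FreeRADIUS SoH patch.
GRACE_SECONDS = 2 * 3600                      # slide: restrict only after >2h of bad posture
NORMAL_VLAN, RESTRICTED_VLAN = "100", "999"   # assumed VLAN ids

# Constructed sample: the attribute list the SoH decoder yields for one client,
# using the values from the slide (note the missing antivirus).
SAMPLE_ATTRS = [
    ("SoH-Supported", "yes"),
    ("SoH-MS-Machine-Name", "netbios.example.com"),
    ("SoH-MS-Windows-Health-Status", "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"),
    ("SoH-MS-Windows-Health-Status", "antivirus error not-installed"),
    ("SoH-MS-Windows-Health-Status", "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=1"),
    ("SoH-MS-Windows-Health-Status", "auto-updates ok action=install"),
    ("SoH-MS-Windows-Health-Status", "security-updates warn some-missing"),
]

def parse_health(attrs):
    """Map each SoH-MS-Windows-Health-Status value to component -> (state, details)."""
    health = {}
    for name, value in attrs:
        if name == "SoH-MS-Windows-Health-Status":
            component, state, *details = value.split()
            health[component] = (state, " ".join(details))
    return health

def bad_components(health):
    """Components in state 'error'; 'warn' (e.g. some updates missing) is tolerated."""
    return sorted(c for c, (state, _) in health.items() if state == "error")

def decide(attrs, now, bad_since):
    """Return (vlan, reason). bad_since is the persistent record
    (machine name -> first time bad posture was seen) the slide keeps in a database."""
    single = dict(attrs)                      # only single-valued attrs looked up here
    if single.get("SoH-Supported") != "yes":
        return NORMAL_VLAN, "client NAKed SoH request; accepted as per policy"
    machine = single.get("SoH-MS-Machine-Name", "unknown")
    bad = bad_components(parse_health(attrs))
    if not bad:
        bad_since.pop(machine, None)          # posture fixed: clear the record
        return NORMAL_VLAN, "posture ok"
    first_seen = bad_since.setdefault(machine, now)   # log the first bad sighting
    if now - first_seen > GRACE_SECONDS:
        return RESTRICTED_VLAN, "bad posture (%s) for >2h" % ",".join(bad)
    return NORMAL_VLAN, "bad posture (%s), within grace period" % ",".join(bad)
```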