General InfoSec discussion

Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.

  1. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,110
    The reason why you prefer PEAP (i.e. it's easy) is also the reason why it's much less secure. The client authentication is user/password (or the machine password if you're doing machine auth instead). The cert is only really used for the client to authenticate the server (and people turn it off because duh).

    Anyhow you will not find a single security standard or architecture document that recommends PEAP. It's better than nothing, universally compatible and easy, esp. for the unwashed masses with Microsoft NPS. And yes it's very popular esp. with mid-market/SMB wireless networks, because like you said it's easy.

    Pretty much every enterprise wireless deployment in the corporate world is EAP-TLS (for the domain SSID anyway) and every single wired dot1x deployment I've seen is EAP-TLS. You'd be crucified by any security auditor or infosec person to deploy PEAP for anything beyond guest or semi-trusted (think BYOD) scenarios, where you can't control the endpoint.

    Certificate management on managed endpoints is a done thing, Windows is automagic, and you have an MDM for your i-thingys right? I do realise it's a pain in the ballsack but do you really want Karen's post-it note letting them onto the network without them at least having to hijack Karen's laptop or wait till she's at lunch at the very least?

    Pedantic note (yes I did read the textbook again for this): Technically PEAP is the encapsulation, like EAPOL. But when people say PEAP 99.9% of the time they are talking about PEAP wrapping up MS-CHAPv2. Technically you can implement EAP-TLS over PEAP but this is rarely seen. Fuck I hate security so much
     
    Last edited: Jan 14, 2020
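    The two weak points called out above (PEAP authenticating the client by password, and server-certificate validation being switched off) are visible in a supplicant profile. The script below is an added example, not something posted in this thread: it parses wpa_supplicant-style network={...} blocks and flags the weak settings next to an EAP-TLS profile that has them right. The sample configuration, SSIDs, identities and file paths are constructed for illustration; the rules it applies (no ca_cert means the server certificate is not checked; ca_cert without a server-name match accepts any certificate from that CA) follow wpa_supplicant's documented behaviour.

```python
"""Audit wpa_supplicant-style 802.1X profiles for the weak settings discussed
in the thread: PEAP (password credential) and missing server-certificate
validation.  Added example; the configuration below is constructed and is
not from the thread or from any real deployment."""

import re

# Constructed sample: one weak PEAP profile and one EAP-TLS profile.
SAMPLE_CONFIG = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="karen"
    password="Welcome1!"
    phase2="auth=MSCHAPV2"
    # no ca_cert: the supplicant accepts whatever certificate the RADIUS server shows
}

network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="laptop-0042.corp.example"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/wpa_supplicant/laptop.crt"
    private_key="/etc/wpa_supplicant/laptop.key"
    domain_suffix_match="radius.corp.example"
}
"""

# EAP methods that tunnel an inner password-based authentication.
TUNNELED = {"PEAP", "TTLS", "FAST"}
# Any of these pins the server certificate to a name, not just to a CA.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict per network={...} block; '#' comments are stripped
    (simplification: a '#' inside a quoted value is not handled)."""
    networks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None:
            if re.fullmatch(r"network\s*=\s*\{", line):
                current = {}
            continue
        if line == "}":
            networks.append(current)
            current = None
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return a list of (severity, message) findings for one profile."""
    findings = []
    if net.get("key_mgmt", "").upper() != "WPA-EAP":
        return findings  # not an 802.1X profile, nothing to check
    ssid = net.get("ssid", "<no ssid>")
    eap = net.get("eap", "").upper()
    if "ca_cert" not in net:
        findings.append(("HIGH", f"{ssid}: no ca_cert, the RADIUS server "
                                 "certificate is not validated"))
    elif not any(k in net for k in SERVER_NAME_KEYS):
        findings.append(("MEDIUM", f"{ssid}: ca_cert set but no server-name "
                                   "match; any certificate from that CA is accepted"))
    if eap in TUNNELED:
        inner = net.get("phase2", "unspecified")
        findings.append(("INFO", f"{ssid}: {eap} with inner {inner} "
                                 "authenticates the client by password, not by certificate"))
    if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
        findings.append(("HIGH", f"{ssid}: EAP-TLS profile has no client_cert/"
                                 "private_key, client authentication cannot complete"))
    return findings


def audit_config(text):
    """Audit every network block in a configuration text."""
    return [f for net in parse_networks(text) for f in audit_network(net)]


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

    On the sample above the PEAP profile produces a HIGH finding for the missing ca_cert and an INFO finding for the password credential, while the EAP-TLS profile is clean; pointing the script at a real wpa_supplicant.conf gives a quick inventory of which profiles would be waved through by an auditor and which would not.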
  2. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,882
    Location:
    Brisbane
    I dunno, NAC has its place but it's certainly not the magic bullet you'd hope it to be for the effort.
     
  3. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,110
    the magic bullet is the auditor's tick. The CISSPs are gagging to pay for it so why not...

    in a practical sense, ensuring that rando can't just walk into any office (think reception area IP phone? etc) and plug into your network is a big win IMO. Now think industrial where there are datapoints in sheds or god knows where, the attack vector is massive

    the real hawtness comes if you can enforce internal segmentation (whether bleeding edge with SD-Access or Aruba Mobile First or even traditional RADIUS pushed ACLs or just dropping them into segmented VLANs), that's a clear and massive win
     
    Last edited: Jan 15, 2020
  4. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,882
    Location:
    Brisbane
    Just depends what you're defending against really.

    NAC bypass is fairly trivial if you have physical access, obviously the barrier to entry is totally different but it's not like you magically just prevent network points from being hijacked. Can accomplish it with a pi and 2 ethernet ports.

    Personally I've always been partial to always on VPN + host isolation.

    Either way you're at the point you need to look at proper firewalling of servers etc. for good wins.
     
  5. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,110
    How do you break dot1x with EAP-TLS with a pi and 2 ethernet ports without access to the root/signing CA?
    If you're proposing some kind of MITM/ARP attack then no dice, if you put in NAC you're also putting in all the usual layer-2 security (DHCP snooping, Dynamic ARP inspection etc.)
     
  6. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,882
    Location:
    Brisbane
    Wifi you can't break and is very good on a proper setup. You can MITM quite happily on a wired port though if there's an authenticated host connected, e.g. https://github.com/scipag/nac_bypass something like that plus being inline on port.
     
  7. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,110
    Interesting, thanks for the link. I didn't consider inline bypass
     
  8. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,882
    Location:
    Brisbane
    One of those things I found to be pretty obvious in retrospect after reading through how those scripts work, but yeah, it's still a totally different barrier to enter a network.

    But for me it boils down to what are you looking to address? Network ports in public locations that have to exist for some ungodly reason? Or somebody actively looking to circumvent your network controls and has physical access. If it's the latter you're in for a bad time and it'll only have a limited impact.

    Something something layers etc.
     
  9. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,110
    Well yeah you need a specialist device that can bridge/linux, and power it (or battery powered setup for limited duration), and the access to install it behind a user's workstation without them noticing (or a gun to their head whilst they login lol).

    Not to mention the specialist expertise to rig it all up esp. sophisticated auto scan and auto attack scripts if the phone home doesn't automatically work and you can't drive it remotely.

    I can't imagine that this is a 'mainstream' attack vector so even a lot of black hats would lack familiarity with this (and again they'd need the specialist not-a-normal-pc hardware to do it, and the installation hurdles).

    As you say layers e.g. the SSH phone home should be blocked, internal firewalls, yada yada though if you managed to sneak a preconfigured battery powered bridging pi behind a workstation then all the good ports are 99.9% likely to be opened, can your magic Palo box catch the IPS sig.
     
    Last edited: Jan 15, 2020
  10. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,882
    Location:
    Brisbane
    I'm surprised how few people are unaware it's possible to be honest.

    It's like anything infosec really, apply appropriate compensating controls. If you're working on military tech, probably a risk. If you're a SMB, probs not worth considering :)
     