Bypassing NAC v2.0 - OSSIR

More documents

Recommendations

Info

802.1x• Exceptions– Hosts that do not support 802.1x can be granted access to the networkusing manually configured exceptions by MAC address– There is no knowledge about the exception element (i.e. OS, exact location,and other properties)– It is possible to spoof the MAC address of an exception element is order toreceive the same access that element has to the enterprise network• Not able to detect masquerading elements hiding behind an allowedelements (i.e. NAT)– Virtualization as a major issue (i.e. Freebee virtualization software such asVirtual PC, Vmware, etc.)• No knowledge on actual network topology may lead existence of other,uncovered venues to access the network– The network might be composed from other networking equipment whichdoes not support 802.1x– Used as an access venue to the network
Cisco <strong>NAC</strong> Framework
Page 4 and 5:
Introduction
Page 6 and 7:
IntroductionThe Problem• An enter
Page 8 and 9:
Introduction“My” NAC is not “
Page 10 and 11:
Capabilities
Page 12 and 13:
CapabilitiesNAC Functions• The fo
Page 14 and 15:
CapabilitiesNAC Functions- Remediat
Page 16 and 17: Attack Vectors
Page 18 and 19: Bypassing NACBackground
Page 20 and 21: Element DetectionQuestions to Ask
Page 22 and 23: BasicsQuarantine• There are a var
Page 24 and 25: QuarantineQuestions to Ask• How d
Page 26 and 27: Enforcement• How is enforcement p
Page 28 and 29: End-point Compliance Assessment•
Page 30 and 31: End Point Compliance AssessmentAgen
Page 32 and 33: Bypassing NACExamples
Page 34 and 35: Bypassing NACExamples• The exampl
Page 36 and 37: DHCP ProxyArchitecture
Page 38 and 39: DHCP ProxyInformation Exchange
Page 40 and 41: DHCP ProxyWeaknesses• Detected el
Page 42 and 43: DHCP ProxyWeaknesses• Not able to
Page 44 and 45: Authenticated DHCPorDHCP In-a-Box
Page 46 and 47: DHCP In-A-BoxArchitecture
Page 48 and 49: DHCP In-A-BoxStrengths• Theoretic
Page 50 and 51: DHCP In-A-BoxRogue DHCP Server
Page 52 and 53: Broadcast Listeners
Page 54 and 55: Broadcast ListenersArchitecture: Ma
Page 56 and 57: Broadcast ListenersWeaknesses• So
Page 58 and 59: Broadcast ListenersWeaknesses• Un
Page 60 and 61: Switch IntegrationSNMP Traps
Page 62 and 63: SNMP TrapsWeaknesses• Must rely o
Page 64 and 65: 802.1x
Page 68 and 69: Architecture• Components- Cisco T
Page 70 and 71: Cisco NAC FrameworkInformation Exch
Page 72 and 73: Cisco NAC FrameworkWeaknesses• Wo
Page 74 and 75: Cisco NAC Framework• Static Excep
Page 76 and 77: Cisco NAC FrameworkWeaknesses• No
Page 78 and 79: In-Line Devices
Page 80 and 81: In-Line DevicesWeaknesses• No kno
Page 82 and 83: In-Line DevicesWeaknesses• Not ab
Page 84 and 85: Out-of-Band DevicesArchitecture
Page 86 and 87: Out-of-Band DevicesWeaknesses• In
Page 88 and 89: The End-Result• A (very) confused
Page 90 and 91: Resources• Microsoft NAPhttp://ww
show all

Bypassing NAC v2.0 - OSSIR

Create successful ePaper yourself

Delete template?

Save as template?