PacketFence, the Open Source NAC: What we've done in the last two years

Video in TIB AV-Portal: PacketFence, the Open Source NAC: What we've done in the last two years

Formal Metadata

Title
PacketFence, the Open Source NAC: What we've done in the last two years
Subtitle
Salivating on NAC secret sauce
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
Ever heard of PacketFence? It's a free and open source Network Access Control (NAC) software that's been out there since 2005. In the last two years we had several major releases with important new features that make it an even more compelling solution. Trying to appeal to both attackers and defenders, this presentation will cover all of our NAC's secret sauce: wired / wireless RADIUS MAC authentication / 802.1X, port-security through SNMP, captive portal redirection techniques, hardware support procedure, Voice over IP, FreeRADIUS, Snort and Nessus integration, and quarantine / remediation features. We will continue with the advantages of open source when dealing with a NAC. Then we will focus on the last two years of the project: the problems, the missteps and the good, new and shiny stuff. This will include learning about some 802.1X problems, complaining about other vendors' code, looking at our own problems and salivating on some of the technical prowess we recently achieved. Finally we will expose our World Domination Roadmap covering both short-term improvements and potential research projects (and we will beg for help to achieve it). Hopefully this talk will demystify NACs by explaining in detail how our implementation works, give yet another example of why open source rocks and convince those who haven't jumped on the NAC bandwagon to give the free one a try. Olivier Bilodeau is a System Architect at Inverse developing PacketFence, an open source Network Access Control (NAC) software. He also lectures on system security at École de technologie supérieure (ETS) in Montreal, Canada. His past experiences made him travel into dusty Unix server rooms, obfuscated Perl code and expensive enterprise networks. In his free time he enjoys several CTFs a year (with the CISSP Groupies and Amish Security teams), hacking Perl, doing open source development and brewing beer.

So I'm really glad that you are all here today, this morning. What we're going to talk about is PacketFence. We've been working, I've been working there for two years, and it's the first time we unveil, we talk about PacketFence at such a large event. We've mostly done stuff locally in Montreal, so I'm really glad to be able to talk to you about it and I hope I'll share my excitement.

So what we'll see today is: what's network access control; we'll briefly talk about the secret sauce, so how we do stuff and how it works; we'll talk about why open source has been very helpful for us; the good and bad of the two years as a lead developer, and some lessons learned and some ranting; and then the future of PacketFence, so a bullet list of stuff we want to look at in the future, and some community begging for help and stuff.

So who am I? I'm Olivier Bilodeau, working as a system architect for Inverse since 2001, lead developer of PacketFence. I'm also teaching information security to 200 graduate students in Montreal. I'm really into open source. I'm also a new father; I brought my baby here at DEF CON for the first time, she's seven months old, so it's been quite something, the airport and all that. I'm also enjoying CTFs a lot, so we're with the Amish Security team doing CTFs, and also the CISSP Groupies, and we did the DEF CON qualification two years in a row with mitigated success. I'm developing Tomdroid, which is an Android application, too. And so if you are interested in what I do and want to follow me, here are the social links.

This talk will implement the "you drink, me drink" protocol, so if I say something stupid you can interrupt me and force me to have a sip of a good beer. The beer I chose, I need to talk about it, was the IPA, California IPA; it's really good, so I hope I'll make some mistakes and there'll be some beers. I only have these left, but for the debriefing, so people that come to the debriefing after the talk and have good questions have a beer. All right, so network access
control. This is, like, you guys, this is the elevator pitch; let's not focus on that, you guys are smart and you know what most of it means, so we'll go fast. Identification, basically authentication, is mapping user names to IP addresses or MAC addresses. So the firewall doesn't discriminate between, you know, users and IP addresses, whereas with NAC the core focus is to be able to know this device is owned by this person, and it's really the binding of the two that is important for NAC. There's admission, and admission is allow, partially allow or deny users. And there's control, so control here is to watch for unauthorized stuff, including outdated antivirus, patch level, someone scanning corporate servers, spreading malware, et cetera. So network access control has the goal to do all of that.

There's the usual sales pitch stuff that you see, which involves a loop between detecting a device, isolating a device, notifying administrators about the state of these devices, and remediation, which is a key point that we'll talk about several times, which is how to help the user to remediate problems, including updating their systems and stuff. So basically it's know who is using your network and make sure they behave, and we're not talking "who" as an IP address, we're talking "who" as a user name, so it's really important, and an authenticated user name.

So that's what, with time, NAC has become. Well, remediation of users, as I just mentioned. Guest management, so a lot of people want to handle guests, put them on the Internet only, no access to the internal servers, so it started to do that. Asset and inventory management, so it's there, it sees all the devices and categorizes them for you, and you see it. And also it simplifies the access layer configuration, so the more technical people come to PacketFence because they are tired of doing per-port configuration manually, switching VLANs on ports, and so with a NAC the VLAN management is all done in the server and more transparently, and it simplifies the access layer configuration.
So, the secret sauce. The technology: mostly Perl, some PHP, and we're leveraging open source. The asterisk means that I'll be talking about it in the future; I did that in a couple of places. So this is the concept, and it's designed with high availability in mind, so everything we do, we always think about it; we use active/passive clusters, and so it's really a core focus, because with network access control, if it's down no one accesses the network, which is really bad. So it's from the ground up, thinking with clustering in mind.

Key design decisions that we've made with PacketFence: we're out-of-band, so this is the opposite of being inline, which means that it's really the infrastructure that takes a decision; we're not in the packet flow out to the network, so if the server fails it most likely fails in a sane state. So it's really the opposite of inline, where you see that there's a firewall doing the decisions and the packets go through the NAC device. We're out-of-band, so no packet is going through the server. We're doing edge enforcement, so this means that the decisions for access are done the closest possible to the endpoint, the client computer, so it minimizes the attack surface by a lot: a client who has not been allowed on the network cannot scan servers and do anything, it's like the switch decided that it couldn't get access, so really the edge kicked them out, if you want. We use no agent; a lot of the proprietary NACs are using an agent-based system, and we decided that it was error-prone and buggy, and in a world where there are several devices coming out all the time we cannot cope with developing agents for all of these, so we decided let's not do that and focus on a web-based captive portal instead, and so that's what we do. Listen to everything is also a big thing that we wanted to do: we see everything that's out there, so we sniff the ARP, we sniff the MAC address, when there are security violations done by the switches, when we see IP addresses from DHCP, we gather all that information all the time; if a user hits the captive portal we record the user agent. So we're really about identifying everything that's on your network, and a lot of people are amazed when they first plug in PacketFence: even if it's not doing enforcement they will see a lot of devices that they weren't aware about.

So out-of-band, how we do the out-of-band stuff, is we rely on SNMP traps. This was the first technique that we developed in 2007, which was the first step when we forked out of the original PacketFence project, which was based only on DHCP. So for the SNMP traps we have several implementations: one is for link up / link down events, one is for MAC notification events, which to my knowledge is a Cisco-specific trap, and then there's port security, which was at first Cisco-specific but then got picked up by a lot of vendors. The advantage of port security is that you get the MAC address in the SNMP trap that gets sent to PacketFence, which means we don't need to go and spawn a thread, going to the port and waiting to see the MAC address show up on the port, so it's really more performant. You have a comment? Oh yeah, that's right, that's good, okay.

So then we got RADIUS-based techniques that emerged, which is either 802.1X or MAC identification; we will talk about these in a sec. So we first implemented wireless MAC identification, because the customer demand was for wireless, to manage the wireless and the wired side with the same software, same solution, which has been great for us. Then we implemented wireless 802.1X, which is what most people know as WPA Enterprise, and then we implemented lately the wired MAC identification and 802.1X pieces. So let's go into a little
bit more detail. The SNMP trap enforcement works by events on the hardware that generate traps; we react to the trap and then we use an SNMP client to connect to the switch and then perform a port authorization, so MAC address authorization on the port, and change the VLAN if that is what is required to do the proper enforcement. So it's an asynchronous process, if you want, and for most of the vendors it works really well; for some of them we need to rely on Telnet or SSH because their SNMP interface is not good, which we don't really like.

Yeah, so one of the advantages of the authorization and the edge enforcement by SNMP traps is that, because of the asynchronous nature of the authentication, if, let's say, the system would fail, the system would fail in the last state that was established. So the port security trap is sent to PacketFence, PacketFence saw the trap, saw the MAC address, decided that it should be in VLAN 100, it will go and put the user in VLAN 100, then there will be no security notification done by the switch because we authorized the MAC address on the port. So as long as there is not another device, with another MAC address, which will generate a security violation and then the whole cycle again, then as long as you don't have new security events, the system will stay in the good state no matter if the PacketFence server is running or not. So it's really a great advantage of this technique.

Now digging into the RADIUS-based approach. Let's have a few reminders about the protocols related to that. RADIUS is a key-value based protocol for AAA. AAA stands for authentication... man, how come... authorization, thank you, I guess I'll drink again; authorization, and then audit, so it's a very infrastructure-type... accounting or audit, all right. And what are you... you guys are right, smarter than me, twice, okay. So it's an infrastructure protocol: it's the switch that speaks with the server, and there's nothing that the client needs to implement. Let's not get into 802.1X so far. So if you look at this piece, it's really infrastructure-based. Now let's build on
top of RADIUS and see 802.1X. What it says is, it is Extensible Authentication Protocol over RADIUS, so EAP and all that nasty PEAP, MSCHAPv2, and then encapsulation over encapsulation and stuff, so it's adding a lot of new components to the pure RADIUS that we just saw. So the actors in 802.1X are the supplicant, the authenticator and the authentication server. I've never seen any authentication server besides RADIUS, but I'm pretty sure you can do it with Diameter, so it's optional. The supplicant is actually the client, and you need something on the operating system to support 802.1X, so it's not as transparent as MAC identification is, and the client-side software has been integrated in Windows and Linux and OS X for a couple of versions now, so it's pretty stable, but we'll see problems with that later. And the authenticator, sorry, most people know it as the NAS, so the network access server. All right, the protocol even allows you to send stuff to the client; this is how a WPA Enterprise setup is done: as part of the authorization and authentication it will send the keys in this encrypted tunnel. This is all, if you see the little diagram, this is all pre-DHCP, so pre-IP, and this is why it's called port access control, port-based network access control. MAC
identification is simply taking a step back from 802.1X when the device doesn't support it; we do a simple RADIUS authentication and authorization with the MAC as the username in the RADIUS system. So it's really similar to 802.1X, but there is no strong authentication, there is no end-to-end with the client, so it's more of the infrastructure taking care of all the boilerplate, if you want. Also in the "new", quote unquote, techniques related to RADIUS is RADIUS CoA, which I'll talk about a bit later, which means Change of Authorization, which is RFC 3576 (anyway, you guys saw it). So the CoA answers the problem that RADIUS is initiated by the actor, the switch, and the client; the CoA takes care of the server saying to the switch, please rethink the security posture of this device. And so it's kind of adding a new asynchronous nature to the usually really synchronous nature of RADIUS. Never bring your friends to your talk.

All right, so what do we do for the enforcement then? We Access-Accept most requests and then, based on that acceptance, we return the proper VLAN attribute. On clients, when someone is not known to the system or is not authenticated, we return a registration VLAN, so a VLAN where we present a captive portal, or if the user should be in an isolation stage we return the isolation VLAN, and so that's how the magic works. So we Access-Accept most requests, otherwise the user will not have network access, which kind of defeats the purpose. We use FreeRADIUS to do the RADIUS and 802.1X pieces, and it's quite complicated to configure, but it's great, it works well. Now what we added is a Perl module to FreeRADIUS; FreeRADIUS has this rlm_perl facility which allows us to use Perl code directly inside FreeRADIUS. It's very performant, and with that we do a SOAP request to the PacketFence daemon, if you want, to the Apache of PacketFence, and the decision is taken server-side. So this
allows for a nice architecture that I'll talk about later.

Now moving on to the captive portal. Okay, various authentication mechanisms: we support LDAP, AD, RADIUS, Kerberos and guests. We use the portal to do the authentication; if a user did 802.1X then the authentication already went to the AD server, so we don't need to present a captive portal, so there's a lot of options there actually, if you want to automatically register devices and stuff. What does the captive portal do? After someone's authenticated over HTTPS, we redirect them to the Internet, and we can also provide them with remediation information, which we'll see later. In order to reach the captive portal, on the VLANs where we present the captive portal we provide DHCP, and then in DHCP we provide the DNS server and we do a DNS black hole, so any request will get the same answer, which is the PacketFence server. That's a really simple, cheap technique that we do, and then with the first hit on the browser we use mod_rewrite to rewrite the URL, for example google.com will be rewritten to pf.initech.com/captive-portal, which allows us to have a valid certificate because we have a domain name there, so it's not like other solutions which are doing reverse proxying, where you then have SSL problems with that. So I'm kind of glad we did that.

So how do we do our Voice over IP? Now, our old technique, because we're kind of changing this right now, is we rely on CDP and the voice VLAN features of the switches, which is actually easy to attack, if you want. So now what we do is we handle them as regular devices and we try to automatically register them if the user wants that, but there's still the older technique, and CDP is so transparent that a lot of people prefer that even if it's insecure. Over RADIUS we do MAC identification, and then your phone doesn't really matter; what matters more is your network device, so the switch in question, and with 802.1X there are some
vendor-specific attributes in RADIUS to control the behavior of the VoIP stuff, but we've never seen a lot of 802.1X-capable phones, so it's really a tricky business. We've done it over wireless and wired, but I think we only got it with Avaya so far, and there's not a lot of customer demand for it, because there's no other phone that's able to do 802.1X. So it's getting there; maybe I'll have another presentation on that.

The PC behind the phone, Voice over IP? Yeah, this is exactly what I mean by Voice over IP, is that if it's only a phone then I don't really care, I'm handling it like a normal device, but if there's a PC behind then there are problems with that, especially because we provide the DHCP. You know, I'm seeing the timing and I really want a question about it in the debriefing, and I'll give you all the details. It is tricky business; when it's over RADIUS-based techniques it's easier and it works better than when it's over SNMP-based techniques, because of the influence of changing the primary VLAN ID on the port and stuff like that; you really need to be careful and tag the proper voice VLAN and stuff. So yeah, I want to talk about this later.

So for the Voice over IP, a little note to pentesters: most want auto-registration of the phone; the phone doesn't have a browser, so you cannot, you know, ask your user to go on the phone and register it, so either they have a list of all the MAC addresses and they automatically register them, or we do it through several techniques. One is MAC vendor prefix; I think the 3Com switches do that, which is really debatable, which is really a tricky, or I think an insecure, technique if you want. Others do it through CDP. We, PacketFence, do it a lot with DHCP fingerprints, which are something I talked about yesterday, about the Fingerbank project, which are really rarely spoofed so far, but as more people gain awareness that we are doing DHCP fingerprints I'm pretty sure it will get spoofed, and then people will get access to the VLAN by spoofing a DHCP fingerprint of a phone. And also some phones that are 802.1X-capable are doing MD5 authentication, which is a flawed EAP technique for 802.1X, so it's not great. And so the note is here: spoof any of these techniques and you'll get access to the voice VLAN, and then from that scan and try to pivot, maybe if you can, onto the media server. So pentesters should really look into the voice VLAN stuff.

So quarantine is the
captive portal, portal sorry, feature where we present remediation information to the user. Here's a screenshot of how it's done; now, I made that up, it's not a real technique that we have. It's written here: "You have been detected using Windows 95. Please install a decent operating system. Download OpenBSD." That will probably not work on a desktop computer, but I don't want to get a flame war started. So the triggers we have for quarantine are: operating system, based on our DHCP fingerprint; browser; MAC vendor; Nessus; IDS, which is Snort-based, which I'm going to talk about in the next slides. And so the captive portal provides instructions; it's really helpful to reduce helpdesk pressure when you implement NAC, and so we've been really enjoying doing stuff with that, and it's the customers who come up with the greatest stuff to do with the quarantine, and we really like that.

So, the policy checking and monitoring. The Nessus side is client-side scanning upon authentication. It's, I'd say, somewhat limited, because if you don't provide a domain credential, for example, to the Nessus scanner, then you can only see the surface exposed on the client, so you can prevent them from running a web server, for instance, but you cannot do more; but if you do provide domain admin credentials, then you can, you know, hit the device and then list the patches and stuff like that. It's not free, and also the more tests you have, the longer it will take to authenticate, to authorize the device on the network, and it's something that a lot of people... what it takes, two minutes to do a Nessus scan on a client, is too long, so let's forget about that. So it's been a mixed love-hate relationship with the Nessus limitations.

Then the Snort piece. Most of you guys know Snort, I'm pretty sure, and so it's an intrusion detection system: you clone your traffic that is going to the Internet to the PacketFence server, you run a local Snort instance there and you enable the rules you're interested in, and the devices violating the rules will be isolated. It works really, really great, and we've been doing a lot of BitTorrent blocking, Skype blocking, malware detection, preventing users from nmapping the servers and stuff like that, and it's great. And with the quarantine captive portal we are able to provide a couple of... like, you can do BitTorrent three times, after that you are completely locked out of the network, so each time we present the captive portal, but you have a button to re-enable your access to the network. So you can do stuff to annoy your users if you want, like allow them to re-enable their Internet access a hundred times or a thousand times and see how long they will, you know, try again and try again and try again to do peer-to-peer before they are getting tired and just calling the helpdesk: what's going on? No, we don't do that, and
it's probably because we were never asked for this; come up, come over for a beer. So again, being open source, and running a business on open source, we're really tied to what's going on, on the... here we go, oh, I'm sorry. So yeah, we're always interested, and the syslog stuff: there are new switches that can send syslog events. I saw the feature and I never looked into it, but it would be something really, really interesting. We do support that: we have a remote mode for Snort, where we use our own daemon, we tail the alert file and then we do a SOAP request, so then you avoid crashing your whole PacketFence because there's a gigabit of traffic per second to analyze for Snort. But Snort with its single-threaded approach has been quite good, because it cannot crush the rest of the system, as it's only using one core, one thread, so it's still interesting. We have a really big enterprise customer running Snort and PacketFence on the same server and it's doing great.
So how do we support network hardware? I see that I'm running out of time, I need to move faster. Adding a new supported switch for the RADIUS-based technique is really, really great, because all the legwork is done by FreeRADIUS. All we say is "we support wired 802.1X", and if the NAS part that is sent by the switch is the same as the [inaudible], there's nothing else to do. Then we implement the identification, which is again very standardized: there's the [inaudible] SNMP MIB that works in like 99% of the cases. So for us, adding a new RADIUS-based supported device is really easy. SNMP is more challenging, because it's not standardized as much, especially regarding port security: a lot of the hardware does it per switch port, per VLAN, and some of them do it per switch port, and because of that there are different tricks that we need to do, especially with voice over IP. Again, it's a love-hate relationship, and it's one of the things that brings us customers: we work on supporting new hardware and they pay us to do so, so it's been good for the business, but for your mental health it's not that great; there are nasty bugs in there, I am going to talk about it a little later. It's mostly: read the switch documentation, try to configure it, figure out that there are mismatches between the documentation and how you actually configure it, then you snmpwalk and you try to find the sexy stuff you're looking for, the MAC addresses, the port security information, then you do your SNMP set, and when you've got it working with SNMP set, you port it into your Perl code, rinse, repeat, and you have a switch working with SNMP. Yes we are, but this is the Net-SNMP library which encapsulates all of that, but we've got, I don't want to name any names, but there are implementations of SNMP v3 which are really, really buggy, and it's not our fault, it's the switch's fault, and so sometimes we face problems and we need to pull in other modules and stuff. It's a love-hate relationship with SNMP v3. I really prefer when a customer has a management VLAN which is guaranteed to be isolated, and so I'm telling them, you know what, SNMP v2 is fine by me if you're sure that no one can sniff on your management VLAN. Well, again, it's all arguable. So PacketFence ZEN is the Zero Effort NAC, which is a VMware appliance; we have a version for the desktop suite and also the ESX stuff, so it's pre-installed, pre-configured, and people can really try PacketFence quickly with a VM instance. So I just wanted to let that... oh, he's glad. I'm glad you're glad.
Okay, so open source for the win: what has been great for us doing open source is the vendor independence. A lot of our competitors in network access control are really tied into the vendor, or they do ARP poisoning or other inline techniques which are in my opinion less secure. So because of being open source, we kind of poke at the firmware and try to make it work, and when someone wants a device implemented we work on it, and a lot of, let's say mostly universities, actually develop their own module and send it to us, and then we support new hardware, and that's just been great. The proprietary pricing is questionable: there are per-IP, per-concurrent-connection, per-AP (access point), per-switch license fees, so it's really kind of odd, and for a lot of people migrating over to PacketFence, they tell me "we paid so much for our NAC solution, it just doesn't make any sense", and it's because they charge per IP and people are using wireless, and every device you have, like five of them on yourself, costs them five licenses because they all want to hook on the network, so sometimes they really need to move away from the proprietary stuff. Also, because we can stay focused, we build on top of Apache, BIND, DHCP, Net-SNMP, FreeRADIUS, Snort, iptables, Nessus, 70-plus dependency modules that we pull in when you install PacketFence, so we're really into reuse, I guess. We use Linux and it's been really great. This is also an advantage because the stack is familiar, so you guys all know the tools, and when you really need to tweak things you can do it yourself, and when you need to troubleshoot it's not dark arcane magic that you cannot understand or need to call support for; it's stuff that you actually can see and that you can look up on Google. So it's great because, okay, I have this RADIUS problem, I google it and, oh, everyone has a similar or a different twist on the problem, and you can help troubleshoot yourself by doing that, which is not something we can say about the proprietary offerings. It's also been good that security is not solely based on, sorry, security by obscurity. What I mean by that is that this is network access control; there are some things where we kind of lift the carpet and put the dust under the carpet, because we are doing questionable things, because we want the customer to be able to deploy easily, and a NAC is better than no NAC, so we still need to have them. It all boils down to user-friendliness versus security, and you guys all know about that. Other solutions can be all about obscurity, but since ours is open source, people can look at it and say "hey, you guys are doing funky stuff over there and maybe you should not do that", so it's another advantage, because you can look at it, poke at it and find problems.
So, what I've learned, and what we've been doing bad and doing good for the last two years. Let's go.
Most NACs are easy to bypass. This is something I learned while working at Inverse, because of network administration friendliness: per-port exceptions for printers, voice over IP, uplinks; you find them, you can leverage them. CDP is being enabled on access ports, which is in my opinion a problem. Real DNS is exposed, so if your NAC solution is based on offering the Internet DNS, there are a lot of tools to be able to tunnel TCP into DNS, so you can tunnel out. And because there is no authentication built in to layer two or layer three, if you're not doing 802.1X everything can be hacked or spoofed: you can change your IP address, you can change the MAC address, you can change your DHCP client to be able to spoof the fingerprints I was talking about earlier, you can spoof your user agent, and the user agent trick has been known to get you out of Cisco's, I don't know, MAC profiler anyway: if it's an iPod or iPhone or iPad user agent then they let you through, because they don't have any agents for this OS. So again, it's because there's no authentication, you can spoof this stuff client-side, and the trust, which is fake then, is easy to bypass. And again, coming to MAC address spoofing: printers don't have browsers, so they will often be pre-registered into the NAC devices, and a printer is so easy to find. An academic printer: you go there, do your physical pen test, you pop the printer on the side, you look at the MAC address, you put it on your BackTrack 5 client, and then boom, you're allowed in the printer VLAN and you can start scanning the print servers, which are Windows, which are not patched, et cetera.
Another thing I learned is that you can bypass 802.1X, but there's a talk actually right after this which is focused only on that, a two-hour talk on how to bypass 802.1X, but let me still tell you what the technique is. You put a hub between the victim and the switch; the goal is to prevent the port from going down, so if there is no link down then the stack is not reset, because it's port-based network access control, and once the access has been granted there is no continuous monitoring of what you have been doing with the access. So you wait for the victim to successfully authenticate, because you put a hub in between, you spoof your MAC address with the victim's MAC, and then you plug into the hub, and bam, you bypassed 802.1X completely. I discovered this kind of by mistake when I was working on 802.1X-capable phones, and I kind of couldn't believe it, and I googled it, and then I found on Wikipedia and on Microsoft there is an article from 2005 talking about this problem. But now the thing is that they're doing appliances, like the Pwnie Express, which is doing [inaudible] 802.1X bypass; it's really interesting to see that it's gaining traction after all that time. So the attack scenario: you have two things you can do. You keep the legitimate client connected, which is bad because you have duplicated MAC addresses on the same segment, but which is good because the client can authenticate if the switch asks to. Or you replace the legitimate client, which is bad because you won't pass a reauthentication request, because you're not able to provide a strong authentication, but what is good about it is that you will not have network problems, because there are no duplicated MACs on the segment. It works. And see the "A Bridge Too Far" talk, which I skipped, which is after this talk in Track 1, and I'm pretty sure that because he's doing bridging he'll be able to circumvent the problem I'm mentioning here in the attack scenario, because he'll be able to firewall in between, let the EAPOL go through to the client, but still intercept the good stuff that he wants to do in the man-in-the-middle. Getting 802.1X going is tricky business; I'll just keep that: it's buggy, the support varies and stuff.
Another thing: 802.1X wired on Mac OS X is buggy. I haven't tried to reproduce it on Lion, but it's definitely buggy. We opened a ticket with Apple and they said "send us a ton of logging", and we did, and we never heard back from them, but we'll revalidate again on 10.7. But still, the point is that we're always finding problems in every piece we need to interact with, and it's not an easy game to be a network access control software.
What I learned also is network vendor fragmentation. VLAN assignment through SNMP is done in, I don't know, maybe 25 different ways: there are port lists, there is really straight VLAN assignment, so a lot of different weird stuff that you can see. Port security is named differently, implemented differently; SNMP access is inconsistent. If you go into the RADIUS-based enforcement, then wired MAC authentication has many, many names, I think I have a few here, where is it: Cisco calls it MAC authentication bypass, or MAB, because it's MAC-based authentication; Nortel calls it NEAP, which is Non-EAP; Extreme Networks calls it Netlogin; Juniper calls it MAC RADIUS. So there's a lot of different stuff going on in that space and it's not making anything easy for us. There are gray areas in 802.1X where you don't really have guarantees about what will go with the DHCP on the client, and trust problems, probably with Mac OS X. The RADIUS Change of Authorization is not supported everywhere, which makes it a little bit harder, so really hard. But the situation on the wireless side is better; I guess they learned from the wired side of things and they avoided a lot of mistakes, so MAC authentication and 802.1X wireless is really great, and we've been implementing the APs and the controllers much more easily: usually, I don't know, like one day to figure out how it works and make it work, and another day to document it for our network administration guide and make additional tests to make sure that it will scale and everything. So two days and we support a new controller brand, which is pretty good.
Learned: network vendors' firmware quality. There are so many regressions. We get a client, they update the IOS, they upgrade the switch firmware, and then boom, something that used to work before stops working now, and so it's really, really painful. Weird coincidences: I saw the same exact bug implemented in like four different brands and I couldn't believe it. I was like, it's the same bug, and it's an obscure bug, and so you see that there is probably a lot of people buying code from other vendors and stuff, and a lot of reuse of the same code, which unfortunately I guess is handled very differently, because the bugs are fixed in one vendor but not the other one, but it's obviously the same bug. Also something that happened with us is: "oh, I think there's a bug in there", and the vendor says "all right, it doesn't work using the command line interface, but it does work in the web GUI". But who manages hundreds of devices using a web GUI? Aside from controllers, which do a pretty good job, but for switches, come on, this is really odd. And scale issues: I just wanted to hint at an issue I faced where, in the SNMP, they were handling the MAC addresses seen on layer two in the same table as the MAC addresses secured on ports, so when you want to list the secured MAC addresses on the switch, if the layer 2 network is really large, then you start to snmpwalk tens of thousands of devices and it makes the whole thing completely slow. So we often faced problems like that, and we just don't know what to do with that, and then we run to the network vendor and they say "come on, it's not us, it's been working fine for most people", but then you ask them "do you have NAC implemented with one of the NAC providers?" and they say "no, what's NAC?" So it's a problem. I know some people aren't going to agree with this, but all vendors hold tight on their issue trackers. Oh well, I'm talking network vendors again. Most of them hold tight on their firmware, so we have a customer paying us to implement NAC on their switch and we're having a hard time downloading their firmware. This is not normal; we need to escalate and send a lot of emails. Some of them even hold tight on their documentation, so we've got a physical switch that they sent us, but we are having a hard time downloading a PDF to configure the said switch. It's really, really a problem. Can it just stop? Opening your documentation, opening your firmware, has proven to be a good thing. Let's compare Visual Basic with PHP in the '95 days: PHP's documentation was open, so it got picked up by search engines, and people who had problems had a really easy way to find solutions, but with the network control stuff, the network vendors, you google and you almost never get good answers; you get a lot of open-ended questions that are not answered. So please, come on, they should get wikis and they should do it the open-source way, it will make everyone's life easier, and right now I think it's more penalizing their customers who paid for their hardware, the way they are working right now. So I'm a little distressed by that.
OK, OK. Again, learned: nobody does infrastructure authentication, which is a big security problem. Let's skip that.
OK, the bad things we do with PacketFence. First installation step: disable SELinux. Yeah, that's right, we suck at SELinux. We tried, we just couldn't figure it out; if someone wanted to help, it would be really appreciated. We have too short a release cycle for a core piece of infrastructure: we released like 11 releases in the last year or so, maybe, and so it's really fast for most people. We don't have an nmap integration; I saw Fyodor speak at DEF CON last year and I really am into nmap, but we still couldn't get help or time or customer mindshare to implement nmap, so it's not done yet, and I think it's bad. External code contributions are scarce; we're having a problem creating a good community, probably because it's not sexy doing network access control, it's really enterprise-y infrastructure stuff, which is really attracting a lot of developers. And we're pretty much CentOS/RHEL for now, but we want to fix that.
So what we've done that is good: we improved a lot in the last two years. The development process and the infrastructure: fully automated smoke tests; we're packaging every night, so the software builds, there are new packages out, and you can hook on a yum repository to the latest software. Our branches are stable, so we have a stable branch. Everything is public; there are no big code dumps like Android, every commit is public and on the Internet, so it's really a true open source project. All of that GPL, by the way; I don't think I have this anywhere in my slides, so it's all GPL-licensed. The code is usability-plus-plus: we really worked hard on simplifying the installation and the upgrades. If you tried PacketFence like two years ago, give it another try, because it really changed a lot. We got enterprise-y new features, so you can have user rights for people using the web admin; this way your helpdesk cannot screw up the whole system. We support routed environments out of the box, so we inject static routes automatically and do the DHCP config and all that stuff, so we've been deploying a lot in campus-based environments where you need to route between the buildings, and it works really, really well, and it was an appreciated feature. 64-bit support. We now have a fancy guest workflow support; we've been working on that branch for a year and now we're about to merge it with the upcoming 3.0 release. We improved performance on several occasions. Let's skip that. Technology: we support web services to manage hardware. We've been doing our own web services for the RADIUS access control, so people could technically decouple FreeRADIUS, let's say you keep your FreeRADIUS per campus and then you do a SOAP request, so a web services request, to the PacketFence server, so you could have a distributed architecture, like a three-layer architecture, but based on RADIUS. We also did PacketFence in the cloud, on EC2: the only thing you need locally is an OpenVPN and everything is tunneled. This was more a fun hacking project we did; no one really wants to pay for that, we realized, because it's too scary to have network access control in the cloud. Making inline and out-of-band work at the same time on the same server: this is really new and we're releasing this with 3.0, so we'll be able to support old, ancient hardware at the same time as the VLAN-based solution, a strong, good technique. This is, I think, some interesting feature. How long do I have left? Two minutes, OK, I need to bypass that, I'm sorry. So we did a proxy bypass, client-side proxy bypass, really interesting, see the slides if you want to see what I mean. JavaScript network access detection, we've worked on that too, which is kind of a hack because I'm trying to avoid the cross-domain origin policy stuff, and it's kind of neat, that's why I include it here, but let's skip that. So
short term, we're going to do inline mode to support legacy network hardware more easily; it's now in beta, so it's public already. We want to do RADIUS accounting, bandwidth monitoring with the proper alarms for it, so we could be more of a hotel-style network access control, I guess. We're looking into NAP and Statement of Health, client-time checking, RADIUS Change of Authorization which we haven't done yet, ACL and QoS assignment with RADIUS: a lot of my colleagues have been working on that, and we're now kind of unsure how we will present the interface to the user, but we've got the basic technology and technique working, it's just more about how we will present the feature to the user. We would like to support VPNs, so then we will really be covering every access control technique that we know about. Debian/Ubuntu support, of course. Longer term, we kind of hate the active/passive approach for doing high availability; we would prefer a simpler active/active clustering approach, so we are working on that. nmap and OpenVAS integration, and making this stuff click-next-next-next easy to install; we're making progress with this with the 3.0 beta, where for the PacketFence ZEN solution it will be DHCP-based NAC: you plug it in the trunk port and it will mostly work for most people. So we're really making progress with that and trying to make it easier all the time. Research topics, if people are really interested in more advanced stuff: we want to implement IF-MAP, we're looking at doing a client-side agent, but we would like a multi-platform, like Python-based maybe, approach and stuff. So yeah, that's pretty much it. We beg for help. We want everyone to use PacketFence if they can. Conclusion: I hope I demystified NAC for you guys, and you should give PacketFence a try if you manage a network, because I think you'll see value quite quickly. Thank you very much, see you in the briefing room.
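As an added example, not code from the talk or from the PacketFence project: the Snort-driven quarantine workflow described above (a device matching an enabled rule is isolated; the captive portal lets it re-enable its own access a limited number of times, after which it is locked out) can be modelled as a parser over Snort's "fast" alert format plus a per-device violation counter. Everything below is constructed for illustration: the alert lines are not real Snort output, the SIDs use the local 1000000+ range, and the addresses and thresholds are made up.

```python
"""Snort 'fast' alert parser plus a per-device violation policy.

Added example, not PacketFence code.  Sample alerts, SIDs, addresses and
thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict

# One Snort "fast" alert line, e.g.
# 08/30-14:22:01.123456  [**] [1:1000001:1] msg [**] [Classification: c] \
#   [Priority: 2] {TCP} 10.0.5.23:51413 -> 203.0.113.9:6881
# The Classification block and the ports are optional (e.g. ICMP alerts).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert-file content (not real Snort output).
SAMPLE_ALERTS = [
    "08/30-14:22:01.123456  [**] [1:1000001:1] LOCAL P2P BitTorrent handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.5.23:51413 -> 203.0.113.9:6881",
    "08/30-14:25:17.000001  [**] [1:1000001:1] LOCAL P2P BitTorrent handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.5.23:51413 -> 198.51.100.77:6881",
    "08/30-14:31:40.500000  [**] [1:1000001:1] LOCAL P2P BitTorrent handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.5.23:51414 -> 203.0.113.42:51413",
    "08/30-14:40:02.250000  [**] [1:1000001:1] LOCAL P2P BitTorrent handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.5.23:51414 -> 203.0.113.8:6881",
    "08/30-14:41:11.000000  [**] [1:1000002:1] LOCAL SCAN port sweep of server VLAN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.5.40:40123 -> 10.0.1.10:445",
    "08/30-14:42:00.000000  [**] [1:1000003:1] LOCAL INFO mDNS query [**] [Priority: 3] {UDP} 10.0.5.23:5353 -> 224.0.0.251:5353",
    "08/30-14:43:00.000000  [**] [1:1000002:1] LOCAL SCAN ICMP sweep of server VLAN [**] [Priority: 3] {ICMP} 10.0.5.40 -> 10.0.1.11",
    "this line is not a snort alert",
]

# Constructed policy: sid -> violation name and how many times the offending
# device may release itself from isolation before it is locked out.
# (max_enable = 3 mirrors "three times, then completely locked out";
#  max_enable = 0 locks on the first hit.)
VIOLATION_POLICY = {
    1000001: {"name": "p2p_bittorrent", "max_enable": 3},
    1000002: {"name": "scan_of_server_vlan", "max_enable": 0},
}


def parse_fast_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert


class ViolationTracker:
    """Counts triggers per (source IP, sid) and decides the enforcement action."""

    def __init__(self, policy=VIOLATION_POLICY):
        self.policy = policy
        self.hits = defaultdict(int)  # (src_ip, sid) -> number of triggers

    def record(self, alert):
        rule = self.policy.get(alert["sid"])
        if rule is None:
            # Rule not covered by policy: Snort logs it, the NAC does nothing.
            return {"action": "ignore", "src": alert["src"], "sid": alert["sid"]}
        key = (alert["src"], alert["sid"])
        self.hits[key] += 1
        count = self.hits[key]
        return {
            "action": "isolate",
            "src": alert["src"],
            "sid": alert["sid"],
            "violation": rule["name"],
            "count": count,
            # The captive-portal "re-enable" button is offered only while the
            # device has not used up its allowed self-releases.
            "self_release": count <= rule["max_enable"],
        }


def process_alerts(lines, tracker=None):
    """Feed alert-file lines through the tracker; unparsable lines are skipped."""
    if tracker is None:
        tracker = ViolationTracker()
    decisions = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        decisions.append(tracker.record(alert))
    return decisions


if __name__ == "__main__":
    for decision in process_alerts(SAMPLE_ALERTS):
        print(decision)
```

In a deployment the `record()` result is what a tailer daemon would forward to the NAC (the talk mentions a SOAP request); here it is returned so the policy can be tested offline. Note that the counter is keyed on the source IP reported by Snort, so the mapping from IP to MAC or switch port has to come from the NAC's own records at isolation time.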