The threat behind MAC spoofing
When implementing any insurance policy, you need to start with estimating the level of risk, the probability of that risk, and the potential damage should that risk become a reality.
One of the network risks that is often presented to demonstrate the ineffectiveness of 802.1x solutions is the ease of bypassing modern network access control (NAC) by using MAC spoofing. Usually, this involves spoofing the network printer or other vulnerable device.
Now, let’s put aside the fact that network printers today can support certificate or credential-based authentication, and that certain products have remedies against such attempts even when the authentication is based on MAC.
Let’s consider: is MAC spoofing a legitimate threat or an exaggerated, manageable flaw?
But before I try to analyze this risk, I want to point out the biggest advantage a NAC solution can give an organization to cope with modern cyber security threats: the ability to apply dynamic segmentation based on device type or identity.
Without going into too much detail, NAC is one of the only systems that can help you prevent lateral movement, indirectly allowing you to identify breaches and directly helping you to prevent the compromise of your crown jewels.
The threat landscape
Here are some of the most common adversaries when it comes to MAC spoofing:
- The employee – a disgruntled current or former employee
- The guest – a contractor, customer, patient, etc. who physically visits your organization for a period of time
- The hacker – a malicious person trying to attack your network and steal information, causing harm to your organization
And here are the most common attack surfaces:
- Wired, ethernet switches
One caveat: most wifi environments contain managed devices. So, for devices that do not have an 802.1x supplicant, and thus do not support certificate-based (or credential-based) authentication, it is easy to set up an isolated segment and significantly lower the risk of attack.
As such, we’ll put our focus on examining wired environments, and how they’re vulnerable to the above adversaries.
Let’s be clear – MAC spoofing requires some technical knowledge to execute, which the non-technical lay person typically does not possess. Those doing it know what they’re doing, and they know it’s wrong.
With that said, it’s important to point out that a lot of damage is caused by the unintended – i.e. people clicking on a link in an email, deleting the wrong record or file, or even dropping a laptop into a pool.
Employees should be trustworthy. If they’re not, cyber security is likely not your problem. But, when someone is fired, laid off, or even just mistreated at work, there always exists the potential for them to hold a grudge. It’s human nature.
Disgruntled employees can pose a big risk. If an employee still works for an organization and is determined to do damage, that is a problem that is nearly impossible to prevent. The network connection alone is not going to stop them from stealing data or worse. This individual likely already has access through other corporate devices and the credentials to reach whatever data they want.
At the end of the day, however, this individual’s risk of MAC spoofing can be categorized as “very low”, with “low” probability and “low” potential for damage. The reason is that the potential damage done is not necessarily related to the network connection. The first line of defense against disgruntled current or former employees is physical barriers – i.e. locked doors and other physical security.
A guest visiting your office might want to connect to your network. Most likely, this guest will not go to great lengths to hack your network if they are initially blocked. By supplying a guest network, such as a guest wifi, you will effectively eliminate that risk altogether. Thus, like the employee, this individual’s risk of MAC spoofing can be categorized as “very low” for both probability and damage.
A hacker will need physical access to your network in order to do their job. Today, spearhead attacks can enable hackers to access your networks from afar. Doing so, however, typically requires some sort of motive.
This motivation is often dependent upon the type of business you operate. If you’re in military and defense, for example, you likely have a higher than average risk of being the target of such an attack. The same goes for banking and financial services, healthcare and any other industry with highly sensitive and confidential data.
For most organizations, the threat of physical access hacking is typically low, while the potential for damage could be high. Should a retailer fear physical burglary just because a new device has connected to its network? I think not.
For most organizations, the risk of MAC spoofing is almost non-existent. This is usually fairly easy for an auditor to demonstrate, and would appear as part of a comprehensive security report. So in reality, the perception of the threat is that it’s a much larger problem than it actually is.
You can also prevent MAC spoofing by implementing stronger authentication methods that are fairly common today. One of the major roles of NAC is to provide secure authentication and authorization to the network. Thus, even if authentication is somehow breached, authorization serves as a second layer of defense that can limit access by placing potentially risky devices or users in a specific “narrow” segment.
The segmentation of specific types of MAC-based devices is a best practice in NAC. Even if spoofing occurs, such a device won’t be able to access a particularly sensitive VLAN, such as those in Finance or HR, if proper segmentation has been established through your network security policies.
Cyber security data breaches are becoming increasingly common and severe. Today, banks, insurance companies, investment firms, and other financial institutions are considered to be prime targets. Due to the sensitivity and importance of their data, these institutions suffer approximately 300X more cyber breaches than any other industry.
In 2018, the financial sector reported 819 cyber incidents, an explosive increase from the 69 incidents reported for 2017 – including the infamous Equifax data breach. The total numbers for 2019 won’t be available until next year, yet we know that the financial sector has already experienced a number of significant attacks this year. Such breaches included the attacks on Capital One, First American Financial Corp., Desjardins Group and Westpac/PayID.
Despite these pervasive cyber security threats, financial institutions are still failing to prevent, defend, prepare and respond effectively to attacks – particularly when it comes to network security. In many cases, the problem stems from executive leadership not prioritizing the cybersecurity budget or emphasizing its importance. Few organizations make prevention a priority, few apply the top recommended CIS controls or prepare employees on how to respond effectively in the event of a security incident. Unfortunately, poor network access control and other cyber security oversights lead to hundreds of millions of dollars in losses, the exploitation of personal data and more.
Some financial institutions, however, have already decided to take proactive measures this year to obtain risk monitoring, visibility and access controls. One such group is Royal London, the UK’s largest mutual life, pensions and investment company. Faced with limited network and device visibility, they had a variety of security and compliance issues to contend with. However, since implementing Portnox CORE, the company and all of its locations have instituted a higher level of cyber hygiene.
CORE is a simple to operate network access control solution that provides full visibility into every endpoint and component on the network, along with risk monitoring and enforcement capabilities. It is simple to deploy and manage and has received numerous cyber security awards.
From the moment Portnox’s on-premises NAC solution was implemented, Royal London’s security team has been able to successfully handle all challenges associated with visibility, control and compliance enforcement. This includes the ability to see all endpoints on the network, and ensure that they are properly secured according to company policies, privacy standards and regulatory compliance.
Furthermore, as risk-monitoring and other network security enforcement actions that would otherwise have to be done manually are now automated, Royal London’s IT team can devote their time to more important tasks, thereby increasing efficiency and productivity.
Portnox CLEAR is a cloud-based network security solution that provides role and risk-based network access control for corporate and BYOD endpoints across all access layers, including wired, wireless and VPN. CLEAR allows an IT administrator to discover and monitor unsecure, compromised and vulnerable devices, while being able to authorize and manage access to corporate networks based on device risk posture assessments.
In order to provide these capabilities, our cloud-based NAC solution collects and stores data in the cloud. With the understanding that organizational data includes sensitive and important assets for each company, CLEAR uses the most advanced and secure protocols to protect this data in accordance with best practices in data access control in cloud computing. To better understand these cloud security techniques, we will review the security of data at rest, data in transit, administration, management and additional cloud security measures.
Data at Rest
Portnox CLEAR uses Microsoft Azure as its IaaS (Infrastructure as-a-Service), PaaS (Platform as-a-Service) and in some instances, it uses Azure-specific SaaS elements. Azure infrastructure was selected because of its high security standards and global availability. In fact, Azure has the widest spread of data centers across the globe today.
CLEAR stores all data in Azure storage services protected by Azure Storage Service Encryption (SSE), where data is encrypted and decrypted using 256-bit AES encryption. For CLEAR administrators’ passwords and Radius shared secrets, CLEAR uses Azure Key Vault, where keys are stored in hardware security modules (HSMs).
Data in Transit
With Portnox CLEAR we protect all data traveling to and from CLEAR cloud services, and the methods are constantly being upgraded to stay ahead.
Ethernet Switches & Wireless Controllers
Ethernet switches and wireless controllers send AAA Radius authentication requests to CLEAR’s cloud Radius in order to validate devices and allow them access to networks protected by CLEAR services. All traffic is encrypted with a shared key between the NAS and CLEAR Radius.
In addition to that, TLS encapsulates the encrypted Radius packet and provides an extra layer of encryption.
There is an option to use the RadSec (Radius over TLS) protocol. RadSec runs TLS over TCP, which provides stronger security and reliability than the UDP transport commonly used for Radius communication.
Additionally, CLEAR admins can restrict access to the CLEAR Radius service by choosing to allow access only from specific IP addresses. All other IP addresses are denied access.
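As an added illustration, not Portnox code, of what the NAS-to-Radius shared key above and the segmentation-based authorization described earlier do on the wire: RFC 2865 scrambles the User-Password attribute with an MD5 keystream derived from the shared secret, its Response Authenticator lets the switch check that an Access-Accept came from a server holding the same secret, and the RFC 2868 tunnel attributes are how that accept places a device into a specific VLAN. The secret, Request Authenticator and VLAN name are constructed values.

```python
import hashlib
import hmac
import struct
# Constructed values (not from the page): a NAS/cloud-RADIUS shared secret and
# the 16-byte Request Authenticator a switch would put in its Access-Request.
SECRET = b"example-shared-secret-not-real"
REQ_AUTH = bytes(range(16))
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 attribute carrying the VLAN name

def password_xor(data, secret, req_auth, hiding):
    """RFC 2865 s5.2: the only field the shared secret scrambles. Each 16-byte block
    is XORed with MD5(secret + previous block), seeded by the Request Authenticator."""
    if hiding:
        data += b"\x00" * (-len(data) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]
    return bytes(out) if hiding else bytes(out).rstrip(b"\x00")

def vlan_attrs(vlan_name):
    """Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=name, each with a 0x00 tag octet."""
    return (b"\x40\x06\x00\x00\x00\x0d" + b"\x41\x06\x00\x00\x00\x06"
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vlan_name)) + b"\x00" + vlan_name)

def build_response(code, ident, attrs, req_auth, secret):
    """RFC 2865 s3: Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret),
    binding the reply to the request and to knowledge of the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(packet, req_auth, secret):
    """What a switch must do before honouring an Access-Accept and the VLAN in it."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = build_response(packet[0], packet[1], packet[20:], req_auth, secret)
    return hmac.compare_digest(expected[4:20], packet[4:20])

def assigned_vlan(packet):
    """Return the VLAN name from Tunnel-Private-Group-ID (tag stripped), or None."""
    pos = 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            value = packet[pos + 2:pos + length]
            return value[1:] if value and value[0] <= 0x1F else value
        pos += length
    return None
```

Only the password hiding and the authenticator depend on the secret; every other attribute, including the VLAN assignment, travels in the clear unless the packet is additionally carried over TLS (RadSec) as described above.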
All traffic between the VPN and CLEAR’s Radius server is encrypted using a symmetric key – a long, random key generated by the cloud-based NAC solution that is manually copied to the VPN device. Furthermore, the authentication details for users usually include only hashes, but those capabilities vary between VPN gateways. CLEAR secures the VPN client’s connection by verifying that connected devices comply with the organization’s risk-assessment policies and by using two-factor authentication capabilities.
Portnox CLEAR Cloud Broker
The cloud broker is an application component that runs on-premises and is used as a bridge between CLEAR cloud services and the corporate on-premises Active Directory. The broker is deployed when there is a requirement for 802.1X credentials authentication with on-premises Active Directories and/or for AgentP enrollment by using on-prem AD.
AD users and groups include sensitive and important information for any organization and thus the following security measures are taken:
- The Broker application is installed on a domain-joined machine, the account used for LDAP queries is a read-only user, and the LDAP communication can be plain LDAP or LDAPS (LDAP over SSL).
- The credentials of the service user that connects to LDAP are stored locally on the domain machine.
- The communication with CLEAR cloud services is always over TLS. All traffic is encrypted.
- CLEAR services are updated with group names and user IDs only; passwords never travel to the cloud, and verification is done using the MS-CHAPv2 challenge-response authentication protocol.
Portnox CLEAR’s AgentP
AgentP is a lightweight application that can be installed on most platforms, including Windows, macOS, iOS, Android and Linux. Using AgentP offers many security advantages, such as risk assessment capabilities, SSID configuration, 2FA for VPN/Okta, and deployment of CLEAR certificates. Data collected by AgentP is sent via the Transport Layer Security (TLS) protocol. The data is never stored locally on the endpoint; it is processed only in the device’s RAM and sent periodically to CLEAR services.
Administration and Management
The available administrators’ repositories are: CLEAR (based on email domains), Azure AD, Google G Suite and OKTA.
For administrators on our cloud-based network security platform, password complexity and expiration policies are built in and cannot be turned off. Two-factor authentication is also available for CLEAR admins, with authorization codes sent via text message. Captcha verification is also included as part of the sign-up process.
For Azure AD, G Suite and OKTA, the authentication is determined by the authentication repository, including multi-factor authentication.
Role-based access control is supported and administrators can be added with full admin permissions, read only or guest management only permissions.
Additional Security Measures
Portnox’s DevOps team uses automated code and scripts to identify security issues in the code. In addition, Portnox uses third party technologies that specialize in conducting complex penetration tests for cloud products.
Our cloud-based network security solution is a SOC 2 Type 2 compliant technology. Regular audits are conducted to ensure that the requirements of SOC 2 Type 2 security principles are complied with:
- Security – The system resources are protected against unauthorized access.
- Availability – The system is available as committed.
- Processing Integrity – System processing is complete, accurate, timely and authorized.
- Confidentiality – Information that is designated as confidential is protected.
- Privacy – Information that the service collects, retains, uses, discloses and disposes of is handled in accordance with its privacy commitments.
For more detailed information on CLEAR’s cloud-based network security measures, please contact your customer success representative, or visit the CLEAR support site.