<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: user-ip mapping for lan connection in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843975#M1100935</link>
    <description>&lt;P&gt;Yes, thanks for your quick reply. We do have an FTD with FMC, and we are also planning for ISE. But I'm interested in how the switch and wireless controller provide the latest user-IP mapping to ISE.&amp;nbsp;Which config or technology will be used? Especially when a user manually changes the IP, how could ISE find out right after the change?&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sat, 27 May 2023 15:41:02 GMT</pubDate>
    <dc:creator>chengl031</dc:creator>
    <dc:date>2023-05-27T15:41:02Z</dc:date>
    <item>
      <title>user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843973#M1100933</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We need to audit the network traffic and also apply some rules based on users or groups. Is there a way that a switch or a wireless controller can provide a user-to-IP mapping table? This needs to be "auth-level": the data needs to be unique and fresh. For example, if a user manually sets a static IP (ignoring DHCP) or changes the IP after a successful DHCP lease, the firewall needs to know of the change immediately, maybe via something like an SNMP trap.&lt;/P&gt;&lt;P&gt;So far I know the switch has a function called device-tracking; is it a good choice for the above situation? Do we have some other way? What about wireless? Thanks&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 15:32:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843973#M1100933</guid>
      <dc:creator>chengl031</dc:creator>
      <dc:date>2023-05-27T15:32:02Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843974#M1100934</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1140379"&gt;@chengl031&lt;/a&gt; you would need to use 802.1X with ISE, which can authenticate wired, wireless and VPN users. These IP/user bindings can then be transmitted to the FTD firewall using the pxGrid feature. You can then create firewall rules based on user or group information.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/identity-overview.html" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/identity-overview.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 15:35:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843974#M1100934</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2023-05-27T15:35:25Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843975#M1100935</link>
      <description>&lt;P&gt;Yes, thanks for your quick reply. We do have an FTD with FMC, and we are also planning for ISE. But I'm interested in how the switch and wireless controller provide the latest user-IP mapping to ISE.&amp;nbsp;Which config or technology will be used? Especially when a user manually changes the IP, how could ISE find out right after the change?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 15:41:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843975#M1100935</guid>
      <dc:creator>chengl031</dc:creator>
      <dc:date>2023-05-27T15:41:02Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843978#M1100936</link>
      <description>&lt;P&gt;Hi&lt;/P&gt;
&lt;P&gt;To control a machine at that level, a solution that directly interacts with the machine itself, like CrowdStrike for example, would be better.&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 15:46:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843978#M1100936</guid>
      <dc:creator>Flavio Miranda</dc:creator>
      <dc:date>2023-05-27T15:46:12Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843980#M1100937</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1140379"&gt;@chengl031&lt;/a&gt; the client devices are configured with 802.1X, the username is sent to the ISE to authenticate. As part of that process the IP device tracking feature configured on the switches sends the IP/MAC mapping to ISE in the RADIUS accounting packet. Thus ISE has the IP/User mapping, which is sent to the Firewall via the FMC.&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 15:48:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843980#M1100937</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2023-05-27T15:48:02Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843984#M1100938</link>
      <description>&lt;P&gt;Is there an interval between the switch sending accounting packets to ISE? Will there be a time gap when a user changes their IP after&amp;nbsp;&lt;SPAN&gt;authenticating? Like a TOCTOU attack: the user has already changed to a new IP, but FTD still holds an old version of the mapping.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;And also, if a user changes their IP to one that duplicates another user's, what action will the switch and ISE take? Like an IP spoofing attack.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 16:02:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843984#M1100938</guid>
      <dc:creator>chengl031</dc:creator>
      <dc:date>2023-05-27T16:02:43Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843985#M1100939</link>
      <description>&lt;P&gt;Thanks. You mean I need direct control of the client OS? Such as not giving the user local admin privileges in Windows to prevent unexpected IP changes? Is there no good way to deal with this at the network scope?&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 16:05:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843985#M1100939</guid>
      <dc:creator>chengl031</dc:creator>
      <dc:date>2023-05-27T16:05:46Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843989#M1100941</link>
      <description>&lt;P&gt;I used to work at a company that used the solution I mentioned, and the control they had over the machine was extremely high, to the point that they could know about any network change on the machine. It is not about user privilege but monitoring and control.&lt;/P&gt;
&lt;P&gt;Check the tool out and you can see. But they also had ISE with NAC and everything, of course.&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 16:18:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843989#M1100941</guid>
      <dc:creator>Flavio Miranda</dc:creator>
      <dc:date>2023-05-27T16:18:41Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843990#M1100942</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1140379"&gt;@chengl031&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;If the IP address was changed on the device, reauthentication will occur and ISE will know of the IP address as part of that process. ISE will send that updated information to the FMC straight away.&lt;/P&gt;
&lt;P&gt;Regardless, if they did change their IP address they could only change to an IP address in the same VLAN they are connected to, else they will not be able to route over the network.&lt;/P&gt;
&lt;P&gt;If you authenticate the users that implies the user is trusted. If you manage the computers they are connecting from, then restrict the ability to assign a static IP address.&lt;/P&gt;
&lt;P&gt;Dynamic ARP inspection (which relies on DHCP snooping) could be used to ensure the user has a valid IP/MAC binding on the switch, via DHCP. If the user were able to assign a static IP address, there would be no binding and thus the connection would be dropped.&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 16:37:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843990#M1100942</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2023-05-27T16:37:34Z</dc:date>
    </item>
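The switch-side configuration that the two answers above describe (IP device tracking feeding the IP/MAC binding into RADIUS accounting, plus DHCP snooping and Dynamic ARP Inspection to refuse unbound addresses), shown as an added example for Cisco IOS-XE access switches. This is not configuration from the thread or from Cisco documentation; VLAN 10, the interface names, the RADIUS server address and the shared secret are placeholders, and IP Source Guard (ip verify source) is added beyond what the answer mentions because DAI only inspects ARP, while IP Source Guard drops all IP traffic from an address that has no snooping binding.

```text
! ==== Weak: 802.1X alone ====
! Authenticates the session at layer 2 only. Nothing ties the session to an
! IP address, no accounting is sent, and a host that sets a static IP after
! authenticating keeps forwarding with the firewall none the wiser.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator

! ==== Hardened ====
! 1. Accounting carries the IP/user binding to ISE. "update newinfo" makes the
!    switch send an Interim-Update as soon as device tracking learns a new
!    address for the session, so a changed IP is reported without waiting for
!    the periodic timer (2880 minutes here, a placeholder value).
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 2880
! Include Framed-IP-Address (attribute 8) in Access-Requests as well.
radius-server attribute 8 include-in-access-req
!
! Placeholder ISE policy service node; secret is a placeholder.
radius server ISE-PSN
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
!
! 2. Device tracking gleans IP/MAC per port from DHCP, ARP and ND, which is
!    what populates Framed-IP-Address in the accounting records.
device-tracking policy IPDT-ACCESS
 security-level glean
 no protocol udp
 tracking enable
!
! 3. DHCP snooping builds the binding table; DAI and IP Source Guard enforce it.
!    A host that ignores DHCP and sets a static address has no binding, so its
!    ARP (DAI) and IP traffic (IP Source Guard) are dropped instead of being
!    forwarded under a stale user-IP mapping.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 device-tracking attach-policy IPDT-ACCESS
 ip verify source
!
! Uplink toward the DHCP server and the rest of the network must be trusted,
! otherwise legitimate DHCP offers and ARP replies are dropped too.
interface TenGigabitEthernet1/1/1
 description uplink (placeholder)
 ip dhcp snooping trust
 ip arp inspection trust
```

Two checks worth running after applying this: "show device-tracking database" should list the authenticated host's IP next to its MAC and port, and "show ip dhcp snooping binding" should have a matching entry; if a host that changed to a static address still forwards, look at whether "ip verify source" is actually on its port. The window the asker calls TOCTOU does not vanish: the switch learns the new address, then sends the Interim-Update, then ISE publishes it to FMC. What IP Source Guard does is make that window harmless for a static address, because the unbound traffic is dropped rather than matched against the old mapping. Hosts that genuinely need static addresses require an explicit "ip source binding" entry or they will be blocked.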
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843991#M1100943</link>
      <description>&lt;P&gt;Thanks again, I'll take a look at that solution.&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 16:24:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843991#M1100943</guid>
      <dc:creator>chengl031</dc:creator>
      <dc:date>2023-05-27T16:24:45Z</dc:date>
    </item>
    <item>
      <title>Re: user-ip mapping for lan connection</title>
      <link>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843996#M1100944</link>
      <description>&lt;P&gt;Really? I think in the default configuration the LAN authentication is only on layer 2. I tried to change the IP on a wireless network with the WPA2-Enterprise authentication method and succeeded. Please tell me if I am missing something or if this behaviour needs additional config.&lt;/P&gt;&lt;P&gt;I want to try to figure it out at the network scope first; if not, then I'll think about some solution with an agent or tools on the client. A very important requirement is traffic audit, so the VLAN scope is too large and cannot be related to a single user. And also, as you know, FTD is an NGFW; we also want to use some layer 7 access control policies, such as defining rules based on AD user groups. These also need a user-IP mapping.&lt;/P&gt;</description>
      <pubDate>Sat, 27 May 2023 16:42:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/user-ip-mapping-for-lan-connection/m-p/4843996#M1100944</guid>
      <dc:creator>chengl031</dc:creator>
      <dc:date>2023-05-27T16:42:21Z</dc:date>
    </item>
  </channel>
</rss>