05-28-2024 03:18 AM - edited 05-28-2024 03:36 AM
Hey,
Is there any way to protect from potential attackers that are using NAC bypass?
For example:
https://github.com/scipag/nac_bypass
If you have a solution I will be more than happy to hear.
05-28-2024 11:16 AM
Profiling? Anonymous endpoint detection? Or a third-party profiling utility such as Ordr?
05-28-2024 12:01 PM
Don't think you understood me.
You can't do profiling. If you look at the link I sent, under the "Use" section you will understand why.
Anonymous endpoint detection? You are talking about Anomalous Endpoint Detection? It won't capture that.
Ordr? Most likely won't capture that either.
05-28-2024 12:22 PM
Yes, sorry misspelling. Why wouldn't Ordr catch that in SPAN? The OS would appear different post "hack". I also fail to see why profiling wouldn't work here either? Unless you are only using a DHCP probe?
05-28-2024 01:28 PM - edited 05-28-2024 01:58 PM
Nothing I do will matter, though. Imagine that the Raspberry Pi acts as a bridge, meaning you won't see the "rogue" or the suspicious endpoint; you will only see the authenticated endpoint. I will give you a better example: you will also see one MAC address coming from that port, and that MAC address will be the legitimate endpoint.
I just don't understand how profiling will work, though. Mind giving me an example? I don't see the rogue device; it's invisible to me and to the switch.
If you want I can link you posts of red teams that did the bypass and they explain how they did it.
05-28-2024 02:48 PM
It's an L1/L2 man in the middle (MITM). Unclear how it works when initially plugged in - although it probably just does not respond. MACsec is the best solution for this.
05-28-2024 03:21 PM
@acapit - is this a theoretical concern, or why are you investigating this? It's no secret that MAB is an insecure form of authentication. Just because it falls under the umbrella of "NAC" doesn't mean that it makes network access secure. The clue is in the word "Bypass". It bypasses the real security mechanism, which is 802.1X. And 802.1X is secure because it relies on the client playing its part in the security dance. It takes two to tango! If the client has a supplicant then use it. EAP methods such as EAP-TLS and EAP-TTLS are probably the best form of barrier to entry on a network. And then you should disable MAB. How realistic is it to disable MAB in most networks? Not very, but that's the reality. If the client supports wireless, then rather go wireless because you get security as part of the authentication method.
As for MACsec - I have not seen this used on end clients, but the client needs extra software to make this work (e.g. Cisco's AnyConnect). At that point, if it's a semi-smart device, you probably have 802.1X on the endpoint anyway - just use that instead.
MAB == insecure. It's a reality. It falls on the rest of the network to then try to "protect" those untrusted segments, using other detection tools like Netflow, ACLs, Firewalls, AVC, DPI, etc. Security In Depth. And to be fair, even with 802.1X, the chances of someone spoofing a certificate on a rogue device are low (but not impossible), so all of those security mechanisms won't go amiss either.
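The thread disagrees on whether profiling from a SPAN feed could notice a transparent bridge that reuses the legitimate endpoint's MAC. The following is an added example, not code from any poster or from the linked project: it assumes per-flow summaries (source MAC, observed IP TTL, TCP option layout) have already been extracted from the SPAN capture, and it flags any MAC whose flows carry more than one coarse OS-stack signature. The records below are constructed, and the TTL/option heuristics are a deliberately rough stand-in for a real passive fingerprinting engine.

```python
"""Flag a single MAC address whose traffic shows more than one OS-stack signature."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str       # source MAC as seen on the access port / SPAN session
    ip_ttl: int        # IP TTL observed on the local segment (close to the stack default)
    tcp_options: str   # SYN option layout, e.g. "MSS,NOP,WS,NOP,NOP,SACK"


# Constructed sample records: the first three flows look like one Windows-style stack
# (TTL 128 family), the fourth flow from the SAME MAC looks like a Linux-style stack
# (TTL 64 family, different option ordering). The second MAC is consistent throughout.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", 128, "MSS,NOP,WS,NOP,NOP,SACK"),
    Flow("aa:bb:cc:00:00:01", 128, "MSS,NOP,WS,NOP,NOP,SACK"),
    Flow("aa:bb:cc:00:00:01", 127, "MSS,NOP,WS,NOP,NOP,SACK"),  # one hop away, same class
    Flow("aa:bb:cc:00:00:01", 64, "MSS,SACK,TS,NOP,WS"),
    Flow("aa:bb:cc:00:00:02", 64, "MSS,SACK,TS,NOP,WS"),
    Flow("aa:bb:cc:00:00:02", 63, "MSS,SACK,TS,NOP,WS"),
]


def ttl_class(ttl: int) -> int:
    """Map an observed TTL to the nearest common initial-TTL default (assumption: few hops)."""
    for default in (32, 64, 128, 255):
        if ttl <= default:
            return default
    return 255


def fingerprint(flow: Flow) -> tuple[int, str]:
    """Coarse stack signature: initial-TTL class plus TCP SYN option layout."""
    return (ttl_class(flow.ip_ttl), flow.tcp_options)


def find_inconsistent_macs(flows: list[Flow]) -> dict[str, list[tuple[int, str]]]:
    """Return MACs that emitted flows with two or more distinct stack signatures."""
    seen: dict[str, set[tuple[int, str]]] = defaultdict(set)
    for flow in flows:
        seen[flow.src_mac].add(fingerprint(flow))
    return {mac: sorted(sigs) for mac, sigs in seen.items() if len(sigs) > 1}


if __name__ == "__main__":
    for mac, sigs in find_inconsistent_macs(SAMPLE_FLOWS).items():
        print(f"{mac}: {len(sigs)} distinct stack signatures -> {sigs}")
```

A single MAC presenting two stack signatures is an investigation lead, not proof of a bridge; a dual-boot host or a virtual machine in bridged mode produces the same pattern.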