Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1305
Views
0
Helpful
4
Replies

Detecting endpoint-hosted virtual machines?

SeanP
Level 1
Level 1

‎03-12-2018 07:48 AM

This is my first time posting to the community at-large.. please be gentle.

I've been working with ISE 2.3 for about two weeks so my apologies in advance if this is a dumb question. We're performing a bake-off with multiple NAC solutions and one of the evaluation criteria is the ability to detect and enforce network access restrictions on guest virtual machines hosted on otherwise approved endpoints. For example, assume a known Windows endpoint connects to the network and is subsequently authenticated and permitted access to the network. That same endpoint them starts a Kali Linux virtual machine and starts pen-testing the internal network. I realize there's an entire ecosystem of solutions meant to detect this "east-west' activity but my question is can a standalone implementation of Cisco ISE (no Stealthwatch, no PxGrid, etc) detect the presence of a hosted virtual machine based on information reported by the access device (netflow, cdp, lldp, etc)? Our access devices for the tests are a 4500x (03.08.01 universal k9) and a 3750x (15.0.2-SE11 universal k9).

I've been reading day and night and I can't seem to find a straightforward answer on this subject. Granted, I'm just getting started with 802.1x and NAC concepts in general.

Thanks,

SP

0 Helpful
4 Replies 4

afahmy
Cisco Employee
Cisco Employee

‎03-12-2018 09:45 AM

Hi there

Unless I completely misunderstood your question please note the following

Kali Linux supports 1x auth

http://www.keyboardbanger.com/configuring-authentication-kali-linux/

Cisco switches Support multi auth

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-multi-auth.html

This feature supports multiple hosts on the same network port

Thanks

Ahmed

Sent from my iPhone

0 Helpful

SeanP
Level 1
Level 1
In response to afahmy

‎03-12-2018 10:11 AM

Thanks Ahmed,

The muti-auth option seems to work well for daisy-chained scenarios (switch->ip phone->pc) and bridged VMs. I think the concern here is the use of unauthorized virtual machines NAT'd behind an authenticated endpoint; using VMware workstation or VirtualBox for example. In that situation, I'm not sure how the NAC could distinguish the physical host from the guest VM, barring some form of packet analysis.

Thanks,

SP



0 Helpful

Jason Kunst
Cisco Employee
Cisco Employee
In response to SeanP

‎03-12-2018 04:22 PM

You would need to install anyconnect posture module (system scan) on the endpoints to block them from doing this, this would be out of compliance

0 Helpful

SeanP
Level 1
Level 1
In response to Jason Kunst

‎03-13-2018 10:22 AM

Thanks Jason, that appears to be the general consensus in most of my other research. With out some endpoint assessment / enforcement agent, there doesn't appear to be a method for detecting NAT'd virtual systems.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents