Raspberry Pi detection

jonbrown
Cisco Employee

Hello,

I have a customer that is concerned with Raspberry Pi devices getting on their network. Can ISE identify a Raspberry Pi device based on its network characteristics? My understanding is that the Raspberry Pi device takes on the characteristics of the PC that’s connected to the back of it. The Raspberry Pi passes the credentials of the PC behind it to gain access to the network; the customer is concerned these devices can sniff in-line and steal confidential data.

This is for a quarter end deal, a quick response would be appreciated. Thanks!


Timothy Abbott
Cisco Employee

Hi Jon,

RPi devices can be detected by ISE. In fact, they have their own OUI (Raspberry PI Foundation) for the built-in Ethernet adapter. This makes it very easy to build a profile for it. What does confuse me is that you say they are being connected to a PC? Which device actually has network connectivity?

Regards,

-Tim

Thanks Tim,

Here is the thread from our customer:

<snip 1>

Guys,

I have been asked today to look into how and whether Cisco ISE can thwart a Raspberry Pi device if it is plugged into one of our access switch ports.  This device can apparently be used to attack the network.  See below.  Please advise.

"I'm told these type devices take on the PC characteristics and will be allowed on the Network. Is that not correct?"

<end snip 1>

Our response:

Absolutely. You can predefine profiles that are allowed on your network. Any device that falls outside of those profiles can be automatically blocked, restricted to a quarantine VLAN or allowed guest access as you require.

<snip customer response>

I'm told these type devices take on the PC characteristics and will be allowed on the Network. Is that not correct?

<end snip>

Neither my CSE nor I have any experience with the device, so not sure what it's capable of. Very much appreciate the response.

I believe they are talking about something like this?

Pwned again: An exclusive look at Pwnie Express’ newest hack-in-a-box | Ars Technica

Raspberry Pi As A Hacking Arsenal | The Security Blogger

I would think that securing the ports with dot1x with machine based certificates plus user based certificates/creds and compliance checks would protect fairly well?

Hi Jason, you are correct!

The customer was saying ForeScout could not detect the device, so it's a big differentiator if we can. They are looking for any white papers or testing to show we can detect/block/notify on the device. Any chance the BU has plans for this type of testing?

I have reached out to chyps tiabbott to see if there is anything more we can offer

The Raspberry Pi devices have a unique MAC address that starts with B8:27:EB, which provides a unique OUI, as Tim noted, of "Raspberry PI Foundation". Additionally, the default hostname is "raspberry".

DHCP is enabled by default and it primarily runs a Linux-based OS. Therefore, you can often detect the TCP/IP stack from DHCP-Class-Id or Parameter-Request-List, which is based on Linux, such as a Class ID containing "dhcpd" or "Linux". In addition to the default Raspbian, it can also run many other third-party operating systems.

As Jason noted, best practice is to authenticate everything that connects to the network and apply the principle of least privilege to limit what non-authenticating devices can access. As a small device, they could be more easily inserted inline and used for MiTM attacks, as the articles Jason referenced indicate. MACsec can be used to prevent such attacks.

Craig
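
The attribute checks listed in the reply above (OUI, default hostname, DHCP class ID), written out as an added example that is not part of the original thread and is not Cisco ISE code. The function names, weights, and sample option bytes are assumptions made for illustration; the second sample shows a client with PC-like attributes matching nothing, which is why the replies pair profiling with 802.1X and MACsec.

```python
# Added example; weights are illustrative assumptions, not Cisco ISE profiler values.
RPI_OUI = "b8:27:eb"                  # OUI quoted in the thread
HOSTNAME_HINT = "raspberry"           # default hostname as stated in the thread
CLASS_ID_HINTS = ("dhcpd", "linux")   # class-id substrings as stated in the thread
OPT_PAD, OPT_HOSTNAME, OPT_CLASS_ID, OPT_END = 0, 12, 60, 255


def parse_dhcp_options(raw: bytes) -> dict:
    """Parse a DHCP options field (the bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:           # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def score_client(mac: str, raw_options: bytes):
    """Return (score, matched_attributes) for one DHCP request."""
    opts = parse_dhcp_options(raw_options)
    hostname = opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace").lower()
    class_id = opts.get(OPT_CLASS_ID, b"").decode("ascii", "replace").lower()
    checks = [
        ("oui", 20, mac.lower().replace("-", ":").startswith(RPI_OUI)),
        ("hostname", 10, HOSTNAME_HINT in hostname),
        ("class-id", 10, any(h in class_id for h in CLASS_ID_HINTS)),
    ]
    matched = [name for name, _, hit in checks if hit]
    return sum(w for _, w, hit in checks if hit), matched


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed sample option fields (not captured traffic).
DEFAULT_PI = _opt(53, b"\x01") + _opt(12, b"raspberry") + _opt(60, b"dhcpd Linux") + b"\xff"
PC_LIKE = _opt(53, b"\x01") + _opt(12, b"DESKTOP-EXAMPLE") + _opt(60, b"MSFT 5.0") + b"\xff"

if __name__ == "__main__":
    print(score_client("B8:27:EB:00:00:01", DEFAULT_PI))
    print(score_client("00:00:5E:00:53:01", PC_LIKE))
```
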

Thanks all! Really appreciate the assist.