The question about ISE Profiling: the problem of how to detect a guest OS (that is running on a hypervisor)

s_malinskiy
Level 1

Hello guys,

 

I have a task to detect and profile a Guest OS (like Win10 on VBox, for example) and want to ask you guys how you do this, especially how you detect it while avoiding tampering with mdm-tlv messages, since they can be easily tampered with by the native tools of the hypervisor (VBoxManage, for example), since device-type, device-ma can be easily changed.
Maybe there is some module for AnyConnect that can be used to detect that AnyConnect is running from a VM environment?

 

Thank you.


3 Replies

Mike.Cifelli
VIP Alumni

I am not quite sure exactly what you are looking for here. Typically in a server stack you would not enable/run 802.1X, as this is typically used on host-facing ports. However, there are ways to accomplish it if you desire. As far as what I think you are asking in regard to profiling, take a peek at the ISE AD probe. This probe allows you to utilize the following attributes: AD-Host-Exists, AD-Join-Point, AD-Operating-System, AD-OS-Version, AD-Service-Pack. Note that the connecting switch will need to be properly configured as a device sensor, and the probe and profiling in ISE will need to be properly configured. This may better assist you: https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

Maybe there is some module for AnyConnect that can be used to detect that AnyConnect is running from a VM environment?
-You may be able to target specific conditions via the ISE Posture module. This is an entirely separate solution in regard to ISE configuration, etc. My suggestion would be to find a unique registry key, piece of software, or anything that differentiates the virtual host from the physical host. Take a peek here for more details: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
Not sure if this answers your questions, but hopefully this helps shed some light. Good luck!
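As an added illustration of the "unique registry key that differentiates the virtual host" idea in the reply above (example code written for this thread, not Cisco's or ISE's own posture module), the script below reads the firmware identity strings Windows exposes under HKLM\HARDWARE\DESCRIPTION\System\BIOS and matches them against hypervisor vendor names. The marker list, the verdict names and the function names are this example's own choices.

```python
# Added example, not Cisco/ISE code: an endpoint-side check of the kind an ISE
# posture registry condition could express. Windows publishes the firmware's
# identity strings under HKLM\HARDWARE\DESCRIPTION\System\BIOS; hypervisors
# fill them with their own vendor/product names. The marker list is this
# example's own, and a guest with admin rights can rewrite these strings too.
import platform

# Substrings seen in SystemManufacturer / SystemProductName / BIOSVendor of guests.
HYPERVISOR_MARKERS = ("virtualbox", "vmware", "qemu", "kvm", "parallels",
                      "xen", "virtual machine")

def classify_bios(manufacturer, product, bios_vendor):
    """Return ("virtual", matched markers) or ("no-evidence", [])."""
    # Absence of a marker is not proof of physical hardware, only lack of evidence.
    haystack = " ".join(s or "" for s in (manufacturer, product, bios_vendor)).lower()
    hits = [m for m in HYPERVISOR_MARKERS if m in haystack]
    return ("virtual", hits) if hits else ("no-evidence", [])

def read_windows_bios_identity():
    """Read the three strings from the registry; None when not on Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System\BIOS")
    try:
        def value(name):
            try:
                return winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:  # value not present on this build
                return ""
        return value("SystemManufacturer"), value("SystemProductName"), value("BIOSVendor")
    finally:
        winreg.CloseKey(key)

def posture_verdict():
    """'virtual', 'no-evidence', or 'not-applicable' on non-Windows hosts."""
    identity = read_windows_bios_identity()
    return "not-applicable" if identity is None else classify_bios(*identity)[0]

if __name__ == "__main__":
    print(posture_verdict())
```

In ISE itself the same comparison would be expressed as a posture registry condition on those value names rather than as a script.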

thomas
Cisco Employee

Unclear what your desired policy is, but here are your policy / technology options:

 

  1. Bridged Mode VMs
    1. 802.1X to Authenticate All Users and/or Machines
      Note: this will require a switchport with Multi-Auth capability (assuming we are talking about a wired network) for multiple MACs on the same switchport.
      1. authenticate the VM at a machine or user level and apply appropriate policy
    2. MAC Authentication Bypass (MAB)
      Warning: Any endpoint (VMs specifically here) may randomize or spoof MAC addresses.
      1. Endpoint Profiling
        Endpoint profiling is meant to classify endpoints using many network protocol attributes, not just a single, spoofable MAC address. The more attributes you use in a policy, the harder it is to spoof. However, technically, it could still be spoofed. This is why you should limit network access per endpoint type to minimize any potential attack surface and use additional security tools for malicious network behavior.
      2. MAC Registration
        Require registration of all non-authenticating endpoints into an asset database. Yes, MACs can still be spoofed, but you'll hopefully use expirations and limit/differentiate network access by requiring users to choose different types of limited network access levels. Open network access should never be allowed with MAB.
      3. Unknown Endpoints
        Severely limit access. Redirect to a Support portal identifying them as unknown and provide educational options about how to configure 802.1X or register their asset by MAC address.
  2. NAT Mode VMs
    It doesn't matter at the network level, since everything will look like the host, which you hopefully authenticated using 802.1X for your trusted employee and/or corporate endpoint. You must use AnyConnect Posture, Meraki SM, or some other EMM/MDM or client-based solution to enforce policies for software installation, configuration, etc.
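To make the profiling point in item 1.2.1 concrete (a policy built from several attributes is harder to defeat than one that keys on the MAC alone), here is an added example in Python that is not Cisco code and not part of this thread: it models ISE-style certainty factors summed over probe attributes. The attribute names mirror the MAC, hostname and AD-Host-Exists attributes mentioned in this thread; the certainty values, the threshold and the endpoint records are assumptions made for the demo.

```python
# Added example, not Cisco/ISE code: a simplified model of an ISE profiling policy
# that sums certainty factors over several probe attributes, so no single spoofable
# value (e.g. the MAC OUI) decides the result. Certainty values and records are made up.

# OUIs publicly registered to hypervisor NIC vendors.
HYPERVISOR_OUIS = {"08:00:27": "VirtualBox", "00:0c:29": "VMware", "00:50:56": "VMware"}

# One policy: each condition is (attribute, predicate, certainty increase, why).
HYPERVISOR_GUEST_POLICY = {
    "name": "Hypervisor-Guest",
    "minimum_certainty": 20,
    "conditions": [
        ("MACAddress", lambda v: v.lower()[:8] in HYPERVISOR_OUIS, 10,
         "MAC OUI belongs to a hypervisor vendor"),
        ("AD-Host-Exists", lambda v: v == "false", 10,
         "AD probe found no computer object for this host"),
        ("host-name", lambda v: v.upper().startswith("DESKTOP-"), 10,
         "default Windows hostname that was never renamed"),
    ],
}

def evaluate_policy(policy, endpoint):
    """Return (total certainty, list of matched condition descriptions)."""
    certainty, matched = 0, []
    for attribute, predicate, increase, why in policy["conditions"]:
        value = endpoint.get(attribute)
        if value is not None and predicate(value):
            certainty += increase
            matched.append(why)
    return certainty, matched

def classify(endpoint, policies=(HYPERVISOR_GUEST_POLICY,)):
    """Best policy whose threshold is met, else 'Unknown' (limit access)."""
    best_name, best_certainty = "Unknown", 0
    for policy in policies:
        certainty, _ = evaluate_policy(policy, endpoint)
        if certainty >= policy["minimum_certainty"] and certainty > best_certainty:
            best_name, best_certainty = policy["name"], certainty
    return best_name

# Constructed endpoint records, as ISE would hold them after probe collection.
VBOX_GUEST = {"MACAddress": "08:00:27:1a:2b:3c", "AD-Host-Exists": "false",
              "host-name": "DESKTOP-7K2Q9PL"}
# Same guest with a changed (locally administered, constructed) MAC: the OUI
# condition fails, but the two remaining attributes still reach the threshold.
SPOOFED_MAC = {**VBOX_GUEST, "MACAddress": "02:11:22:33:44:55"}
# Only when every attribute differs does the record drop to Unknown, which under
# the policy above means severely limited access, never open access.
FULLY_SPOOFED = {**SPOOFED_MAC, "host-name": "LAPTOP-ADMIN", "AD-Host-Exists": "true"}
```

Calling classify() on the three records gives Hypervisor-Guest, Hypervisor-Guest and Unknown respectively, which is the behaviour the reply argues for: the Unknown bucket exists so that a spoofed endpoint lands in restricted access rather than in a trusted profile.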
Hello.

Let's look at some typical cases regarding VPN access for employees at home -

 

We have a policy of the following rules for remote employees that use a home PC for accessing corporate resources (not all, but mostly this one can be easily avoided) -

rules:

1. Employees can't use any virtual environment (VBox, Parallels, Qemu and so on). (Profiling won't work, since we can easily change device-type, for example, or the MAC address.)

2. Employees should use VPN access only from a local PC, not from any remote connection, but employees can change the VPN profile (VPN Logon Enforcement, VPN Establishment, for example) to bypass that rule by tampering with the VPN profile file.


I agree that EEM will help, but in this case we have a lot of BYOD devices that employees use at home, and for some reason we can't make them use an EEM agent.

So the AD probe is a good solution, but we have BYOD devices, so we don't use corporate devices.

 

Maybe someone has some experience with how we can solve this?