Isolating and Protecting Devices on the Network A database-driven methodology Tom Zeller June 2008.

Presentation transcript:

1 Isolating and Protecting Devices on the Network
A database-driven methodology
Tom Zeller
June 2008

2 Purpose
Automatically detect special categories of devices and create an appropriate network environment for them

3 Methodology Overview
802.1x on wired and wireless
For non-802.1x devices, the switch fakes 802.1x authentication using the MAC address as username and password
Custom RADIUS server recognizes that the username is a MAC address and looks up the policy

4 Define Device Categories
Work with departments
Categories should be easily added
Examples:
– PCI cash register
– Security Camera
– Stolen Laptop
– RoboDog
– Many more

5 Define Policy Action for Each Category
VLAN ID
Port ACL
Access Denied
Alert someone (e.g. stolen laptops)
Allow only if in a particular building
Allow only if network type matches

6 MAC Table Input
Web application with granular access to categories
– e.g. only physical plant admins can add cameras
API for IDS, scanners, etc. to add devices on the fly
Include date for annual refresh
Force building restriction for most categories
Restrict to wired or wireless only (or both)

7 Device, Category/Action Tables

8 Link VLAN Names to VLAN Numbers
VLAN “Quarantine” is a different number in different locations

9 RADIUS Logic
If username is a MAC address:
– Don’t authenticate via ADS
– Look up in registered device table
– If present, retrieve policy action and building
– If building matches requesting switch, send policy via RADIUS attributes to switch

10 Transparency: The Solution to Complexity
Develop a web application that lets support personnel enter a MAC address and see what SHOULD have happened (category, building, VLAN, ACL) and/or what ACTUALLY happened (from the log file)
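The slide-9 decision flow, which also doubles as the slide-10 "what should have happened" lookup, written out as an added Python example that is not from the talk. The device, category/action and VLAN tables are constructed; the RADIUS attribute names are the standard RFC 3580 tunnel attributes, and using Filter-Id to carry the port ACL name and sending unregistered MACs to the Quarantine VLAN are assumptions the slides do not state.

```python
import re
# Constructed sample tables (assumed layout, not the talk's actual schema).
# Registered devices: MAC -> (category, building or None, wired/wireless/both)
DEVICES = {
    "001122334455": ("pci_cash_register", "Union", "wired"),
    "66778899aabb": ("security_camera", "Library", "wired"),
    "deadbeef0001": ("stolen_laptop", None, "both"),
}
# Category -> policy action (slide 5): VLAN name, port ACL, deny, alert
ACTIONS = {
    "pci_cash_register": {"vlan": "PCI", "acl": "pci-only"},
    "security_camera": {"vlan": "Cameras", "acl": "camera-egress"},
    "stolen_laptop": {"deny": True, "alert": True},
}
# (building, VLAN name) -> VLAN number (slide 8): one name, different numbers
VLANS = {("Union", "PCI"): 410, ("Union", "Quarantine"): 999,
         ("Library", "Cameras"): 210, ("Library", "Quarantine"): 899}
MAC_RE = re.compile(r"^([0-9a-f]{2}[:.-]?){5}[0-9a-f]{2}$", re.I)

def norm_mac(s):
    return re.sub(r"[^0-9a-f]", "", s.lower())

def vlan_attrs(building, vlan_name, acl=None):
    """Map a VLAN name to the number used in this building (slide 8)."""
    attrs = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-Id": str(VLANS[(building, vlan_name)])}
    if acl:
        attrs["Filter-Id"] = acl   # assumed attribute carrying the port ACL name
    return attrs

def authorize(username, password, switch_building, network):
    """Return (decision, radius_attributes, alerts) for one Access-Request."""
    if not MAC_RE.match(username):
        return "ads", {}, []          # not a MAC: normal 802.1x/ADS path
    mac = norm_mac(username)
    if norm_mac(password) != mac:     # switch sends the MAC as both fields
        return "reject", {}, []
    entry = DEVICES.get(mac)
    if entry is None:                 # unregistered: quarantine VLAN (assumption)
        return "accept", vlan_attrs(switch_building, "Quarantine"), []
    category, building, allowed_net = entry
    action = ACTIONS[category]
    alerts = [f"{category}: {mac} on {network} in {switch_building}"] if action.get("alert") else []
    if action.get("deny"):
        return "reject", {}, alerts
    if building and building != switch_building:   # building restriction (slide 9)
        return "reject", {}, alerts
    if allowed_net != "both" and allowed_net != network:   # wired/wireless (slide 6)
        return "reject", {}, alerts
    return "accept", vlan_attrs(switch_building, action["vlan"], action.get("acl")), alerts
```

Feeding a MAC plus the switch's building and network type into authorize() gives exactly the category/building/VLAN/ACL answer the slide-10 support tool is meant to display.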

