Wednesday, August 5, 2015

fortigate device identification can easily be forged

In this post I will point out that fortigate device identification and how it's not 100% fool-proof. In fact it can easily be fooled.

I know plenty of firewall engineer in the FTNT camp, and most swear by device identification,  but the truth is; " they are bias for it & are mistaken on the actual security protection that it offers".

Device identification is typically used to control a wide audience of device & mainly by mac_address or device type ( computer phone tablet etc....). But the method used by fortinet is not as solid as some may  think.

I've seen numerous public k-12 schools deploy this method to restrict or attempt to restrict mobile devices from the network access. In one school I was at, they attempted to ban all non -Apple tablets from the classroom environment  and it was a big failed.

1st off  mac address filtering and those that  deploy it, really don't understand it ( imho ) or blindly put all trust in it.  Either way,  any two-bit  end-user who has admin or super-user access and can change the system interface mac address, can easily fool any systems that relies on mac-filtering.

My macbook  for example,  can have it's wired or wireless interface(s)  ether-address change just by disabling  the interface  and using the ifconfig to reconfigure the ether address.

 review  the manpages for  airport  and ifconfig cli commands


e.g ( changing wireless interface en0 mac_address after disassociating  )



2nd,  the http user-agent detection for a device can easily be substituted via a user-agent switcher. Once again any two-bit end users can execute this with ease. Here's my macbook Air BIA Mac_Address = b8:e8:56:12:d2:08

I change the user-agent within the firefox browser and the same macbook can now posed as a window host, linux host or  palmOS, etc.....

Guess what ? My device is still really a macbook Air! But are you 100% sure ? Please take a look at the diag user device list outputs.


 A user-agent detection website site  can be used to  show and display your claimed user-agent



Here's some example of wrong identifications.

 And here's the correct one.


Even a Nexus10 tablet could be masked as a iPad device or iPod using the chameleon app. And yes this is a Samsung Tablet impostering as a Apple Product with no "rooting".


Let's look at just some of the defined categories that are listed.


In this output the only tablet ( android ) that's correctly ID is my nexus 10 tablet, all others devices including my wife's  Galaxy Note3 are Identified as a Android-Tablet.


Funny, my older NexusS phone was properly identified as a phone.


So be careful on how you deploy  device identification and if you define a blacklist. This method for network control is not 100% perfect. Numerous other & better means for controlling devices  access exists such-as ;
  •  deploying fortinet FSSO agent
  •  enabling layer2 802.1x
  •  captive portals w/user authentications
  •  NAC_profiling
  •  EndPoint Registrations


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \

No comments:

Post a Comment