I know plenty of firewall engineer in the FTNT camp, and most swear by device identification, but the truth is; " they are bias for it & are mistaken on the actual security protection that it offers".
Device identification is typically used to control a wide audience of device & mainly by mac_address or device type ( computer phone tablet etc....). But the method used by fortinet is not as solid as some may think.
I've seen numerous public k-12 schools deploy this method to restrict or attempt to restrict mobile devices from the network access. In one school I was at, they attempted to ban all non -Apple tablets from the classroom environment and it was a big failed.
1st off mac address filtering and those that deploy it, really don't understand it ( imho ) or blindly put all trust in it. Either way, any two-bit end-user who has admin or super-user access and can change the system interface mac address, can easily fool any systems that relies on mac-filtering.
My macbook for example, can have it's wired or wireless interface(s) ether-address change just by disabling the interface and using the ifconfig to reconfigure the ether address.
review the manpages for airport and ifconfig cli commands
e.g ( changing wireless interface en0 mac_address after disassociating )
2nd, the http user-agent detection for a device can easily be substituted via a user-agent switcher. Once again any two-bit end users can execute this with ease. Here's my macbook Air BIA Mac_Address = b8:e8:56:12:d2:08
I change the user-agent within the firefox browser and the same macbook can now posed as a window host, linux host or palmOS, etc.....
Guess what ? My device is still really a macbook Air! But are you 100% sure ? Please take a look at the diag user device list outputs.
A user-agent detection website site can be used to show and display your claimed user-agent
Here's some example of wrong identifications.
And here's the correct one.
Even a Nexus10 tablet could be masked as a iPad device or iPod using the chameleon app. And yes this is a Samsung Tablet impostering as a Apple Product with no "rooting".
Let's look at just some of the defined categories that are listed.
In this output the only tablet ( android ) that's correctly ID is my nexus 10 tablet, all others devices including my wife's Galaxy Note3 are Identified as a Android-Tablet.
Funny, my older NexusS phone was properly identified as a phone.
So be careful on how you deploy device identification and if you define a blacklist. This method for network control is not 100% perfect. Numerous other & better means for controlling devices access exists such-as ;
- deploying fortinet FSSO agent
- enabling layer2 802.1x
- captive portals w/user authentications
- NAC_profiling
- EndPoint Registrations
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
No comments:
Post a Comment